Press "Enter" to skip to content

California Enacts HIPAA-Conforming Amendments to CCPA; Extends B2B and Employment Exemptions  

HIPAAAssembly Bill 713 was approved by California Gov. Gavin Newsom on Sept. 25, 2020, at which time its provisions went into effect.  The legislation amends the California Consumer Privacy Act (CCPA) in part by addressing certain issues related to de-identified patient information.

The CCPA excludes from the definition of personal information any consumer information that has been deidentified, which “means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information: 1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain; 2)  Has implemented business processes that specifically prohibit reidentification of the information; 3)  Has implemented business processes to prevent inadvertent release of deidentified information; 4)  Makes no attempt to reidentify the information.” §§ 1798.140(o)(3); 1798.140(h).

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, on the other hand, provides that individually identifiable health information is only deidentified if: 1) a formal determination is made by an expert; or 2) certain identifiers are removed. 45 C.F.R. § 164.514(b).

Thus, the legislation conforms the CCPA to the HIPAA Privacy Rule by requiring that, to be excluded, the information must be:

1.  deidentified in accordance with the requirements for deidentification set forth in in the HIPAA Privacy Rule; and
2.  derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects. § 1798.146.

Assembly Bill 1281 was approved by Gov. Newsom on Sept. 29, 2020, and simply amends the CCPA by extending the existing exclusions for personal information associated with business-to-business communications and for certain personal information that is employment related. The exclusions are extended from Jan. 1, 2021, to Jan. 1, 2022.  However, if the California Privacy Rights Act ballot initiative is approved by California voters in November, the exclusion will extend to Jan. 1, 2023.

WEBINAR

Now is the time to fine-tune your CCPA compliance. Join me to learn how to get your business ready to comply with the CCPA during “CCPA Enforcement Is Almost Upon Us! Are You Ready?” Click here to register.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.