Press "Enter" to skip to content

California Enacts HIPAA-Conforming Amendments to CCPA; Extends B2B and Employment Exemptions  

HIPAAAssembly Bill 713 was approved by California Gov. Gavin Newsom on Sept. 25, 2020, at which time its provisions went into effect.  The legislation amends the California Consumer Privacy Act (CCPA) in part by addressing certain issues related to de-identified patient information.

The CCPA excludes from the definition of personal information any consumer information that has been deidentified, which “means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information: 1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain; 2)  Has implemented business processes that specifically prohibit reidentification of the information; 3)  Has implemented business processes to prevent inadvertent release of deidentified information; 4)  Makes no attempt to reidentify the information.” §§ 1798.140(o)(3); 1798.140(h).

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, on the other hand, provides that individually identifiable health information is only deidentified if: 1) a formal determination is made by an expert; or 2) certain identifiers are removed. 45 C.F.R. § 164.514(b).

Thus, the legislation conforms the CCPA to the HIPAA Privacy Rule by requiring that, to be excluded, the information must be:

1.  deidentified in accordance with the requirements for deidentification set forth in in the HIPAA Privacy Rule; and
2.  derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects. § 1798.146.

Assembly Bill 1281 was approved by Gov. Newsom on Sept. 29, 2020, and simply amends the CCPA by extending the existing exclusions for personal information associated with business-to-business communications and for certain personal information that is employment related. The exclusions are extended from Jan. 1, 2021, to Jan. 1, 2022.  However, if the California Privacy Rights Act ballot initiative is approved by California voters in November, the exclusion will extend to Jan. 1, 2023.


Now is the time to fine-tune your CCPA compliance. Join me to learn how to get your business ready to comply with the CCPA during “CCPA Enforcement Is Almost Upon Us! Are You Ready?” Click here to register.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.