Although the bill to amend the California Consumer Privacy Act (CCPA) to extend the so-called “B-to-B” and “employee” exceptions for one more year has garnered many headlines, the California legislature passed a second CCPA amendment (AB 713) that will be of interest to anyone involved in medical research as the new bill would ease some CCPA restrictions on research. The changes pertaining to healthcare data are expected to pass and are clearly responsive to additional needs to share information and conduct research on potential treatments and vaccines for the ongoing COVID pandemic. The bill has been sent to the governor for signature, if signed, the changes will take immediate effect.

Some initial 2019 CCPA amendments exempted certain health and research data. One in particular applies to clinical trials; however, the scope of that exemption was left undefined. The new language provides much needed clarity. It exempts:

Information that is collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.

First, the exemption applies to more than clinical trials in the traditional sense. Research conducted in accordance with Section 164.501 is also exempt (e.g., studies conducted with IRB oversight that may not technically be “clinical trials”). Second, the exemption applies to secondary research so long as that research complies with the Common Rule.

In addition, the bill would clearly exempt information that has been deidentified in accordance with 164.514 of HIPAA and that is also “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.” The existing CCPA exemption does not formally recognize HIPAA’s deidentification standard, but this amendment would provide organizations who use this standard a clear exemption for use of data meeting one of HIPAA’s deidentification standards.

The bill also proposes a new section on reidentification. Reidentification would be prohibited unless certain requirements are met. This section provides circumstances where reidentification is permitted, they include:

  • Treatment, payment and operations as permitted by HIPAA
  • Public health activities
  • Research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, that is conducted in accordance with Part 46 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule
  • Pursuant to a contract “where the lawful holder of the deidentified information” (e.g., the data owner, data controller, the party the directly collects the data, etc.) engages a person or entity to reidentify deidentified information to conduct “testing, analysis, or validation of deidentification, or related statistical techniques.” In addition, the contract must ban any other use or disclosure of the reidentified information and require destruction of redidentified information
  • Where required by law

Starting January 1, 2021, the bill would also place three new requirements on the sale of de-identified information:

(1) A statement that the deidentified information being sold or licensed includes deidentified patient information.

(2) A   statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited.

(3) A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

The bill would also add a new requirement to privacy policies, by adding a new subsection (D) to Section 130(a)(5) requiring the business to disclose if it sells or discloses deidentified patient information derived from personal patient information and if so, whether that deidentified health patient information was deidentified in accordance with the HIPAA “expert determination” method or the HIPAA “safe harbor” method.