Publications & Podcasts

More Proposed Changes to CCPA Geared to Health Care and Life Sciences Industries

January 15, 2020 Alerts and Newsletters

The California Consumer Privacy Act of 2018 (“CCPA”) took effect on January 1, 2020. Days later on January 8, 2020, the California Senate Health Committee unanimously approved Senate bill A.B. 713 (the “Bill”) to establish new exemptions particularly relevant to the health care and life sciences industries. The Bill is currently with the Senate Judiciary Committee and would need to be passed by the full Senate and signed by the Governor before being enacted into law.

Expanded Exemptions

Biomedical Research

The Bill would increase flexibility and bring some needed clarification on the scope of CCPA requirements for life sciences and pharmaceutical companies conducting medical research. It would also significantly expand upon the current exemption in the CCPA that applies to information collected as part of a “clinical trial.” The term “clinical trial” is not defined in the law and it is unclear how it will ultimately be interpreted by the California Office of the Attorney General; however, if the Bill were enacted, it would clarify that personal information collected for other types of research that do not qualify as a clinical trial may be exempt as well. Under the Bill, the following two types of personal information would be exempt:

  • Personal information that is collected for, or used in biomedical research subject to institutional review board standards and the ethics and privacy requirements under the Federal Policy for the Protection of Human Subjects also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration (“FDA”); and
  • Personal information that is collected for, or used in research, subject to all applicable ethics and privacy laws, provided that the information is either individually identifiable health information, as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, or medical information governed by the California Confidentiality of Medical Information Act (“CMIA”).

The Bill specifies that “research,” as used above, shall have the meaning given that term in the HIPAA Privacy Rule.

Regulatory Oversight and Public Health Activities

Additionally, the Bill includes an exemption for personal information used by life sciences companies in connection with oversight and safety activities conducted to meet regulatory obligations. That new exemption would apply to:

  • Personal information that the business uses only for the following purposes: (i) product registration and tracking consistent with applicable FDA regulations and guidance; (ii) public health activities and purposes as described in the HIPAA Privacy Rule; and (iii) activities related to quality, safety, or effectiveness regulated by the FDA, provided that the information is subject to all confidentiality and privacy provisions applicable under federal or state law (besides the CCPA), and it is not sold or used except as stated above.

HIPAA De-Identified Information

Another new exemption included in the Bill would apply to HIPAA de-identified information which is significant due to the fact that, currently, data sets that satisfy the HIPAA de-identification standard may not necessarily meet the standard for de-identification under the CCPA. That exemption would apply to:

  • Information that is (i) de-identified in accordance with the requirements of the HIPAA Privacy Rule and (ii) derived from protected health information, medical information, individually identifiable health information, or identifiable private information, provided that the business or its business associates do not attempt to re-identify the information and do not actually re-identify the information.

Notably, the Bill defines the various terms used in this proposed exemption by reference to their meaning in the underlying laws (e.g., HIPAA Privacy Rule, the CMIA, and the Common Rule).

Business Associates

Unlike the other newly proposed exemptions which apply to personal information that meets certain specified criteria, the final proposed exemption would exempt a particular type of business. It would apply to:

  • A business associate of a covered entity governed by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, to the extent that the business associate maintains, uses and discloses patient information only in accordance with the legal requirements of such Rules applicable to protected health information.

New Requirement

In addition to the newly proposed exemptions, the Bill would also create a new requirement for businesses that sell or disclose personal information that has been de-identified in accordance with the HIPAA Privacy Rule. Such businesses would be required to state in their online privacy notice whether information de-identified under HIPAA had been disclosed in the previous 12 months and if so, whether the de-identified information had been de-identified using the “HIPAA expert determination method” or the “HIPAA safe harbor method.”

Although this Bill is intended to broaden the current exemptions in the CCPA and harmonize the CCPA with other federal and state medical privacy and confidentiality laws, its text creates additional interpretation questions that will need to be explored. Further, the Bill would create a new requirement that businesses may find administratively burdensome to implement. We will continue to monitor the progression of this Bill and the CCPA’s overall implementation. For questions or if you would like to discuss this matter, please reach out to your regular Verrill attorney.

Firm Highlights

Matter

Trademark Litigation: Software

Represented trademark owner in litigation with foreign software company. Successfully defeated motion to dismiss on jurisdictional grounds, which was affirmed on appeal. Also successfully defeated summary judgment motion, which resulted in case settling before...

Publication/Podcast

2021 Year End Employee Benefit Plan Amendments

Health and Welfare Plans Employers that made available COVID-19 relief and benefit enhancements in 2020 – such as the increased carry over limit and extended grace period for health flexible spending accounts – need...

Blog

Incidental Take of Migratory Birds Prohibited Once Again as New MBTA Rule Becomes Effective

A U.S. Fish and Wildlife Service (“FWS”) final rule that presumptively reinstates liability for incidental take under the Migratory Bird Treaty Act (“MBTA”) becomes effective on December 3. The new rule revokes a Trump-era...

Event

Maine Rural Water Association Annual Conference

On Wednesday, December 8th from 12:40PM to 2:10PM Verrill Attorney Mathew Todaro will be speaking at the Maine Rural Water Association's 41st Annual Conference. Mat and two other speakers will be presenting "PFAS and...

Matter

Copyright Litigation: Software

Defended equipment manufacturer in copyright dispute involving firmware for digital subscriber line access multiplexers (“DSLAMs”). Case resolved favorably.

Publication/Podcast

Connecticut Supreme Court Rejects Tough Delaware Standard in Allowing Member Inspections of Manager-Managed LLC Books and Records – Or Does It?

Before allowing the inspection of corporate books and records, Delaware courts require a shareholder seeking information about possible mismanagement to come forward with evidence demonstrating a reasonable basis to suspect mismanagement. [1] In Benjamin...

News

Andrew Nevas appears before Connecticut Supreme Court regarding COVID rent dispute

Blog

Maine Rural Water Association Annual Conference with Verrill Attorney Mathew J. Todaro

Verrill Attorney Mathew J. Todaro, along with two others, will be presenting at the Maine Rural Water Association’s 41 st Annual Conference and Trade Show. Their presentation, “PFAS and Practicality Regulatory Updates with a...

Event

Medicare's Future: Improving Health Equity and Implications for Employers

On Wednesday, December 15th at 2 pm join the National Academy of Social Insurance , Verrill , the New England Council , and the Massachusetts Hospital Association for a virtual discussion on the future...

News

High-Profile Former U.S. Department of Justice Prosecutor, David Lazarus, Joins Verrill’s Health Care and Life Sciences Practice

(November 29, 2021) – Verrill is pleased to welcome David Lazarus to the firm’s Boston office as a Partner in its nationally recognized Health Care & Life Sciences Group. Lazarus is a former Department...

Contact Verrill at (855) 307 0700