More Proposed Changes to CCPA Geared to Health Care and Life Sciences Industries

January 15, 2020 Alerts and Newsletters

The California Consumer Privacy Act of 2018 (“CCPA”) took effect on January 1, 2020. Days later on January 8, 2020, the California Senate Health Committee unanimously approved Senate bill A.B. 713 (the “Bill”) to establish new exemptions particularly relevant to the health care and life sciences industries. The Bill is currently with the Senate Judiciary Committee and would need to be passed by the full Senate and signed by the Governor before being enacted into law.

Expanded Exemptions

Biomedical Research

The Bill would increase flexibility and bring some needed clarification on the scope of CCPA requirements for life sciences and pharmaceutical companies conducting medical research. It would also significantly expand upon the current exemption in the CCPA that applies to information collected as part of a “clinical trial.” The term “clinical trial” is not defined in the law and it is unclear how it will ultimately be interpreted by the California Office of the Attorney General; however, if the Bill were enacted, it would clarify that personal information collected for other types of research that do not qualify as a clinical trial may be exempt as well. Under the Bill, the following two types of personal information would be exempt:

  • Personal information that is collected for, or used in biomedical research subject to institutional review board standards and the ethics and privacy requirements under the Federal Policy for the Protection of Human Subjects also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration (“FDA”); and
  • Personal information that is collected for, or used in research, subject to all applicable ethics and privacy laws, provided that the information is either individually identifiable health information, as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, or medical information governed by the California Confidentiality of Medical Information Act (“CMIA”).

The Bill specifies that “research,” as used above, shall have the meaning given that term in the HIPAA Privacy Rule.

Regulatory Oversight and Public Health Activities

Additionally, the Bill includes an exemption for personal information used by life sciences companies in connection with oversight and safety activities conducted to meet regulatory obligations. That new exemption would apply to:

  • Personal information that the business uses only for the following purposes: (i) product registration and tracking consistent with applicable FDA regulations and guidance; (ii) public health activities and purposes as described in the HIPAA Privacy Rule; and (iii) activities related to quality, safety, or effectiveness regulated by the FDA, provided that the information is subject to all confidentiality and privacy provisions applicable under federal or state law (besides the CCPA), and it is not sold or used except as stated above.

HIPAA De-Identified Information

Another new exemption included in the Bill would apply to HIPAA de-identified information which is significant due to the fact that, currently, data sets that satisfy the HIPAA de-identification standard may not necessarily meet the standard for de-identification under the CCPA. That exemption would apply to:

  • Information that is (i) de-identified in accordance with the requirements of the HIPAA Privacy Rule and (ii) derived from protected health information, medical information, individually identifiable health information, or identifiable private information, provided that the business or its business associates do not attempt to re-identify the information and do not actually re-identify the information.

Notably, the Bill defines the various terms used in this proposed exemption by reference to their meaning in the underlying laws (e.g., HIPAA Privacy Rule, the CMIA, and the Common Rule).

Business Associates

Unlike the other newly proposed exemptions which apply to personal information that meets certain specified criteria, the final proposed exemption would exempt a particular type of business. It would apply to:

  • A business associate of a covered entity governed by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, to the extent that the business associate maintains, uses and discloses patient information only in accordance with the legal requirements of such Rules applicable to protected health information.

New Requirement

In addition to the newly proposed exemptions, the Bill would also create a new requirement for businesses that sell or disclose personal information that has been de-identified in accordance with the HIPAA Privacy Rule. Such businesses would be required to state in their online privacy notice whether information de-identified under HIPAA had been disclosed in the previous 12 months and if so, whether the de-identified information had been de-identified using the “HIPAA expert determination method” or the “HIPAA safe harbor method.”

Although this Bill is intended to broaden the current exemptions in the CCPA and harmonize the CCPA with other federal and state medical privacy and confidentiality laws, its text creates additional interpretation questions that will need to be explored. Further, the Bill would create a new requirement that businesses may find administratively burdensome to implement. We will continue to monitor the progression of this Bill and the CCPA’s overall implementation. For questions or if you would like to discuss this matter, please reach out to your regular Verrill attorney.

Firm Highlights

Matter

European Union GDPR—Institution

Counseled a preeminent health system and academic medical center on its compliance with the European Union General Data Protection Regulation (GDPR) in relation to its clinical and research activities, including its international research studies...

Publication/Podcast

FDA Updates its Guidance on Conducting Clinical Trials During COVID-19 Public Health Emergency

On April 16, 2020, the U.S. Food & Drug Administration (“FDA”) again updated its guidance on the “Conduct of Clinical Trials of Medical Products during COVID-19 Public Health Emergency,” adding seven new questions and...

Publication/Podcast

News Flash: HHS Issues Statement Removing Premarket Review Requirements for Laboratory Developed Tests (“LDTs”), Including COVID-19 LDTs

What happened? On August 19, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a single paragraph statement rescinding U.S. Food and Drug Administration (“FDA”) guidance documents concerning premarket review of Laboratory...

Publication/Podcast

FDA Issues Guidance on IRB Review of Non-Emergency Individual Patient Expanded Access Requests for Investigational Drugs and Biological Products to Treat COVID-19

Prompted by a substantial increase in requests for individual patient access to investigational drugs and biologics to treat COVID-19, the U.S. Food & Drug Administration (“FDA”) issued guidance on June 2, 2020 that outlines...

News

38 Verrill Attorneys, Across Four Offices, Recognized in 2020 Chambers & Partners Guide

(April 27, 2020) – Verrill has been rated as a Leading Firm in a total of ten categories and subcategories as evaluated by London-based Chambers & Partners , one of the world's most respected...

Matter

Conflicts of Interest

Reviewed medical center's systems, policies and procedures for identifying, assessing, and managing investigator and institutional conflicts of interest.

Publication/Podcast

EU-U.S. Privacy Shield Invalidated: Does Your Company Have a Plan B?

On Thursday, July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield (“Privacy Shield”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18...

News

Nearly 80 Verrill Attorneys Recognized by Best Lawyers® 2021, Including a Dozen Named Lawyers of the Year

(August 24, 2020) – Nearly 80 Verrill attorneys were recognized as "Best Lawyers" by Best Lawyers® 2021 , including 12 attorneys named “Lawyer of the Year,” a distinguished recognition for only a single lawyer...

Matter

Multi-Site Global Research

Developed and negotiated site and coordinating center agreements in connection with a multi-site, international, National Institutes of Health (NIH)-funded study, and advised on regulatory issues related to the conduct of the study and subsequent...

News

Michael K. Fee to Lead Verrill’s Nationally-Recognized Health Care and Life Sciences Practice Amidst Recent Changes

(August 31, 2020) – Verrill is pleased to announce Michael K. Fee as the new leader of Verrill’s nationally-recognized Health Care & Life Sciences Group. The Group has a long history of representing a...