More Proposed Changes to CCPA Geared to Health Care and Life Sciences Industries

January 15, 2020 Alerts and Newsletters

The California Consumer Privacy Act of 2018 (“CCPA”) took effect on January 1, 2020. Days later, on January 8, 2020, the California Senate Health Committee unanimously approved Senate bill A.B. 713 (the “Bill”) to establish new exemptions particularly relevant to the health care and life sciences industries. The Bill is currently with the Senate Judiciary Committee and would need to be passed by the full Senate and signed by the Governor before being enacted into law.

Expanded Exemptions

Biomedical Research

The Bill would increase flexibility and bring some needed clarification on the scope of CCPA requirements for life sciences and pharmaceutical companies conducting medical research. It would also significantly expand upon the current exemption in the CCPA that applies to information collected as part of a “clinical trial.” The term “clinical trial” is not defined in the law and it is unclear how it will ultimately be interpreted by the California Office of the Attorney General; however, if the Bill were enacted, it would clarify that personal information collected for other types of research that do not qualify as a clinical trial may be exempt as well. Under the Bill, the following two types of personal information would be exempt:

  • Personal information that is collected for, or used in, biomedical research subject to institutional review board standards and the ethics and privacy requirements under the Federal Policy for the Protection of Human Subjects (also known as the Common Rule), good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration (“FDA”); and
  • Personal information that is collected for, or used in research, subject to all applicable ethics and privacy laws, provided that the information is either individually identifiable health information, as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, or medical information governed by the California Confidentiality of Medical Information Act (“CMIA”).

The Bill specifies that “research,” as used above, shall have the meaning given that term in the HIPAA Privacy Rule.

Regulatory Oversight and Public Health Activities

Additionally, the Bill includes an exemption for personal information used by life sciences companies in connection with oversight and safety activities conducted to meet regulatory obligations. That new exemption would apply to:

  • Personal information that the business uses only for the following purposes: (i) product registration and tracking consistent with applicable FDA regulations and guidance; (ii) public health activities and purposes as described in the HIPAA Privacy Rule; and (iii) activities related to quality, safety, or effectiveness regulated by the FDA, provided that the information is subject to all confidentiality and privacy provisions applicable under federal or state law (besides the CCPA), and it is not sold or used except as stated above.

HIPAA De-Identified Information

Another new exemption included in the Bill would apply to HIPAA de-identified information. This is significant because, currently, data sets that satisfy the HIPAA de-identification standard may not necessarily meet the standard for de-identification under the CCPA. That exemption would apply to:

  • Information that is (i) de-identified in accordance with the requirements of the HIPAA Privacy Rule and (ii) derived from protected health information, medical information, individually identifiable health information, or identifiable private information, provided that the business or its business associates do not attempt to re-identify the information and do not actually re-identify the information.

Notably, the Bill defines the various terms used in this proposed exemption by reference to their meaning in the underlying laws (e.g., HIPAA Privacy Rule, the CMIA, and the Common Rule).

Business Associates

Unlike the other newly proposed exemptions, which apply to personal information that meets certain specified criteria, the final proposed exemption would exempt a particular type of business. It would apply to:

  • A business associate of a covered entity governed by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, to the extent that the business associate maintains, uses and discloses patient information only in accordance with the legal requirements of such Rules applicable to protected health information.

New Requirement

In addition to the newly proposed exemptions, the Bill would also create a new requirement for businesses that sell or disclose personal information that has been de-identified in accordance with the HIPAA Privacy Rule. Such businesses would be required to state in their online privacy notice whether information de-identified under HIPAA had been disclosed in the previous 12 months and, if so, whether the de-identified information had been de-identified using the “HIPAA expert determination method” or the “HIPAA safe harbor method.”

Although this Bill is intended to broaden the current exemptions in the CCPA and harmonize the CCPA with other federal and state medical privacy and confidentiality laws, its text creates additional interpretation questions that will need to be explored. Further, the Bill would create a new requirement that businesses may find administratively burdensome to implement. We will continue to monitor the progression of this Bill and the CCPA’s overall implementation. For questions or if you would like to discuss this matter, please reach out to your regular Verrill attorney.
