More Proposed Changes to CCPA Geared to Health Care and Life Sciences Industries

January 15, 2020 Alerts and Newsletters

The California Consumer Privacy Act of 2018 (“CCPA”) took effect on January 1, 2020. Days later on January 8, 2020, the California Senate Health Committee unanimously approved Senate bill A.B. 713 (the “Bill”) to establish new exemptions particularly relevant to the health care and life sciences industries. The Bill is currently with the Senate Judiciary Committee and would need to be passed by the full Senate and signed by the Governor before being enacted into law.

Expanded Exemptions

Biomedical Research

The Bill would increase flexibility and bring some needed clarification on the scope of CCPA requirements for life sciences and pharmaceutical companies conducting medical research. It would also significantly expand upon the current exemption in the CCPA that applies to information collected as part of a “clinical trial.” The term “clinical trial” is not defined in the law and it is unclear how it will ultimately be interpreted by the California Office of the Attorney General; however, if the Bill were enacted, it would clarify that personal information collected for other types of research that do not qualify as a clinical trial may be exempt as well. Under the Bill, the following two types of personal information would be exempt:

  • Personal information that is collected for, or used in biomedical research subject to institutional review board standards and the ethics and privacy requirements under the Federal Policy for the Protection of Human Subjects also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration (“FDA”); and
  • Personal information that is collected for, or used in research, subject to all applicable ethics and privacy laws, provided that the information is either individually identifiable health information, as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, or medical information governed by the California Confidentiality of Medical Information Act (“CMIA”).

The Bill specifies that “research,” as used above, shall have the meaning given that term in the HIPAA Privacy Rule.

Regulatory Oversight and Public Health Activities

Additionally, the Bill includes an exemption for personal information used by life sciences companies in connection with oversight and safety activities conducted to meet regulatory obligations. That new exemption would apply to:

  • Personal information that the business uses only for the following purposes: (i) product registration and tracking consistent with applicable FDA regulations and guidance; (ii) public health activities and purposes as described in the HIPAA Privacy Rule; and (iii) activities related to quality, safety, or effectiveness regulated by the FDA, provided that the information is subject to all confidentiality and privacy provisions applicable under federal or state law (besides the CCPA), and it is not sold or used except as stated above.

HIPAA De-Identified Information

Another new exemption included in the Bill would apply to HIPAA de-identified information which is significant due to the fact that, currently, data sets that satisfy the HIPAA de-identification standard may not necessarily meet the standard for de-identification under the CCPA. That exemption would apply to:

  • Information that is (i) de-identified in accordance with the requirements of the HIPAA Privacy Rule and (ii) derived from protected health information, medical information, individually identifiable health information, or identifiable private information, provided that the business or its business associates do not attempt to re-identify the information and do not actually re-identify the information.

Notably, the Bill defines the various terms used in this proposed exemption by reference to their meaning in the underlying laws (e.g., HIPAA Privacy Rule, the CMIA, and the Common Rule).

Business Associates

Unlike the other newly proposed exemptions which apply to personal information that meets certain specified criteria, the final proposed exemption would exempt a particular type of business. It would apply to:

  • A business associate of a covered entity governed by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, to the extent that the business associate maintains, uses and discloses patient information only in accordance with the legal requirements of such Rules applicable to protected health information.

New Requirement

In addition to the newly proposed exemptions, the Bill would also create a new requirement for businesses that sell or disclose personal information that has been de-identified in accordance with the HIPAA Privacy Rule. Such businesses would be required to state in their online privacy notice whether information de-identified under HIPAA had been disclosed in the previous 12 months and if so, whether the de-identified information had been de-identified using the “HIPAA expert determination method” or the “HIPAA safe harbor method.”

Although this Bill is intended to broaden the current exemptions in the CCPA and harmonize the CCPA with other federal and state medical privacy and confidentiality laws, its text creates additional interpretation questions that will need to be explored. Further, the Bill would create a new requirement that businesses may find administratively burdensome to implement. We will continue to monitor the progression of this Bill and the CCPA’s overall implementation. For questions or if you would like to discuss this matter, please reach out to your regular Verrill attorney.

Firm Highlights

Publication/Podcast

The Regulatory Sprint is Over - What’s at the Finish Line Under the New Stark and AKS Final Rules?

The U.S. Department of Health and Human Services (HHS) completed its “Regulatory Sprint” by finalizing changes to regulations pertaining to two federal fraud and abuse laws. On December 2, 2020, the Centers for Medicare...

News

High-Profile Former U.S. Department of Justice Prosecutor, David Lazarus, Joins Verrill’s Health Care and Life Sciences Practice

(November 29, 2021) – Verrill is pleased to welcome David Lazarus to the firm’s Boston office as a Partner in its nationally recognized Health Care & Life Sciences Group. Lazarus is a former Department...

News

Verrill's Strategic Growth in Key Areas Shared in Mainebiz

On Monday, November 15th Verrill was listed as a Maine law firm who is innovating ways to hire talent in the Mainebiz article "Remote Work Changes Hiring Strategies for Some Maine Law Firms." The...

Publication/Podcast

HHS Confirms Providers’ Right to 340B Discount Pricing for Contract Pharmacies

As a holiday gift to providers, the U.S. Department of Health and Human Services (HHS) General Counsel recently issued a strongly worded Advisory Opinion indicating that federal law requires drug manufacturers to deliver covered...

Publication/Podcast

Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition.

Health care attorney Paul Shaw co-authored Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition with Robert Griffith, published by the American Health Law Association (AHLA). Paul and Robert provide legal...

Publication/Podcast

Massachusetts Health Care Bill Makes Several Significant Changes

While you were celebrating the New Year, Governor Baker signed Chapter 260 of the Acts of 2020, an “Act promoting a resilient health care system that puts patients first,” the result of the Legislature’s...

News

65 Verrill Attorneys Recognized by Best Lawyers® 2022, Including Eight Named Lawyers of the Year

(August 31, 2021) – 65 Verrill attorneys were recognized as "Best Lawyers" by Best Lawyers® 2022 , including 8 attorneys named “Lawyer of the Year,” a distinguished recognition for only a single lawyer in...

Publication/Podcast

340B Providers Get Partial Relief from New Dispute Resolution Regulation

1. 340B ADR Process Established At long last, more than ten years after Congress directed it to do so, HHS has finalized an alternative dispute resolution (“ADR”) process for both providers and pharmaceutical manufacturers...

Contact Verrill at (855) 307 0700