
Further Amendment to the California Consumer Privacy Act of 2018

Melissa Krasnow | October 9, 2020


AB 713 describes additional exceptions to the California Consumer Privacy Act (CCPA), reidentification of deidentified information, contract requirements regarding the sale or license of deidentified information, and additional privacy policy requirements.

Please also see "A Summary of the California Consumer Privacy Act of 2018."

CCPA Exceptions

The CCPA shall not apply to the following.

  • Medical information governed by the California Confidentiality of Medical Information Act (CMIA) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), a provider of health care governed by the CMIA or a covered entity governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent the provider or covered entity maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in this bullet point, or a business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to HIPAA and the HITECH Act, to the extent that the business associate maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in this bullet point (the definitions of "medical information" and "provider of health care" in section 56.05 of the CMIA shall apply, the definition of "identifiable private information" in 45 C.F.R. 160.102 shall apply, and the definitions of "business associate," "covered entity," "individually identifiable health information," and "protected health information" in 45 C.F.R. 160.103 shall apply).
  • "Patient information" means identifiable private information, protected health information, individually identifiable health information, or medical information.
  • Information that is collected, used, or disclosed in research, as defined in 45 C.F.R. 164.501, including without limitation, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of 45 C.F.R., part 164, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the US Food and Drug Administration.
  • Under Cal. Civ. Code 1798.146(a)(4)(A), information that is deidentified in accordance with the requirements for deidentification in 45 C.F.R. 164.514 and derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the CMIA, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, provided that information that met the requirements of Cal. Civ. Code 1798.146(a)(4)(A) but is subsequently reidentified shall no longer be eligible for this exemption, and shall be subject to applicable federal and state data privacy and security laws, including without limitation, HIPAA, the CMIA, and the CCPA.

Reidentification

"Reidentify" means the process of reversal of deidentification techniques, including without limitation, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual.

A business or other person shall not reidentify, or attempt to reidentify, information that met the requirements of Cal. Civ. Code 1798.146(a)(4), except for any of the following purposes.

  • Treatment, payment, or healthcare operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity. For purposes of this bullet point, "treatment," "payment," "healthcare operations," "covered entity," and "business associate" have the same meaning as defined in 45 C.F.R. 164.501.
  • Public health activities or purposes as described in 45 C.F.R. 164.512.
  • Research, as defined in 45 C.F.R. 164.501, that is conducted in accordance with 45 C.F.R., part 46, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
  • Pursuant to a contract where the lawful holder of the deidentified information that met the requirements of Cal. Civ. Code 1798.146(a)(4) expressly engages a person or entity to attempt to reidentify the deidentified information to conduct testing, analysis, or validation of deidentification, or related statistical techniques, if the contract bans any other use or disclosure of the reidentified information and requires the return or destruction of the information that was reidentified upon completion of the contract.
  • If otherwise required by law.

In accordance with Cal. Civ. Code 1798.146(a)(4), information reidentified pursuant to Cal. Civ. Code 1798.148 shall be subject to applicable federal and state data privacy and security laws, including without limitation, HIPAA, the CMIA, and the CCPA.

Contract Requirements

Beginning on January 1, 2021, any contract for the sale or license of information that has met the requirements of Cal. Civ. Code 1798.146(a)(4), where one of the parties is a person residing or doing business in California, shall include the following, or substantially similar, provisions.

  • A statement that the deidentified information being sold or licensed includes deidentified patient information.
  • A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to Cal. Civ. Code 1798.148.
  • A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

Privacy Policy Requirements

A business that sells or discloses deidentified patient information not subject to the CCPA pursuant to Cal. Civ. Code 1798.146(a)(4)(A)(i) must describe, in its online privacy policy or in any California-specific description of consumer privacy rights (which must be updated at least once every 12 months), whether the business sells or discloses deidentified patient information derived from patient information and, if so, whether that patient information was deidentified pursuant to either of the following.

  • The deidentification methodology described in 45 C.F.R. 164.514(b)(1), commonly known as the HIPAA expert determination method.
  • The deidentification methodology described in 45 C.F.R. 164.514(b)(2), commonly known as the HIPAA safe harbor method.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.