Digital Guardian's Blog

New Bill Would Aid CCPA Compliance for HIPAA Business Associates

by Chris Brook on Monday January 20, 2020


A new bill in California would amend the CCPA and further health data exemptions - namely data that's been de-identified in the eyes of HIPAA.

The California Consumer Privacy Act (CCPA) hasn't even been in effect for a full month yet - enforcement by the California Attorney General (AG) doesn't even kick in until July 1, 2020 - but that isn't stopping stakeholders there from attempting to pass new bills to piggyback on the legislation.

One of those bills, AB 713, which would amend the CCPA to except additional categories of health information, was unanimously approved earlier this month by the California State Senate Health Committee.

If passed, the bill could help ease compliance for healthcare organizations – specifically those that specialize in medical research and safety – by creating an exception based on HIPAA-style expert determination.

In its current iteration, the CCPA doesn't regulate personally identifiable information (PII) collected by HIPAA covered entities or businesses. AB 713 would except from CCPA requirements data de-identified in accordance with HIPAA, medical research data, personal data used for public health and safety activities, and patient information maintained by HIPAA business associates.

The goal of the bill is to clear the air around how both HIPAA and the CCPA treat de-identified data.

By making it so the CCPA doesn't apply to what HIPAA considers de-identified information, the bill should cut down on inconsistencies made by HIPAA-regulated entities, as well as by entities that create data sets that include de-identified data but that aren't regulated by HIPAA, like life sciences companies, healthcare businesses, and research organizations.

Under AB 713, CCPA would except de-identified health information under the following three conditions:

  • When the information is de-identified in accordance with a HIPAA de-identification method
  • When the information is from PHI or, as HIPAA refers to it, "individually identifiable health information," "medical information" under the California Confidentiality of Medical Information Act (CMIA), or "identifiable private information" under HHS Common Rule regulations.
  • When the business doesn't actually re-identify, or attempt to re-identify, the information.

AB 713 also adds an exemption for personal information that's used for the following purposes:

  • Product registration and tracking consistent with applicable FDA regulations and guidelines.
  • Public health activities and purposes detailed in 45 CFR § 164.512
  • FDA-regulated quality, safety, and effectiveness activities

The bill was approved just two days after Kevin Mullin, an assemblymember who represents the 22nd California Assembly District, introduced it; it seems likely the bill will be referred to the Senate Judiciary Committee next.

Tags: Industry Insights, Healthcare

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.