Client Alert: California Governor Signs CCPA Amendment Giving Clarity for HIPAA-Regulated Entities


Governor Gavin Newsom signed a bill on Friday, September 25, to amend the California Consumer Privacy Act (CCPA) to exempt certain health information from the CCPA, among other things. While the amendment provides some much-needed clarity, it also places some new obligations on businesses sharing or selling de-identified protected health information (PHI). Certain components of the bill are effective immediately.

Clarity on the PHI De-identification Issue

Under the CCPA, the definition of “Personal Information” excludes “consumer information that is de-identified.” Since the enactment of the CCPA, there has been some debate about whether PHI (typically exempt from the CCPA) actually becomes “Personal Information” once it is de-identified. This paradox stems from the differing standards for what it means to “de-identify” information under the CCPA and HIPAA. With the passage of AB 713, any PHI de-identified in accordance with the HIPAA Privacy Rule remains exempt from the CCPA so long as the information is not subsequently re-identified.

Changes to Privacy Policy for Businesses Selling or Sharing De-Identified PHI

The CCPA requires...
