On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out.

AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research.

Specific carve-outs:
  • De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify the information
  • “Business associates”
  • Personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule.
  • Personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information or medical information.
Additional change:

Required disclosure, in the privacy notice, of whether information de-identified under HIPAA has been disclosed in the preceding 12 months and if so, whether it had been de-identified using the “expert method” or the “safe harbor method.”

For additional insights on the interplay between HIPAA and CCPA, check out previous posts on this blog looking at health organizations’ overall exposure to CCPA and the law’s interaction with HIPAA, as well as the California Attorney General’s comments that his office would focus early enforcement efforts on how large companies handle sensitive personal information such as PHI.

Details on the Senate Amendment are available on the California Legislative Information website.