This is the sixth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come.
We describe below these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
The CCPA includes several exemptions that may permit health and life sciences companies to limit their compliance obligations or exempt their activities entirely. The exemptions that are particularly important for health and life sciences companies include:
Determining the scope of each of these exemptions and how they apply to a company will require careful analysis.
As a starting point, determine whether the company qualifies as a business under the CCPA’s definition or whether it may be subject to the CCPA through its relationships with for-profit businesses.
The CCPA imposes obligations on for-profit “businesses” that meet specific threshold requirements. The CCPA does not appear to apply to non-profit entities, which may include hospitals and research institutions that do not operate “for the profit or financial benefit” of their owners.
However, even organizations that do not qualify as a “business” may nonetheless need to evaluate their data sharing arrangements and partnerships with CCPA-covered entities. For example, a non-profit research institution that is controlled by a for-profit business and shares common branding or a non-profit charitable subsidiary of a for-profit parent company may be subject to the CCPA.
Depending on the nature of the relationship and types of activities the non-profit engages in, the non-profit could also be subject to certain requirements under the CCPA as a third party.
As part of a company’s assessment, identify what types of personal information the company collects and the different manners in which it maintains the data.
The CCPA exempts all “protected health information” (PHI) collected by “Covered Entities” and “Business Associates” subject to HIPAA. It also exempts any patient information maintained by a Covered Entity to the extent the Covered Entity maintains the patient information in the same manner as PHI.
Together, these exemptions emphasize the need to clearly identify whether and how HIPAA applies to a company’s operations. As a company evaluates how the HIPAA exemption may apply to its activities consider:
Importantly, the CCPA does not categorically exempt all data-related operations of Covered Entities and Business Associates. Instead, the CCPA expressly exempts PHI collected by a Covered Entity or Business Associate that is governed by HIPAA. Data that is not PHI is not automatically exempted even if it is maintained by a Covered Entity or Business Associate. Data that is maintained by a Covered Entity “in the same manner” as PHI under HIPAA also is exempt, but the scope of this exemption is not clear—and Business Associates are not expressly listed in this exemption.
As a result, companies subject to HIPAA should carefully analyze what patient information they maintain as PHI and what patient information they maintain outside of HIPAA. For example, information obtained pursuant to certain authorizations, types of research data, or other HIPAA-exempt information like workers’ compensation data may not be governed by HIPAA or maintained in the same manner as PHI. This data may not be eligible for the CCPA exemption.
Revisit determinations of what data and portions of a company are subject to the CMIA and re-evaluate this analysis in light of the CCPA.
The CCPA also exempts “medical information,” as well as a “provider of health care” covered by the CMIA to the extent the provider maintains patient information in the same manner as medical information. Determining what is medical information and who is a provider of health care under the CMIA have long been complicated assessments for health and life science companies such as pharmaceutical and device manufacturers.
It will be important for a company to assess the scope of the CMIA’s application to its activities and various types of data. Some considerations in making that assessment:
Similar to HIPAA, the CCPA does not exempt all data-related operations of a CMIA-covered provider of health care. Instead, the CCPA expressly exempts medical information collected by a provider of health care that is governed by the CMIA. Patient information is exempt only if it is maintained by a provider of health care in the same manner as medical information under the CMIA.
For companies that conduct research, evaluate research studies and clinical trials to determine the extent to which the clinical trial exemption applies.
The CCPA exempts information collected “as part of a clinical trial,” to the extent the clinical trial is subject to the Federal Policy for the Protection of Human Subjects (the Common Rule), pursuant to the clinical practice guidelines issued by the International Council for Harmonisation or the human subject protection requirements of the U.S. Food and Drug Administration.
Common Rule requirements generally apply to biomedical and/or behavioral research involving human subjects and outline the criteria and mechanisms for Institutional Review Boards’ evaluation of human subjects research. The Common Rule, however, does not automatically apply to all clinical trials, but rather to human subjects research conducted or supported by a federal department or agency.
Non-government-funded clinical trials and research organizations often adhere to the Common Rule voluntarily. The CCPA does not identify if voluntary adherence to the Common Rule will bring the clinical trial data within the scope of the exemption. Some may wish to clarify this through further legislative amendments or future guidance.
In the meantime, identify the types of research and clinical trials the company engages in and determine whether these activities are subject to, or comply with, the Common Rule’s requirements.
While the company may have existing practices for accommodating individual rights, evaluate existing procedures for responding to new individual rights requests and develop additional policies where necessary.
The CCPA grants individuals new rights with respect to their personal information including the right to access, request deletion, be informed of certain transactions, opt-out of or opt-in to sales, and receive equal service and price even if they exercise their rights. It also provides a limited private right of action related to data breaches.
Covered Entities and Business Associates are familiar with responding to individuals’ rights requests under HIPAA and have processes in place to receive, verify, and respond to rights requests that are likely more advanced than companies not subject to HIPAA.
These HIPAA obligations will likely remain unaffected because PHI maintained by Covered Entities or Business Associates is eligible for the CCPA exemption. As noted above, however, Covered Entities and Business Associates may maintain data not subject to HIPAA that may be subject to the new CCPA rights requirements. In these cases, Covered Entities and Business Associates may need to reevaluate their processes for responding to individual rights requests so that they adhere to HIPAA, the CCPA, and other applicable requirements. Entities not subject to HIPAA will need to institute procedures for responding to the individual rights granted by the CCPA.
If the company collects and maintains deidentified data, identify and evaluate the methods for deidentification and map the resulting deidentified data to the CCPA’s definitions and requirements.
The CCPA and HIPAA articulate different standards for deidentified data. As a result, it is possible to read the two standards and identify circumstances where data may be considered deidentified according to HIPAA’s Privacy Rule, yet not deidentified under the CCPA’s definition. Additionally, deidentified health information that meets HIPAA’s standard of deidentification is no longer PHI and may then fall out of the HIPAA exemption and into the CCPA if it is not considered deidentified under the CCPA.
The CCPA does not apply to “deidentified” data, defined by the CCPA as information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a company that uses deidentified information:
While aspects of this definition will be familiar to those used to the HIPAA standard for deidentification, the two standards do not entirely overlap, and the CCPA does not explicitly acknowledge that information considered deidentified by HIPAA would be sufficient to meet its definition. There may be circumstances and types of data where information could be considered deidentified under HIPAA, while not deidentified under the CCPA.
Nearly all health and life sciences companies engage in data sharing in one form or another. Assess the company’s data sharing arrangements and agreements with third parties and service providers in light of the CCPA’s expansive definition of a “sale.”
As discussed in the Key Terms blog post, the CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” This definition is sweeping and may potentially pick up routine disclosures in the health and life sciences industry.
Data sharing and other types of service provider relationships are common in health care, and, unless an exemption applies, disclosures in those relationships may be considered “sales,” especially when there is monetary or other valuable consideration involved. If these disclosures are “sales,” a number of individual rights will attach.
Authored by Scott Loughlin, Melissa Bianchi, Marcy Wilder and Alyssa Golay.