Deidentified Under HIPAA, But Regulated Under the CCPA

The Health Insurance Portability and Accountability Act (“HIPAA”) establishes standards by which Protected Health Information (“PHI”) may be deidentified.  Upon deidentification, HIPAA generally allows covered entities to use or disclose the information without limitation.  However, states are increasingly passing privacy laws with definitions of personal information expansive enough to arguably incorporate PHI deidentified under HIPAA.  This article summarizes how the California Consumer Privacy Act (“CCPA”) largely exempts deidentified PHI from its scope, while simultaneously imposing new obligations on the handling of such information.

1.      The CCPA’s and HIPAA’s Divergent Understandings of Deidentified Information.  The CCPA excludes deidentified information from its broad definition of personal information.  The Act defines deidentified information as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business [takes several enumerated steps designed to safeguard the information].”  HIPAA, on the other hand, provides a more objective standard for deidentification.  It holds that PHI becomes deidentified upon either: (i) a qualified expert formally making the determination that it is deidentified; or (ii) the removal of specified individual identifiers as well as the absence of actual knowledge by the covered entity that the remaining information could be identifying (this approach is commonly referred to as the “Safe Harbor Method”).

The Office of Civil Rights (“OCR”) has written about the meaning of the covered entity not having “actual knowledge” that the deidentified PHI could be identifying.  It found that there may be situations where researchers could use certain analytic and quantitative methods to identify individuals from PHI deidentified using the Safe Harbor Method.  However, the OCR provided that a covered entity’s mere knowledge of these studies and methods, by itself, does not mean that the covered entity has “actual knowledge” that these methods would be used on the particular deidentified PHI that it is disclosing.  Moreover, the OCR provided that it “does not expect a covered entity to presume such capacities of all potential recipients of de-identified data.”  The CCPA’s deidentification standard, however, makes no exception for a covered entity not having actual knowledge that these analytic and quantitative methods would be used to reidentify the deidentified PHI.  Instead, the CCPA simply asks whether the deidentified information could be reidentified.  As such, the existence of these analytic and quantitative methods suggests that PHI deidentified under the HIPAA Safe Harbor Method may not meet the more onerous (and subjective) deidentification standard established by the CCPA.  The result is that PHI may become deidentified under HIPAA, but yet still be considered personal information under the CCPA.  We note that other commentators have also recognized this distinction.

2.      Amendment to CCPA Helps Harmonize the Difference Between the CCPA’s and HIPAA’s Deidentification Standards.  California passed AB 713 to help remedy the disconnect between the CCPA’s and HIPAA’s definitions of deidentified information.  This amendment reduced the risk that entities using or disclosing PHI deidentified under HIPAA may be using or disclosing personal information as defined under the CCPA.  Specifically, the amendment, inter alia, generally exempted PHI deidentified pursuant to a HIPAA-approved method from the scope of the CCPA.  For this exemption to apply, the deidentified information must be: (i) deidentified in accordance with HIPAA; (ii) derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects (a/k/a the Common Rule); and (iii) shall not be reidentified unless a specific exception applies (e.g. public health activities or research, as defined in HIPAA).  If each of these conditions are not met (e.g. the entity reidentifies the formally deidentified PHI), then the deidentified PHI may be treated as personal information under the CCPA.

However, while the CCPA broadly exempts from its scope deidentified PHI, it does still impose several obligations on entities handling such information.

3.      Businesses Disclosing Deidentified PHI Must Provide Certain Disclosures in their Privacy Policies.  The CCPA requires that all Businesses (as defined under the CCPA) selling or disclosing deidentified PHI must: (i) state that the Business sells or discloses deidentified information derived from PHI; and (ii) disclose the HIPAA-approved method used to deidentify the information (i.e. expert determination or the Safe Harbor Method).  See Cal. Civ. Code § 1798.130(a)(5)(D).  A Business must generally make this disclosure in its online privacy policy.  Interestingly, the Consumer Privacy Rights Act (“CPRA”) does not seem to carry forward this disclosure requirement.  As such, it appears that Businesses will no longer have to publicly disclose their use of deidentified PHI as of January 1, 2023.

4.      Contracts for the Sale or License of Deidentified PHI Must Include Certain Provisions.  The CCPA (and CPRA) requires that contracts for the sale or license of deidentified PHI include the following key provisions:

(i) a statement that the deidentified information being sold or licensed includes deidentified patient information;

(ii) a statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is generally prohibited pursuant to the CCPA; and

(iii) a requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

See Cal. Civ. Code § 1798.140(c)

Of significant note is that this requirement applies whenever one of the contracting parties is a person (broadly understood to include companies and other business organizations) residing or doing business in California.  This is noteworthy as the CCPA generally regulates Businesses and information about residents of California.  Here though, the CCPA requires these license provisions whenever one of the contracting parties is a person residing or doing business in California—regardless of whether the party is a Business or the information relates to residents of California.  This is a substantial departure from the typical scope of the CCPA and may surprise entities that had previously assumed that they did not have compliance obligations under the CCPA because they did not meet any of the thresholds to be considered a Business.  Conceivably, this requirement could even apply to nonprofits.

5.      Practice Points for Entities Disclosing Deidentified PHI.

·         An entity disclosing deidentified PHI may first consider whether the information may satisfy the CCPA’s own definition for deidentified information.  From a CCPA-compliance standpoint, this may be the most desirable approach as it would impose relatively few obligations on the entity.  However, as discussed above, it will likely be difficult for most deidentified PHI to satisfy the CCPA’s deidentification standards.  Instead, entities seeking to disclose deidentified PHI will likely usually have to rely on the CCPA exemption for PHI deidentified pursuant to HIPAA.

·         Until the end of 2021, entities: (i) regulated as Businesses under the CCPA; and (ii) selling or disclosing PHI deidentified under HIPAA, must in their privacy policy: (a) state that the entity sells or discloses deidentified information derived from PHI; and (b) disclose the HIPAA-approved method used to deidentify the information.  As such, these entities acquiring or licensing-in deidentified PHI should be sure they understand which HIPAA-approved deidentification method is used to produce the information.

·         Furthermore, all contracts for the sale or license of deidentified PHI must include the three key provisions referenced above at § 4 whenever one of the contracting parties is an individual or entity residing or doing business in California.  As noted above, this may apply to various entities that are not otherwise regulated under the CCPA.