California lawmakers recently passed legislation that amends the California Consumer Privacy Act.
“The most significant outcome of AB 713’s passage is that, pending California Gov. Gavin Newson’s signature, information that is deidentified is exempt from regulation under the CCPA if the information is (1) derived from patient information that is protected under HIPAA, the California Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule; and (2) created pursuant to either the HIPAA expert determination method or the HIPAA Safe Harbor method. While the CCPA exempts deidentified information as defined in Cal. Civ. Code 1798.140(h) that definition did not align with the HIPAA deidentification standard, which led to confusion regarding the applicability and scope of the exemption.”
“Businesses that sell or disclose such information must state this in their privacy policy… If HIPAA deidentified information is sold or licensed after Jan. 1, 2021, to or by a party doing business in California, the contract must include provisions prohibiting the reidentification or further disclose of information.”
Details from the International Association of Privacy Professionals.