Last Thursday, the California Attorney General, Xavier Becerra, released the long-awaited text of the proposed California Consumer Privacy Act (CCPA) regulations. Once finalized, these 24 pages of regulations will govern compliance with the CCPA. While the draft regulations provide insight into how regulated entities must address verification of consumer requests and clarifies aspects of how to notify consumers of their rights, among other things, it notably does not address or provide any guidance regarding the three exemptions most relevant to the health care industry, biotechnology companies, and drug and device manufacturers.
Untouched, unexplained and still ambiguous as ever, were the Health Insurance Portability and Accountability Act (HIPAA), California Medical Information Act (CMIA), and clinical research exemptions. As discussed below, the industry has grappled with interpretation and application of these provisions due to missing definitions and uncertainty in statutory construction.
As set forth in the statute, the HIPAA exemption states that the obligations imposed by the CCPA are not applicable to protected health information (PHI) collected by a “covered entity” or “business associate” governed by the privacy, security and breach notification rules issued pursuant to HIPAA. The exemption also provides that HIPAA-covered entities are not subject to the CCPA to the extent that they “maintain patient information in the same manner as medical information or protected health information.” A primary source of uncertainty that was left unaddressed by the proposed regulations, however, is whether other types of personal information held by these entities remain subject to the CCPA. To this end, the proposed regulations do not define “patient information,” and thus it remains unclear whether the HIPAA exemption would exempt non-PHI held by these types of entities.
Similarly, the CMIA exemption states that providers and medical information subject to CMIA are not subject to the CCPA. However, like the HIPAA exemption, several key terms have been left undefined, and it is unclear whether other information held by entities regulated by CMIA are fair game under the CCPA.
Finally, the clinical research exemption continues to be one of the CCPA’s prominent ambiguities. The statute exempts from its scope information collected “as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation (ICH) or pursuant to human subject protection requirements of the United States Food and Drug Administration.” It remains unclear whether only clinical trials conducted pursuant to the federal Common Rule or the other standards are exempt, or if this statutory provision also applies to privately funded research. Following publication of the new regulations, disappointment was palpable, as stakeholders had requested regulations providing that research conducted according to any of the following standards be exempt: the federal Common Rule, the ICH Good Clinical Practice standards, or Food and Drug Administration human subject protection standards.
However, time is not up yet, these regulations are not final, and there is opportunity for submission of public comments. The California Attorney General will hold public hearings in early December, and will accept written comments through December 6.
To read more about the significant changes posed in the draft regulations or to learn how to submit a public comment, click here.