Last Thursday, the California Attorney General, Xavier Becerra, released the long-awaited text of the proposed California Consumer Privacy Act (CCPA) regulations. Once finalized, these 24 pages of regulations will govern compliance with the CCPA. While the draft regulations provide insight into how regulated entities must address verification of consumer requests and clarify aspects of how to notify consumers of their rights, among other things, they notably do not address or provide any guidance regarding the three exemptions most relevant to the health care industry, biotechnology companies, and drug and device manufacturers.
Untouched, unexplained and still as ambiguous as ever were the Health Insurance Portability and Accountability Act (HIPAA), California Medical Information Act (CMIA), and clinical research exemptions. As discussed below, the industry has grappled with interpretation and application of these provisions due to missing definitions and uncertainty in statutory construction.
As set forth in the statute, the HIPAA exemption states that the obligations imposed by the CCPA are not applicable to protected health information (PHI) collected by a “covered entity” or “business associate” governed by the privacy, security and breach notification rules issued pursuant to HIPAA. The exemption also provides that HIPAA-covered entities are not subject to the CCPA to the extent that they “maintain patient information in the same manner as medical information or protected health information.” A primary source of uncertainty that was left unaddressed by the proposed regulations, however, is whether other types of personal information held by these entities remain subject to the CCPA. To this end, the proposed regulations do not define “patient information,” and thus it remains unclear whether the HIPAA exemption would exempt non-PHI held by these types of entities.