1. HIPAA Privacy Rule
The HIPAA Privacy Rule, last modified on December 10, 2020, establishes national standards to protect the medical records and personal health information of individuals. It applies to health plans, health care clearinghouses, and health providers that transfer medical information electronically. The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
2. HIPAA and CCPA
The California Consumer Privacy Act (CCPA) is a sweeping consumer privacy law passed in California that is transforming the landscape of data management and consumer privacy protections across industries. To understand where HIPAA intersects with emerging data privacy laws, a comparison with CCPA is a good place to start.
AB-713, signed into law by California Gov. Gavin Newsom, relaxed some CCPA compliance requirements for the health care and life science industries, bringing the CCPA into closer alignment with HIPAA. As assessed by JDSupra, the amended law provides for:
- further exemptions for de-identified patient information;
- expanded consumer privacy notice requirements concerning de-identified patient information;
- a research exemption; and
- a limited exemption for HIPAA business associates.
3. De-Identified Information vs. Personal Information
Under HIPAA, health information can be exchanged between health providers or health researchers so long as it is "de-identified". The same is true of the large-scale clinical trial data that drugmakers submit when applying for FDA approval of pharmaceutical products. HIPAA recognizes two de-identification methods: Safe Harbor, which requires removing the patient's name and the other enumerated identifier categories (among them full birth dates, complete ZIP codes, contact details and record numbers), and Expert Determination, under which a qualified expert documents that the risk of re-identification is very small. Demographic information such as age, race, ethnicity and marital status is usually retained in these records, and can be an important data point for understanding the impact of certain treatments or drugs on different populations.
"Personal information" is a broader category in CCPA and similar consumer privacy laws. It encompasses demographic information, personally identifying information, and analytical information about individuals derived from their personal information (companies often create customer profiles based on data analysis). That last category matters, because HIPAA does not necessarily protect information that is derived from de-identified patient data.
As discussed below, the HIPAA model, which stops protecting health data once it is de-identified, is in important ways inadequate to protect personal information.
4. HIPAA Exemptions Don’t Extend As Far As You May Think Under CCPA
The line between information collected in connection with a healthcare company's sale of products and services and personal health information about a consumer can get blurry inside the complex data ecosystems of hospitals, health insurance providers, and other industry players. A recent study published in Health Policy and Technology found that the interplay of the two laws creates confusion for healthcare companies. The study's researchers explained that "several types of data collected by HIPAA-compliant healthcare organizations potentially fall within the jurisdiction of the CCPA, but there is significant regulatory ambiguity around such data." Essentially, HIPAA exemptions end where healthcare companies collect personal information that is not "protected health information".
HIPAA exemptions may also not extend to derivative data based on personal information, or to vendor relationships that involve sharing personal information protected by CCPA. The challenge for health companies that already comply with the HIPAA Privacy Rule is identifying which classes of information fall outside HIPAA but are protected by CCPA, and properly managing compliance for those classes. These matters are addressed more directly in the California Privacy Rights Act of 2020.
5. Using De-Identified Data Can Lead to Privacy, Security and Compliance Issues
Avoiding CCPA compliance by virtue of using de-identified information about patients and healthcare recipients is unlikely to hold up to scrutiny. As the Privacy Log Blog explains, "CCPA does not restrict a business from collecting, using, retaining, selling, or disclosing consumer information that is de-identified or aggregated. However, the CCPA establishes a high bar for claiming data is de-identified. Another problem with de-identification is that de-identification does not always work. Sophisticated hackers and data specialists can often reverse engineer datasets and figure out the individual from whom the data was collected. This scenario is a real problem that healthcare companies face, and it is possible regulators could hold companies responsible for a privacy breach resulting from this type of failed de-identification."
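The failure mode described above, and the retained-demographics point from section 3, can be shown concretely with a linkage attack: a record set that has had names stripped but keeps ZIP code, birth date and sex is joined against a public dataset that still carries names. The following is an added example (not code from the article or from any of the sources it cites); every record in it is constructed toy data, and the `generalize` step only approximates the date and ZIP handling of HIPAA's Safe Harbor method, without checking the population conditions Safe Harbor attaches to 3-digit ZIP prefixes.

```python
"""Linkage (re-identification) attack on a "de-identified" record set,
then a re-check after the quasi-identifiers are generalized.

Added example, not part of the original article. All records are constructed.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: demographic columns kept "for analysis" that, combined,
# can single out a person even after name, SSN and record number are removed.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed clinical export: direct identifiers stripped, demographics kept.
DEIDENTIFIED = [
    {"zip": "02138", "dob": "1961-07-04", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1961-11-20", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02141", "dob": "1975-02-14", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "dob": "1975-09-30", "sex": "M", "diagnosis": "depression"},
    {"zip": "02140", "dob": "1961-03-01", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public dataset that carries names (a voter roll is the classic source).
PUBLIC = [
    {"name": "Alice Example", "zip": "02138", "dob": "1961-07-04", "sex": "F"},
    {"name": "Bob Sample",    "zip": "02141", "dob": "1975-02-14", "sex": "M"},
    {"name": "Carol Example", "zip": "02141", "dob": "1975-02-14", "sex": "F"},
    {"name": "Dan Sample",    "zip": "02142", "dob": "1975-09-30", "sex": "M"},
    {"name": "Erin Sample",   "zip": "02142", "dob": "1975-09-30", "sex": "M"},
]


def quasi_key(record, quasi=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values an attacker would join on."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group size over all quasi-identifier combinations.
    k == 1 means at least one row is unique in the release and can be targeted."""
    counts = Counter(quasi_key(r, quasi) for r in records)
    return min(counts.values())


def link(deidentified, public, quasi=QUASI_IDENTIFIERS):
    """Re-identify rows whose quasi-identifiers are unique in the release and
    match exactly one named public record. Returns {row_index: name}."""
    release_counts = Counter(quasi_key(r, quasi) for r in deidentified)
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[quasi_key(p, quasi)].append(p["name"])
    hits = {}
    for i, r in enumerate(deidentified):
        key = quasi_key(r, quasi)
        if release_counts[key] == 1 and len(names_by_key.get(key, [])) == 1:
            hits[i] = names_by_key[key][0]
    return hits


def generalize(record):
    """Coarsen the quasi-identifiers: ZIP to its 3-digit prefix, birth date to year.
    This approximates Safe Harbor's treatment of ZIPs and dates only; the
    population threshold Safe Harbor requires for 3-digit ZIPs is not checked."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


def run_attack(deidentified=DEIDENTIFIED, public=PUBLIC):
    """Return (k before, hits before, k after, hits after) for the linkage attack."""
    before = link(deidentified, public)
    gen_release = [generalize(r) for r in deidentified]
    gen_public = [generalize(p) for p in public]
    after = link(gen_release, gen_public)
    return k_anonymity(deidentified), before, k_anonymity(gen_release), after


if __name__ == "__main__":
    k0, hits0, k1, hits1 = run_attack()
    print(f"raw release: k={k0}, re-identified rows {hits0}")
    print(f"generalized release: k={k1}, re-identified rows {hits1}")
```

On the raw release every row is unique (k = 1) and two rows join to exactly one named person each; after generalizing ZIP and birth date every combination appears at least twice (k = 2) and the join yields nothing. The check a practitioner wants before calling a dataset "de-identified" is the `k_anonymity` number on the columns they intend to keep, not the absence of a name column. Note also that uniqueness within the public dataset is not proof of identity, since that dataset is itself incomplete; `link` therefore requires the combination to be unique on the release side as well.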