September 25, 2020

California Bills Would Expand and Clarify Consumers' Privacy Rights Regarding Health Information

Holland & Knight Alert
Ashley L. Shively

Highlights

  • Two bills related to personal privacy have been passed by the California State Legislature: the Genetic Information Privacy Act (GIPA) and a bill that amends the California Consumer Privacy Act of 2018 (CCPA) to clarify the scope of the exemption for certain types of health information. Both bills will become effective immediately upon the signature of Gov. Gavin Newsom or will automatically take effect on Sept. 30, 2020, if Newsom doesn't sign.
  • GIPA requires direct-to-consumer genetic testing companies to provide certain clear and complete information regarding the company's policies and procedures for the collection, use, maintenance and disclosure of such data.
  • Assembly Bill 713 amends the CCPA to clarify the scope of its exemption for health data, specifying that the CCPA does not apply to medical information governed by the Confidentiality of Medical Information Act (CMIA) or to protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), nor does it apply to a provider of healthcare governed by CMIA or to covered entities and their business associates covered by HIPAA.

Update: Late on Sept. 25, California Gov. Gavin Newsom signed into law AB 713, which clarifies the scope of the California Consumer Privacy Act (CCPA) exemption for health data. However, Newsom vetoed the bill establishing the Genetic Information Privacy Act (GIPA), saying that while he agreed "the sensitive nature of human genetic data warrants strong privacy rights and protections," he was concerned the bill would interfere with the mandatory reporting of COVID-19 test results to public health departments. Newsom directed state health agencies to work with the California Legislature "on a solution that achieves the primary aims of the bill while preventing inadvertent impacts on COVID-19 testing efforts."


Two bills related to personal privacy have been passed by the California State Legislature and are awaiting signature from Gov. Gavin Newsom: the Genetic Information Privacy Act (GIPA) and a bill that amends the California Consumer Privacy Act of 2018 (CCPA) to clarify the scope of the exemption for certain types of health information. Both bills will become effective immediately upon Newsom's signature or will automatically take effect on Sept. 30, 2020, if Newsom doesn't sign, according to California's "pocket pass" provision.

GIPA Imposes New Restrictions on Genetic Testing Companies

GIPA updates the disclosure and deletion rights that genetic testing companies must provide to California residents, irrespective of whether such companies are also covered under the CCPA. Specifically, the Act requires direct-to-consumer genetic testing companies, as well as all other companies that collect, use, maintain or disclose genetic data collected or derived from a direct-to-consumer genetic testing product, to provide consumers with clear and complete information regarding the company's policies and procedures for the collection, use, maintenance and disclosure of such data. Prior to collection, companies must obtain express consent from the consumer, and must obtain additional, separate consent for certain specified actions, such as storing a consumer's biological sample after the initial testing requested by the consumer has been fulfilled, or transferring the consumer's genetic data or sample to a third party other than a service provider.

Companies subject to GIPA must allow a consumer to easily revoke consent, and must honor the revocation as soon as practicable but not later than 30 days after receipt. Companies may not discriminate against a consumer for exercising his or her rights under GIPA.

Finally, testing companies may not disclose a consumer's genetic data to any entity responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance or employment, or to any entity that provides advice to an entity that is responsible for performing these functions.

GIPA does not provide for a private right of action. Violations will be prosecuted only by the California attorney general or local authorities, with negligent violations punishable by a civil penalty of up to $1,000 and willful violations with a penalty between $1,000 and $10,000.

Notably, the Act makes clear that any contract or agreement between a consumer and a GIPA-covered entity that would delay or limit access to a legal remedy will not apply to the exercise of rights or enforcement of GIPA.

Importantly, however, GIPA does not apply to medical information governed by the state's Confidentiality of Medical Information Act (CMIA) or protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), nor does GIPA apply to a provider of healthcare governed by CMIA or to covered entities and their business associates covered by HIPAA. Likewise, certain scientific research or educational activities are exempt, as well as the California newborn screening program.

Amendment to CCPA Clarifies Exemption for Health Information

Assembly Bill 713 amends the CCPA to clarify the scope of its exemption for health data, specifying that the CCPA does not apply to medical information governed by the CMIA or to protected health information covered by HIPAA, nor does it apply to a provider of healthcare governed by CMIA or to covered entities and their business associates covered by HIPAA. Additionally, the CCPA now expressly does not apply to information that is deidentified in accordance with HIPAA or that is collected for, used in or disclosed in research.

Nevertheless, a business that sells or discloses deidentified patient information — even if otherwise exempt from CCPA — must now state in its privacy policy whether such information is derived from patient information and, if so, whether that patient information was deidentified pursuant to HIPAA.

Furthermore, the amendment prohibits businesses from reidentifying, or attempting to reidentify, protected health information or medical information, unless the reidentification falls under a specific exemption, including treatment, payment or healthcare operations, public health activities under HIPAA or research.

Finally, any contract for the sale or license of deidentified information must now include certain provisions, including a statement that the deidentified information being sold includes deidentified patient information, that reidentification is prohibited, and that the purchaser or licensee may not further disclose the deidentified information to any third party unless said third party is contractually bound by the same or stricter conditions.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.
