Is the HIPAA Exemption Enough? A Look at the Impact of New California and Virginia Privacy Laws on Healthcare and Life Sciences Entities
Footnotes for this article are available at the end of this page.
With the recent enactment of Virginia’s Consumer Data Privacy Act (VCDPA), and similar bills under consideration in several state legislatures, healthcare and life sciences companies are considering how these new laws are likely to impact their operations. The VCDPA follows the California Consumer Privacy Act (CCPA), the first “general” data privacy law in the U.S., which has been in effect since January 1, 2020. The VCDPA is similar, though not identical, to the CCPA and will take effect January 1, 2023, the same day that the California Privacy Rights Act (CPRA), which California voters adopted through a ballot initiative in November 2020, will replace and expand the CCPA. These new laws regulate the processing of personal information about state residents, require businesses to provide public-facing privacy notices, and give individuals the right to access, correct, delete, and limit the sale or sharing of their personal information. In addition, though not addressed in this article, the Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and will take effect on July 1, 2023. For our prior discussion of the CCPA, CPRA, and VCDPA, see here, here, and here, respectively.
These new laws are not always straightforward as to whether—or to what extent—they apply to healthcare or life sciences companies. Therefore, each organization should consider whether it satisfies the general applicability requirements of these laws. If an organization meets the applicability requirements, it is still possible that some, or perhaps all, of its processing of personal information may be exempt from coverage. Key exemptions that may benefit healthcare and life sciences companies, discussed further below, include exemptions for non-profits, HIPAA exemptions, de-identified data exemptions, clinical trial exemptions, as well as exemptions for certain employment and business-to-business situations.
General Applicability Thresholds
The CCPA applies to any “business” that (i) has annual gross revenues over $25 million; (ii) annually processes the personal information of 50,000 or more California residents or households (increased to 100,000 by the CPRA); or (iii) derives 50% or more of its annual revenue from selling California residents’ personal information.[1] The “annual gross revenues” prong of the California definition of “business” potentially captures national and multinational organizations that process personal information about only small numbers of California residents. The CCPA and CPRA also regulate the activities of “service providers” to covered businesses, so healthcare and life sciences entities that provide services to businesses subject to the CCPA and CPRA may also have compliance obligations under these laws.
The VCDPA applies to any business that (i) during a calendar year, controls or processes the personal data of 100,000 or more Virginia residents; or (ii) controls or processes the personal data of 25,000 or more Virginia residents and derives over 50% of gross revenue from the sale of personal data.[2] Importantly, annual gross revenue alone is not sufficient to make a business subject to the VCDPA. As with the CCPA and CPRA, the Virginia law also imposes obligations on service providers (“processors” in VCDPA terms) that process personal data about Virginia residents for covered businesses.
However, healthcare and life sciences organizations that meet the general applicability requirements for businesses or controllers may benefit from one or more of the laws’ full or partial exemptions, discussed below.
The CCPA and CPRA apply only to for-profit organizations.[3] Drafted inversely, but having the same effect, the VCDPA does not apply to non-profit organizations.[4] Even though non-profit organizations are exempt, it is still important for them to have an awareness and general understanding of these laws because they may find themselves on the receiving end of a request made by a consumer who assumes these laws apply to all organizations. Exempt entities may also be expected by vendors and other partners to comply with these laws, and may be contractually obligated to do so. It also warrants mentioning that under the CCPA, an otherwise exempt entity, such as a non-profit hospital, is subject to the CCPA if it is controlled by, and shares common branding with, a business to whom the CCPA applies.[5] Under the CPRA, the same is true, so long as personal information is also shared between the businesses.[6]
The CCPA, CPRA, and VCDPA each contain a HIPAA exemption, but the scope of the exemption differs in California and Virginia. The CCPA and CPRA exempt protected health information (PHI)—as the term is defined by HIPAA—that is collected by a covered entity or business associate that is governed by HIPAA.[7] The VCDPA, by contrast, exempts the entire covered entity or business associate that is governed by HIPAA (rather than just the PHI that is subject to HIPAA).[8] Because the CCPA and CPRA exemption applies only to PHI, other personal information about California residents is not subject to this exemption. Personal information collected through websites or mobile applications that is not PHI would not be subject to this particular exemption, for example.
The CCPA and CPRA also exempt other “patient information” to the extent that a covered entity or business associate maintains it “in the same manner” as it maintains PHI.[9] In practice, though, this exemption might not completely remove an organization from the CCPA or CPRA’s reach unless the organization maintains all personal information collected about an individual, including, for example, an IP address or geolocation data collected during visits to the organization’s website, in the same manner as it maintains PHI. Moreover, the wording of the exemption suggests that it might apply only to information about patients of the organization.
The CCPA and CPRA also have a state law exemption that parallels their HIPAA exemption. They exempt “medical information”—as the term is defined under California’s Confidentiality of Medical Information Act (CMIA)—as well as a “provider of health care” covered by the CMIA to the extent the provider maintains “patient information in the same manner” as medical information.[10]
De-identified Data Exemptions
The CPRA and the CCPA both include exemptions for “de-identified” information, but the definition differs slightly in each.[11] For example, under the CPRA, businesses are required to publicly commit not to re-identify de-identified information and to contractually obligate any recipients of de-identified information to comply with the CPRA.[12] The CPRA and CCPA also separately exempt information that (i) has been de-identified in accordance with HIPAA (i.e., using the expert determination or safe harbor method); and (ii) is derived from patient information that was originally maintained by an entity regulated by HIPAA, the CMIA, or the Common Rule.[13] In the CCPA, this exemption is only partial because the CCPA still requires the business to disclose whether it sells or discloses the de-identified health information.[14]
The VCDPA also includes exemptions for de-identified data. The VCDPA’s definition of “personal data” excludes “de-identified data,” which it defines as “data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.”[15] Similar to the CPRA, the VCDPA requires an organization to publicly commit not to re-identify de-identified data and to contractually obligate any recipients to comply with the VCDPA.[16] The VCDPA also separately exempts “information derived from [healthcare-related information] that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.”[17]
Clinical Trial Exemptions
The CCPA, CPRA, and VCDPA also contain exemptions for clinical trial data. The CPRA exempts “personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by [the CPRA], and if it is inconsistent, that participants be informed of that use and provide consent.”[18] The CCPA exemption language differs slightly from the CPRA exemption language, but is similar.
The VCDPA provides a similar exemption for clinical trial data, exempting “identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under [certain FDA regulations], or personal data used or shared in research conducted in accordance with the requirements [of the VCDPA], or other research conducted in accordance with applicable law.”[19]
Employment and B2B Exemptions
Data collected about employees and job applicants (“employment data”) and personal data exchanged in a business-to-business context (“B2B data”) are partially exempted from the CCPA and CPRA until January 1, 2023, but it remains to be seen whether the partial exemption will be extended past that date by amendment.[20] The exemption is partial because (i) employees and applicants residing in California are still entitled to a CCPA privacy notice explaining the information the business collects and discloses about them, and (ii) the CCPA’s security breach provisions still apply with regard to employment data (i.e., the private right of action in the event of a data breach is afforded to employees as well as consumers).[21] The VCDPA, on the other hand, definitively exempts employment data and B2B data.[22]
As the patchwork of data privacy laws in the United States continues to grow in complexity, healthcare and life sciences companies should consider, if they have not already done so, whether the CCPA, CPRA, and/or VCDPA apply to their organizations and, if they do, take the steps needed to comply with them. While there are differences between the California and Virginia laws, and the Colorado Privacy Act for that matter, many of the consumer rights they grant and business obligations they impose are similar, and other bills that may be enacted in the not too distant future—whether at the state or federal level—will likely draw on the same principles. Thus, organizations that come into compliance with these laws will be well-positioned to build on that framework in the future as the legal landscape continues to evolve.
For assistance assessing whether state general data privacy laws apply to your healthcare or life sciences organization, please contact members of Arnall Golden Gregory’s Data Privacy team, Kevin L. Coy or Erin E. Doyle.
Footnotes
1. Cal. Civ. Code § 1798.140(c), (d).
2. Va. H.B. 2307 § 59.1-572(A) (2021).
3. Cal. Civ. Code § 1798.140(c), (d).
4. Va. H.B. 2307 § 59.1-572(B)(iv) (2021).
5. Cal. Civ. Code § 1798.140(c).
6. Id. at § 1798.140(d).
7. Id. at § 1798.145(c)(1)(A).
8. Va. H.B. 2307 § 59.1-572(B)(iii) (2021).
9. Cal. Civ. Code §§ 1798.145(c)(1)(B); 1798.146(a)(2)-(3).
10. Id. at §§ 1798.145(c)(1)(A), (B); 1798.146(a)(2)-(3).
11. Id. at § 1798.140(h), (m).
12. Id. at § 1798.140(m).
13. Id. at § 1798.146(a)(4).
14. Id. at § 1798.130(a)(5)(D).
15. Va. H.B. 2307 § 59.1-571 (2021).
16. Id. at § 59.1-577(A).
17. Id. at § 59.1-572(C)(7).
18. Cal. Civ. Code § 1798.145(c)(1)(C).
19. Va. H.B. 2307 § 59.1-572(C)(4) (2021).
20. Cal. Civ. Code § 1798.145(h)(1), (m)(1).
21. Id. at § 1798.145(h)(3).
22. Va. H.B. 2307 § 59.1-571 (2021).
- Kevin L. Coy
- Erin E. Doyle