Well, remember the issues around what the “HIPAA exemption” in the California Consumer Privacy Act (CCPA) really applied to? We wrote about it here all the way back in May 2019.
Turns out our impression was correct – so correct that California just passed a law to correct it! Here’s the skinny:
On September 5, 2020, the California Legislature passed Assembly Bill 713, which amends the CCPA. The bill creates a new exemption for business associates, in parallel to the 2018 CCPA health care provider exemption. It covers not only PHI but also the processing of a wide range of “patient information,” as long as that information is protected in the same manner as medical information or PHI.
AB713 could be effective as early as September 30th
Because AB713 has an emergency clause, if Governor Newsom signs the bill by September 30, it will go into immediate effect.
However, if you’re a business that’s proactively planning for the California Privacy Rights Act (CPRA) ballot initiative, be aware that AB713 does not directly conflict with CPRA’s provisions. That means that the business associate CCPA exemption is likely to remain in effect regardless of whether or not California voters approve the CPRA this November.
Worried about how to deal with your business’s data privacy policies & procedures in the wake of CCPA? Talk to Julia Huddleston, CIPP, CIPM about your concerns. You can reach her at 503-384-2538.