Careers

Experiences

Industries

Offices

Our Firm

Pages

Our People

Updates

Practices

Warner Norcross + Judd LLP is a corporate law firm with over 230 attorneys serving clients in nine offices throughout Michigan. Among the largest law firms in Michigan, Warner works in virtually all areas of business law.

Michigan Law Firm - Warner Norcross + Judd LLP

California recently enacted an amendment to the California Consumer Privacy Act (CCPA) to clarify how the law interacts with the Health Information Portability and Accountability Act (HIPAA). This change may affect: (1)&nbsp;employers who sponsor group health plans that cover California residents; (2)&nbsp;health care providers, insurers and other HIPAA covered entities who treat or cover California residents; and (3)&nbsp;HIPAA business associates who have information about California residents.

contentpilot/introduction

The CCPA applies to certain for-profit businesses that collect personal information about California residents. A business that is subject to the CCPA must disclose its data collection and sharing practices; must respond to certain requests by California residents about their information; and, if the business sells personal information, must give California residents the right to opt out of the sale of their information. For more information about the CCPA, and which businesses are subject to its requirements, see our prior article&nbsp;<a href="https://www.wnj.com/Publications/Preparing-for-the-California-Consumer-Privacy-(1)">here</a>. &nbsp; Under the recent amendment:

core/paragraph

Medical information governed by the California Confidentiality of Medical Information Act (CMIA) or by HIPAA, including deidentified data derived from the medical information, is exempt from the CCPA’s requirements.

core/list-item

To the extent that deidentified data derived from medical information is reidentified, the reidentified data loses its exemption under the CCPA and also becomes subject to HIPAA and the CMIA.

In situations involving sale or licensing of deidentified data derived from medical information, the business selling or licensing the deidentified data:&nbsp;Must disclose to California residents the fact that it sells or licenses deidentified data derived from medical information and whether the information was deidentified under one of the methods described in HIPAA regulations.

If one of the parties to the sale or licensing agreement is residing in or doing business in California, then by January 1, 2021, the contract must include certain restrictions on the reidentification of the information.

core/list

Note that the CCPA broadly defines “sale” to include any disclosure or sharing of data for monetary or other consideration. While the CCPA does not define “license,” the term can broadly refer to any kind of contractual consent. Some HIPAA business associate agreements authorize a business associate to deidentify the covered entity’s information and then grant permission to the business associate to use that deidentified information for the business associate’s own purposes. A court could construe a HIPAA business associate agreement that grants the business associate express or implied permission to use deidentified data as authorizing a “sale” or a “license” of deidentified medical information, requiring the additional disclosures and the contractual terms described above. &nbsp; Businesses should move quickly to evaluate the potential impact of the new law, as it is effective immediately and requires that agreements be amended by January 1, 2021. A business should consider whether it is subject to the CCPA or does business with a customer that is subject to the CCPA, whether it shares or receives deidentified information derived from medical information, or whether it shares medical information with or receives medical information from another business that is then deidentified. Even businesses that are not subject to HIPAA may have to comply with these new requirements. &nbsp; If you need assistance with this new law or with the CCPA generally, please contact Norbert Kugele, Kelly Hollingsworth, Stephanie Grant or any other member of Warner’s Cybersecurity and Privacy or Employee Benefits/Executive Compensation Practice Groups.

Senior Counsel

Stephanie H. Grant

Partner

Kelly R. Hollingsworth

Of Counsel

Norbert F. Kugele

Cybersecurity and Privacy

Employee Benefits

New California Law Requires Contract Amendments

Warner Norcross + Judd LLP is responsible for the contents of our advertising and this website. Please read our full <a href="/privacy-policy/" aria-label="see privacy policy">privacy policy</a> available on our website. If you have any questions or comments about our website or our Privacy Policy please contact us at <a href="mailto:info@wnj.com">info@wnj.com</a> or 616.752.2000.

New California Law Requires Contract Amendments

professionals