The California Consumer Privacy Act (“CCPA”) becomes effective in less than a year. That means that for businesses in highly regulated sectors such as pharmaceuticals and life sciences, now is the time to determine precisely how the new law may apply and identify covered processing activities in order to allow timely compliance. This exercise can be challenging for pharmaceuticals and biotechs due to a lack of clarity around the law’s application to the use of personal information by entities regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), the California Confidentiality of Medical Information Act (“CMIA”) and in clinical trials subject to the Common Rule. Such organizations should first understand the application of the Act and its exemptions, then proceed to identify applicable data sets, and finally build solutions to implement applicable CCPA requirements into their existing privacy programs.
The CCPA’s Applicability and Exemptions
The CCPA generally applies to all businesses that (1) have annual gross revenues exceeding $25 million; (2) annually buy or receive for commercial purposes, or sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information. CCPA definitions for terms such as “Consumer” (any natural person who is a California resident) and “Personal Information” (information that identifies, relates to, describes, or can be associated with or linked, directly or indirectly, with a Consumer or household) result in a broadly applicable Act with expansive reach.
The CCPA, however, exempts from its requirements personal information processed pursuant to the HIPAA, the CMIA and certain clinical trials. Importantly, the CCPA does not provide a blanket exemption for all processes involving patient or health information. There will be instances in which pharmaceutical and life science companies must assess whether their use of personal information falls outside the scope of applicable exemptions, making CCPA requirements applicable. Particular attention should be focused on the processing of personal information about health care providers and patients that falls outside the provision of clinical research or health care services (e.g., customer service management or sales and marketing activities).
The HIPAA Exemption
The CCPA’s HIPAA exemption applies to “Protected Health Information” (“PHI”) collected and used by HIPAA “Covered Entities” and “Business Associates”. “Covered Entities” are further exempt to the extent that they maintain non-PHI patient information in the same manner as PHI.
In most instances pharmaceutical and life science companies do not provide health care services or related transactions and are, therefore, not Covered Entities or Business Associates when processing patient information. Of course, there may be limited instances where larger pharma or biotech companies provide benefits such as employee health services, which would bring such entities firmly under HIPAA rules. Typically, however, these entities use PHI for activities such as analyzing medical research data, providing patient assistance programs, or reporting adverse events.
While it is relatively unusual for pharmaceutical and life science companies to act as a Business Associate with a duty to adhere to the HIPAA privacy and security requirements, this does occur in certain instances. This is the case, for example, when a life science company provides a software application for the benefit of healthcare providers to exchange electronic test and treatment information on an electronic patient dashboard. It may also occur in the rare instances when a pharmaceutical company is directly involved in patient care and obtains PHI from a health care provider to consult him/her on the appropriate dosage or treatment period for its drugs.
With the exception of the limited (and similar) examples included above, pharma and biotech companies do not commonly process PHI as covered entities or business associates. Thus, the HIPAA exemption will only need to be sought in very limited circumstances.
The CMIA Exemption
The CCPA also exempts “Medical Information” as defined by the CMIA. The exemption also extends to general patient information held by “Providers of Health Care” to the extent they maintain such information in the same manner as Medical Information.
Under the CMIA, the term Medical Information aligns with the HIPAA definition of PHI, but specifically expands the definition to include health information held by pharmaceutical companies or contractors (e.g., medical groups, independent practice associations, pharmaceutical benefits managers, or medical service organizations).
As with HIPAA, there are limited instances in which pharmaceutical and life sciences entities directly process identifiable patient health information (e.g., health information processed during adverse event reports or patient speaker engagements). Also, because pharmaceutical and life sciences entities will generally not hold such personal information as providers of health care, instances in which they will seek to apply the CMIA exemption should be relatively rare.
The Clinical Trial Exemption
Personal information collected as part of a clinical trial is also exempt from the CCPA requirements for trials subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule. The Common Rule applies only to federally-funded research. However, privately funded organizations typically adhere to the Rule as well. While it would clearly be beneficial for organizations involved with privately funded research to take advantage of the CCPA exemption, guidance supporting the applicability of the rule to such clinical trials has not yet been published. Furthermore, it is uncertain whether the exemption merely applies to patient information or personal information of all individuals involved in a clinical trial (e.g. trial site staff and investigators).
While awaiting clarification on the scope of the exemption, and in order to be prepared for CCPA compliance with personal information in clinical trials, pharmaceuticals and clinical research organizations should start to assess personal information collected in clinical research and determine whether they are subject to the Common Rule.
In-Scope Personal Information
A careful review of the CCPA exemptions and the laws that they reference is essential to determining exactly what personal information commonly processed by pharmaceutical and life sciences entities falls within the scope of the Act, and which data might be exempt. Processing activities that appear to fall firmly within the Act include, for example:
- Processing personal information about California healthcare professionals (e.g., for sales and marketing purposes, at medical conferences, in key opinion leader management, or for speaker engagements);
- Processing personal information about California patients that is not related to a patient’s medical history, mental or physical condition, or treatment (e.g., some medical information requests or collection of patient names for consumer marketing activities);
- Processing of personal information about clinical trial subjects of a privately funded clinical trial;
- Processing of personal information about investigators, trial site staff, consultants and other individuals involved in a privately funded clinical trial;
- Processing of personal information about California employees of, or job applicants to, pharmaceutical or life science companies; and
- Processing of personal information about California business contacts, such as employees of vendors or other business partners.
Locating In-Scope Personal Information and Responding to CCPA Requests
In anticipation of the CCPA becoming effective in 2020, pharmaceutical and life science companies should begin efforts to locate in-scope data sets and should develop and implement detailed process workflows to prepare for CCPA notice and consumer right requirements. Such workflows should map out all required actions and include details of the locations of in-scope personal information and the third parties with which such information is shared. For more information on these tasks, see our blog post on “Operationalizing CCPA Compliance: Know Your Data and Establish Detailed and Practical Workflows”.
The readiness process should also include an evaluation of the circumstances in which a pharmaceutical and life science company is not required to comply – or may be exempt from complying – with a consumer request. For example, in addition to the specific exemptions detailed above, a pharmaceutical company may not need to fulfill a consumer’s request for deletion when the consumer has initially provided informed consent and the deletion request would render impossible or seriously impair the achievement of research in the public interest. Likewise, pharmaceutical or life science companies do not need to comply with a deletion request if they need the information to enable solely internal uses that are reasonably aligned with the expectations of the consumer, to comply with a legal obligation (e.g., adverse event or financial transparency reporting), or otherwise to use the personal information in a lawful manner that is compatible with the context in which the consumer provided the information to the company (e.g., using information for a related research project).
While the September 2018 amendments to the CCPA provided a bit more clarity with regard to potential exemptions in the life sciences industry, pharma and biotech entities should not underestimate the CCPA’s application to their data sets. Gaining a thorough understanding of the Act’s application and exceptions well in advance of the CCPA’s effective date will provide companies with the opportunity to work through some of the still vague CCPA language and establish effective processes to address business risks associated with the Act.