CA AB713

Exempts deidentified medical information from CCPA requirements if deidentified according to federal HIPAA standards (45 CFR 164.514) and derived from patient information regulated by HIPAA, state Confidentiality of Medical Information Act, or Common Rule research regulations.

Exempts business associates of covered entities governed by federal privacy and security rules (45 CFR Parts 160 and 164) when they maintain, use, and disclose patient information in compliance with HIPAA requirements.

Prohibits reidentification of deidentified information except for treatment, payment, health care operations, public health activities, approved research, deidentification testing with contractual restrictions, or when required by law.

Requires contracts for sale or license of deidentified patient information (effective January 1, 2021) to include statements that the information is deidentified patient data, prohibit reidentification, and restrict further disclosure to bound third parties.

Requires businesses selling deidentified patient information to disclose in privacy policies whether they sell such information and which HIPAA deidentification methods were used (expert determination or safe harbor method).