Lexology June 15, 2022
Goodwin Procter LLP

The Health Insurance Portability and Accountability Act (“HIPAA”) establishes standards by which Protected Health Information (“PHI”) may be deidentified. Upon deidentification, HIPAA generally allows covered entities to use or disclose the information without limitation. However, states are increasingly passing privacy laws with definitions of personal information expansive enough to arguably incorporate PHI deidentified under HIPAA. This article summarizes how the California Consumer Privacy Act (“CCPA”) largely exempts deidentified PHI from its scope, while simultaneously imposing new obligations on the handling of such information.

1. The CCPA’s and HIPAA’s Divergent Understandings of Deidentified Information. The CCPA excludes deidentified information from its broad definition of personal information. The Act defines deidentified information as “information that cannot reasonably identify, relate to, describe, be...

Topics: Govt Agencies, Healthcare System, HIPAA, Patient / Consumer, Privacy / Security, Provider