Lexology June 15, 2022
Goodwin Procter LLP

The Health Insurance Portability and Accountability Act (“HIPAA”) establishes standards by which Protected Health Information (“PHI”) may be deidentified. Upon deidentification, HIPAA generally allows covered entities to use or disclose the information without limitation. However, states are increasingly passing privacy laws with definitions of personal information expansive enough to arguably incorporate PHI deidentified under HIPAA. This article summarizes how the California Consumer Privacy Act (“CCPA”) largely exempts deidentified PHI from its scope, while simultaneously imposing new obligations on the handling of such information.

1. The CCPA’s and HIPAA’s Divergent Understandings of Deidentified Information. The CCPA excludes deidentified information from its broad definition of personal information. The Act defines deidentified information as “information that cannot reasonably identify, relate to, describe, be...

Topics: Govt Agencies, Healthcare System, HIPAA, Patient / Consumer, Privacy / Security, Provider