Lexology June 15, 2022
The Health Insurance Portability and Accountability Act (“HIPAA”) establishes standards by which Protected Health Information (“PHI”) may be deidentified. Upon deidentification, HIPAA generally allows covered entities to use or disclose the information without limitation. However, states are increasingly passing privacy laws with definitions of personal information expansive enough to arguably incorporate PHI deidentified under HIPAA. This article summarizes how the California Consumer Privacy Act (“CCPA”) largely exempts deidentified PHI from its scope, while simultaneously imposing new obligations on the handling of such information.
1. The CCPA’s and HIPAA’s Divergent Understandings of Deidentified Information.

The CCPA excludes deidentified information from its broad definition of personal information. The Act defines deidentified information as “information that cannot reasonably identify, relate to, describe, be...