Lexology June 15, 2022
Goodwin Procter LLP

The Health Insurance Portability and Accountability Act (“HIPAA”) establishes standards by which Protected Health Information (“PHI”) may be deidentified. Upon deidentification, HIPAA generally allows covered entities to use or disclose the information without limitation. However, states are increasingly passing privacy laws with definitions of personal information expansive enough to arguably incorporate PHI deidentified under HIPAA. This article summarizes how the California Consumer Privacy Act (“CCPA”) largely exempts deidentified PHI from its scope, while simultaneously imposing new obligations on the handling of such information.

1. The CCPA’s and HIPAA’s Divergent Understandings of Deidentified Information. The CCPA excludes deidentified information from its broad definition of personal information. The Act defines deidentified information as “information that cannot reasonably identify, relate to, describe, be...
