Applying CCPA Exemptions for Medical Marijuana
The California Consumer Privacy Act (“CCPA”) is now in effect and the cannabis industry may come under scrutiny with regard to its collection of personal information of California residents once enforcement by the State Attorney General begins in mid-2020. For cannabis businesses catering to medical marijuana customers, gaining a clear understanding of the extent to which the new law will apply to their businesses is a necessary first step towards evaluating compliance needs. In particular, exemptions related to the Health Insurance Portability and Accountability Act (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”) should be considered.
CCPA Applicability and Health-Related Exemptions
The CCPA generally applies to businesses that meet one or more of the following threshold requirements: (1) annual gross revenues exceeding $25 million; (2) annually buy or receive for commercial purposes, or sell or share for commercial purposes, personal information of 50,000 or more consumers, households or devices; or (3) derive 50 percent or more of annual revenues from selling consumers’ personal information.
The CCPA, however, contains several exemptions that may apply to sellers of cannabis to California residents for medical purposes, so that such businesses are not subject to duplicative legal requirements.
Personal information processed pursuant to HIPAA and the CMIA is exempt from most CCPA requirements. The CCPA does not, however, provide a blanket exemption for all processing involving patient or health information, leaving it up to affected businesses to determine whether each use of personal information falls within or outside the scope of the Act. In assessing applicability, particular attention should be paid to the processing of medical marijuana patient information that falls outside the provision of traditional health services or other transactions covered by HIPAA or the CMIA, such as customer relationship management or sales and marketing activities.
The HIPAA Exemption
HIPAA Covered Entities and Business Associates may, in many instances, be exempt from CCPA requirements. The CCPA does not, however, provide a blanket HIPAA exemption.
The HIPAA exemption applies primarily to Protected Health Information (“PHI”). PHI is information that is held or transmitted by a Covered Entity or its Business Associates, in any form or media, whether electronic, paper, or oral, that relates to an individual’s past, present or future physical or mental health or condition, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
A HIPAA Covered Entity may include prescribers and providers of medical products such as medical marijuana, but only where the provider transmits health information electronically in connection with a HIPAA standard transaction (such as electronic claims or eligibility checks); a dispensary that never does so is not a Covered Entity, however sensitive its records. A Business Associate is an entity that performs certain functions or activities (e.g., providing medical marijuana, billing or record-keeping on a provider’s behalf) that involve the use or disclosure of PHI on behalf of a Covered Entity.
The CMIA Exemption
The CCPA also exempts “Medical Information” as defined by the CMIA. It exempts general patient information (e.g., name, phone number, address) held by “Providers of Healthcare” to the extent they maintain such information in the same manner as Medical Information.
Medical Information under CMIA aligns with the HIPAA definition of PHI, but also includes health information in possession of or derived from a pharmaceutical company or contractor (which may include, in some instances, personal information held by sellers or distributors of medical marijuana). A Provider of Healthcare is any person licensed or certified to provide health or medical services and includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies (which may include medical marijuana dispensaries).
In addition, the CMIA treats businesses as Providers of Healthcare if they are organized for the purpose of maintaining Medical Information or offer consumer software or hardware designed to maintain Medical Information. This may include data companies supporting the cannabis industry. However, such businesses may only rely on the CCPA exemption for Medical Information derived from a Provider of Healthcare, a health care service plan, a pharmaceutical company, or a contractor. Thus, if a software provider, for example, maintains health information that does not qualify as Medical Information, it must comply with the CCPA requirements for that information.
The De-Identification Exemption
Finally, if a company merely collects and uses “De-Identified” information, it may be exempt from CCPA requirements. The CCPA and HIPAA de-identification standards differ, and both must be understood in order to determine how far the exemption reaches:
Under the CCPA, information is De-Identified if it cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular Consumer. The CCPA definition also requires the business to have implemented technical safeguards and business processes that prohibit re-identification, and processes to prevent inadvertent release of the de-identified data; a business that strips identifiers but keeps the ability to re-link them does not meet the definition.
HIPAA similarly treats health information as de-identified when it does not identify an individual and there is no reasonable basis to believe it can be used to identify an individual. HIPAA, however, specifies two methods for reaching that state: (1) expert determination, in which a qualified expert documents that the risk of re-identification is very small, and (2) the Safe Harbor method, which removes eighteen enumerated identifiers (names, geographic units smaller than a state, date elements other than year, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan and account numbers, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying code).
Because the CCPA language is broader (it reaches information that could be linked “indirectly”), there may be circumstances where information is de-identified under the HIPAA Safe Harbor method yet still identifiable under the CCPA: Safe Harbor permits, for example, three-digit ZIP prefixes, birth years and sex, and a combination of those values that is unique within a data set can still be reasonably linked to a person. Medical marijuana businesses that wish to rely on this exemption should therefore review both HIPAA methods and align their internal process to the wider CCPA standard, which may require an expert’s evaluation in circumstances where the Safe Harbor method alone does not satisfy the CCPA.
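The gap described above, worked through in code. This is an added example and not part of the original article: the field names, the table of small ZIP3 areas and the three customer records are constructed for the illustration, and the residual-linkability check is a simple uniqueness count over the quasi-identifiers Safe Harbor leaves in place, which is not a substitute for an expert determination.

```python
"""HIPAA Safe Harbor scrub of a medical-marijuana customer record, then a check
for residual linkability that Safe Harbor permits but the CCPA's broader
'reasonably linkable' language may still reach. Added example; field names,
the ZIP3 table and the sample records are constructed for illustration."""
import re
from collections import Counter
from datetime import date

# Fields holding the 45 CFR 164.514(b)(2) direct identifiers. Names are assumed
# for this example; map them onto your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_plate", "device_id", "url", "ip", "biometric",
    "photo", "loyalty_id",  # loyalty_id falls under "any other unique code"
}
# Assumed: ZIP3 prefixes whose combined population is 20,000 or fewer. Safe
# Harbor requires these to become "000"; real values come from census data.
SMALL_ZIP3 = {"036", "059", "102"}
# Free-text fields need a pattern pass; scrubbing structured fields is not enough.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]
# Fields Safe Harbor leaves in place that together can still single someone out.
QUASI_IDENTIFIERS = ("zip3", "dob", "sex")

def generalize_zip(zip_code):
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3

def generalize_dob(dob, today):
    """Keep the year only; anyone over 89 collapses to '90+' (year reveals age)."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)

def scrub_text(text):
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

def safe_harbor_scrub(record, today):
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # categories 1, 4-18: drop
        if field == "zip":
            out["zip3"] = generalize_zip(value)        # category 2: ZIP3 or 000
        elif field == "dob":
            out["dob"] = generalize_dob(value, today)  # category 3: year, 90+ cap
        elif isinstance(value, date):
            out[field] = str(value.year)               # other dates: year only
        elif isinstance(value, str):
            out[field] = scrub_text(value)             # free text: pattern pass
        else:
            out[field] = value
    return out

def linkability_report(scrubbed, k=2):
    """Quasi-identifier combinations shared by fewer than k records. Safe Harbor
    permits ZIP3, birth year and sex, but a unique combination is exactly the
    data the CCPA's 'linked, directly or indirectly' wording can still reach."""
    counts = Counter(tuple(r.get(q) for q in QUASI_IDENTIFIERS) for r in scrubbed)
    return [combo for combo, n in counts.items() if n < k]

TODAY = date(2020, 3, 1)  # fixed so the example is deterministic
SAMPLE_RECORDS = [  # constructed customer records, not real data
    {"name": "Ana Lopez", "dob": date(1985, 6, 14), "sex": "F", "zip": "94110",
     "phone": "415-555-0100", "email": "ana@example.com", "loyalty_id": "LTY-7781",
     "product": "tincture", "visit": date(2020, 1, 9),
     "notes": "Call 415-555-0100 before delivery; SSN on file 123-45-6789"},
    {"name": "Bea Ng", "dob": date(1985, 2, 2), "sex": "F", "zip": "94112",
     "phone": "415-555-0199", "product": "flower", "visit": date(2020, 2, 20),
     "notes": "Prefers evening pickup"},
    {"name": "Cy Ode", "dob": date(1928, 1, 1), "sex": "M", "zip": "03601",
     "device_id": "VAPE-SN-00042", "product": "edible", "visit": date(2019, 12, 30),
     "notes": "Caregiver email cy.care@example.org"},
]

def run(records=SAMPLE_RECORDS, today=TODAY):
    scrubbed = [safe_harbor_scrub(r, today) for r in records]
    return scrubbed, linkability_report(scrubbed)

if __name__ == "__main__":
    scrubbed, flagged = run()
    for r in scrubbed:
        print(r)
    print("unique quasi-identifier combinations (review under CCPA):", flagged)
```

The first two records survive Safe Harbor as ("941", "1985", "F") and are indistinguishable from each other, but the third collapses to ("000", "90+", "M") and is still the only such record; that is the case where Safe Harbor is satisfied yet the business should ask whether the record is "reasonably" linkable under the CCPA, and where an expert determination or further generalization is the safer course. Note also that the free-text notes carried a phone number, a Social Security number and a caregiver's email that the structured-field rules alone would have missed.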
In-Scope Personal Information
Reviewing the language and purpose of the different laws closely helps to determine which processing activities of medical marijuana-related businesses do not fall under the HIPAA and CMIA exemptions and for which they must implement CCPA compliance measures. Such processing of personal information may include, for example:
· Information about California medical marijuana consumers maintained or used for advertising purposes, or which is otherwise not maintained like PHI or Medical Information by HIPAA Covered Entities or CMIA Providers of Healthcare (e.g., newsletter subscriptions);
· Non-PHI about California medical marijuana consumers maintained by HIPAA Business Associates; and
· Personal information of individuals other than the patient, such as family members, friends or caretakers, which the exemptions do not cover.
Although a large amount of personal information about California medical marijuana consumers falls outside the scope of the CCPA, cannabis providers should not underestimate the CCPA’s application to their businesses. Such businesses should further consider compliance efforts aimed at developing and implementing effective processes to address the CCPA’s notice and consumer-rights requirements.
Understanding the CCPA’s application and exemptions will give providers of medical marijuana the opportunity to assess their personal information inventory, organize it, and establish effective processes to address the business risks associated with the Act.