California’s CCPA regulation has been amended to say that data considered deidentified under HIPAA is considered deidentified under CCPA. The amendment was proposed last year and was finally signed into law on September 25, 2020.
This is good news because it’s relatively clear what deidentification means under HIPAA compared to CCPA. In particular, HIPAA has two well-established alternatives for determining that data have been adequately deidentified:
- Safe Harbor, or
- Expert determination.
The latter is especially important because most useful data doesn’t meet the requirements of Safe Harbor.
I provide companies with HIPAA expert determination. And now by extension I can provide expert determination under CCPA.
I’m not a lawyer, and so nothing I write should be considered legal advice. But I work closely with lawyers to provide expert determination. If you would like to discuss how I could help you, let’s talk.