Considering a motion to dismiss and an alleged violation of the CCPA, Judge Carney from the Central District of California ruled on April 21, 2021 that:
Medical information or protected health information, as defined by the statute, includes information related to an individual’s healthcare “[t]hat identifies the individual” or “to which there is a reasonable basis to believe the information can be used to identify the individual.” 45 C.F.R. § 160.103; see Cal. Civ. Code § 1798.146(b) (incorporating definitions from 45 C.F.R. § 160.103). This clearly includes Social Security numbers and other nonmedical information which was provided in relation to an individual’s healthcare, as was the case here. [Therefore,] Defendant is an exempt business associate….
Despite Defendant’s data breach and in reliance on the CCPA’s HIPAA exemption, the Court dismissed that cause of action.