On May 26, 2022, California Attorney General Rob Bonta called upon mobile health apps to step up efforts to protect user data from “unprecedented threats to reproductive freedom.” In an official press release, Attorney General Bonta urged health apps to adopt more robust security and privacy measures in order to protect reproductive health information. The official statement was released by the Office of the California Attorney General as the U.S. Supreme Court seemingly contemplates overturning Roe v. Wade, the landmark case that legalized abortion nationwide.
California law already imposes strong data privacy and security obligations on mobile apps that store reproductive health information. The Confidentiality of Medical Information Act (CMIA) is a state law that requires businesses that store medical information to preserve confidentiality and prevent unauthorized disclosures. Notably, the scope of CMIA is broader than that of the Health Insurance Portability and Accountability Act (HIPAA), the federal health privacy law enacted by U.S. Congress in 1996. HIPAA established national standards to safeguard sensitive health information by prohibiting unauthorized disclosure of such information by “covered entities,” which includes traditional health care entities such as health plans and healthcare providers. However, CMIA goes a step further than HIPAA by extending data privacy obligations beyond traditional healthcare entities. Specifically, the state law applies to “providers of health care,” which California broadly defines to include “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.”1 As such, reproductive health and fertility tracking apps tend to fall under the scope of CMIA, but not necessarily HIPAA, and are treated similarly to healthcare entities under California law in that they are required to take steps to ensure the protection of sensitive health information collected in the course of business. For California businesses, it is also worth noting that HIPAA establishes a floor of federal privacy protections and rights for individuals. To the extent CMIA provides greater privacy protection than a provision of HIPAA, and it is possible to comply with both the state law and HIPAA, the requirements of CMIA must be followed and HIPAA does not preempt state law.
Given the broader applicability of CMIA as compared to HIPAA, companies that offer fertility trackers and other pregnancy-related products are bound by CMIA even if they are not similarly bound by HIPAA. Per Attorney General Bonta’s recommendation, apps that are subject to CMIA obligations should, at a minimum, “assess the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare right.”
Attorney General Bonta’s statement also referenced a landmark settlement the California Department of Justice secured in 2020 with Glow, Inc. (Glow). The DOJ struck a settlement with the company following Glow’s alleged violation of CMIA stemming from unsafe user data storage practices. The Glow settlement was unique in that the DOJ required the company to consider how security breaches may disproportionately impact women.
Per the official press release, the California attorney general encourages health apps to:
- Develop and maintain information security programs designed to minimize unauthorized disclosures of reproductive health information
- Adopt strong authentication protocols, and, at a minimum, require two-factor authentication
- Obtain affirmative consent from users prior to sharing sensitive information and allow users to revoke previously granted consent
- Provide internal employee training on security threats specific to reproductive rights
Attorney General Bonta concluded his call to action by pointing to the California Consumer Privacy Act (CCPA), which may serve as a privacy umbrella to health apps that do not fall under the scope of CMIA. CCPA, which has been in effect since January 1, 2020, requires large businesses to honor certain consumer rights, such as requests for access and deletion as well as the ability to “opt out” of the sale of their personal information.
Companies in the health space should also be aware of the California Privacy Rights Act (CPRA), which amends and expands upon CCPA. In particular, CPRA has a broad definition of “sensitive information” that includes “personal information collected and analyzed concerning a consumer’s health.” Sensitive information is a category of personal information under CPRA, which means that companies not covered by HIPAA that collect sensitive information should develop systems to ensure they give consumers rights to this data, in particular the right to access, correct or delete this data. They also may have to take additional compliance steps if they are “inferring characteristics” from consumers as a result of the collection and use of their sensitive information. CPRA goes into effect on January 1, 2023.
This means that health apps and companies that collect health information from California consumers must ensure that they develop systems to comply with the patchwork of applicable laws. Further, even if a health app is exempt from HIPAA or CMIA obligations, CCPA and CPRA may apply. Going beyond the constraints of federal and state law, every business collecting sensitive health information should implement robust security procedures to safeguard this information in order to protect its reputation with customers and the public – especially in the current climate, when this data may become more valuable and/or controversial.
Practical Guidance
- Health app/technology companies should revisit their data inventories to determine the nature of the data that they collect and whether they are subject to HIPAA, CMIA, CCPA, and CPRA. They should consider the purpose for which each category of data is collected and employ systems for data minimization.
- Health app/technology companies should revisit their processes for consent to ensure that they have clear and affirmative consent when required, and that they provide consumers with the right to revoke their consent and/or change their preferences as required.
- Policies should be updated to ensure compliance with new privacy laws in California. It is also good practice to routinely review and update any privacy policy.
- Security of sensitive information is paramount. Health app/technology companies should conduct routine vulnerability tests, employ multi-factor authentication, and conduct security audits and internal training on a regular basis. In addition, these companies should ensure that they have tracked the flow of any personal information to make certain that they require all third parties to develop similar systems.
1 See Cal. Civ. Code section 56.06(b).
Client Alert 2022-150