On May 26, 2022, California Attorney General Rob Bonta called upon mobile health apps to step up efforts to protect user data from “unprecedented threats to reproductive freedom.” In an official press release, Attorney General Bonta urged health apps to adopt more robust security and privacy measures in order to protect reproductive health information. The official statement was released by the Office of the California Attorney General as the U.S. Supreme Court seemingly contemplates overturning Roe v. Wade, the landmark case that legalized abortion nationwide.
California law already imposes strong data privacy and security obligations on mobile apps that store reproductive health information. The Confidentiality of Medical Information Act (CMIA) is a state law that requires businesses that store medical information to preserve confidentiality and prevent unauthorized disclosures. Notably, the scope of CMIA is broader than that of the Health Insurance Portability and Accountability Act (HIPAA), the federal health privacy law enacted by the U.S. Congress in 1996. HIPAA established national standards to safeguard sensitive health information by prohibiting unauthorized disclosure of such information by “covered entities,” which include traditional health care entities such as health plans and healthcare providers. However, CMIA goes a step further than HIPAA by extending data privacy obligations beyond traditional healthcare entities. Specifically, the state law applies to “providers of health care,” which California broadly defines to include “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.” [1] As such, reproductive health and fertility tracking apps tend to fall under the scope of CMIA, but not necessarily HIPAA, and are treated similarly to healthcare entities under California law in that they are required to take steps to ensure the protection of sensitive health information collected in the course of business. For California businesses, it is also worth noting that HIPAA establishes a floor of federal privacy protections and rights for individuals. To the extent CMIA provides greater privacy protection than a provision of HIPAA, and it is possible to comply with both the state law and HIPAA, the requirements of CMIA must be followed and HIPAA does not preempt state law.
Given the broader applicability of CMIA as compared to HIPAA, companies that offer fertility trackers and other pregnancy-related products are bound by CMIA even if they are not similarly bound by HIPAA. Per Attorney General Bonta’s recommendation, apps that are subject to CMIA obligations should, at a minimum, “assess the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare right.”
Attorney General Bonta’s statement also referenced a landmark settlement the California Department of Justice secured in 2020 with Glow, Inc. (Glow). The DOJ struck a settlement with the company following Glow’s alleged violation of CMIA stemming from unsafe user data storage practices. The Glow settlement was unique in that the DOJ required the company to consider how security breaches may disproportionately impact women.