California Attorney General, Rob Bonta, recently issued a reminder to health app developers about their obligations to protect healthcare data – and specifically reproductive health data – under California law following the SCOTUS decision in Dobbs v. Jackson Women’s Health Organization.
The Confidentiality of Medical Information Act (CMIA) covers mobile apps that collect, store, and transmit medical information, which includes fertility tracking apps and other types of pregnancy-related connected products. Those products collect information such as ovulation, fertility test results, and data about users’ sexual activity.
CMIA establishes protections that go beyond those of federal law to ensure the confidentiality of sensitive medical data. Many health app developers are not bound by HIPAA, since they are neither HIPAA-covered entities nor business associates of one; they are nonetheless required under CMIA to implement robust privacy and security safeguards for the medical data they hold. Under CMIA, developers of these connected products must ensure the confidentiality of medical information and are prohibited from disclosing it without proper authorization.
“California has strong laws in place protecting reproductive freedom, including the right to safe and legal abortion,” said Attorney General Bonta. “Apps collecting medical information, particularly reproductive health information, need to comply with our state laws and protect such information from risks like improper disclosure or a data breach. Sensitive health data must remain secure and never be used against individuals seeking critical healthcare and exercising their right to abortion.”
Bonta drew attention to the 2020 settlement between the California Attorney General and Glow Inc. over the company's failure to comply with CMIA. Glow stored data about users' sexual and reproductive health, but security flaws in its app put that information at risk of unauthorized access.
Bonta reminded app developers that the California Consumer Privacy Act (CCPA) gives consumers rights over their personal information, including the right to have it deleted and the right to opt out of its sale, and that businesses must comply with such requests. Health app developers must ensure that these requests are honored.
Bonta recommended that health app developers, regardless of whether they are covered by HIPAA, CMIA, or CCPA, develop and maintain an information security program that protects reproductive health data from unauthorized access; implement strong authentication, including two-factor authentication; obtain affirmative consent from users before sharing or disclosing personal, medical, reproductive, or otherwise sensitive information; and provide a mechanism that lets users revoke previously granted consent. Employees should also receive internal training on the importance of privacy in the context of reproductive rights and on awareness of online threats.
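The consent recommendations above amount to a default-deny authorization check at the point of disclosure: data leaves the app only when an affirmative, unrevoked grant exists for that recipient and purpose, and revocation takes effect immediately. The following is an added illustration of that pattern, not code from the Attorney General's guidance or from any named app; the class and function names (ConsentLedger, may_disclose, disclose) and the sample record are assumptions chosen for the example.

```python
"""Consent-gated disclosure of reproductive health data (added example).

A minimal consent ledger that records affirmative, purpose-scoped consent,
lets a user revoke it, and refuses any disclosure not backed by a currently
valid grant.  All names here are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentGrant:
    recipient: str              # who may receive the data, e.g. "analytics-vendor"
    purpose: str                # what it may be used for, e.g. "cycle-insights"
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.revoked_at is None


class ConsentLedger:
    """Default-deny ledger: a disclosure is allowed only when an unrevoked
    grant matches both recipient and purpose exactly.  Silence, pre-checked
    boxes or a broad 'I agree' are never recorded as consent."""

    def __init__(self) -> None:
        self._grants: dict[str, list[ConsentGrant]] = {}
        # (event, user, recipient, purpose) - an audit trail of every decision
        self.audit: list[tuple[str, str, str, str]] = []

    def grant(self, user: str, recipient: str, purpose: str) -> None:
        # Affirmative consent is recorded explicitly, scoped to one recipient and purpose.
        self._grants.setdefault(user, []).append(
            ConsentGrant(recipient, purpose, datetime.now(timezone.utc)))
        self.audit.append(("grant", user, recipient, purpose))

    def revoke(self, user: str, recipient: str, purpose: str) -> int:
        """Revoke every active matching grant; returns how many were revoked."""
        n = 0
        for g in self._grants.get(user, []):
            if g.active() and g.recipient == recipient and g.purpose == purpose:
                g.revoked_at = datetime.now(timezone.utc)
                n += 1
        self.audit.append(("revoke", user, recipient, purpose))
        return n

    def may_disclose(self, user: str, recipient: str, purpose: str) -> bool:
        # Exact match on both dimensions: consent for "cycle-insights" does not
        # authorize "advertising", and consent for one vendor does not cover another.
        return any(g.active() and g.recipient == recipient and g.purpose == purpose
                   for g in self._grants.get(user, []))


def disclose(ledger: ConsentLedger, user: str, recipient: str,
             purpose: str, record: dict) -> Optional[dict]:
    """Fail closed: return a copy of the record only when consent is current,
    and log the decision either way so denials are visible in the audit trail."""
    allowed = ledger.may_disclose(user, recipient, purpose)
    ledger.audit.append(("disclose" if allowed else "deny", user, recipient, purpose))
    return dict(record) if allowed else None


if __name__ == "__main__":
    # Constructed sample record, not real user data.
    ledger = ConsentLedger()
    rec = {"cycle_day": 14, "ovulation_test": "positive"}
    print(disclose(ledger, "u1", "analytics-vendor", "cycle-insights", rec))  # None: no consent yet
    ledger.grant("u1", "analytics-vendor", "cycle-insights")
    print(disclose(ledger, "u1", "analytics-vendor", "cycle-insights", rec))  # the record
    ledger.revoke("u1", "analytics-vendor", "cycle-insights")
    print(disclose(ledger, "u1", "analytics-vendor", "cycle-insights", rec))  # None: revoked
```

The audit list doubles as the evidence a developer would need to show that a disclosure was authorized at the time it happened; in a real deployment it would be written to append-only storage rather than kept in memory.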