California Attorney General Reminds Health App Developers of Their Obligations Under California Law

California Attorney General Rob Bonta recently issued a reminder to health app developers about their obligations to protect healthcare data – and specifically reproductive health data – under California law following the SCOTUS decision in Dobbs v. Jackson Women’s Health Organization.

The Confidentiality of Medical Information Act (CMIA) covers mobile apps that collect, store, and transmit medical information, which includes fertility tracking apps and other types of pregnancy-related connected products. Those products collect information such as ovulation, fertility test results, and data about users’ sexual activity.

CMIA established protections that go beyond those of federal laws to ensure the confidentiality of sensitive medical data. Many health app developers are not bound by HIPAA, since they are not business associates of HIPAA-covered entities; however, they are required to implement robust privacy and security safeguards to protect medical data under CMIA. Under CMIA, developers of these connected products must ensure the confidentiality of medical information, and they are prohibited from disclosing medical information without proper authorization.

“California has strong laws in place protecting reproductive freedom, including the right to safe and legal abortion,” said Attorney General Bonta. “Apps collecting medical information, particularly reproductive health information, need to comply with our state laws and protect such information from risks like improper disclosure or a data breach. Sensitive health data must remain secure and never be used against individuals seeking critical healthcare and exercising their right to abortion.”

Bonta drew attention to the settlement between the California Attorney General and Glow Inc. in 2020 over the failure to comply with CMIA. The company stored data related to users’ sexual and reproductive health but had security flaws that put that information at risk.

Bonta reminded app developers that the California Consumer Privacy Act (CCPA) requires businesses to comply with consumer requests concerning personal information, such as requests to delete data and to opt out of the sale of personal information. Health app developers must ensure that these requests are honored.

Bonta recommended that health app developers, regardless of whether they are covered by HIPAA, CMIA, or CCPA, develop and maintain an information security program to protect reproductive health data from unauthorized access; implement strong authentication protocols, including two-factor authentication; obtain affirmative consent from users before sharing or disclosing personal, medical, reproductive, or otherwise sensitive information; and provide a mechanism that allows users to revoke previously granted consent. Internal employee training should also be provided on the importance of privacy related to reproductive rights and to raise awareness of online threats.

About Ryan Coyne
Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn https://www.linkedin.com/in/ryancoyne/ and follow on Twitter https://twitter.com/ryancoyne