The wave of new state legislation restricting access to abortion has raised concerns about the confidentiality and security of reproductive health data, which is not always covered by the Health Insurance Portability and Accountability Act (HIPAA). Some providers are not subject to HIPAA, and consumer-facing healthcare applications (health apps) are also outside HIPAA unless they act as business associates of a covered provider or health plan. Determining whether HIPAA applies to health data collected by a health app can be challenging.1
Whether or not HIPAA applies, some states have laws and regulations that govern health data stored by health apps. California has been particularly active in enforcing these provisions.
In 2020, the California Attorney General (AG) reached a notable settlement with Glow Inc. (Glow), a technology company that provides a mobile ovulation and fertility tracking application (the Glow App), over violations of the California Confidentiality of Medical Information Act (CMIA), including failure to implement basic security functions and disclosure of medical information without the user's consent.2
California Attorney General Bonta recently issued a press release reminding health apps of the following California laws:3
- The CMIA requires any business that maintains information obtained from a health care provider, health care plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment to adhere to certain privacy and security restrictions.
- The California Consumer Privacy Act (CCPA), which created individual privacy rights for California consumers, requires covered businesses to provide certain disclosures about their data collection, use, and sharing practices, to give affected Californians ways to opt out of certain sales or transfers of personal information, and to honor consumers' rights to access, correct, and delete their personal information.
Attorney General Bonta further encouraged all health apps, even those that may fall outside the scope of the CMIA and CCPA, to take steps to protect the confidentiality of reproductive health information; the same advice applies to any health app that collects sensitive health information about its users. The Attorney General recommended that health apps:4
- Develop and maintain programs designed to protect the security, integrity, availability, and confidentiality of reproductive health information against unauthorized access and disclosure;
- Protect the information they store by using strong authentication protocols and, at a minimum, requiring two-factor authentication;
- Obtain affirmative consent from users before sharing or disclosing personal, medical, reproductive, or otherwise sensitive information, and allow users to withdraw consent they previously gave; and
- Provide internal training to employees on online threats and privacy issues related to reproductive rights.
Beyond encouraging companies to voluntarily raise their privacy standards, these measures signal which factors might prompt the California Attorney General to investigate a health app's compliance with California's privacy laws.
1 For further guidance, see Alex Dworkowitz, Brandon Reilly, and Randi Seigel, "When Healthcare and Consumer Data Privacy Collide: Complying with the Latest Generation of Data Privacy Laws," Compliance Today (June 2022).
3 "Attorney General Bonta Emphasizes Health Apps' Legal Obligation to Protect Reproductive Health Information," California Office of the Attorney General (May 26, 2022).
4 Each of these measures was also a condition of the 2020 Glow settlement.