A wave of new state legislation restricting access to abortion has raised concerns about the privacy and security of reproductive health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). Some providers are not covered entities under HIPAA, and consumer-facing health apps (health apps) are likewise outside HIPAA unless they act as business associates (contractors) of a covered provider or health plan. Determining whether HIPAA applies to medical data collected by a given health app can therefore be difficult.1
Whether or not HIPAA applies, some states have laws and regulations that may govern health data stored on health apps. California has been especially active in enforcing these rules.
In 2020, the California Attorney General (AG) secured a landmark settlement with Glow Inc. (Glow), a technology company that provides an ovulation and fertility tracking mobile app (Glow App), for violations of California's Confidentiality of Medical Information Act (CMIA), including failing to perform basic security functions and disclosing medical information without obtaining user consent.2
California Attorney General Bonta recently released a press release reminding healthcare apps of the following California laws:3
- CMIA requires that any business that maintains information received from a health care provider, health plan, pharmaceutical company, or contractor relating to a patient's medical history, mental or physical condition, or treatment adhere to certain confidentiality and security restrictions.
- The California Consumer Privacy Act (CCPA), which created individual privacy rights for California consumers, requires covered companies to provide consumers with certain information about their data collection, use, and sharing practices; gives affected California residents ways to opt out of certain sales or sharing of personal information; and grants the right to request, correct, and delete personal information.
California Attorney General Bonta also called on all health apps, even those that may fall outside the scope of CMIA and CCPA, to take steps to protect the privacy of reproductive health information. Although framed around reproductive health, the same advice applies to any health app that collects sensitive medical information about a consumer. The Attorney General recommended that health apps:4
- Develop and maintain programs designed to protect the security, integrity, availability, and confidentiality of reproductive health information from unauthorized access and disclosure;
- Protect the information they store using strong authentication protocols and require two-factor authentication at a minimum;
- Obtain affirmative consent from users before transferring or disclosing personal, medical, reproductive, or other sensitive information, and allow users to withdraw consent previously granted; and
- Provide internal training to employees on online threats and privacy issues related to reproductive rights.
Beyond encouraging companies to voluntarily tighten their privacy practices, the measures above offer insight into the factors likely to prompt the California Attorney General to investigate a health app's compliance with California privacy law.
1 For further guidance see Alex Dvorkowitz, Brandon Reilly, and Randy Seigel, When Health and Consumer Data Contradict: Compliance with the Latest Generation of Data Privacy Laws, Compliance Today (June 2022).
4 Each measure listed was also a condition of the Glow 2020 Settlement Agreement.