Health App Providers May Have Confidentiality Obligations Under State Law – Manatt, Phelps & Phillips, LLP

Randi Seigel
Manatt Health
Nikhil Sethi
Manatt Health
The wave of new state legislation limiting abortion access has raised concerns about the privacy and security of reproductive health data not subject to the Health Insurance Portability and Accountability Act (HIPAA). Some providers are not subject to HIPAA, and consumer-facing health applications (health apps), unless they are contractors of a provider or a health plan, also are not subject to HIPAA. Determining whether HIPAA applies to health care data collected by health apps can be complicated.1
Regardless of whether HIPAA applies, some states have laws and regulations that may regulate health data held by health apps. California has been particularly active in enforcing these regulations.
In 2020, the California Department of Justice (AG) secured a landmark settlement with Glow Inc. (Glow), a technology company that provides an ovulation and fertility-tracking mobile app (Glow App), over violations of the California Medical Information Act (CMIA), among others, for failing to implement basic security features and for disclosing medical information without obtaining the user’s consent.2
California Attorney General Bonta recently issued a press release reminding health apps of the following California laws:3
California Attorney General Bonta further encouraged all health apps, even those that may fall outside the regulatory scope of the CMIA and CCPA, to take measures to protect the privacy of reproductive health information; this advice, however, can be applied to all health apps that collect sensitive health information about a consumer. The attorney general recommended the health apps:4
Aside from encouraging companies to voluntarily strengthen their privacy standards, the aforementioned measures provide guidance regarding what factors may persuade the California attorney general to investigate a health app’s compliance with California privacy laws.
1 For further guidance, please see Alex Dworkowitz, Brandon Reilly and Randi Seigel, When healthcare and consumer data rules collide: Compliance with the latest generation of data privacy laws, Compliance Today (June 2022).
3 Attorney General Bonta Emphasizes Health Apps’ Legal Obligation to Protect Reproductive Health Information, State of California, Office of the Attorney General (May 26, 2022).
4 Each listed measure was also a condition of the 2020 Glow settlement.

© 2022 Manatt, Phelps & Phillips, LLP.
All rights reserved 


