The wave of new state legislation limiting abortion access has raised concerns about the privacy and security of reproductive health data not subject to the Health Insurance Portability and Accountability Act (HIPAA). Some providers are not subject to HIPAA, and consumer-facing health applications (health apps), unless they are contractors of a provider or a health plan, also are not subject to HIPAA. Determining whether HIPAA applies to health care data collected by health apps can be complicated.¹

Regardless of whether HIPAA applies, some states have laws and regulations that may regulate health data held by health apps. California has been particularly active in enforcing these regulations.

In 2020, the California Department of Justice (AG) secured a landmark settlement with Glow Inc. (Glow), a technology company that provides an ovulation and fertility-tracking mobile app (Glow App), for California Medical Information Act (CMIA) violations, among others, for failure to implement basic security features and disclosing medical information without obtaining the user’s consent.²

California Attorney General Bonta recently issued a press release reminding health apps of the following California laws:³

• CMIA requires any business maintaining information derived from a provider of health care, health care service plan, pharmaceutical company or contractor regarding a patient's medical history, mental or physical condition, or treatment to adhere to certain privacy and security restrictions.
• The California Consumer Privacy Act (CCPA), which created individual privacy rights for California consumers, requires covered businesses to provide certain disclosures to consumers about their data collection, use and sharing practices, and to provide affected California residents with ways to opt out of certain sales or transfers of personal information, as well as the right to request, modify and delete personal information.

California Attorney General Bonta further encouraged all health apps, even those that may fall outside the regulatory scope of the CMIA and CCPA, to take measures to protect the privacy of reproductive health information; this advice, however, can be applied to all health apps that collect sensitive health information about a consumer. The attorney general recommended the health apps:⁴

• Develop and maintain programs designed to protect the security, integrity, availability and confidentiality of reproductive health information against unauthorized access and disclosure;
• Protect the information they store by using strong authentication protocols, and, at a minimum, require two-factor authentication;
• Obtain affirmative consent from users prior to sharing or disclosing personal, medical, reproductive or otherwise sensitive information, and allow users to revoke previously granted consent; and
• Provide internal employee training on online threats and privacy issues related to reproductive rights.

Aside from encouraging companies to voluntarily strengthen their privacy standards, the aforementioned measures provide guidance regarding what factors may persuade the California attorney general to investigate a health app’s compliance with California privacy laws.

1 For further guidance, please see Alex Dworkowitz, Brandon Reilly and Randi Seigel, When healthcare and consumer data rules collide: Compliance with the latest generation of data privacy laws, Compliance Today (June 2022).

2 https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93

3 Attorney General Bonta Emphasizes Health Apps’ Legal Obligation to Protect Reproductive Health Information, State of California, Office of the Attorney General (May 26, 2022).

4 Each listed measure was also a condition of the 2020 Glow settlement.