California expands scope of Confidentiality of Medical Information Act, strengthening protections for mental health information exchanged through digital health applications
With the mounting mental health crisis intensified by the COVID-19 pandemic, the telemental health industry has exploded in recent years. According to recent estimates, as many as 325,000 health and wellness apps are available for download, and 10,000-20,000 apps have been designed specifically for mental health. Many of these programs require clients to record their symptoms, which has led to reports of privacy concerns, because these companies may profit from targeted advertisements based on potential diagnoses. In turn, these growing concerns may inhibit and discourage the use of health-related apps, despite their recent boom.
In an effort to address these privacy concerns, California recently passed Assembly Bill 2089, which expands data privacy protections under the Confidentiality of Medical Information Act (CMIA). AB2089 expressly includes “mental health application information” under the definition of “medical information” and deems “any business that offers a mental health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual” to be a provider of healthcare subject to CMIA’s requirements.
Background on the CMIA
The CMIA is a California law that protects the confidentiality and security of individually identifiable medical information obtained by health care providers, insurers, and their contractors. The CMIA also extends to “any business organized for the primary purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care.” Pre-amendment, the CMIA applied only to “medical information,” defined as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”
Among other provisions, the CMIA generally:
- prohibits covered health care providers from disclosing patient medical information without first obtaining written authorization from the individual
- requires covered healthcare providers that create, maintain, store or destroy medical information to do so in a manner that preserves the confidentiality of the information
- allows the California Attorney General’s Office to impose civil penalties for violations
- requires covered healthcare providers to notify the California Attorney General’s office upon a breach of medical information affecting more than 500 California residents, including enclosing a copy of the breach notification letter to be sent to patients and
- permits a private right of action for individuals whose medical information has been used or disclosed in violation of the CMIA.
Amendment to the CMIA
While certain mental health information was arguably already covered under the CMIA, policymakers were concerned that, without an express inclusion of mental health applications in the law, sensitive mental health information would remain vulnerable when exchanged through digital health applications and websites.
In an effort to ensure adequate privacy protections for this mental health information, this amendment to the CMIA added or revised the following definitions:
“Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, healthcare service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
“Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.
“Mental health digital service” means a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.
“Sensitive services” means all healthcare services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.
Potential impact and next steps
According to the bill’s authors, predatory advertising and misleading privacy standards provided by mental healthcare applications and other digital services create a false sense of security for consumers. When Californians are at their most vulnerable point, they must know their information is safe and their health information is private and secure.
However, the changes made to the CMIA pose challenges as well. The definition of “mental health application information” is subject to varying interpretations. “Information related to a consumer’s inferred mental health” is both overbroad and ambiguous, leaving open questions as to the intended scope of its application. The amendment further requires that “when partnering with a provider of health care to provide a mental health digital service, any business that offers a mental health digital service shall provide to the provider of health care information regarding how to find data breaches reported pursuant to Section 1798.82 on the internet website of the Attorney General.” No guidance has been issued to date regarding the form or content of this notification.
While no reported opposition to the bill remains, questions persist as to the scope of this new mental health protection and which activities qualify as “marketing itself as facilitating mental health services to a consumer.” During the legislative process, stakeholder groups expressed concern that the bill is both overly broad and unnecessary and that it will create unnecessary burdens on technology platforms which facilitate interactions between state-licensed mental health care providers and patients. This lack of precision is likely to create compliance challenges for telemental healthcare providers and software vendors going forward.
Despite the current unknowns under the CMIA amendment, providers offering a mental health application or other businesses engaged in the offering of a mental health digital service should familiarize themselves with the CMIA’s requirements and ensure that the proper processes are in place to limit disclosures of information and to make required notifications.
As mental healthcare continues to evolve, please contact your DLA Piper relationship partner, the authors of this alert or any member of our Healthcare or Data Privacy practice groups with any questions regarding consumer health data collection compliance.