California strengthens protection of mental health information shared through digital health apps

With the growing mental health crisis intensified by the COVID-19 pandemic, the telemental health industry has exploded in recent years. According to recent estimates, as many as 325,000 health and wellness apps are available for download, and 10,000 to 20,000 apps have been designed specifically for mental health. Many of these programs require customers to register their symptoms, which has led to reports of privacy issues as these companies can profit from targeted advertising based on potential diagnoses. In turn, these growing concerns may inhibit and discourage the use of health-related apps, despite their recent boom.

To address these privacy concerns, California recently passed Assembly Bill 2089 that expands data privacy protections under the Medical Information Privacy Act (CMIA). AB2089 expressly includes “mental health application information” in the definition of “medical information” and considers “any company that offers a digital mental health service to a consumer for the purpose of enabling the individual to manage the information of the individual, or for the diagnosis, treatment or management of a medical condition of the individual” to be a health care provider subject to the requirements of the CMIA.

Context of the CMIA

The CMIA is a California law that protects the privacy and security of individually identifiable health information obtained by health care providers, insurers and their contractors. The CMIA also extended to “any business organized for the primary purpose of maintaining medical information in order to make that information available to an individual or health care provider.” Prior to the amendment, the CMIA only applied to “medical information”, defined as “any individually identifiable information, whether in electronic or physical form, in the possession of or derived from a health care provider, health care services, a pharmaceutical company or a contractor regarding the medical history, mental or physical condition or treatment of a patient.”

Among other provisions, the CMIA generally:

  1. prohibits covered health care providers from disclosing patients’ medical information without first obtaining the person’s written permission
  2. requires covered healthcare providers who create, retain, store or destroy medical information to do so in a manner that preserves the confidentiality of the information
  3. allows the California Attorney General’s office to impose civil penalties for violations
  4. requires covered health care providers to notify the California Attorney General’s office in the event of a medical information breach affecting more than 500 California residents, including attaching a copy of the breach notification letter to be sent to patients and
  5. provides a private right of action for individuals whose medical information has been used or disclosed in violation of the CMIA.

Amendment of the CMIA

While some mental health information was arguably already covered by the CMIA, policymakers were concerned that the lack of an express inclusion of mental health apps in the law would leave sensitive mental health information vulnerable when exchanged through digital health apps and websites.

In order to ensure adequate privacy protections for such mental health information, this amendment to the CMIA has added or revised the following definitions:

“Medical Information” means any individually identifiable information, whether in electronic or physical form, in the possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company or contractor regarding a patient’s medical history, mental health app information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identification information sufficient to permit the identification of the individual, such as name, address, e-mail address, telephone number or social security number of the patient, or other information which, alone or in combination with other publicly available information, reveals the identity of the individual.

“Information about mental health apps” means information relating to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in section 1374.72 of the Health and Safety Code, collected by a digital mental health service.

“Mental Health Digital Service” means a mobile application or website that collects mental health application information from a consumer, presents itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.

“Sensitive services” means all health services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorders, gender affirming care and domestic violence, and includes services described in sections 6924, 6925, 6926, 6927, 6928, 6929 and 6930 of the Family Code, and articles 121020 and 124260 of the Health and Safety Code, obtained by a patient who has reached or exceeded the minimum age specified for consent to the service specified in the article.

Potential impact and next steps

According to the bill’s authors, the predatory advertising and misleading privacy standards provided by mental health apps and other digital services create a false sense of security for consumers. When Californians are at their most vulnerable point, they need to know that their information is safe and that their health information is private and secure.

However, the changes to the CMIA also pose challenges. The definition of “mental health application information” is subject to various interpretations. “Information relating to a consumer’s presumed mental health” is both overbroad and ambiguous, leaving open questions about the intended scope of its application. The amendment further requires that “when partnering with a health care provider to provide a digital mental health service, any company that offers a digital mental health service must provide the health care provider with information on how to find data breaches reported pursuant to Section 1798.82 on the Attorney General’s website.” No guidance has been issued at this time regarding the form or content of this notification.

While no reported opposition to the bill remains, questions persist about the scope of this new mental health protection and what activities qualify as “selling themselves as facilitating mental health services to a consumer.” During the legislative process, stakeholder groups expressed concern that the bill is both overbroad and unnecessary and will create unnecessary burdens on technology platforms that facilitate interactions between state-approved mental health care providers and patients. This lack of precision is likely to create compliance issues for mental telemedicine providers and software vendors in the future.

Despite the current unknowns under the CMIA Amendment, providers offering a mental health app or other businesses engaged in offering a digital mental health service should familiarize themselves with the CMIA requirements and ensure that appropriate processes are in place to limit disclosures of information and to make required notifications.

As mental health care continues to evolve, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Health or Data Privacy practice groups with any questions regarding consumer health data collection compliance.
