Alert

California Expands the CMIA to Regulate Mental Health Digital Services

Assembly Bill 2089 expands consumer rights and protections over individually identifiable health information by revising existing definitions under the California Confidentiality of Medical Information Act (“CMIA”) to include medical information collected through mobile-based applications or Internet websites. Businesses that collect and use information related to a consumer’s inferred or diagnosed mental health or substance use disorder, and that facilitate mental health services marketed to consumers, should be aware of their responsibilities under the newly amended CMIA.

California Governor Gavin Newsom signed into law Assembly Bill 2089 (“AB 2089”), which amends the CMIA[1] to include “mental health application information” in its definition of “medical information,” and imposes additional obligations for businesses offering a mobile-based application or online “mental health digital service” to a consumer for the purpose of allowing the consumer to manage their own information, or for the diagnosis, treatment or management of a medical condition.

Under the September 28, 2022, amendment, any business that offers a “mental health digital service” is deemed to be a provider of healthcare for purposes of the CMIA, and subject to the CMIA’s provisions. “Mental health digital service” refers to a mobile-based application or Internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses such information to provide these services to the consumer.

The amendment also adds a new disclosure requirement for businesses offering a mental health digital service. Consumers may institute private causes of action to recover nominal and/or actual damages for violations arising under the CMIA, and violators may separately be subject to administrative fines and civil penalties.

Background

The CMIA is a California state law that provides consumers rights and protections over their medical health information, additional to those under the federal Health Information Portability and Accountability Act (“HIPAA”).

Except in limited circumstances, a provider of health care subject to the CMIA may not use or disclose medical information obtained from a consumer without the consumer’s valid authorization. The authorization must be in writing and signed by the consumer, and it must specify certain information, including the uses and limitations on the types of medical information to be disclosed and the expiration date of the authorization. The CMIA also obligates a provider of health care that creates, maintains, stores, or destroys medical information, to do so in a manner that preserves confidentiality.[2]

Importantly, the CMIA provides a private right of action to consumers for privacy violations related to the unauthorized disclosure of the consumer’s individually identifiable medical information.

The Amendment

AB 2089 amends three key provisions of the CMIA: (1) it expands the definition of “medical information” to include “mental health application information,” (2) it adds related definitions for “mental health application information” and “mental health digital service,” and (3) it creates a new disclosure obligation regarding data breaches for certain businesses.[3]

As to the first two points, the amendment defines “mental health application information,” as information related to a consumer’s inferred or diagnosed mental health or substance use disorder and collected by a “mental health digital service” for purposes of managing the consumer’s medical information, or for the diagnosis, treatment, or management of a medical condition. “Mental health digital service” means a mobile-based application or Internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses such information to facilitate these services to a consumer.

As to the third point, California law requires a person or business that is required to issue a security breach notification pursuant to California Civil Code Section 1798.82 to more than 500 California residents as a result of a single breach of the security system to electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. The CMIA amendment adds notification requirements for businesses that offer a mental health digital service. Such businesses are now required, when partnering with a provider of health care, to give such providers information about how to find data breaches reported pursuant to Section 1798.82 on the Attorney General’s website.

Conclusion

With limited exceptions, the CMIA prohibits a provider of health care—including a health care service plan, contractor, pharmaceutical company, or mobile-based health applications—from disclosing the medical information obtained from a consumer without the consumer’s signed authorization.[4] Businesses that offer a mental health digital service to a consumer for the purpose of allowing the consumer to manage their own information, or for the diagnosis, treatment or management of a medical condition of the consumer, are now deemed to be providers of health care and subject to the requirements of the CMIA, including the new data breach disclosure requirements.

California, in keeping with the growing concern over mental health issues, including the establishment of a new 988 Suicide & Crisis alert number, has taken the lead in offering greater protection to California citizens being treated for mental health conditions. The amendments to the CMIA leave many questions as to how far the protections extend—such as the meaning of “consumer’s inferred or diagnosed mental health” and the scope of activities a business may engage in that would be deemed to be “marketing itself as facilitating mental health services to a consumer.”  Such ambiguity coupled with a private right of action will be sure to set up compliance challenges for businesses operating mobile applications that collect information related to mental health and substance abuse issues.

For more information or assistance, contact Sharon R. Klein, Alex C. Nisenbaum, Jennifer J. Daniels, Karen H. Shin, or another member of Blank Rome’s Privacy, Security & Data Protection group.

We thank Ann Huang for her writing assistance with this client alert.