California Expands Its Confidentiality of Medical Information Act to Regulate Mental Health Digital Services

Pratt's Privacy & Cybersecurity Law Report

In this article, the authors explain that businesses that collect and use information related to a consumer’s inferred or diagnosed mental health or substance use disorder, and that facilitate mental health services marketed to consumers, should be aware of their responsibilities under the newly amended Confidentiality of Medical Information Act.

California Governor Gavin Newsom has signed into law Assembly Bill 2089 (AB 2089), which amends the California Confidentiality of Medical Information Act (CMIA) to include “mental health application information” in its definition of “medical information,” and imposes additional obligations for businesses offering a mobile-based application or online “mental health digital service” to a consumer for the purpose of allowing the consumer to manage their own information, or for the diagnosis, treatment or management of a medical condition.

Under the September 28, 2022, amendment, any business that offers a “mental health digital service” is deemed to be a provider of healthcare for purposes of the CMIA, and subject to the CMIA’s provisions. “Mental health digital service” refers to a mobile-based application or Internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses such information to provide these services to the consumer.

The amendment also adds a new disclosure requirement for businesses offering a mental health digital service. Consumers may institute private causes of action to recover nominal and/or actual damages for violations arising under the CMIA, and violators may separately be subject to administrative fines and civil penalties.

“California Expands Its Confidentiality of Medical Information Act to Regulate Mental Health Digital Services,” by Sharon R. Klein, Alex C. Nisenbaum, Jennifer J. Daniels, and Karen H. Shin, was published in the February–March 2023 edition of Pratt’s Privacy & Cybersecurity Law Report (Vol. 9, No. 2), an A.S. Pratt Publication, LexisNexis. Reprinted with permission.

This article was first published as a Blank Rome Privacy, Security & Data Protection client advisory in October 2022.