Assembly Bill 2089 expands consumer rights and protections over individually identifiable health information by revising existing definitions under the California Confidentiality of Medical Information Act (“CMIA”) to include medical information collected via mobile applications or websites. Companies that collect and use information related to a consumer’s inferred or diagnosed mental health or substance use disorder and that facilitate the marketing of mental health services to consumers should be aware of their responsibilities under the newly amended CMIA.
California Governor Gavin Newsom has signed into law Assembly Bill 2089 (“AB 2089”), which amends the CMIA[1] to include “mental health app information” in its definition of “medical information” and imposes additional obligations on companies offering a mobile app or online “mental health digital service” to a consumer for the purpose of allowing the consumer to manage their own information, or for the diagnosis, treatment or management of a medical condition.
Under the September 28, 2022 amendment, any company that offers a “digital mental health service” is considered a healthcare provider within the meaning of the CMIA, and subject to the provisions of the CMIA. “Digital Mental Health Service” means a mobile application or Internet website that collects mental health application information from a consumer, presents itself as facilitating mental health services to a consumer, and uses this information to provide these services to the consumer.
The amendment also adds a new disclosure requirement for companies offering a digital mental health service. Consumers may sue privately for nominal and/or actual damages for violations arising from the CMIA, and violators may separately be subject to administrative fines and civil penalties.
Background
The CMIA is a California state law that provides consumers with rights and protections over their health information, in addition to those provided by the federal Health Insurance Portability and Accountability Act (“HIPAA”).
Except in limited circumstances, a healthcare provider subject to the CMIA may not use or disclose medical information obtained from a consumer without the consumer’s valid authorization. The authorization must be in writing and signed by the consumer, and it must specify certain information, including the uses and limitations of the types of medical information to be disclosed and the expiration date of the authorization. The CMIA also requires a healthcare provider who creates, maintains, stores or destroys medical information to do so in a manner that maintains confidentiality.[2]
Importantly, the CMIA provides consumers with a private right of action for a privacy breach related to the unauthorized disclosure of a consumer’s individually identifiable health information.
The Amendment
AB 2089 amends three key provisions of the CMIA: (1) it expands the definition of “medical information” to include “mental health application information,” (2) it adds related definitions for “mental health application information” and “digital mental health service,” and (3) it creates a new data breach disclosure obligation for certain companies.[3]
With respect to the first two points, the amendment defines “mental health application information” as information relating to an inferred or diagnosed mental health or substance use disorder of a consumer and collected by a “digital mental health service” for the purpose of managing consumer medical information, or for the diagnosis, treatment or management of a medical condition. “Digital Mental Health Service” means a mobile application or Internet website that collects mental health application information from a consumer, presents itself as facilitating mental health services to a consumer, and uses that information to facilitate these services to a consumer.
With respect to the third point, California law requires that a person or company that is required to issue a security breach notification under California Civil Code Section 1798.82 to more than 500 California residents following a single security system breach electronically submit a single copy of this security breach notification, excluding any personally identifiable information, to the Attorney General. The CMIA amendment adds notification requirements for companies that offer a digital mental health service. These companies are now required, when partnering with a healthcare provider, to provide those providers with information on how to find data breaches reported pursuant to Section 1798.82 on the Attorney General’s website.
Conclusion
With limited exceptions, the CMIA prohibits a health care provider, including a health care service plan, contractor, pharmaceutical company, or mobile health app, from disclosing medical information obtained from a consumer without the consumer’s signed authorization.[4] Companies that offer a digital mental health service to a consumer for the purpose of enabling them to manage their own information, or for the diagnosis, treatment or management of a consumer’s medical condition, are now considered healthcare providers and subject to CMIA requirements, including new data breach disclosure requirements.
California, in line with growing concern over mental health issues, including the creation of a new 988 Suicide & Crisis alert number, has taken the initiative to provide greater protection for California citizens treated for mental health issues. The changes to the CMIA raise many questions about the scope of protections, such as the meaning of “suspected or diagnosed consumer mental health” and the scope of activities a business can engage in that would be considered “marketing as facilitating mental health services to a consumer.” Such ambiguity, coupled with a private right of action, is sure to create compliance issues for companies operating mobile apps that collect information related to mental health and addictions issues.
[1] Cal. Civ. Code § 56 et seq.
[2] See Cal. Civ. Code § 56.06(e).
[3] See Cal. Civ. Code §§ 56.06(b); 56.05(i)-(k); 56.251.
[4] See Cal. Civ. Code §§ 56.05(j), (k), (o); 56.06.