California passed Assembly Bill (AB) 2089, which amends the Confidentiality of Medical Information Act (CMIA) to include mental health application information under the definition of medical information. Under the revisions to CMIA, mental health application information is defined as information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.  Similarly, “mental health digital service” is defined as a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.

Under AB 2089 any business that offers a mental health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, is deemed to be a provider of health care subject to the requirements of the CMIA.

Moreover, the bill requires any business that offers a mental health digital service, when partnering with a provider of health care, to provide to the health care provider information regarding how to find data breaches reported, as specified, on the internet website of the Attorney General.