California is taking steps through Assembly Bill 254 (the “Bill”), approved by the State’s Governor on September 27, 2023, to ensure that patient information collected through reproductive or sexual health applications enjoys protections under the Confidentiality of Medical Information Act (the “CMIA”).[1] In addition to applying to providers and plans, the CMIA applies to businesses that offer software or hardware to consumers, such as mobile applications, which maintain medical information for the purpose of enabling management of such medical information or to otherwise support diagnosis, treatment, or management of a medical condition.[2] As a result, software and application developers may need to consider the CMIA with respect to their obligations relating to this particular data. In addition to certain confidentiality requirements, the CMIA also prohibits certain marketing uses and disclosures and requires breach notification in certain qualifying instances.

The Bill will expand the CMIA’s scope by revising its definition of “medical information” to capture “reproductive or sexual health application information” which will include “information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.”[3] This expansion is particularly noteworthy for developers and innovators in the FemTech space, as they will need to assess their data usage activities to ensure conformance to the CMIA. This is particularly true, given that the CMIA gives patients a private cause of action.[4]

It is also important to note that although the CMIA has historically extended protection to “sensitive information” (which includes information pertinent to behavioral health, sexual and reproductive health, sexually transmitted diseases, and certain other topics), its coverage was relatively limited as it was addressed only in a limited number of the CMIA’s provisions. By including reproductive or sexual health application information within the definition of “medical information” (which is the primary focus of the CMIA), the CMIA now affords far broader protection for information related to that emerging space. The California legislature likely enacted the Bill to eliminate any question that the CMIA covers reproductive or sexual health application information as well as to build on its efforts to respond to the overturning of Roe v. Wade. This is particularly true, given that the legislature amended the CMIA in 2022 to prohibit regulated entities from releasing medical information about an individual seeking or obtaining an abortion (or certain related services) to law enforcement or in response to a subpoena or other similar process based on another state’s law that interferes with a patient’s rights under California law.[5]

“[R]eproductive or sexual health application information” is confined to information that is collected through a “reproductive or sexual health digital service,” which includes a mobile-based application or internet website that “collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.”[6] This definition casts a wide net, and will likely capture applications which provide general healthcare services that happen to overlap with the reproductive and sexual health spaces. Indeed, the Bill will make it crystal clear that the CMIA is intended to afford protection to reproductive or sexual health information collected through a digital service.

FOOTNOTES

[1] The CMIA is a healthcare-specific privacy law which generally prohibits healthcare providers, health care service plans, and other qualifying parties from making certain uses and disclosures of medical information, including for marketing purposes, without the patient’s authorization. Cal. Civ. Code § 56, et seq.

[2] Cal. Civ. Code § 56.06(b).

[3] Cal. Civ. Code § 56.05(p).

[4] Cal. Civ. Code § 56.35.

[5] Cal. Civ. Code § 56.108.

[6] Cal. Civ. Code § 56.05(q).