California is taking steps through Assembly Bill 254 (the “Bill”), approved by the State’s Governor on September 27, 2023, to ensure that patient information collected through reproductive or sexual health applications enjoys protections under the Confidentiality of Medical Information Act (the “CMIA”).[1] In addition to applying to providers and plans, the CMIA applies to businesses that offer software or hardware to consumers, such as mobile applications, which maintain medical information for the purpose of enabling management of such medical information or to otherwise assist in the diagnosis, treatment, or management of a medical condition.[2] As a result, software and application developers may need to consider the CMIA with respect to their obligations concerning this particular data. In addition to certain confidentiality requirements, the CMIA also prohibits certain marketing uses and disclosures and requires breach notification in certain qualifying situations.
The Bill increases the CMIA’s scope by revising its definition of “medical information” to capture “reproductive or sexual health application information,” which can include “information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.”[3] This expansion is particularly noteworthy for developers and innovators in the FemTech space, as they may need to assess their data usage activities to ensure conformance with the CMIA. This is particularly true given that the CMIA gives patients a private cause of action.[4]
It is also important to note that although the CMIA has historically extended protection to “sensitive information” (which includes information pertinent to behavioral health, sexual and reproductive health, sexually transmitted diseases, and certain other topics), its coverage was relatively limited because it was addressed only in a limited number of the CMIA’s provisions. By including reproductive or sexual health application information within the definition of “medical information” (which is the primary focus of the CMIA), the CMIA now affords far broader protection for information related to that growing area. The California legislature likely enacted the Bill to eliminate any question that the CMIA covers reproductive or sexual health application information as well as to build on its efforts to respond to the overturning of Roe v. Wade. This is particularly true given that the legislature amended the CMIA in 2022 to prohibit regulated entities from releasing medical information about an individual seeking or obtaining an abortion (or certain related services) to law enforcement or in response to a subpoena or other similar process based on another state’s law that interferes with a patient’s rights under California law.[5]
“[R]eproductive or sexual health application information” is confined to information that is collected through a “reproductive or sexual health digital service,” which includes a mobile-based application or internet website that “collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.”[6] This definition casts a wide net, and is likely to capture applications which provide general healthcare services that happen to overlap with the reproductive and sexual health areas. Indeed, the Bill will make it crystal clear that the CMIA is intended to afford protection to reproductive or sexual health information collected through a digital service.
If you have any questions about the Bill or its impact on your organization, please contact a member of the Sheppard Mullin Healthcare Group.
FOOTNOTES
[1] The CMIA is a healthcare-specific privacy law which generally prohibits healthcare providers, health care service plans, and other qualifying parties from making certain uses and disclosures of medical information, including for marketing purposes, without the patient’s authorization. Cal. Civ. Code § 56, et seq.
[2] Cal. Civ. Code § 56.06(b).
[3] Cal. Civ. Code § 56.05(p).
[4] Cal. Civ. Code § 56.35.
[5] Cal. Civ. Code § 56.108.
[6] Cal. Civ. Code § 56.05(q).