California is taking steps via Meeting Invoice 254 (the “Invoice”), permitted by the State’s Governor on September 27, 2023, to make sure that affected person info collected via reproductive or sexual well being purposes enjoys protections underneath the Confidentiality of Medical Data Act (the “CMIA”).[1] Along with making use of to suppliers and plans, the CMIA applies to companies that supply software program or {hardware} to customers, akin to cell purposes, which preserve medical info for the aim of enabling administration of such medical info or to in any other case assist prognosis, remedy, or administration of a medical situation.[2] In consequence, software program and software builders may have to contemplate the CMIA with respect to their obligations referring to this explicit knowledge. Along with sure confidentiality necessities, the CMIA additionally prohibits sure advertising and marketing makes use of and disclosures and requires breach notification in sure qualifying situations.

The Invoice will broaden the CMIA’s scope by revising its definition of “medical info” to seize “reproductive or sexual well being software info” which is able to embrace “details about a shopper’s reproductive well being, menstrual cycle, fertility, being pregnant, being pregnant end result, plans to conceive, or sort of sexual exercise collected by a reproductive or sexual well being digital service, together with, however not restricted to, info from which one can infer somebody’s being pregnant standing, menstrual cycle, fertility, hormone ranges, contraception use, sexual exercise, or gender id.”[3] This growth is especially noteworthy for builders and innovators within the FemTech house, as they might want to assess their knowledge utilization actions to make sure conformance to the CMIA. That is notably true, provided that the CMIA provides sufferers a non-public explanation for motion.[4]

It is usually vital to notice that though the CMIA has traditionally prolonged safety to “delicate info” (which incorporates info pertinent to behavioral well being, sexual and reproductive well being, sexually transmitted ailments, and sure different matters), its protection was comparatively restricted because it was addressed solely in a restricted variety of the CMIA’s provisions. By together with reproductive or sexual well being software info throughout the definition of “medical info” (which is the first focus of the CMIA), the CMIA now affords far broader safety for info associated to that rising house. The California legislature possible enacted the Invoice to get rid of any query that the CMIA covers reproductive or sexual well being software info in addition to to construct on its efforts to reply to the overturning of Roe v. Wade. That is notably true, provided that the legislature amended the CMIA in 2022 to ban regulated entities from releasing medical details about a person looking for or acquiring an abortion (or sure associated providers) to regulation enforcement or in response to a subpoena or different comparable course of based mostly on one other state’s regulation that interferes with a affected person’s rights underneath California regulation.[5]

“[R]eproductive or sexual well being software info” is confined to info that’s collected via a “reproductive or sexual well being digital service,” which features a mobile-based software or web web site that “collects reproductive or sexual well being software info from a shopper, markets itself as facilitating reproductive or sexual well being providers to a shopper, and makes use of the data to facilitate reproductive or sexual well being providers to a shopper.”[6] This definition casts a large internet, and can possible seize purposes which give normal healthcare providers that occur to overlap with the reproductive and sexual well being areas. Certainly, the Invoice will make it crystal clear that the CMIA is meant to afford safety to reproductive or sexual well being info collected via a digital service.

If in case you have any questions in regards to the Invoice or its impression in your group, please contact a member of the Sheppard Mullin Healthcare Workforce.

FOOTNOTES

[1] The CMIA is a healthcare-specific privateness regulation which usually prohibits healthcare suppliers, well being care service plans, and different qualifying events from guaranteeing makes use of and disclosures of medical info, together with for advertising and marketing functions, with out the affected person’s authorization. Cal. Civ. Code § 56, et seq.

[2] Cal. Civ. Code § 56.06(b).

[3] Cal. Civ. Code § 56.05(p).

[4] Cal. Civ. Code § 56.35.

[5] Cal. Civ. Code § 56.108.

[6] Cal. Civ. Code § 56.05(q).