On September 28, the governor of California signed into law AB 2089, which expands the scope of California’s Confidentiality of Medical Information Act (“CMIA”) to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services. 

Specifically, AB 2089 amends the definition of “medical information” to include “mental health application information,” defined as “information related to a consumer’s inferred or diagnosed mental health or substance use disorder . . . collected by a mental health digital service.”  “Mental health digital service” is in turn defined to mean “a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.”  

In addition to expanding the scope of “medical information,” AB 2089 also provides that “any business that offers mental health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual” will be considered a provider of health care for purposes of the CMIA.  AB 2089 further requires that any business that partners with and provides a mental health digital service to a provider of health care must offer the provider of health care information related to data breaches that must be reported to the California Attorney General.

The legislature passed the law in response to the recent increase in consumer utilization of mobile applications to access mental health care.  While mental health information collected by a traditional health care provider, such as a psychologist, was clearly covered by the CMIA prior to the passage of AB 2089, there was ambiguity as to whether that same information collected by a mobile application or website, outside of a medical facility, fell within the scope of the CMIA.  With the passage of AB 2089, the state has clarified that digital health solutions providing mental health services are subject to the CMIA’s restrictions on the use, disclosure, and maintenance of medical information and could face increased legal exposure under the CMIA’s private right of action.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Tara Carrier Tara Carrier

Tara Carrier advises clients on a variety of health care compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. She routinely advises on regulatory compliance and…

Tara Carrier advises clients on a variety of health care compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. She routinely advises on regulatory compliance and enforcement risk, commercial transactions, and administrative and legislative policy opportunities. Tara also has experience counseling clients on investigations and compliance matters, including implementing and operating under HHS OIG Corporate Integrity Agreements.

Photo of Olivia Vega Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and…

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an…

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.