On September 28, the governor of California signed into law AB 2089, which expands the scope of California’s Confidentiality of Medical Information Act (“CMIA”) to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services.
Specifically, AB 2089 amends the definition of “medical information” to include “mental health application information,” defined as “information related to a consumer’s inferred or diagnosed mental health or substance use disorder . . . collected by a mental health digital service.” “Mental health digital service” is in turn defined to mean “a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.”
In addition to expanding the scope of “medical information,” AB 2089 also provides that “any business that offers mental health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual” will be considered a provider of health care for purposes of the CMIA. AB 2089 further requires that any business that partners with and provides a mental health digital service to a provider of health care must offer the provider of health care information related to data breaches that must be reported to the California Attorney General.
The legislature passed the law in response to the recent increase in consumer utilization of mobile applications to access mental health care. While mental health information collected by a traditional health care provider, such as a psychologist, was clearly covered by the CMIA prior to the passage of AB 2089, there was ambiguity as to whether that same information collected by a mobile application or website, outside of a medical facility, fell within the scope of the CMIA. With the passage of AB 2089, the state has clarified that digital health solutions providing mental health services are subject to the CMIA’s restrictions on the use, disclosure, and maintenance of medical information and could face increased legal exposure under the CMIA’s private right of action.