Health app providers may have confidentiality obligations under state law

The wave of new state laws limiting access to abortion has raised concerns about the privacy and security of reproductive health data not subject to the Health Insurance Portability and Accountability Act (HIPAA). Some vendors are not subject to HIPAA, and consumer-facing health apps (health apps), unless subcontracted by a vendor or health plan, are also not subject to HIPAA. Determining whether HIPAA applies to health data collected by health apps can be complicated.1


Whether or not HIPAA applies, some states have laws and regulations that may regulate health data held by health apps. California has been particularly active in enforcing these regulations.


In 2020, the California Department of Justice (AG) reached a landmark settlement with Glow Inc. (Glow), a technology company that provides a mobile ovulation and fertility tracking app (Glow App), under the California Medical Information Act (CMIA), among others, for failing to implement basic security features and for disclosing medical information without obtaining user consent.2


California Attorney General Bonta recently issued a press release reminding health apps of the following California laws:3


  • CMIA requires any business that retains information from a health care provider, health care service plan, pharmaceutical company, or contractor regarding the medical history, mental or physical state, or treatment of a patient to respect certain confidentiality and security restrictions.
  • The California Consumer Privacy Act (CCPA), which created individual privacy rights for California consumers, requires Covered Businesses to provide certain information to consumers about their data collection, use and sharing practices, and to provide affected California residents with means to opt out of certain sales or transfers of personal information, as well as the right to request, modify and delete personal information.


California Attorney General Bonta further encouraged all health apps, even those outside the regulatory scope of the CMIA and CCPA, to take steps to protect the privacy of reproductive health information; this advice, however, can be applied to any health app that collects sensitive health information about a consumer. The Attorney General recommended that health apps:4


  • Develop and maintain programs designed to protect the security, integrity, availability, and confidentiality of reproductive health information from unauthorized access and disclosure;
  • Protect the information they store using strong authentication protocols and, at a minimum, require two-factor authentication;
  • Obtain affirmative consent from users before sharing or disclosing personal, medical, reproductive or otherwise sensitive information, and allow users to revoke previously granted consent; and
  • Provide internal training to employees on online threats and reproductive rights privacy issues.


In addition to encouraging companies to voluntarily raise their privacy standards, the aforementioned measures provide guidance on factors that may persuade the California Attorney General to investigate a health app’s compliance with California privacy laws.



1 For more information, please see Alex Dworkowitz, Brandon Reilly and Randi Seigel, When Healthcare and Consumer Data Rules Collide: Compliance with the Latest Generation of Data Privacy Laws, Compliance Today (June 2022).


2 https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93


3 Attorney General Bonta Highlights Legal Obligation of Health Apps to Protect Reproductive Health Information, State of California, Office of the Attorney General (May 26, 2022).


4 Each measure listed was also a condition of the 2020 Glow settlement.

