Ready or not, Roe v. Wade leak or not, health app developers are on notice. Those that collect sensitive personal information, such as reproductive data, must carefully navigate both federal and state laws. These laws are continually in flux and warrant ongoing monitoring.

Last September, I wrote about the FTC’s Policy Statement on enforcing the Health Breach Notification Rule. That followed a blog post I wrote about Flo Health’s breach and its failure to promptly notify its millions of female users that it had allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.


Yesterday, California Attorney General Rob Bonta issued a press release stating:

“The Confidentiality of Medical Information Act (CMIA) applies to mobile apps that are designed to store medical information, including some fertility trackers, and establishes privacy protections that go beyond federal law. In today’s alert, Attorney General Bonta urges health apps to adopt robust security and privacy measures to protect reproductive health information. At a minimum, these apps should assess the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.”

Consumer-facing health apps that are not subject to HIPAA as business associates must comply with CMIA if they collect information about California consumers, and apps that are subject to HIPAA must also comply with any CMIA privacy and security requirements that are contrary to and more stringent than HIPAA’s.

Finally, Attorney General Bonta pointed out that even if CMIA does not apply to certain apps, other California laws (such as the California Consumer Privacy Act) may apply and offer data rights and protections.

Health app developers must understand not only which data privacy and security laws apply, but also how the nature and sensitivity of the data must dictate privacy and security design. If they do not, they risk scrutiny in what will likely be a closely watched area of data privacy for years to come.

If you have any questions about how best to handle the reproductive data you receive and/or create as a vendor, or the applicability of HIPAA or state data and privacy laws to your company, please contact me at