Update June 24, 2022: On June 24, the Supreme Court overturned Roe v. Wade, a decades-old decision that federally protected abortion access across the U.S. This story has been updated to reflect their final decision.
Roe v. Wade was overturned by the Supreme Court on June 24, ending constitutional protections for abortion. States can now restrict, ban or protect the right to abortions with their own laws.
The ruling came more than a month after the leak of a draft opinion indicating the court was prepared to overturn the landmark case.
After the draft decision was published, Elizabeth C. McLaughlin, an attorney, activist and author, and Eva Galperin, who serves as the director of cybersecurity at the Electronic Frontier Foundation (EFF), a nonprofit digital rights group, said on social media that people should delete period-tracking apps from their phones.
Both McLaughlin and Galperin warned that the personal health data shared on these apps could potentially be used against people who are seeking an abortion once Roe v. Wade is overturned.
Google searches and some news reports indicate that many people are wondering whether health data from period-tracking apps is covered under the Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA.
THE QUESTION
Is health data from period-tracking apps protected under HIPAA?
THE SOURCES
- Centers for Disease Control and Prevention (CDC)
- Department of Health and Human Services (HHS)
- Federal Trade Commission (FTC)
- Alan Butler, executive director and president of the Electronic Privacy Information Center (EPIC)
- Pam Dixon, founder and executive director of the World Privacy Forum
- Review of 20 period-tracking app privacy policies available on the Apple App Store
- Statements from Clue, Flo and Ovia Health
THE ANSWER
No, health data from virtually all period-tracking apps is not protected under HIPAA.
If a person receives an app as a benefit from their health plan, health care provider or insurance company, such as some versions of the Ovia Health app, it may fall under HIPAA.
WHAT WE FOUND
HIPAA is a federal law that created national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge, according to the Centers for Disease Control and Prevention (CDC).
A U.S. Department of Health and Human Services (HHS) spokesperson told VERIFY in an email that HIPAA rules “apply only to covered entities and, to some extent, their business associates.” Covered entities include health plans and health care providers that conduct standard electronic transactions, such as billing insurance electronically.
Pam Dixon, the founder and executive director of the World Privacy Forum, a nonprofit that conducts in-depth research and analysis in the area of data privacy, says most period-tracking apps are not covered under HIPAA. She told VERIFY if a period-tracking app does not include a Notice of Privacy Practices for Protected Health Information in its privacy policy, then the health data shared on the app is not protected by HIPAA.
“Any kind of healthcare provider that's covered under HIPAA has to have something called a Notice of Privacy Practices. It's a standardized privacy policy that is mandated by the HIPAA rule. It will say the seven rights that you have under HIPAA and it will tell you how you can apply those rights to yourself,” Dixon said.
Alan Butler, the executive director and president of the Electronic Privacy Information Center (EPIC), a nonprofit research center based in Washington, D.C., agrees with Dixon.
“Typically, apps that individuals might use to track fertility or for other personal health uses that are not billed as part of a medical service, which most of them are not, are not covered under HIPAA, and therefore, the data, even though it's data about your body or data related to your health, it's not health data as the law defines it,” Butler told VERIFY.
Some period-tracking apps, like Glow, claim they are “HIPAA compliant” on their websites. However, Dixon says a period-tracking app claiming to be HIPAA compliant is a “big red flag.”
“HIPAA compliant does not mean that a period tracking app is covered under HIPAA. Actually, in terms of HIPAA, it doesn't mean anything — it's kind of a meaningless phrase,” Dixon said. “If you see that in a privacy policy, it's very likely that you're dealing with a period-tracking app that's not covered under HIPAA.”
VERIFY reached out to Glow but did not hear back by the time of publication. Glow’s current privacy policy can be found here. It does not include a Notice of Privacy Practices for Protected Health Information, nor does it mention the HIPAA acronym or include the phrase: “HIPAA compliant.”
“In the privacy policy, the main enforcement tool for a health app that is not covered under HIPAA is actually an obscure law, called ‘FTC Act, Section 5.’ What that means is that they can do and say almost anything, as long as they're telling you the truth about what they're doing,” Dixon said.
“So, if a health app is sharing your data or selling your data, they can use all sorts of weasel words to explain that, and if you don't understand the nuances of those weasel words, it's going to be a real hard thing for you when you realize your data has been shared, or even in some cases, sold,” Dixon continued.
VERIFY reviewed the privacy policies of 20 of the top period-tracking apps in the Apple App Store and found only one, Ovia Health, whose health data may be protected under HIPAA, and only in some circumstances. Ovia told VERIFY that some of the health data shared in its app may be covered, but not all of it. In its privacy policy, the company says it may fall under HIPAA “if a person receives the app as a benefit from their health plan or health care provider.”
“When Ovia users gain access to Ovia’s premium enterprise versions of our apps through their health insurer or employer health plan, HIPAA will apply. In that case, Ovia acts as a business associate for the Ovia enterprise customer and is required to protect the data in accordance with its business associate agreement under HIPAA. However, when Ovia users use the free consumer versions of our apps, HIPAA does not apply,” an Ovia spokesperson said in an email.
In January 2021, the Federal Trade Commission (FTC) issued a complaint against Flo Health Inc., the makers of Flo, a health app that tracks periods, ovulation and pregnancy, saying that Flo shared sensitive health data from millions of users of its app with marketing and analytics firms, including Facebook and Google, despite promising to keep users’ health data private.
Six months later, in June 2021, the FTC finalized a settlement that required Flo to obtain the affirmative consent of its app’s users before sharing their personal health information with others. The settlement also required Flo to obtain an independent review of its privacy practices.
In March 2022, Flo completed an external, independent privacy audit, and according to the company, there are “no gaps or weaknesses” in its updated privacy practices. Flo’s current privacy policy, which also doesn’t contain a notice of privacy practices or the HIPAA acronym, can be found here.
Flo told VERIFY in a statement that the company “firmly believes women’s health data should be held with the utmost privacy and care,” and says “Flo does not share personal health data with any third party.”
“Flo will never require a user to log an abortion or offer details that they feel should be kept private. Should a user express concern about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers,” Flo said.
A spokesperson for Clue, another period and ovulation tracking app, told VERIFY it is a European company obligated under the General Data Protection Regulation (GDPR) to “apply special protections to our users’ reproductive health data.”
In 2018, the GDPR was drafted and passed by the European Union (EU), and is considered one of the “toughest data privacy and security laws in the world” because it “imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”
“We completely understand the anxiety around how data could be used in U.S. courts if Roe v. Wade is overturned. We want to reassure our users that their sensitive health data, particularly any data tracked in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe. We do not sell it, and we never share it with ad networks,” Clue’s spokesperson said in an email. Clue’s current privacy policy can be found here.
The FTC released a list of ways people can protect their privacy when using health apps such as period trackers. The tips include comparing apps on privacy, taking control of your information by checking the app’s settings to make sure it lets you control the health data you share with it, and understanding the risks that come with sharing your personal health information with an app. The World Privacy Forum also publishes the Patient’s Guide to HIPAA on its website; the comprehensive guide includes tips on how to guard your health privacy information.
“We have a long way to go to ensure that people's data is protected and that there is not an inordinate unnecessary data trail left behind just from living our daily lives,” Butler said.
If you think a period-tracking app shared your data without your permission, you can contact the FTC at ReportFraud.ftc.gov.