Federal Patient Privacy Law Does Not Cover Most Period-Tracking Apps

A patient privacy law known as HIPAA, passed in 1996, hasn’t kept pace with new technologies and at-home tests.

This article first appeared at ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom.

Following the Supreme Court’s decision overturning Roe v. Wade, advocates for privacy and reproductive health have expressed fears that data from period-tracking apps could be used to find people who’ve had abortions.

They have a point. The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track menstrual cycles, just as it doesn’t apply to many health care apps and at-home test kits.

In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and does not cover at-home paternity tests, fitness trackers or health apps.

The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. A part of the lab’s website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared.

She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn’t do anything about it. That’s because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.

Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women’s Health Organization, should spark a broader conversation about the limits of HIPAA.

“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company. “It’s been that way for a while, but now it’s in sharper relief.”

McGraw noted that this is the case not just for period-tracking apps but also for some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data protections are badly out of date,” she said. “But the agencies can’t fix this. This is on Congress.”

Consumer Reports’ digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users’ data.

In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.

“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.

The document quoted HHS Secretary Xavier Becerra about the protections provided by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.

The release later acknowledged that, in most cases, HIPAA rules do not protect the privacy or security of individuals’ health information when they access or store it on personal cellphones or tablets. It offered guidance on steps people can take to protect their information.

Since the court’s decision overturning Roe, some period-tracking apps have taken steps to minimize the risk of personal information being shared. One such company, Flo, said it is developing an “anonymous mode” that would not require users to provide their name or email address.

“Flo does not share or sell any health data with any other company, but wanted to take this additional step to reassure users who are living in states affected by an abortion ban,” the company said in a press release. “It is important to note that once this mode is activated, users will no longer be able to recover data when the device is lost, changed, or stolen and there may be limitations to using the app’s full personalization benefits. This is why Flo is offering Anonymous Mode as an option for concerned users instead of activating it by default.”

In a statement after the Supreme Court decision, the digital civil liberties group Electronic Frontier Foundation said consumers should pay attention to “privacy settings on the services they use, turn off location services on apps that don’t need them, and use encrypted messaging services.

“Companies should protect users by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring that users get notice when their data is being sought,” the EFF statement said. “And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.”


Notable Replies

  1. paulw says:

    The companies (large and small) need to stop collecting data that will identify people. Because states will come after them for it. Google’s plan to lose location data near reproductive health clinics is a start, but only a start.

  2. Researchers, according to Peck, will be “crafting studies” on “the health fallout for women” and what will “happen” with “abortion rates.”

    “Economists will, of course, also look at economics,” Peck notes. “Some household financial impact will happen quickly. For example, pregnancy can force women out of work, and have an immediate effect on families. The (New York Times) profiles a bookkeeper in Texas who was earning $35/hour, but couldn’t access an abortion in Texas. Pregnancy complications forced her out of work. She now relies on a charity program for help.”

  3. I had no idea what a period tracking app was so I asked. If I have it right you input what info you have… like the day you last started and the app then predicts maximum times of fertility and such. The interesting thing is I got that information from my employees (all younger women) and all of them said they’ve deleted the things. Seems warnings have been out there long before the fall of Roe.

  4. This Nineteen Eighty-Four / The Handmaid’s Tale crossover is really gonna suck.
