Update June 24, 2022: On June 24, the Supreme Court overturned Roe v. Wade, a decades-old decision that federally protected abortion access across the U.S. This story has been updated to reflect their final decision.
Roe v. Wade was overturned by the Supreme Court on June 24, ending constitutional protections for abortion. States can now restrict, ban or protect the right to abortions with their own laws.
The ruling came more than a month after the leak of a draft opinion indicating the court was ready to overturn the landmark case.
After the draft decision was published, Elizabeth C. McLaughlin, an attorney, activist and author, and Eva Galperin, who serves as the director of cybersecurity at the Electronic Frontier Foundation (EFF), a nonprofit digital rights group, said on social media that people should delete period-tracking apps off their phones.
Both McLaughlin and Galperin warned that the personal health data shared on these apps could potentially be used against people who are seeking an abortion once Roe v. Wade is overturned.
Google searches and some news reports indicate that many people are wondering if health data from period-tracking apps are covered under the Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA.
THE QUESTION
Is health data from period-tracking apps protected under HIPAA?
THE SOURCES
- Centers for Disease Control and Prevention (CDC)
- Department of Health and Human Services (HHS)
- Federal Trade Commission (FTC)
- Alan Butler, executive director and president of the Electronic Privacy Information Center (EPIC)
- Pam Dixon, founder and executive director of the World Privacy Forum
- Review of 20 period-tracking app privacy policies available on the Apple App Store
- Statements from Clue, Flo and Ovia Health
THE ANSWER
No, health data from virtually all period-tracking apps is not protected under HIPAA.
If a person receives an app as a benefit from their health plan, health care provider or insurance company, such as some versions of the Ovia Health app, it may fall under HIPAA.
WHAT WE FOUND
HIPAA is a federal law that created national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge, according to the Centers for Disease Control and Prevention (CDC).
A U.S. Department of Health and Human Services (HHS) spokesperson told VERIFY in an email that HIPAA rules “apply only to covered entities and, to some extent, their business associates.” Covered entities include health plans and health care providers that conduct standard electronic transactions, such as billing insurance electronically.
Alan Butler, the executive director and president of the Electronic Privacy Information Center (EPIC), a nonprofit research center based in Washington, D.C., agrees with Dixon.
“Typically, apps that individuals might use to track fertility or for other personal health uses that are not billed as part of a medical service, which most of them are not, are not covered under HIPAA, and therefore, the data, even though it's data about your body or data related to your health, it's not health data as the law defines it,” Butler told VERIFY.
Some period-tracking apps, like Glow, claim they are “HIPAA compliant” on their websites. However, Dixon says a period-tracking app claiming to be HIPAA compliant is a “big red flag.”
“So, if a health app is sharing your data or selling your data, they can use all sorts of weasel words to explain that, and if you don't understand the nuances of those weasel words, it's going to be a real hard thing for you when you realize your data has been shared, or even in some cases, sold,” Dixon continued.
“When Ovia users gain access to Ovia’s premium enterprise versions of our apps through their health insurer or employer health plan, HIPAA will apply. In that case, Ovia acts as a business associate for the Ovia enterprise customer and is required to protect the data in accordance with its business associate agreement under HIPAA. However, when Ovia users use the free consumer versions of our apps, HIPAA does not apply,” an Ovia spokesperson said in an email.
In January 2021, the Federal Trade Commission (FTC) issued a complaint against Flo Health Inc., the makers of Flo, a health app that tracks periods, ovulation and pregnancy, saying that Flo shared sensitive health data from millions of users of its app with marketing and analytics firms, including Facebook and Google, despite promising to keep users’ health data private.
Six months later, in June 2021, the FTC finalized a settlement that required Flo to obtain the affirmative consent of its app’s users before sharing their personal health information with others. The settlement also required Flo to obtain an independent review of its privacy practices.
Flo told VERIFY in a statement that the company “firmly believes women’s health data should be held with the utmost privacy and care,” and says “Flo does not share personal health data with any third party.”
“Flo will never require a user to log an abortion or offer details that they feel should be kept private. Should a user express concern about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers,” Flo said.
A spokesperson for Clue, another period and ovulation tracking app, told VERIFY it is a European company obligated under the General Data Protection Regulation (GDPR) to “apply special protections to our users’ reproductive health data.”
In 2018, the GDPR was drafted and passed by the European Union (EU), and is considered one of the “toughest data privacy and security laws in the world” because it “imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”
The FTC released a list of ways people can protect their privacy when using health apps, like period-trackers. These tips include comparing options on privacy; taking control of your information by checking the app’s settings to make sure it lets you control the health data you share with it; and knowing the risks that come with sharing your personal health information with an app. The World Privacy Forum also shares the Patient’s Guide to HIPAA on its website. The comprehensive guide includes tips on how to guard your health privacy information.
“We have a long way to go to ensure that people's data is protected and that there is not an inordinate unnecessary data trail left behind just from living our daily lives,” Butler said.
If you think a period-tracking app shared your data without your permission, you can contact the FTC at ReportFraud.ftc.gov.