Following the Supreme Court decision overturning Roe v. Wade, privacy and reproductive health advocates have expressed fears that data from period-tracking apps could be used to find people who have had abortions.
The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, doesn’t apply to most apps that track menstrual cycles, nor to many other health apps and home testing kits.
In 2015, ProPublica reported that HIPAA, which was passed in 1996, hasn’t kept up with technological changes and doesn’t cover home paternity testing, fitness trackers, or health apps.
The story was about a woman who bought a home paternity test from a local pharmacy and went online to get the results. As a cybersecurity consultant, she noticed something about the lab’s web address: the result she was shown was addressed by an identifier in the URL. When she changed that URL slightly, a long list of test results from about 6,000 other people appeared.
She complained on Twitter and the site was shut down. But when she alerted the Office for Civil Rights at the US Department of Health and Human Services, which oversees HIPAA compliance, officials told her there was nothing they could do about it. That’s because HIPAA only covers patient data held by healthcare providers, insurers and data clearinghouses, and by their business associates.
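The flaw the consultant stumbled on is an insecure direct object reference: the site looked up a record by the identifier in the URL and never checked whether the logged-in account actually owned it. The following is an added illustration written for this page, not the lab’s code and not from the original reporting. The record identifiers, account names and report text are constructed sample data; the vulnerable lookup is shown beside a hardened one that enforces object-level authorization and addresses records by an unguessable handle.

```python
"""
Insecure direct object reference (IDOR), as in the paternity-test site
described above. All data below is constructed for illustration.
"""
import secrets


class Forbidden(Exception):
    """Raised when a requester may not see a record (or it does not exist)."""


# Constructed sample records. Sequential IDs like these are what a URL such as
# /results?id=1042 would expose; "owner" is the account the kit was sold to.
RESULTS = {
    1041: {"owner": "alice", "report": "probability of paternity 99.9%"},
    1042: {"owner": "bob",   "report": "probability of paternity 0.0%"},
    1043: {"owner": "carol", "report": "probability of paternity 99.9%"},
}


def get_result_vulnerable(result_id: int):
    """Vulnerable pattern: trusts the ID from the URL, never asks who is logged in."""
    return RESULTS.get(result_id)


def enumerate_vulnerable(start: int, stop: int):
    """What the consultant did by hand: walk neighbouring IDs and collect
    every record the server hands back, regardless of owner."""
    found = []
    for rid in range(start, stop):
        record = get_result_vulnerable(rid)
        if record is not None:
            found.append((rid, record["owner"]))
    return found


def get_result(requester: str, result_id: int):
    """Hardened lookup: object-level authorization on every request.

    A record that does not exist and a record owned by someone else get the
    same refusal, so the endpoint cannot be used to confirm which IDs are live.
    """
    record = RESULTS.get(result_id)
    if record is None or record["owner"] != requester:
        raise Forbidden("no such result for this account")
    return record


def is_denied(requester: str, result_id: int) -> bool:
    """True if the hardened lookup refuses this requester/record pair."""
    try:
        get_result(requester, result_id)
    except Forbidden:
        return True
    return False


# Defense in depth (assumed design, not the lab's): hand each result an
# unguessable handle for use in URLs so neighbouring records cannot be
# enumerated. This does not replace the ownership check in get_result().
HANDLES = {secrets.token_urlsafe(16): rid for rid in RESULTS}


def get_result_by_handle(requester: str, handle: str):
    """Resolve an opaque URL handle, then apply the same authorization check."""
    rid = HANDLES.get(handle)
    if rid is None:
        raise Forbidden("no such result for this account")
    return get_result(requester, rid)


if __name__ == "__main__":
    print("vulnerable enumeration of 1000..1999:", enumerate_vulnerable(1000, 2000))
    print("hardened, bob reading 1042:", get_result("bob", 1042)["report"])
    print("hardened, alice reading 1042 denied:", is_denied("alice", 1042))
```

The ownership test is the fix; the random handle only raises the cost of guessing and would be worthless on its own, since anyone who obtains a handle (from a shared link, a log, a referrer header) would still be served the record without it.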
Deven McGraw is the former Associate Director of Health Information Protection at the HHS Office for Civil Rights. She said the decision overturning Roe, Dobbs v. Jackson Women’s Health Organization, should spark a broader discussion about the limits of HIPAA.
“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and they’re like, ‘What are we going to do?'” said McGraw, who is now responsible for data management at Invitae, a medical genetics company. “It’s been like this for a while, but now it’s more visible.”
McGraw noted that this isn’t just the case for period tracking apps, but also for some apps that store COVID-19 vaccine records. Since Congress wrote HIPAA, lawmakers would need to update it to cover these cases. “Our health privacy practices are severely outdated,” she said. “But the agencies can’t fix that. That’s in Congress.”
Consumer Reports’ digital lab this spring evaluated eight period-tracking apps and found that four allowed third-party tracking by companies other than the app’s maker. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a law enforcement subpoena, although one of the companies Consumer Reports polled said it would close down rather than release users’ data.
In a press release last week, HHS tried to allay concerns with some reassuring-sounding advice.
“Recent reports indicate that many patients are concerned that menstrual trackers and other health information apps on smartphones may compromise their right to privacy by exposing geolocation data, which could be misused by those who wish to refuse treatment,” HHS said in the press release.
The document quotes HHS Secretary Xavier Becerra on HIPAA protection: “HHS stands by patients and providers to protect HIPAA privacy rights and reproductive health information,” Becerra said. He urged anyone who believes their privacy rights have been violated to file a complaint with the Office for Civil Rights.
The press release later acknowledged that, in most cases, the HIPAA rules do not protect the privacy or security of individuals’ health information when they access or store it on personal cell phones or tablets. It provided guidance on steps people can take to protect their information.
Since the court decision to overturn Roe, some period-tracking apps have taken steps to minimize the risk of sharing personal information. One such company, named Flo, said it was developing an “anonymous mode” that would not require users to provide their name or email address.
“Flo does not share or sell health data with other companies, but wanted to take that extra step to reassure users living in states impacted by an abortion ban,” the company said in a press release. “It’s important to note that once this mode is enabled, users will no longer be able to recover data if the device is lost, modified, or stolen, and there may be limitations in using the app’s full personalization benefits. Because of this, Flo is offering affected users anonymous mode as an option instead of enabling it by default.”
In a statement following the Supreme Court decision, digital civil rights group Electronic Frontier Foundation said consumers should be “aware of privacy settings on the services they use, turn off location services for apps they don’t need, and use encrypted messaging services.”
“Organizations should protect users by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring users are notified when their data is stored,” reads the EFF statement. “And federal and state policymakers need to pass meaningful privacy laws. All of these steps are necessary to protect privacy and are long overdue.”