2022-07-07
Federal Patient Privacy Law Does Not Cover Most Period-Tracking Apps
by Charles Ornstein
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
Following the Supreme Court’s decision overturning Roe v. Wade, advocates for privacy and reproductive health have expressed fears that data from period-tracking apps could be used to find people who’ve had abortions.
They have a point. The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track menstrual cycles, just as it doesn’t apply to many health care apps and at-home test kits.
In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and does not cover at-home paternity tests, fitness trackers or health apps.
The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. A part of the lab’s website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared.
She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn’t do anything about it. That’s because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.
Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women’s Health Organization, should spark a broader conversation about the limits of HIPAA.
“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company. “It’s been that way for a while, but now it’s in sharper relief.”
McGraw noted how that’s not just the case for period-tracking apps but also some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data protections are badly out of date,” she said. “But the agencies can’t fix this. This is on Congress.”
Consumer Reports’ digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users’ data.
In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.
“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.
The document quoted HHS Secretary Xavier Becerra about the protections provided by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.
The release later acknowledged that, in most cases, HIPAA rules do not protect the privacy or security of individuals’ health information when they access or store it on personal cellphones or tablets. It offered guidance on steps people can take to protect their information.
Since the court’s decision overturning Roe, some period-tracking apps have taken steps to minimize the risk of personal information being shared. One such company called Flo said it is developing an “anonymous mode” that would not require users to provide their name or email address.
“Flo does not share or sell any health data with any other company, but wanted to take this additional step to reassure users who are living in states affected by an abortion ban,” the company said in a press release. “It is important to note that once this mode is activated, users will no longer be able to recover data when the device is lost, changed, or stolen and there may be limitations to using the app’s full personalization benefits. This is why Flo is offering Anonymous Mode as an option for concerned users instead of activating it by default.”
In a statement after the Supreme Court decision, the digital civil liberties group Electronic Frontier Foundation said consumers should pay attention to “privacy settings on the services they use, turn off location services on apps that don’t need them, and use encrypted messaging services.
“Companies should protect users by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring that users get notice when their data is being sought,” the EFF statement said. “And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.”