Health data from period tracking apps not covered by HIPAA

HIPAA applies to covered entities, such as healthcare providers who conduct electronic transactions, but not to most period tracking apps in the app store.

After the leak of a draft Supreme Court opinion on Roe v. Wade, which suggested the court may overturn a federal ruling protecting U.S. abortion rights, Elizabeth McLaughlin, a lawyer, activist and writer, and Eva Galperin said on social media that people should delete period-tracking apps from their phones.

Both McLaughlin and Galperin have warned that if Roe v. Wade is overturned, personal health data shared on the apps could be used against people seeking abortions.

Google search data and some news reports show that many people want to know whether health data from period tracking apps is covered by the Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA.

Question

Is health data from period tracking apps HIPAA protected?

Answer

This is wrong.

No, health data from almost all period tracking apps is not HIPAA protected.

If a person receives an app as a benefit from their health plan, healthcare provider or insurance company, such as some versions of the Ovia Health app, it may fall under HIPAA.

What we found

According to the Centers for Disease Control and Prevention (CDC), HIPAA is a federal law that sets national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge.

A spokesperson for the U.S. Department of Health and Human Services (HHS) told VERIFY in an email that HIPAA rules “apply only to covered entities and, to some extent, their business partners.” Covered entities include health plans and healthcare providers that conduct standard electronic transactions, such as electronically billing insurance.

Pam Dixon, founder and executive director of the World Privacy Forum, a nonprofit that conducts in-depth research and analysis in the field of data privacy, said most period-tracking apps fall outside the scope of HIPAA. She told VERIFY that if a period tracking app doesn’t include a Notice of Privacy Practices for Protected Health Information in its privacy policy, health data shared on the app is not protected by HIPAA.

“Any type of healthcare provider covered by HIPAA must have something called a notice of privacy practices. It’s a standardized privacy policy enforced by the HIPAA rules. It states the seven rights you have under HIPAA, it tells you how to apply these rights to yourself,” Dixon said.

Alan Butler, executive director and president of the Electronic Privacy Information Center (EPIC), a nonprofit research center in Washington, D.C., agreed with Dixon.

“Typically, apps that an individual might use to track fertility or other personal health uses are not part of health care, most of which are not covered by HIPAA, so the data, even if it is data about your body or health-related data about you, is not health data as defined by law,” Butler told VERIFY.

Some period tracking apps, such as Glow, claim on their websites that they are “HIPAA Compliant.” However, Dixon said period tracking apps that claim to be HIPAA compliant are a “big red flag.”

“HIPAA compliance doesn’t mean period tracking apps are included in HIPAA. In fact, as far as HIPAA is concerned, it doesn’t make any sense — it’s a meaningless phrase,” Dixon said. “If you’re seeing this in your privacy policy, you’re probably dealing with a period tracking app that’s not covered by HIPAA.”

VERIFY reached out to Glow but received no response at the time of publication. Glow’s current privacy policy does not include a Notice of Privacy Practices for Protected Health Information, nor does it mention the HIPAA acronym or contain the phrase “HIPAA Compliant.”

“In the privacy policy, the primary enforcement tool for health apps not covered by HIPAA is actually an obscure law called the FTC Act, Section 5. That means they can do and say almost anything, as long as they tell you the truth about what they’re doing,” Dixon said.

“So, if a health app is sharing your data or selling your data, they can use all sorts of dodgy words to explain that, and if you don’t understand the nuances of those dodgy words, it’s going to be very difficult for things to work for you when you realize your data has been shared and, in some cases, sold,” continued Dixon.

VERIFY looked into the privacy policies of 20 of the top period tracking apps found in the Apple App Store, but was only able to find one, Ovia Health, which told VERIFY that in some cases some health data shared in its apps could be protected by HIPAA, but not all. In its privacy policy, the company said, “if a person receives the app as a benefit from their health plan or healthcare provider,” it may fall under HIPAA.

“HIPAA will apply when an Ovia user accesses Ovia’s Advanced Enterprise Edition application through their health insurance company or employer health plan. In this case, Ovia acts as a business partner to Ovia’s enterprise customer and is required under HIPAA business partner agreements to protect data. However, HIPAA does not apply when Ovia users use the free consumer version of our app,” an Ovia spokesperson said in an email.

In January 2021, the Federal Trade Commission (FTC) issued a complaint against Flo Health Inc., maker of Flo, a health app that tracks periods, ovulation and pregnancy, saying Flo shared sensitive health data on its app’s millions of users with marketing and analytics firms, including Facebook and Google, despite its promises to keep users’ health data private.

Six months later, in June 2021, the Federal Trade Commission reached a settlement that requires Flo to obtain affirmative consent from its app users before sharing their personal health information with others. The settlement also requires Flo to conduct an independent review of its privacy practices.

In March 2022, Flo completed an external independent privacy audit and, according to the company, its updated privacy practices “have no gaps or weaknesses.” Flo’s current privacy policy also does not contain the Notice of Privacy Practices or the HIPAA acronym.

Flo told VERIFY in a statement that the company “believes that women’s health data should be held with the utmost privacy and care,” adding that “Flo does not share personal health data with any third parties.”

“Flo will never ask users to document abortions or provide details they believe should be kept private. If users express concerns about submitted data, Flo’s customer support team will delete all historical data, which will completely delete all data from Flo’s servers,” Flo said.

A spokesperson for Clue, another period and ovulation tracking app, told VERIFY that it is a European company and that, in accordance with the General Data Protection Regulation (GDPR), it does “apply special protections to our users’ reproductive health data.”

In 2018, the GDPR was drafted and passed by the European Union (EU), and it is considered one of the “strictest data privacy and security laws in the world” because it “imposes obligations on organisations anywhere as long as they target or collect data related to EU individuals.”

“If Roe v. Wade is overturned, we fully understand the anxiety about how U.S. courts will use data. We want to reassure our users that their sensitive health data, especially any data about a pregnancy, miscarriage or abortion tracked in Clue, is confidential and secure. We do not sell it, and we never share it with ad networks,” a spokesperson for Clue said in an email.

The FTC released a list of ways people can protect their privacy when using health apps, such as period trackers. These tips include comparing privacy options, taking control of your information by checking the app’s settings to make sure it gives you control over the health data you share with it, and understanding the risks of sharing your personal health information with apps. The World Privacy Forum also shared a HIPAA patient guide on its website. The comprehensive guide includes tips on how to protect your health privacy information.

“We still have a long way to go to ensure that people’s data is protected and that there are not too many unnecessary traces of data just because of our daily lives,” Butler said.

If you believe a period tracking app has shared your data without your permission, you can contact the FTC at ReportFraud.ftc.gov.
