No, health data from most period-tracking apps is not protected under HIPAA
HIPAA applies to covered entities, like health care providers that conduct electronic transactions — not the vast majority of apps that track periods and pregnancy.
The 2024 presidential election was called for Donald Trump, making him the 47th president of the United States, in the early hours of Wednesday, Nov. 6.
That same day, a viral post on X warned that personal data shared with apps that track menstrual cycles and pregnancy could be used against people seeking an abortion in the United States.
“IMMEDIATELY STOP USING PERIOD AND PREGNANCY TRACKERS IN THE US. DONT PUT IN ANOTHER PIECE OF DATA. DELETE IT,” said an X post with over 10 million views.
Similar warnings circulated online when Roe v. Wade, the decades-old decision that had protected abortion access nationwide, was overturned by the Supreme Court on June 24, 2022.
Recent online search trends show that some people are wondering if private health data from period-tracking apps is covered under the Health Insurance Portability and Accountability Act of 1996, a federal law widely known as HIPAA.
THE QUESTION
Is health data from period-tracking apps protected under HIPAA?
THE SOURCES
U.S. Department of Health and Human Services (HHS) spokesperson
U.S. Centers for Disease Control and Prevention (CDC)
Pam Dixon, founder and executive director, World Privacy Forum
Alan Butler, executive director and president, Electronic Privacy Information Center (EPIC)
Federal Trade Commission (FTC)
Ovia Health spokesperson
Flo Health Inc. statement
Clue spokesperson
THE ANSWER
No, health data from virtually all period-tracking apps is not protected under HIPAA.
WHAT WE FOUND
Health data from virtually all apps that track menstrual cycles is not protected under the federal patient privacy law known as HIPAA. This is because most period-tracking apps are not considered covered entities under the law.
HIPAA is a federal law that created national standards to protect sensitive patient health information from being shared without the patient’s consent or knowledge, according to the U.S. Centers for Disease Control and Prevention (CDC).
HIPAA rules “apply only to covered entities and, to some extent, their business associates,” a spokesperson at the U.S. Department of Health and Human Services (HHS) said. Covered entities are health plans, health care clearinghouses and health care providers that conduct standard electronic transactions, such as billing insurance electronically. A business associate is a vendor that handles protected health information on a covered entity’s behalf and is bound to it by a written business associate agreement.
Pam Dixon, founder and executive director of the World Privacy Forum, a nonprofit that researches data privacy, told VERIFY that the practical test is simple: if a period-tracking app’s privacy policy does not include a Notice of Privacy Practices for Protected Health Information, the health data shared with the app is not protected by HIPAA.
“Any kind of healthcare provider that’s covered under HIPAA has to have something called a Notice of Privacy Practices. It’s a standardized privacy policy that is mandated by the HIPAA rule. It will say the seven rights that you have under HIPAA and it will tell you how you can apply those rights to yourself,” Dixon explained.
Alan Butler, the executive director and president of the Electronic Privacy Information Center (EPIC), a nonprofit research center based in Washington, D.C., agrees with Dixon.
“Typically, apps that individuals might use to track fertility or for other personal health uses that are not billed as part of a medical service, which most of them are not, are not covered under HIPAA,” Butler said. “Even though it’s data about your body or data related to your health, it’s not health data as the law defines it.”
Some period-tracking apps claim they are “HIPAA compliant” on their websites. However, Dixon says a period-tracking app claiming to be HIPAA compliant is a “big red flag.”
“HIPAA compliant does not mean that a period tracking app is covered under HIPAA. Actually, in terms of HIPAA, it doesn’t mean anything — it’s kind of a meaningless phrase,” Dixon said. “If you see that in a privacy policy, it’s very likely that you’re dealing with a period-tracking app that’s not covered under HIPAA.”
VERIFY reviewed the privacy policies of 20 of the top period-tracking apps found in the Apple App Store. We could only find one company, Ovia Health, that states in its privacy policy that some of the health data shared in its app may be protected under HIPAA in certain circumstances, but not all.
“When Ovia users gain access to Ovia’s premium enterprise versions of our apps through their health insurer or employer health plan, HIPAA will apply,” an Ovia spokesperson told VERIFY.
“In that case, Ovia acts as a business associate for the Ovia enterprise customer and is required to protect the data in accordance with its business associate agreement under HIPAA. However, when Ovia users use the free consumer versions of our apps, HIPAA does not apply,” the spokesperson added.
In January 2021, the Federal Trade Commission (FTC) issued a complaint against Flo Health Inc., the makers of Flo, a health app that tracks periods, ovulation and pregnancy, saying that Flo shared sensitive health data from millions of users of its app with marketing and analytics firms, including Facebook and Google, despite promising to keep users’ health data private.
Six months later, in June 2021, the FTC finalized a settlement that required Flo to obtain the affirmative consent of its app’s users before sharing their personal health information with others. The settlement also required Flo to obtain an independent review of its privacy practices.
In March 2022, Flo completed an external, independent privacy audit, and according to the company, there are “no gaps or weaknesses” in its updated privacy practices. Flo’s current privacy policy contains neither a notice of privacy practices nor the HIPAA acronym.
Flo told VERIFY in a statement that the company “firmly believes women’s health data should be held with the utmost privacy and care,” and says “Flo does not share personal health data with any third party.”
“Flo will never require a user to log an abortion or offer details that they feel should be kept private. Should a user express concern about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers,” Flo said.
A spokesperson for Clue, another period and ovulation tracking app, told VERIFY it is a European company obligated under the General Data Protection Regulation (GDPR) to “apply special protections to our users’ reproductive health data.”
The GDPR was adopted by the European Union (EU) in 2016 and has applied since May 25, 2018. It is considered one of the “toughest data privacy and security laws in the world” because it “imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”
“We completely understand the anxiety around how data could be used in U.S. courts. We want to reassure our users that their sensitive health data, particularly any data tracked in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe. We do not sell it, and we never share it with ad networks,” a Clue spokesperson said.
The FTC has published a list of ways people can protect their privacy when using health apps such as period trackers. The tips include comparing the privacy options of competing apps, checking an app’s settings to make sure it lets you control which health data you share with it, and understanding the risks that come with sharing personal health information with any app.
The World Privacy Forum also shares the Patient’s Guide to HIPAA on its website. The comprehensive guide includes tips on how to guard your health privacy information.
“We have a long way to go to ensure that people’s data is protected and that there is not an inordinate unnecessary data trail left behind just from living our daily lives,” Butler said.
If you think a period-tracking app shared your data without your permission, you can contact the FTC at ReportFraud.ftc.gov.