Period Tracking Apps: Does HIPAA Protect My Data?

Millions of people rely on period tracking apps to monitor their cycles, manage symptoms, and plan for everything from family planning to general wellness. However, as these apps handle deeply personal data, many are left wondering: Does HIPAA offer protection for this information? This article examines the complexities of HIPAA's reach in the context of digital health apps and offers practical advice on what users need to know about their data privacy.

Why Are People Deleting Their Period Tracking Apps?

Period tracking apps are convenient tools for monitoring menstrual and ovulation cycles. These phone apps send notifications for upcoming menstruation and ovulation dates and provide insight into cycle abnormalities. Flo, a popular period tracker with over 100 million subscribers, goes a step further in women’s health by providing support for menstrual conditions, fertility issues, and even menopause (1).

Since the reversal of Roe v. Wade, social media influencers and activists have urged women to ditch their period tracking apps to avoid unauthorized surveillance and breaches of data security and privacy (2). Furthermore, in a recent interview with TIME, former president Donald Trump alluded to the possibility of states monitoring people’s pregnancies (3). This has added more steam to the movement.

Does HIPAA Protect My Cycle Tracking App Data?

The short answer is no, it doesn’t.

HIPAA stands for the Health Insurance Portability and Accountability Act. According to HHS.gov,

"The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as "protected health information") and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." (4)

Because these third-party cycle tracking apps are not owned by healthcare providers, they are not covered entities and do not need to adhere to HIPAA regulations. This means that all data on the apps can be used without regard to a person's right to medical privacy. Users willingly store their data in these apps, and they agree to that data being shared when they accept the app's terms and conditions.

When downloading an app, the user usually agrees to the terms put forward by the app (i.e. the small print). These terms are typically long-winded and full of jargon that most people do not bother to read. By accepting the terms, the user agrees to their information being collected, retained, and shared.

Even if the app is owned by a company outside the United States, that company may still comply with legal requests for the data. Data may also be stored elsewhere, making it subject to review by legal parties in that jurisdiction.

Is Period Tracking Data PHI?

Protected health information includes all information, including demographic data, that relates to a person’s past, present, or future health condition, healthcare management, or healthcare payment, and that can be used to identify an individual. According to HIPAA, there are 18 PHI identifiers; examples are name, date of birth, email address, web URL, IP address, device identifier, and serial number.

It is worth noting that most period tracking apps typically collect all of the abovementioned items. For example, Flo processes users' names, email addresses, and physical addresses (5).

So yes, period tracking data is protected health information. However, many of these apps are not required to be HIPAA compliant because they are not owned by healthcare providers.

How Can I Protect My Data Security and Privacy When Using Period Tracking Apps?

There is no sure way to completely protect your privacy and security when using period tracking apps. This is because third-party apps are notorious for selling and sharing users’ data without their consent.

A study conducted in 2019 revealed that 79% of the "health" apps studied, which users rely on to look up drugs and medicines and manage prescription information, regularly shared and sold user data without being transparent with users (6). Even more concerning, in 2019 The Wall Street Journal reported that the popular app Flo leaked sensitive data to companies like Facebook and Google (7). The leaked data included personal information passed to ad companies, which used it to target advertisements to app users based on where they were in their cycle. This happened despite the company's claims of transparency, with Flo promoting the phrase "your body, your data" to falsely gain users' trust.

But we do have good news.

In April 2023, Democrats in Washington State’s legislature approved the “My Health My Data” Act. This Act prevents third-party health apps from sharing and selling users’ health data without consent (8).

How Does HIPAA Apply to Third-Party Apps Used by Healthcare Providers?

Third-party apps are not regulated by HIPAA. This places them in a grey area, where their regulation and compliance on mobile app security are left to case-by-case interpretation.

For example, under HIPAA, when a patient requests that their healthcare provider transmit their electronic PHI through a third-party app, the covered entity is not liable for breaches of data security and privacy, as long as the third-party app is not a business associate of the healthcare provider.

However, the healthcare provider is liable if it has a business associate relationship with the third-party app. HHS defines this relationship as one where the entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) in order to carry out the covered functions of that covered entity.

Stay Risk-Free, Get Trained Today

If you are a healthcare provider or a business associate, we highly recommend our HIPAA training courses for business associates. We also have custom-made courses for healthcare workers, HR professionals, and dental offices. These courses are thorough and easy to understand. They help you build a solid base on the fundamentals of HIPAA compliance, and arm you with the right knowledge to stay risk-free. Head to our website to get started today!
References

1. Flo (2024). About us

2. Glamour (2024). Is It Time to Delete Your Period Tracker App?

3. TIME (2024). What Trump’s Abortion Comments to TIME Reveal About His Plans For a Second Term

4. US Department of Health and Human Services (2024). Health Information Privacy

5. Flo (2024). Privacy Policy

6. Grundy, Q., Chiu, K., Held, F., Continella, A., Bero, L., & Holz, R. (2019). Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis. BMJ, 364.

7. The Wall Street Journal (2024). You Give Apps Sensitive Personal Information, Then They Tell Facebook

8. CNN (2024). Washington state bill would make period-tracking apps follow privacy laws in reflection of post-Roe fear