This story was originally published by ProPublica’s Charles Ornstein.
Following the Supreme Court’s decision overturning Roe v. Wade, advocates for privacy and reproductive health have expressed fears that data from period-tracking apps could be used to find people who’ve had abortions.
They have a point. The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track menstrual cycles, just as it doesn’t apply to many health care apps and at-home test kits.
In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and does not cover at-home paternity tests, fitness trackers or health apps.
The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. A part of the lab’s website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared.
She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn’t do anything about it. That’s because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.
Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women's Health Organization, should spark a broader conversation about the limits of HIPAA.
“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company. “It’s been that way for a while, but now it’s in sharper relief.”
McGraw noted how that’s not just the case for period-tracking apps but also some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data protections are badly out of date,” she said. “But the agencies can’t fix this. This is on Congress.”
Consumer Reports’ digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users’ data.
In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.
“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.
The document quoted HHS Secretary Xavier Becerra about the protections provided by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.
The release later acknowledged that, in most cases, HIPAA rules do not protect the privacy or security of individuals’ health information when they access or store it on personal cellphones or tablets. It offered guidance on steps people can take to protect their information.
Since the court’s decision overturning Roe, some period-tracking apps have taken steps to minimize the risk of personal information being shared. One such company called Flo said it is developing an “anonymous mode” that would not require users to provide their name or email address.
“Flo does not share or sell any health data with any other company, but wanted to take this additional step to reassure users who are living in states affected by an abortion ban,” the company said in a press release. “It is important to note that once this mode is activated, users will no longer be able to recover data when the device is lost, changed, or stolen and there may be limitations to using the app’s full personalization benefits. This is why Flo is offering Anonymous Mode as an option for concerned users instead of activating it by default.”
In a statement after the Supreme Court decision, the digital civil liberties group Electronic Frontier Foundation said consumers should pay attention to “privacy settings on the services they use, turn off location services on apps that don’t need them, and use encrypted messaging services.
“Companies should protect users by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring that users get notice when their data is being sought,” the EFF statement said. “And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.”