This story, by ProPublica’s Charles Ornstein, was originally published by ProPublica.

Following the Supreme Court’s decision overturning Roe v. Wade, advocates for privacy and reproductive health have expressed fears that data from period-tracking apps could be used to find people who’ve had abortions.

They have a point. The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track menstrual cycles, just as it doesn’t apply to many health care apps and at-home test kits.

In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and does not cover at-home paternity tests, fitness trackers or health apps. The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. A part of the lab’s website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared. She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn’t do anything about it. That’s because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.

Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women’s Health Organization, should spark a broader conversation about the limits of HIPAA.

“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company.
“It’s been that way for a while, but now it’s in sharper relief.”

McGraw noted how that’s not just the case for period-tracking apps but also some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data protections are badly out of date,” she said. “But the agencies can’t fix this. This is on Congress.”

Consumer Reports’ digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users’ data.

In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.

“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.

The document quoted HHS Secretary Xavier Becerra about the protections provided by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.

The release later acknowledged that, in most cases, HIPAA rules do not protect the privacy or security of individuals’ health information when they access or store it on personal cellphones or tablets. It offered guidance on steps people can take to protect their information.

Since the court’s decision overturning Roe, some period-tracking apps have taken steps to minimize the risk of personal information being shared.
One such company called Flo said that it is developing an “anonymous mode” that would not require users to provide their name or email address.

“Flo does not share or sell any health data with any other company, but wanted to take this additional step to reassure users who are living in states affected by an abortion ban,” the company said in a press release. “It is important to note that once this mode is activated, users will no longer be able to recover data when the device is lost, changed, or stolen and there may be limitations to using the app’s full personalization benefits. This is why Flo is offering Anonymous Mode as an option for concerned users instead of activating it by default.”

In a statement after the Supreme Court decision, the digital civil liberties group Electronic Frontier Foundation said consumers should pay attention to “privacy settings on the services they use, turn off location services on apps that don’t need them, and use encrypted messaging services.

“Companies should protect users by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and ensuring that users get notice when their data is being sought,” the EFF statement said. “And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.”