ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to get stories like this delivered to your inbox,
Following the Supreme Court’s decision to overturn Roe v. Wade, privacy and reproductive health advocates have expressed fears that data from period-tracking apps could be used to find people with abortions.
They have a point. The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track the menstrual cycle, like many health care apps and at-home test kits. Is.
In 2015, ProPublica reported how HIPAA, passed in 1996, hasn’t kept up with changes in technology and doesn’t cover at-home paternity tests, fitness trackers or health apps.
The story featured a woman who bought an at-home paternity test at a local pharmacy and went online to get the results. Part of the address on the lab’s website caught his attention as a cyber security consultant. When he slightly changed the URL, a long list of test results from about 6,000 others appeared.
She complained on Twitter and the site was taken down. But when she alerted the U.S. Department of Health and Human Services’ Office of Civil Rights, which oversees HIPAA compliance, officials told her there was nothing they could do about it. This is because HIPAA only covers patient information held by health providers, insurers and data clearinghouses, as well as their business partners.
Deven McGraw is the former deputy director for health information privacy in the HHS Office for Civil Rights. She said the decision to reverse the row, called Dobbs v. Jackson Women’s Health Organization, should lead to a wider conversation about the limitations of HIPAA.
“All of a sudden, people are waking up to the idea that a lot of sensitive data is being collected outside of HIPAA and asking, ‘What are we going to do? McGraw, who is now the leader for data stewardship and data sharing at medical genetics company Invite. “It’s been like that for a while, but now it’s in sharp relief.”
McGraw noted how not only for period-tracking apps but also some apps that store COVID-19 vaccine records. Since Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data security is horribly out of date,” she said. “But agencies can’t fix it. It’s up to the Congress.”
Consumer Reports’ Digital Lab this spring evaluated eight period-tracking apps and found that four allowed third-party tracking by companies other than the app’s maker. The four apps stored the data remotely, not just on the user’s device. This makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, although one of the companies surveyed by Consumer Reports has said it will turn users’ data off rather than on it.
In a press release last week, HHS sought to address the concerns with some advice that seems reassuring.
HHS said in the release, “In line with recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data, which can be misused by care denials.” can be done by
The document quoted HHS Secretary Javier Becerra about the protection provided by HIPAA: “HIPAA stands with HHS patients and providers to protect privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated, to file a complaint with the Office of Civil Rights.
The release later acknowledged that, in most cases, HIPAA regulations do not protect the privacy or security of individuals’ health information when they access or store it on personal cellphones or tablets. It provided guidance on steps people can take to protect their information.
Since the court ruling, some period-tracking apps have taken steps to reduce the risk of personal information being shared. One such company called Flow said it is developing an “anonymous mode” that will not require users to provide their name or email address.
“Flow does not share or sell any health data with any other company, but intends to take this additional step to reassure users living in states affected by abortion restrictions,” the company said in a press release. “It is important to note that once this mode is activated, users will not be able to recover data if the device is lost, replaced or stolen and there may be limitations on using the full personalization benefits of the app. Huh. This is why Flow is offering Anonymous Mode as an option for concerned users instead of activating it by default.”
In a statement following the Supreme Court ruling, digital civil liberties group Electronic Frontier Foundation said consumers should “pay attention to the privacy settings of the services they use, turning off location services on the apps they need.” No, and use encrypted messaging services.
“By allowing companies anonymous access, preventing behavior tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, preventing location tracking, and must ensure that users receive notice when their data is demanded,” the EFF statement said. “And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.”