Well Made Health


A Primer on Protecting Your Health Data in a Post-Roe World

Over the last few weeks, in anticipation of the potential of the Supreme Court overturning Roe v. Wade, I’ve been reading up on and sharing information about app data privacy on Instagram and Twitter to bolster my existing professional knowledge. I felt like it was time to put together cohesive thoughts on the intersection of data privacy, health policy, and FemTech for women/ people with uteruses/ people who love them. 

In this post, I’ll be covering: 

  • What does HIPAA protect? 

  • What laws exist (and don’t exist) to protect your consumer health data and digital footprint? 

  • FemTech and Data Security: Menstrual tracking apps as a case study 

  • How your phone and internet data could be used against you in a reproductive health case. 

Let’s Go. 

What does HIPAA protect? 

Many people assume that HIPAA, the federal law that protects health information, applies to all companies or organizations that hold any type of health or wellness data. This is not true. The law specifically applies to covered entities and their business associates. Covered entities are health plans, health care clearinghouses, and health care providers: the people and organizations involved in treatment, payment, or health care operations. Examples of covered entities include a doctor, a nurse, an insurance company, or a federal health plan (e.g., Medicare). Their obligation is to safeguard your medical information, disclose it only as the law permits, and give you (or a representative you designate) access to it. 

Legal guidelines get hairy when it comes to third party health technology. Many companies ARE business associates of hospitals, such as electronic medical records companies. Through a business associate agreement they are legally bound to the same privacy and security rules as the healthcare organization they contract with, so the health data in their software is protected to that standard. 

In the case of consumer health technology, it is the wild west, and largely up to the company and its state’s laws (more on that in a bit). Companies like Fitbit are not covered entities with responsibilities under HIPAA. As a user, you are personally opting in to that company having access to your data and using it in whatever way it outlines in its user agreement and privacy policy. You know, the things that everyone rapidly scrolls past and clicks “accept” on so they can get on with using the app. You need to read them if you have concerns about the way your personal information could be used for targeted ads, user research, marketing, app functionality, and more.  

What laws exist (and don’t exist) to protect your consumer health data and digital footprint?

Last I checked (June 2022), there is no single federal law regulating how companies share, store and use your data. In this 2021 article from the New York Times, they share:

  •  “In most states, companies can use, share, or sell any data they collect about you without notifying you that they’re doing so.

  • No national law standardizes when (or if) a company must notify you if your data is breached or exposed to unauthorized parties.

  • If a company shares your data, including sensitive information such as your health or location, with third parties (like data brokers), those third parties can further sell it or share it without notifying you.”

You can see where your state consumer data protection legislation stands on this site. The EU’s GDPR is one of the most protective data privacy laws in the world. Academic experts who participated in the formulation of the GDPR wrote that the law "is the most consequential regulatory development in information policy in a generation.” One global benefit of GDPR is that, to comply with the European regulation, many companies have added pop-ups on their sites that tell you what data may be tracked through cookies and let you opt in or opt out. Typically, I opt in for site functionality (often you can’t remove that) and opt out of marketing, location tracking, and third party sharing. 

FemTech and Data Security: Menstrual Tracking Apps as a case study 

Menstrual tracking apps were among the first FemTech apps available, appearing around the birth of the smartphone in 2007, and are widely used by millions of women to track when they may get their period, what their potential fertile days may be, when they have had sexual intercourse, and their physical and mental symptoms over the course of the cycle. 

Remember how I said you shouldn’t just scroll past the privacy policies? 

Women’s Health Magazine has a list of popular period tracking apps, and I’ve linked the privacy policies for some of the most widely used. Clue and Flo have over 55 million users combined. 

MobiHealthNews reported in May 2022 that, of the top 20 period apps on the market, nine use data for third party ads, 10 collect coarse location, and eight collect video and photo library data. Based upon this information, I would steer clear of Eve, Glow, Ovia, Clover, Period Tracker by GP Apps, Flo, and My Calendar. 

How your phone and internet data could be used against you in a reproductive health case

I am not going to rehash everything covered in this article (June 24, 2022), but a few points of note: Google receives search warrants and subpoenas constantly, and there is precedent for its data being used in court cases. Phone location data has been used to target women at abortion clinics with ads promoting alternatives. To lock down your digital footprint, turn off precise location services on your phone, or limit them to while you are using the app, and search for reproductive health care and/or abortion support in a private browser window or over a VPN. Keep in mind that a private window only keeps history and cookies off your own device; the search engine (and, without a VPN, your network provider) still sees the query, so also sign out of your search engine account before searching. Text messages, search history, and location data placing you at an abortion clinic could all be subpoenaed in a court case.

Senator Elizabeth Warren introduced the Health and Location Data Protection Act which would:

  • “Ban data brokers from selling or transferring location data and health data and require the Federal Trade Commission (FTC) to promulgate rules to implement the law within 180 days, while making exceptions for HIPAA-compliant activities, protected First Amendment speech, and validly authorized disclosures.

  • Ensure robust enforcement of the bill’s provisions by empowering the FTC, state attorneys general, and injured persons to sue to enforce the provisions of the law.

  • Provide $1 billion in funding to the Federal Trade Commission over the next decade to carry out its work, including the enforcement of this law.”

I hope this goes through!

At its core, Roe v. Wade protected a woman’s right to privacy and personal autonomy. Privacy looked a lot different in the 1970s than it does today. The digital footprint we leave every time we open our phones or go online can be used for good or for harm. In the absence of comprehensive legal protection of consumer data, it’s essential to do a little digital housekeeping: review how each app on your phone collects your information, search in a private browser window, and read the privacy policies and terms of use for your health apps. 

Take care of yourself, 

Katie

Disclaimer: I am not a lawyer. This information is based upon my research and professional experience. If you have concerns about how your personal data is being used, contact an attorney.