Following the Supreme Court's decision overturning Roe v. Wade, advocates for privacy and reproductive health have expressed fears that data from period-tracking apps could be used to find people who've had abortions.
They have a point. The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, doesn't apply to most apps that track menstrual cycles, just as it doesn't apply to many health care apps and at-home test kits.
In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and doesn't cover at-home paternity tests, fitness trackers or health apps.
The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. Part of the lab's website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared.
She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn't do anything about it. That's because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.
Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women's Health Organization, should spark a broader conversation about the limits of HIPAA.
“Suddenly, people are waking up to the idea that there's a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company. “It's been that way for a while, but now it's in sharper relief.”
McGraw noted how that's not just the case for period-tracking apps but also some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those instances. “Our health data protections are badly out of date,” she said. “But the agencies can't fix this. This is on Congress.”
Consumer Reports' digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user's device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users' data.
In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.
“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.
The document quoted HHS Secretary Xavier Becerra about the protections offered by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.
The release later acknowledged that, in general, HIPAA rules don't protect the privacy or security of individuals' health information when they access or store it on personal cellphones or tablets. It offered guidance on steps people can take to protect their information.
Since the court's decision overturning Roe, some period-tracking apps have taken steps to minimize the risk of personal information being shared. One such company called Flo said it's developing an “anonymous mode” that would not require users to provide their name or email address.
“Flo does not share or sell any health data with any other company, but wanted to take this additional step to reassure users who are living in states affected by an abortion ban,” the company said in a press release. “It is important to note that once this mode is activated, users will not be able to recover data when the device is lost, changed, or stolen and there may be limitations to using the app's full personalization benefits. This is why Flo is offering Anonymous Mode as an option for concerned users instead of activating it by default.”
In a statement after the Supreme Court decision, the digital civil liberties group Electronic Frontier Foundation said consumers should pay attention to “privacy settings on the services they use, turn off location services on apps that don't need them, and use encrypted messaging services.
“Companies should protect users by allowing anonymous access, stopping behavioral tracking, strengthening data deletion policies, encrypting data in transit, enabling end-to-end message encryption by default, stopping location tracking, and ensuring that users get notice when their data is being sought,” the EFF statement said. “And state and federal policymakers must pass meaningful privacy legislation. All of these steps are needed to protect privacy, and all are long overdue.”
Story by Charles Ornstein