Most period-tracking apps are not covered by HIPAA, leaving user health data vulnerable to legal requests.
On November 6, a viral post on X (formerly Twitter) warned users to immediately stop using period and pregnancy trackers, urging them to delete their data for fear it could be used against them in abortion-related legal cases. The post gained significant attention, with over 10 million views, reigniting concerns about the privacy of personal health data. This came in the wake of increasing fears regarding how reproductive health data could be used following the overturning of Roe v. Wade in 2022. Amid these concerns, many have questioned whether the Health Insurance Portability and Accountability Act (HIPAA) protects data from apps that track menstrual cycles and pregnancy.
Read also: Period trackers and their risk to abortion data
HIPAA is a U.S. law designed to protect the confidentiality of patients' health information, but it applies only to specific covered entities that engage in electronic health transactions, such as billing. The law’s protections do not extend to most period-tracking apps, which are not considered covered entities unless they meet specific criteria.
Apps that track menstrual cycles, ovulation, or pregnancy typically collect user data that may be sensitive, but unless these apps are directly affiliated with healthcare providers or health plans that handle electronic transactions, the data is not covered under HIPAA. Despite claims by some apps about being “HIPAA compliant,” this is often a misleading term that holds little legal weight in the context of these apps.
See also: HIPAA Compliant Email: The Definitive Guide
“IMMEDIATELY STOP USING PERIOD AND PREGNANCY TRACKERS IN THE US. DONT PUT IN ANOTHER PIECE OF DATA. DELETE IT,” said an X post with over 10 million views.
According to VERIFY, Pam Dixon, founder of the World Privacy Forum, stated, “Any kind of healthcare provider that’s covered under HIPAA has to have something called a Notice of Privacy Practices. It’s a standardized privacy policy that is mandated by the HIPAA rule.” If a period-tracking app does not include such a notice in its privacy policy, Dixon said, it is not subject to HIPAA.
Alan Butler, executive director of the Electronic Privacy Information Center (EPIC), also weighed in: “Typically, apps that individuals might use to track fertility or for other personal health uses that are not billed as part of a medical service, which most of them are not, are not covered under HIPAA.”
Ovia Health, one of the few exceptions, explained that some of its services are covered by HIPAA when accessed through employer or health insurer partnerships, but only in certain premium versions of the app. The company’s spokesperson clarified, “When Ovia users use the free consumer versions of our apps, HIPAA does not apply.”
In other news: How Trump 2.0 could transform healthcare policies and privacy
With the rollback of Roe v. Wade, there are rising concerns that data from period-tracking apps could be used in abortion-related legal cases. Since HIPAA doesn’t cover these apps, user data may be more vulnerable to sharing or misuse. The lack of strict legal protections means users need to be vigilant about app privacy policies and proactive in protecting their personal health information.
In the U.S., privacy laws like the Federal Trade Commission Act can regulate how companies handle user data, especially if they make deceptive claims about privacy. However, these laws don’t provide the same level of protection as HIPAA. Apps based in the EU must also comply with the GDPR, which offers stricter protections.
In the absence of HIPAA protection, data from period-tracking apps could be subject to subpoenas or other legal requests. This risk is a key concern in states where abortion restrictions are now in place.
To safeguard your data, review app privacy policies, adjust privacy settings to limit data sharing, and avoid logging sensitive information if unsure of the app’s protections. Some users also choose apps that prioritize data privacy or are covered by GDPR if available.
In the U.S., you can report privacy concerns to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov, which handles complaints about deceptive practices related to data privacy.