Most period-tracking apps are not operated by or on behalf of a healthcare provider, health plan, or other HIPAA covered entity. They collect data for the consumer's own use rather than for treatment, payment, or healthcare operations, and therefore fall outside HIPAA's scope. As a result, the health data they hold, however sensitive, is not protected health information (PHI) in the HIPAA sense. If a user shares that data with a covered entity such as their doctor, the copy the provider holds becomes PHI, but the data sitting in the app does not.
HIPAA, period-tracking apps, and recent privacy concerns
On November 6, 2024, a viral post on X (formerly Twitter) warned users to immediately stop using period and pregnancy tracking apps. With over 10 million views, the post urged people to delete their health data from these apps, citing concerns that personal information on reproductive health could be used in legal cases against those seeking an abortion. The warning echoes the reaction to the 2022 overturning of Roe v. Wade, which raised the same fears about how digital health data might be weaponized under restrictive state laws.
As more people ask whether data from these apps is protected under HIPAA, it is important to be clear that HIPAA's Privacy Rule generally does not apply to period-tracking apps. Health privacy experts such as Alan Butler of the Electronic Privacy Information Center (EPIC) and Pam Dixon of the World Privacy Forum point out that these apps are not covered entities under HIPAA. Period-tracking apps are typically not linked to healthcare providers or health plans, so the sensitive information users log is not protected by the same privacy standards.
A spokesperson for Ovia, a digital health platform focused on supporting women's reproductive health, pregnancy, and family wellness, told VERIFY that "when Ovia users gain access to Ovia's premium enterprise versions of our apps through their health insurer or employer health plan, HIPAA will apply."
HIPAA and period trackers
HIPAA was designed to safeguard patient information within specific healthcare-related settings. The Privacy Rule applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions (claims, eligibility checks, and the like). Its protections also extend to business associates, the vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf under a business associate agreement.
However, most period-tracking apps operate independently of healthcare providers and health plans. Because they are not typically affiliated with healthcare services or used as part of clinical treatment, they are neither covered entities nor business associates under HIPAA, and the law's data protections simply do not apply to them. That does not make them unregulated: consumer-protection law, including Section 5 of the FTC Act and the FTC's Health Breach Notification Rule for non-HIPAA health apps, still reaches them, but those rules are narrower than HIPAA's use-and-disclosure restrictions.
Privacy concerns and legal risks
Since the 2022 reversal of Roe v. Wade, there has been renewed focus on how health data could be used in legal proceedings in states with restrictive abortion laws. Data logged in a period-tracking app, or already passed on to the app's analytics and advertising partners, could be subpoenaed or obtained by warrant, especially if it suggests a pregnancy or its termination.
Several popular period-tracking apps have also faced scrutiny for sharing user data without proper consent. For instance, in 2021 Flo Health settled with the Federal Trade Commission (FTC) after the FTC alleged that it had shared sensitive health data with third-party marketing and analytics firms despite assuring users that their data was private.
Protecting your privacy on period-tracking apps
While HIPAA does not protect period-tracking app data, there are still steps users can take to protect their information:
- Read the privacy policy: Carefully review an app's privacy policy to understand how it handles your data. Look for concrete statements on who data is shared with and for what purpose, and avoid apps with vague or overly broad sharing language.
- Adjust privacy settings: If the app allows it, limit data sharing through the privacy settings, including opting out of sharing with third-party analytics and advertising partners.
- Be selective about data: Avoid logging highly sensitive information, especially if you are unsure about an app's privacy practices. Some users choose to leave out details related to pregnancy or other reproductive health events that could be legally sensitive, since data that is never entered cannot be shared or subpoenaed.
FAQs
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law whose Privacy and Security Rules govern how protected health information may be used, disclosed, and safeguarded. It applies to covered entities, namely health plans, healthcare clearinghouses, and healthcare providers that conduct electronic health transactions, and to the business associates that handle PHI on their behalf.
What kind of data do period-tracking apps collect?
Period-tracking apps typically collect data related to menstrual cycles, fertility, ovulation, pregnancy, and related health indicators such as mood, symptoms, and physical well-being. Some apps may also track sexual health and provide predictions about the next period or ovulation window.