A 2021 FTC settlement with fertility app Flo Health Inc. after it allegedly compromised users’ sensitive health information offers a window into how the federal government could partially protect that data if Roe v. Wade is overturned.
The leak of a draft Supreme Court decision reversing Roe prompted calls to delete apps tracking menstruation amid fears that states with new abortion bans could use data from those apps for criminal proceedings. More than 100 million people track their menstruation using mobile applications, according to a 2020 paper.
Fertility apps aren’t covered by the Health Insurance Portability and Accountability Act (HIPAA), the law that requires health providers, insurers, and third-party administrators to protect patients’ health data.
“The US does not protect your information just because it’s related to your health,” said Kayte Spector-Bagdady, associate director at the Center for Bioethics and Social Sciences in Medicine and an assistant professor of obstetrics and gynecology at the University of Michigan Medical School. “It only protects your health information that’s collected by your doctor or your hospital or your health plan. And if you are putting health information into somewhere other than a clinician’s form, in a clinic, it might not be protected.”
Even though HIPAA doesn’t apply to personal health apps, other agencies can still exert some oversight, albeit with limited authority. The Federal Trade Commission’s health breach notification rule requires companies to notify consumers, the FTC, and possibly the media if there’s a leak of identifying health information. The FTC rule applies to most apps and health technologies unless HIPAA already covers the health data. Health technologies used in settings like hospitals are covered by HIPAA.
The agency settled with Flo Health last year on allegations the company shared sensitive health data with marketing and analytics firms, including
“Some of these were actually being shared the way one would normally anticipate an app sharing data with third parties that help improve user experience,” said Leah Fowler, a research assistant professor at the University of Houston Law Center whose research primarily looks at the intersection of law and consumer health technologies. Flo Health violated the FTC rule because some of the shared data included menstrual information, and there were no stipulations on what the third party could subsequently do with it, she said.
The FTC has had the authority to enforce the breach notification rule since 2010, and it clarified last year the rule applies to health apps.
There’s new interest in the rule with a Democrat-led FTC. The Flo Health settlement shows the agency’s reasoning: “If we’re not telling consumers how we’re sharing their data with more specificity, that technically is a breach,” Fowler said. “People are thinking that Flo might be a harbinger of how the FTC intends to deal with the health breach notification rule.”
How the FTC defines a breach is of keen interest because one of the main concerns about how data from these apps might be used to reveal abortion activity is through the sale of the information to third parties. Companies now regularly pull identifiable information from dating apps, social media, fertility apps, and the like and sell it to marketers, Spector-Bagdady said. “If there is money associated with sharing information about women accessing abortion care, that would be another potentially lucrative reason to sell or share health information.”
The European Union’s General Data Protection Regulation has more stringent privacy protections compared to the US and gives individuals more rights over their personal data. The GDPR allows data to be sold for marketing purposes if that sale is clearly laid out in the consent form. Further, an EU code of conduct for mobile health apps says a user should be informed before an app developer enters into an agreement with a third party.
A company that has to follow GDPR would likely be unable to turn over data implicating a terminated pregnancy without that person’s consent. However, a recent analysis of the most popular women’s mobile health apps found poor data privacy, sharing, and security standards. Twenty of the 23 apps shared data with third parties, and 13% collected data before obtaining consent.
Companies that conduct business in Europe and allow data to flow freely between the two continents must comply with the Trans-Atlantic Data Privacy Framework. Details of that framework are still being finalized.
If an app tracks a user who resumed their period after a two-month lapse, it raises the question of whether authorities will start calling and asking what happened to that pregnancy, Spector-Bagdady said.
“You’d have to affirmatively establish somehow that you had a natural miscarriage, she said. “If accessing abortion care becomes illegal in your state, this will be information potentially related to a criminal activity.”
Texas Gov. Greg Abbott signed into law last year a ban on almost all abortions after about six weeks. Other states are expected to follow suit if Roe is overturned. A six-week pregnancy is essentially four weeks after a missed period, Fowler said. “These apps are just kind of a convenient trove of data” about when pregnant people seeking abortions risk running afoul of the law.
In case the problem here is not self evident:— Kayte Spector-Bagdady JD, MBe (@KayteSB) May 3, 2022
Your period information can be used to track if and when you got pregnant. And if and when you are no longer pregnant. And that information can have absolutely no protections for who gets it (and how they use it). https://t.co/0guoh4LO8V
Apps Less Private Than Paper
The narrow scope of HIPAA isn’t always clear to the general public, often leading to misunderstandings about how it applies and how secure their data are.
“We realized during the pandemic the limitations of how people understand HIPAA,” Spector-Bagdady said. “Everyone who was arguing that they didn’t have to show their vaccine card because HIPAA protected that information didn’t understand that HIPAA only protects information collected by certain people. And it doesn’t protect an individual from having to share their health information to access services.”
The ability of fertility apps to make predictions about ovulation hinges on inputting information such as menstrual cycle dates, dates of intercourse, and cervical mucus consistency, according to Stephanie Morain, a core faculty member at the Johns Hopkins University bioethics institute and an assistant professor in the public health school.
“Period tracking apps track highly intimate and personal data, yet the terms of service and privacy policies that govern these apps are neither easily accessible nor comprehensible to most users,” she wrote in an email.
Morain and Fowler reviewed user agreements and privacy statements of many popular fertility apps and found all of them allowed companies to change their terms and to decide whether to subsequently notify users of that change unilaterally. “Companies could state they wouldn’t sell or share data but then change their policy to do exactly that.”
“Notably, one of the reasons some users report wanting to use these apps, rather than paper or other digital calendars, is that they perceive apps to be MORE private than other methods,” Morain wrote.
There also is often language in user agreements that says the company will share information with law enforcement, Fowler said. Third-party data sharing agreements are also common.
After the Fact
The FTC enforcement arm may be the best US agency to keep an eye on health data sharing, although its authority is probably best used to incentivize health apps not to share data. With a new Democratic majority, consumer data protections are poised to be a priority for the commission. The agency has already indicated an interest in protecting consumers on a number of FDA-regulated areas, such as stem cell clinics selling unproven therapies and pharmacy benefit managers.
Flo Health, for one, is out of the data sharing business. “Flo does not share personal health data with any third party, and an independent audit conducted in March found the company had no gaps or weaknesses in its privacy practices,” it said in a statement to Bloomberg Law.
“Beyond this, Flo will never require a user to log an abortion or offer details that they feel should be kept private. Should a user express concern about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers,” the statement said.
Fowler said the FTC health breach notification rule is weak in the abortion-detecting context because it’s reactive. “It doesn’t establish any sort of data standards for apps. It just requires consumers to be told about a breach, which is also true for state-level consumer protection offices.”
“The harm has to happen before any recommendations or enforcement actions or lawsuits can really transpire,” she said.
Tips for Use
If someone wants to use these apps, there are ways to conduct due diligence to find ones that have better privacy protections “at least on paper,” Fowler said, such as selecting apps that follow the GDPR. “It’s important to understand what your app does, how it does it, what data it’s doing it with, and to go into it with open eyes.”
Spector-Bagdady said a person could go so far as never writing down health information unless it’s within the context of filling out a form to give to a doctor or clinician. She also recommended adjusting privacy settings. Default settings generally allow for location and app data to be collected, even when that app isn’t in use.
These consumer guards are a poor replacement for government protection, Fowler said. “I don’t necessarily believe that the onus of protection ought to be on the consumer, because I think that kind of misses the point of why we have consumer protections in general.”