Period-tracking apps’ health data not covered under HIPAA

HIPAA applies to covered entities, such as healthcare providers, who conduct electronic transactions, but not to most period tracking apps found on an app store.

Update June 24, 2022: On June 24, the Supreme Court overturned Roe v. Wade, a decades-old decision protecting access to abortion in the US at the federal level. This story has been updated to reflect the court’s final decision.

Roe v. Wade was overturned by the Supreme Court on June 24, ending constitutional protections for abortion. States can now restrict, prohibit or protect the right to abortion with their own laws.

The ruling came more than a month after a leaked draft opinion indicated the court was poised to overturn the landmark case.

After publication of the draft decision, Elizabeth C. McLaughlin, an attorney, activist and author, and Eva Galperin, who serves as director of cybersecurity at the Electronic Frontier Foundation (EFF), a nonprofit digital rights group, said on social media that people should delete period-tracking apps from their phones.

Both McLaughlin and Galperin warned that once Roe v. Wade is lifted.

Google searches and some news reports suggest many people are wondering if health data from period tracking apps falls under the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.

Is health data from period tracking apps protected under HIPAA?

This is false.

No, health data from virtually all period tracking apps is not protected by HIPAA.

When a person receives an app as a benefit from their healthcare plan, healthcare provider, or insurance company, such as some versions of the Ovia Health app, it may fall under HIPAA.

According to the Centers for Disease Control and Prevention (CDC), HIPAA is a federal law that created national standards to protect patients’ confidential health information from disclosure without the patient’s consent or knowledge.

A spokesman for the U.S. Department of Health and Human Services (HHS) told VERIFY in an email that the HIPAA rules “apply only to affected businesses and, to a degree, their business partners.” Covered entities include health insurance companies and healthcare providers that perform standard electronic transactions, such as electronic billing of insurance companies.

Pam Dixon, the founder and executive director of the World Privacy Forum, a nonprofit organization that conducts in-depth research and analysis on privacy, says most period-tracking apps are not covered by HIPAA. She told VERIFY that if a period tracking app’s privacy policy doesn’t include a notice of privacy practices for protected health information, then the health data shared in the app isn’t protected by HIPAA.

“Every healthcare provider that falls under HIPAA must have what is known as a Notice of Privacy Practices. It is a standardized privacy policy mandated by the HIPAA rule. It will list the seven rights you have under HIPAA and it will tell you how to apply those rights to yourself,” Dixon said.

Alan Butler, executive director and president of the Electronic Privacy Information Center (EPIC), a nonprofit research center based in Washington, DC, agrees with Dixon.

“Typically, apps that individuals use for fertility tracking or other personal health purposes that aren’t billed as part of a medical service, which most of them aren’t, don’t fall under HIPAA, and so the data, though that data is about your body or related to your health, is not health data within the meaning of the law,” Butler told VERIFY.


Some period tracking apps like Glow state on their websites that they are “HIPAA compliant”. However, Dixon says a period-tracking app that claims to be HIPAA-compliant is a “big red flag.”

“HIPAA compliant does not mean a period tracking app falls under HIPAA. It doesn’t really mean anything in terms of HIPAA — it’s kind of a meaningless phrase,” Dixon said. “If you see that in a privacy policy, there’s a good chance you’re dealing with a period-tracking app that isn’t HIPAA-compliant.”

VERIFY has reached out to Glow but has not received a response at the time of publication. Glow’s current privacy policy can be found here. It does not contain a notice of privacy practices for protected health information, nor does it mention the HIPAA acronym or contain the phrase: “HIPAA Compliant.”

“In the Privacy Policy, the primary enforcement tool for a non-HIPAA health app is actually an obscure piece of legislation called the ‘FTC Act, Section 5.’ That means they can do and say almost anything as long as they tell the truth about what they’re doing,” Dixon said.

“So when a health app shares your data or sells your data, they can use all sorts of weasel words to explain it, and if you don’t understand the nuances of those weasel words, it becomes a really difficult thing for you when you realize that your data was shared or even sold in some cases,” Dixon continued.

VERIFY examined the privacy policies of 20 of the top period tracking apps on the Apple App Store and was only able to find one, Ovia Health, which told VERIFY that some of the health data shared on its app might be protected under HIPAA under certain circumstances, but not everything. In its privacy policy, the company says it could fall under HIPAA “if a person receives the app as a benefit from their healthcare plan or healthcare provider.”

“When Ovia users are granted access to Ovia’s premium enterprise versions of our apps through their health insurance or employer health plan, HIPAA applies. In this case, Ovia is acting as a business partner for the Ovia Enterprise Customer and is obligated to protect the data in accordance with its Business Partner Agreement under HIPAA. However, when Ovia users use the free consumer versions of our apps, HIPAA does not apply,” an Ovia spokesperson said in an email.


In January 2021, the Federal Trade Commission (FTC) filed a complaint against Flo Health Inc., the makers of Flo, a health app that tracks periods, ovulation and pregnancy, alleging that Flo shared sensitive health data from millions of users of its app with marketing and analytics companies, including Facebook and Google, despite promises to keep users’ health data private.

Six months later, in June 2021, the FTC completed a settlement that required Flo to obtain consent from users of its app before sharing their personal health information with others. The settlement also prompted Flo to seek an independent review of its privacy practices.

In March 2022, Flo completed an external, independent privacy review, and according to the company, there are “no loopholes or weaknesses” in its updated privacy practices. Flo’s current privacy policy, which likewise contains neither a notice of privacy practices nor the HIPAA acronym, can be found here.

Flo told VERIFY in a statement that the company “strongly believes that women’s health information should be kept with the utmost privacy and care,” saying, “Flo does not share any personally identifiable health information with third parties.”

“Flo will never require a user to log an abortion or offer details that it believes should be kept secret. Should a user raise a concern about the data submitted, Flo’s customer service team will delete all historical data, which will completely remove all data from Flo’s servers,” Flo said.

A spokesman for Clue, another period and ovulation tracking app, told VERIFY that it is a European company that is required under the General Data Protection Regulation (GDPR) to “provide special protections for our users’ reproductive health data.”

Drafted and adopted by the European Union (EU) in 2018, the GDPR is considered one of the “toughest privacy and security laws in the world” because it “imposes obligations on organizations everywhere, as long as they target or collect data relating to people in the EU.”

“We understand concerns about how data could be used in US courts if Roe v. Wade is lifted. We want to assure our users that their sensitive health information, especially any information collected in Clue about pregnancy, miscarriage or abortion, is kept private and secure. We don’t sell it and we never share it with ad networks,” Clue’s rep said in an email. Clue’s current privacy policy can be found here.

The FTC has released a list of ways people can protect their privacy when using health apps like period trackers. These tips include comparing privacy options, taking control of your information by checking the app’s settings to ensure you can control the health data you share with it, and understanding the risks of sharing your personal health information with an app. The World Privacy Forum also publishes the Patient’s Guide to HIPAA on its website. The comprehensive guide includes tips for protecting your health data.

“We still have a long way to go to ensure people’s data is protected and not just leaving an excessive unnecessary data trail through our daily lives,” Butler said.

If you think a period tracking app has shared your information without your permission, you can contact the FTC at

