By Maggie Gorini
While there is a wide variety of health information apps on the market, from exercise trackers to glucose monitors, a growing number of menstrual cycle tracking apps have been developed to record users’ sexual history, pregnancy intention, pregnancy status, and other intimate details. Millions of women worldwide have downloaded a menstrual tracking app in recent years, but how comfortable are they with the possibility of their information becoming public?
App developers for Natural Cycles, Flo, and dozens more are not medical providers in the traditional sense and are not legally obligated to adhere to health information privacy laws. The rules set down in the Health Insurance Portability and Accountability Act (HIPAA) do not automatically apply to these “femtech” companies, so called because they focus on software and hardware products geared specifically for women’s health. In fact, many health apps are not covered by (i.e., obligated to comply with) HIPAA despite behaving similarly to covered “health care clearinghouses.” Additionally, even if some companies decide to become HIPAA-compliant, as the period tracker Glow did in 2017, those changes are largely voluntary.
Some clauses within the policy are decidedly less reasonable. The company keeps personal and sensitive data for up to 5 years from the moment someone stops using their app. The company may disclose that data to regulators or use them in legal proceedings to protect the company and its partners. Formally requesting the data be erased does not ensure it will be deleted. There are cases where the company will not honor the request or will delay deletion. Natural Cycles also reserves the right to continue to process a user’s data if they have a “compelling legitimate reason…that outweighs [a user’s] interest, rights or freedoms,” or if they are involved in a legal case that requires the information.
While it is tempting to believe that anonymized information cannot be traced back to individuals, there are recent advances in data science that suggest otherwise. Researchers from the UK and Belgium have devised an algorithm that can re-identify almost all Americans using 15 pieces of demographic information from a data set. The code and model for this algorithm have been posted publicly as a way to advance data privacy research and alert organizations to potential privacy threats. However, that does not mean femtech companies have adjusted their business models accordingly to protect users.
We highlight Natural Cycles because its FDA clearance as a contraceptive can give users a false sense of security about the app’s safety (and effectiveness), but these privacy issues are endemic. Perhaps the most alarming example is the Femm app, a fertility tracking app developed by abortion and contraception opponents and promoted through religiously affiliated “crisis pregnancy centers.” Stay tuned for upcoming commentary on Femm and what using an app developed to promote a right-wing ideology might mean for your private health information.
Maggie Gorini is the NWHN Policy Fellow.