Period trackers have become popular among women for monitoring ovulation, fertility, and menstruation-related concerns. These apps allow for sharing information with healthcare professionals. However, it's important to note that using these apps requires disclosing protected health information (PHI) for their effectiveness. While the Flo app is popular and useful, it does not notably meet some HIPAA compliance standards.
What is Flo?
Flo is an app that allows users to log and monitor various aspects of their menstrual health, including cycle length, symptoms, mood, etc. Flo claims to provide users with insights into their menstrual patterns and reproductive health, helping them better understand and manage their menstrual cycles and fertility.
The data collected is common amongst period trackers of its caliber. This includes:
- Weight
- Body temperature
- Menstrual cycle dates
- Details of your pregnancy (if you select the pregnancy mode)
- Various symptoms related to your menstrual cycle, pregnancy, and health
- Other information about your health, physical and mental well-being, and related activities, including personal life.
Flo's privacy policy
Flo specifies the requirement for user consent for processing personal data for content customization, automated decision-making based on cycle data and providing recommendations and offers. Customization features are opt-in, allowing users to control their preferences.
This allows personal data to be used for specific purposes, such as supporting app functions, delivering products and services, and responding to user requests. It clarifies that data is not sold or rented and is only shared with service providers as described in the privacy policy.
There is, however, the potential for third-party intervention in the case of data integration between the app and website for onboarding purposes. Flo explicitly claims that it will not use data from Apple HealthKit and Google Fit for advertising or sell it to advertising platforms, data brokers, or information resellers.
HIPAA compliance for applications
HIPAA's Privacy Rule establishes the standards for protecting individuals' PHI held by healthcare providers, clearinghouses, and health plans. HIPAA compliance includes the requirement for covered entities to sign Business Associate Agreements (BAAs) with their business associates.
The BAA outlines the responsibilities and obligations of both parties in safeguarding PHI and ensures that business associates understand and comply with HIPAA regulations. By signing the BAA, the covered entity and business associate establish a contractual relationship that enforces HIPAA compliance and protects the privacy and security of PHI.
Related: HIPAA Compliant Email: The Definitive Guide
Flo and HIPAA compliance
Period trackers like Flo and other similar apps are primarily used by consumers for personal tracking and self-management of menstrual cycles and related information. These apps are not typically utilized directly by healthcare providers in the context of protected health information (PHI) or for medical treatment purposes.
As a result, period tracker apps are not legally obligated to meet the specific requirements outlined in the HIPAA to be considered HIPAA compliant. The responsibility and decision to use these apps, along with any associated privacy and security risks, lie with the individual user or patient.
Related: Reproductive health data isn't always protected under HIPAA
Flo violations
It is important to note that although Flo and other period trackers are not required to be HIPAA compliant, they still collect and store sensitive health-related data. In recent years Flo and other period trackers have come under fire for potentially sharing private data with unauthorized third parties.
The settlement between Flo and the Federal Trade Commission (FTC) in 2021 is a notable case that highlights concerns regarding the privacy and data handling practices of period tracker apps. The settlement resulted from allegations that Flo Health misled users about how their personal data was being shared.
The case followed an investigation by The Wall Street Journal, which raised questions about the potential sharing of data, including details about users' menstrual cycles and pregnancy intentions, with social media platforms like Facebook. As a result, the proposed settlement "requires Flo Health, Inc. to, among other things, obtain an independent review of its privacy practices and get app users' consent before sharing their health information."
The future of health apps and user data:
Period trackers may not currently be subject to HIPAA regulations, but you should carefully consider the privacy policies, terms of service, and data handling practices of period tracker apps to assess the level of protection provided to their personal information.
State legislation like Washington's My Health My Data Act, set to take effect on March 31, 2024, extends privacy protections to health data not covered under federal Health Insurance. This will likely serve as a model for new legislation at the state and national levels soon.
Related: Washington state enacts pioneering health data privacy law
Kirsten Peremore
