Fertility Apps Bound by Weak Disclosure Rules in Post-Roe World

A 2021 FTC settlement with fertility program Flo Health Inc. after it allegedly compromised users’ sensitive health information, offers a window into how the federal government can partially protect that data if Roe v. Wade is overturned.

The leak of a draft Supreme Court decision that reverses Roe prompted calls to scrap apps that track periods amid fears that states with new abortion bans could use data from those apps for criminal proceedings. More than 100 million people track their periods using mobile apps, according to a 2020 paper.

Fertility programs are not covered by the Health Insurance Portability and Accountability Act (HIPAA), the law that requires health providers, insurers and third-party administrators to protect patients’ health data.

“The US doesn’t protect your information just because it’s related to your health,” says Kayte Spector-Bagdady, associate director at the Center for Bioethics and Social Sciences in Medicine and an assistant professor of obstetrics and gynecology. the University of Michigan Medical School. “It only protects your health information that is collected by your doctor or your hospital or your health plan. And if you put health information somewhere other than a clinic’s form in a clinic, it may not be protected.”

Although HIPAA does not apply to personal health applications, other agencies may still exercise some oversight, albeit with limited authority. The Federal Trade Commission’s health breach notification rule requires companies to notify consumers, the FTC and potentially the media if there is a leak of identifying health information. The FTC rule applies to most apps and health technologies, unless HIPAA already covers the health data. Health technologies used in settings such as hospitals are covered by HIPAA.

The agency settled with Flo Health last year over allegations that the company shared sensitive health data with marketing and analytics firms, including Facebook and Google.

“Some of this was actually shared as one would normally expect an app to share data with third parties that help improve user experience,” said Leah Fowler, a research assistant professor at the University of Houston Law Center, whose research focuses on the intersection look, said. of the law and consumer health technologies. Flo Health violated the FTC rule because some of the shared data included menstrual information, and there were no provisions about what the third party could do with it later, she said.

The FTC has had the authority to enforce the breach notification rule since 2010, and it clarified last year that the rule applies to health apps.

There is renewed interest in the rule with a Democrat-led FTC. The Flo Health settlement shows the agency’s reasoning: “If we don’t tell consumers how we share their data with more specificity, that’s technically a violation,” Fowler said. “People think that Flo could be a harbinger of how the FTC intends to handle the health breach notification rule.”

In a state where abortion is illegal, the FTC can say that disclosing health data indicating an identifiable person’s pregnancy termination without their consent is a violation, but only if the data goes to a third party. The rule has an exception for law enforcement, which says notification of a disclosure can be delayed if it would impede a criminal investigation or harm national security. If an app’s privacy policy spells out that it will share data with law enforcement, a disclosure directly to law enforcement is unlikely to be considered a violation.

How the FTC defines a violation is of great importance, because one of the main concerns about how data from these apps can be used to reveal abortion activities is through the sale of the information to third parties. Companies now routinely pull identifiable information from dating apps, social media, fertility apps and the like and sell it to marketers, Spector-Bagdady said. “If there is money associated with sharing information about women accessing abortion care, that would be another potentially profitable reason to sell or share health information.”

The European Union’s General Data Protection Regulation has stricter privacy protections compared to the US and gives individuals more rights over their personal data. The GDPR allows data to be sold for marketing purposes if that sale is clearly set out in the consent form. Furthermore, an EU code of conduct for mobile health apps states that a user must be informed before an app developer enters into an agreement with a third party.

A company required to follow GDPR is unlikely to be able to transfer data implying a terminated pregnancy without that person’s consent. However, a recent analysis of the most popular women’s mobile health apps found poor data privacy, sharing and security standards. Twenty of the 23 apps shared data with third parties, and 13% collected data before consent was obtained.

Companies that do business in Europe and allow data to flow freely between the two continents must comply with the Transatlantic Data Privacy Framework. Details of that framework are still being finalised.

Criminal Investigation

If an app detects a user who has resumed their period after a two-month lapse, it raises the question of whether the authorities will start calling and asking what happened to that pregnancy, Spector-Bagdady said.

“You will have to confirm in some way that you had a natural miscarriage, she said. “If access to abortion care becomes illegal in your state, that would be information that could potentially be related to criminal activity.”

Last year, Texas Governor Greg Abbott signed a ban on almost all abortions after about six weeks. Other states are expected to follow as Roe is overturned. A six-week pregnancy is essentially four weeks after a missed period, Fowler said. “These apps are just kind of a convenient collection of data” about when pregnant people seeking abortions are at risk of running afoul of the law.

Programs less private than paper

The narrow scope of HIPAA is not always clear to the general public, often leading to misunderstandings about how it applies and how secure their data is.

“During the pandemic, we realized the limitations of how people understand HIPAA,” Spector-Bagdady said. “Everyone who argued that they didn’t have to show their vaccine record because HIPAA protected that information didn’t understand that HIPAA only protects information collected by certain people. And it doesn’t protect an individual from sharing their health information to access services.”

Abortion patients have a limited privacy shield: HIPAA explained

The ability of fertility apps to make predictions about ovulation depends on inputting information such as menstrual cycle dates, dates of intercourse and cervical mucus consistency, according to Stephanie Morain, a core faculty member at Johns Hopkins University’s Bioethics Institute and an assistant -professor in the public health school.

“Period tracking apps track highly intimate and personal datayet the terms of service and privacy policies that govern these apps are not easily accessible or understandable to most users,” she wrote in an email.

Morain and Fowler reviewed user agreements and privacy statements of many popular fertility apps and found that all allowed companies to change their terms and to decide whether to unilaterally notify users of that change later. “Companies can say they won’t sell or share data, but then change their policy to do just that.”

“Notably, one of the reasons some users report wanting to use these apps, rather than paper or other digital calendars, is that they perceive apps to be MORE private than other methods,” Morain wrote.

There’s also often language in user agreements that says the company will share information with law enforcement, Fowler said. Third party data sharing agreements are also common.

After the fact

The FTC’s enforcement arm may be the best U.S. agency to monitor the sharing of health data, though its authority is probably best used to urge health apps not to share data. With a new Democratic majority, protecting consumer data is poised to be a priority for the commission. The agency has already indicated an interest in protecting consumers in a number of FDA-regulated areas, such as stem cell clinics that sell unproven therapies and pharmacy benefit managers.

Flo Health, for one, is out of the data-sharing business. “Flo does not share personal health data with any third party, and an independent audit conducted in March found the company had no gaps or weaknesses in its privacy practices,” it said in a statement to Bloomberg Law.

“Furthermore, Flo will never require a user to log an abortion or provide details they feel should be kept private. Should a user raise concerns about data submitted, Flo’s customer support team will delete all historical data which will completely remove all data from Flo’s servers,” the statement said.

Fowler said the FTC health breach notification rule is weak in the context of abortion tracking because it is reactive. “It does not establish any kind of data standards for applications. It only requires that consumers be notified of a violation, which is also true for state-level consumer protection offices.”

“The damage has to happen before any recommendations or enforcement actions or lawsuits can actually happen,” she said.

Tips for use

If someone wants to use these apps, there are ways to do due diligence to find those that have better privacy protections “at least on paper,” Fowler said, such as choosing apps that follow the GDPR. “It’s important to understand what your application does, how it does it, what data it does it with, and to go into it with open eyes.”

Spector-Bagdady said a person can go so far as to never write down health information unless it is within the context of filling out a form to give to a doctor or clinic. She also recommended adjusting privacy settings. Default settings usually allow location and app data to be collected even when that app is not in use.

These consumer watchdogs are a poor substitute for government protection, Fowler said. “I don’t necessarily believe that the onus of protection should be on the consumer because I think that misses the point of why we have consumer protection in general.”