By: Eliana Lindenberg

Published on: October 1, 2024

In the wake of Dobb’s v. Jackson Women’s Health Organization overturning of the landmark decision of Roe v. Wade, women’s health and privacy needs reliable protections now more than ever. With states criminalizing abortion, forcing people to travel out-of-state to obtain such services, women’s health data must be kept secure. While some states have enacted laws keeping women’s health data safe from subpoenas in criminal cases, these protections are not enough. Women’s health data exists outside of hospital and physician records. Apps like Flo that allow a woman to track her menstrual cycle, fertility, and pregnancy are ripe with women’s health data, and this data is not protected by HIPAA. This blog argues that protections for this type of data are needed.

HIPAA, passed in 1996, is the Health Insurance Portability and Accountability Act. Under HIPAA, people are empowered to “take” their health coverage with them, regardless of their employer.[1] HIPAA protects health information, but not in the way one night think. Contrary to popular belief, HIPAA does not prevent someone from asking about an individual’s vaccination status. HIPAA protects electronically transmitted health information only to those entities to which it applies. That means that HIPAA does not apply to everyone. Only health plans, healthcare clearinghouses, and healthcare providers transmit health information electronically in connection with a transaction for which the U.S. Department of Health and Human Services (“HHS”) has published standards.[2] Accordingly, health apps are generally not covered.[3]

Does HIPPA not applying to everyone mean that all health data on health apps can be used whichever way without protection? Of course not. The Health Breach Notification Rule  under the Federal Trade Commission (“FTC”) Act requires that health apps notify consumers when a data breach occurs.[4] Although not all health data is protected under HIPAA, the FTC can provide some protections for this type of private health data that falls through the cracks not covered by HIPAA –– thus far, the FTC has failed to provide these protections.

In January 2021, a lawsuit was filed against the fertility-tracking app Flo, alleging the unauthorized sharing of users’ private health data with third-party companies, including Facebook and Google.[5] The complaint alleges that Flo Health violated the users’ privacy by disclosing information about users’ sexual health, menstrual cycles, and other information to third parties despite assurances that it would not.[6] Although the FTC finalized a settlement that requires Flo to receive affirmative consent from users before sharing their personal health information, the settlement does not require Flo to give users control over how their intimate health data is used.[7]

These protections are not sufficient to protect women post-Dobbs. With states criminalizing abortions, some safe-harbor states have recognized the need to provide subpoena protections for those women coming from out-of-state to obtain abortions.[8] Such protections cannot be understated because HIPAA cannot protect health information from a court order, and may not be able to prevent a subpoena from obtaining such information either.[9] Regarding health data covered only by the FTC’s Health Breach Notification Rule, there are no protections in place to prevent law enforcement from obtaining access to health data.[10] Effectively, this means that a woman living in Idaho who travels out-of-state for an abortion could find a subpoena for data she may have put on a period tracking app for use in a criminal case against her upon her return. This is an extreme example, but protections of private health data are necessary to protect and prevent people from encountering these extreme examples.

[1] HIPAA Privacy and Security for Beginners, Wiley (July 2014), https://www.wiley.law/newsletter-5029.

[2] HIPAA For Dummies, The HIPAA Guide, https://www.hipaaguide.net/hipaa-for-dummies/ (last visited Mar. 30, 2024).

[3] See Steve Alder, Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA, The HIPAA J. (July 26, 2023), https://www.hipaajournal.com/americans-mistakenly-believe-health-app-hipaa/#:~:text=There%20is%20a%20common%20misconception,or%20transmitted%20by%20the%20apps.

[4] Id.

[5] See Sara Merken, Fertility App Maker Flo Health Faces Consolidated Privacy Lawsuit, Reuters, (Sept. 3, 2021, 9:59 PM), https://www.reuters.com/legal/litigation/fertility-app-maker-flo-health-faces-consolidated-privacy-lawsuit-2021-09-03/.

[6] Id.

[7] See FTC Finalizes Order with Flo Health, A Fertility-Tracking App That Shared Sensitive Health Data with Facebook, Google, and Others, Fed. Trade Comm’n, (June 22, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared-sensitive-health-data-facebook-google (In addition to requiring Flo to receiver affirmative consent from users, Flo must also notify affected users of the disclosure of their data to third-parties. Flo is also prohibited from misrepresenting the purposes it collects, uses, or discloses data; how much consumers can control data use; its compliance with any privacy, security, or compliance program; and how it collects and deals with that data once collected.).

[8] See Simmone Shah, What Abortion Safe Haven States Can Do, Time, (June 27, 2022, 4:45 PM),  https://time.com/6191581/abortion-safe-haven-states/.

[9] Court Orders and Subpoenas, U.S. Dep’t of Health and Hum. Servs., https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html (last visited Mar. 30, 2024).

[10] Ashley Gold & Oriana González,  Post-Roe, Prosecutors Can Seek Unprotected Reproductive Health Data, Axios, (Mar. 1, 2023), https://www.axios.com/2023/03/01/post-roe-unprotected-reproductive-health-data.

[11] Id.

[12] Id.

[13] Id.

[14] 117 Cong. Rec. H5831 (daily ed. June 23, 2022) (statement of Rep. Jacobs).