In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers. As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance on multiple issues concerning the collection and sharing of personal health data. Recently, they issued guidance clarifying the extent to which information collected by cycle trackers and other health apps is protected. The OCR also provided tips for individuals wishing to protect the data stored on their personal devices or potentially shared with third parties.
Key Takeaway: Most importantly, the OCR made clear that the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) generally do not protect the privacy or security of your health information when it is stored on your personal mobile device. Those rules protect the privacy and security of your medical and other health information only when it is created, received, maintained or transmitted by covered entities, including health plans and most healthcare providers, and their business associate vendors.
This means that internet search history, information voluntarily shared online and geographic location information is not protected by the HIPAA rules and could potentially be collected or viewed by others. In most cases, the HIPAA rules also do not protect the privacy of data you download or input to apps for personal use, regardless of where the information came from. There is a limited exception for apps (such as Epic’s electronic medical record patient portal app, MyChart) that were contracted by or on behalf of a covered entity to assist with patient or member services; however, information stored on most widely used apps would not be protected.
The guidance further warns that simply downloading or using a health app may be enough to give the developer permission not only to collect and retain your information but also to sell or share it with data brokers, marketing and analytics firms, law enforcement personnel or others. It’s important to note that agreements governing the relationship between app developers and third parties oftentimes do not limit how the third party may use or further disclose the information.
Proactive Steps: For those wishing to protect the information on their personal devices, the OCR outlined steps individuals can take, namely changing the settings on their phone, to prevent certain data from being collected. These steps include:
- Avoiding giving any app permission to access your device’s location data unless absolutely necessary.
- Turning off location services and tracking tools, such as cookies, on your devices.
- Seeking apps that use strong encryption when transmitting data.
- Deleting your account and/or specific information (location, activity, history) from apps you no longer use.
If an employer receives questions about the privacy of health information, they can explain that health information stored on mobile devices is most likely not protected by HIPAA. Additionally, it is important to note that while individuals can reduce the amount of information collected – and potentially shared – on their mobile devices, it is not possible to eliminate one’s digital footprint completely.
If you would like to speak to a member of the BakerHostetler Privacy team or the Dobbs Decision Taskforce, please reach out to Aleksandra Vold, Robyn Feldstein, Courtney Litchfield or your BakerHostetler contact.
 Period and cycle tracking apps allow users to record specific details about their menstrual cycle to obtain predictions about when they are ovulating and most fertile. Some individuals use these apps to help them get pregnant, and others use them to avoid pregnancy.