Accountability for Privacy Violations in Mobile Health Apps: Flo Health and the Health Breach Notification Rule

Digital privacy concerns were raised once again following the overturn of Roe v. Wade in June 2022. These concerns were exacerbated when messages sent via Facebook Messenger discussing a medication-induced abortion became the basis for further search warrants that were used to prosecute a mother and daughter in Nebraska. As the Nebraska case shows, tech companies must comply with search warrants issued by courts, sowing privacy concerns particularly among users of period tracking apps. Following the overturn of Roe v. Wade, menstruating people were encouraged to delete period tracking apps altogether, but data experts warned that deleting the apps alone may not protect users.

Privacy concerns are not new to period tracking apps. Flo Health is a period tracking app, used by more than 100 million people, with a history of privacy concerns. From 2016 to 2019, Flo Health promised users that it would keep their health data private, yet it released identifiable health information to third parties, including Facebook’s analytics division. In 2020, the Federal Trade Commission (FTC) filed a complaint against Flo Health alleging that the app had misled users about how their health information was stored and used. Flo had been sharing user data with third party firms under app event names such as “R_Pregnancy_Week_Chosen,” names that explicitly conveyed users’ health information. Flo Health reached a settlement with the FTC in 2021. Flo Health is just one example of how mobile apps struggle with privacy compliance.

While the Health Insurance Portability and Accountability Act (“HIPAA”) applies to many institutions that store personal health records, its application to mobile health apps, such as Flo Health, can be complicated. The FTC has released an interactive tool for mobile health app developers to determine whether certain regulations apply to their app. One such regulation is the Health Breach Notification Rule (“HBN”). The FTC issued the HBN in 2009, but, as of 2021, it had never brought an action to enforce it. The HBN exists to ensure accountability when entities not covered by HIPAA compromise consumers’ sensitive health information. The rule requires the entities it covers to notify both users and the FTC of any breach of security involving unsecured personal health records. A breach of security is any acquisition of identifiable health records that the consumer has not authorized.

While the FTC did not charge Flo Health with a violation of the HBN, two Commissioners released a joint statement arguing that its application was warranted in the case. Commissioners Rohit Chopra and Rebecca Kelly Slaughter argued that Flo Health shared user data with Facebook and other entities without obtaining users’ authorization to do so. The Commissioners sought enforcement of the HBN as a way to “induce firms to take greater care in collecting and monetizing our most sensitive information.” The FTC has also published further guidance for mobile health app developers that store sensitive health information. The guidance includes minimizing the data collected, storing it in a de-identified form, and limiting operating systems’ access to the data.

Despite this guidance, Flo Health, and apps like it, still store detailed, identifiable information about their users, including personal notes left by the user. Some progress has been made, however: Flo Health released an “anonymous mode” after the overturn of Roe v. Wade in June 2022, allowing users to remove their name, email address, and technical identifiers from their account. Still, a user’s privacy and control over their health information should not be an afterthought brought about only by changes in case law, especially when regulations already exist to hold entities accountable for releasing sensitive information without the user’s authorization.
