Health apps may not protect your medical information

Since the end of Roe v. Wade in June, those who use period-tracking apps have raised privacy concerns about how the data they’ve collected could be shared. Some even worry that courts will begin using information from these apps to prosecute anyone believed to be illegally seeking abortion care.

This raises a big question: Where are the HIPAA protections?

The Health Insurance Portability and Accountability Act ensures that doctors and other entities such as insurance providers cannot share your health information without your express consent. However, the same level of privacy and protection does not extend to the information your phone or web browser may collect.

From mental health websites and WebMD searches to that app you use to chart your diet or your cholesterol, the data you create can legally be used in much broader ways than a doctor’s chart. Sometimes that means highly targeted ads based on your health-related browsing history, and sometimes it means being tracked to places you want to keep private.

Tatum Hunter, technology writer for The Washington Post, joined Marketplace’s Kimberly Adams to talk about the disconnect between health privacy and how apps use our personal data. Below is an edited transcript of their conversation.

Kimberly Adams: So doctors and hospitals don’t have to share my medical information without my permission because of HIPAA. Why doesn’t that apply here when we talk about apps?

Tatum Hunter: So the way HIPAA is set up is that certain entities have to comply with it. This could be an insurer or a doctor. But health apps are not one of those entities. So if you’re, you know, in a session with a therapist on a health app, that’s probably HIPAA protected because they’re a provider. But if you’re ticking around, even outside of your therapy session in a therapy app, if you’ve run a symptom checker like, that’s not HIPAA protected. Nor what the app learns about you.

Adams: So what kind of information is collected? And where is it shared?

hunter: In this case, we saw your in-app activities, such as which pages you visited, and in the case of WebMD and, what issues you researched, paired with user IDs that are associated with your phone and then sent to advertising companies.

Adams: Some of this data comes from apps we download and use voluntarily or websites we visit ourselves. And we sign these privacy policies, often without reading them. But in your reports, you also found ways in which our health information is shared even when we haven’t opted in. What does this look like?

hunter: So all these apps have privacy policies that we accept when we use them. But we may not understand what that means. For example, someone who has said yes to’s privacy policy may not realize that this app communicates with over 100 third parties behind the scenes. So what is the user’s expectation when they say, “Sure, yes, you can use my information to improve, for example, your services”? It’s hard to really wrap your mind around these downstream impacts, such as information about your health issues potentially falling into the hands of employers, insurers, creditors or government agencies. Because once information has permeated the digital advertising ecosystem, it’s incredibly difficult for journalists, researchers, or especially consumers to track where it goes.

Adams: Okay. At this point, HIPAA clearly does not protect all of our health information online. What other protections might there be for patients or consumers? Or is something being worked on?

hunter: Some lawmakers have identified this as a problem and are trying to curb it. For example, there is a member of the California Assembly who has proposed a bill that would redefine the state’s medical privacy law so that medical information includes data collected from mental health apps. So there are no good defenses for it right now, but people are noticing it. As always, the onus is on users to decide what apps they want to engage with right now.

Adams: And what can people do now if they don’t want that information shared?

hunter: So if you’re using an iOS device like an iPhone, when you get that prompt that says “Ask the app not to track,” go ahead and always ask them not to track you. If you’re using an Android device, you can do something called resetting your Android Advertising ID. You can Google this to find out how, and what it does is it basically deletes the number set that’s associated with your phone so that it’s harder for advertisers to track you on the web. And recently, Google changed its rules so you can turn off this ad identifier entirely.

There’s a lot going on in the world. Through it all, Marketplace is here for you.

You rely on Marketplace to break down world events and tell you how they affect you in a fact-based and accessible way. We rely on your financial support to continue to make this possible.

Your donation today powers the independent journalism you rely on. For just $5/month, you can help keep Marketplace going so we can keep reporting on the things that matter to you.

Leave a Comment

Your email address will not be published. Required fields are marked *