HHS Issued Guidance to Protect Private Medical Information. Here Are Some Best Practices for Users of Period-Tracking Apps

Vice President Kamala Harris (left) and Jennifer Weiss-Wolf (right) participate in a June 14 roundtable with constitutional law, privacy and technology experts in anticipation of the Court’s overturn of Roe v. Wade. (Courtesy of the White House)

It has been less than a week since the Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and creating a national crisis. Among the urgent unmet needs now is ensuring that people’s private health information is vigorously safeguarded.

This includes period-tracking apps, used by millions of women to help chart and better understand their reproductive cycle. With a wide array of offerings—some apps are marketed to teens, others to people trying to conceive—all require users to input extensive personal data about their menstrual cycles, and often other sensitive information ranging from frequency of sex, to diet, to mood swings. Since the Dobbs decision was first leaked in May, technology and privacy experts have called out the risks that period-tracking apps pose, as well as the danger of other forms of cyber-surveillance.

As for the apps, in part the problem is rooted in the business model most employ—which entails selling or sharing aggregated data with marketing and analytics companies and advertisers. This practice now poses an even more insidious threat in light of ‘bounty hunter’ laws that create financial incentives for private citizens to report those suspected of aiding and abetting an abortion. 

Another challenge: Period trackers generally do not have to comply with privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). And with more states poised to criminalize abortion and pregnancy outcomes, the apps could be used as the basis for prosecution—a burden that already falls heaviest on Black and brown women, whose bodies are more frequently over-policed and targeted. Law enforcement can subpoena the companies for data stored on third-party servers, and even when data is stored on the user’s own device, it can still be subject to a search warrant.

On Wednesday, June 29, the U.S. Department of Health and Human Services (HHS) issued new guidance to help individuals protect their privacy when using period trackers and other health information apps. The guidance also addresses the treatment of private medical information on personal cell phones and tablets.

Critically, it also clarifies how federal law and regulations protect individuals’ private medical information relating to abortion and other sexual and reproductive care—including that health providers are not required to disclose private medical information to third parties.

“How you access healthcare should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive healthcare information,” said HHS Secretary Xavier Becerra in a statement. “Anyone who believes their privacy rights have been violated can file a complaint with the Office for Civil Rights (OCR) as we are making this an enforcement priority.”

One study of 24 health-related apps found 19 shared personal data with third-party sources, who could then transfer the information to hundreds of other companies. 

OCR is also issuing information about protecting the privacy and security of health information when using a cell phone or tablet, including steps to decrease how those devices collect and share personal information without the individual’s knowledge. And it will issue best practices for privacy protection when using a period-tracking app.

Among the features Ms. recommends in a period-tracking app:

  • Local data storage only (on user’s device vs. the cloud)
  • No third-party tracking (third parties are not accountable to the contract between the app and the user)
  • Public transparency reports
  • Data deletion on demand
  • Nonprofit or privately funded (no revenue from data sales or advertising)
  • No facial recognition, only a PIN code
  • No PIN recovery system
  • Emergency “dummy” PIN code that opens to a “dummy” page

The onus is now on the administration and federal and state lawmakers to fill the enormous breach created by the Supreme Court—and to rise to meet the dire emergency in reproductive health and bodily autonomy now facing this country. This guidance by HHS is a simple, smart and necessary start.

Sign and share Ms.’s relaunched “We Have Had Abortions” petition—whether you yourself have had an abortion, or simply stand in solidarity with those who have—to let the Supreme Court, Congress and the White House know: We will not give up the right to safe, legal, accessible abortion.

Jennifer Weiss-Wolf is the executive director of Ms. partnerships and strategy. A lawyer, fierce advocate and frequent writer on issues of gender, feminism and politics in America, Weiss-Wolf has been dubbed the “architect of the U.S. campaign to squash the tampon tax” by Newsweek. She is the author of Periods Gone Public: Taking a Stand for Menstrual Equity, which was lauded by Gloria Steinem as “the beginning of liberation for us all,” and is a contributor to Period: Twelve Voices Tell the Bloody Truth. She is also the executive director of the Birnbaum Women’s Leadership Center at NYU Law. Find her on Twitter: @jweisswolf.