Health apps may not protect your medical info

In the wake of Roe v. Wade’s demise in June, those who use menstrual tracking apps have expressed privacy concerns over how the data they’ve collected can be shared. Some even worry that courts will begin using information from these apps to prosecute anyone thought to be illegally seeking abortion care.

This raises a big question: Where are the HIPAA protections?

The Health Insurance Portability and Accountability Act makes sure that doctors and other entities such as insurance providers cannot share your health information without your explicit consent. However, that same level of privacy and protection does not extend to the information that your phone or web browser may gather.

From mental health websites and WebMD searches to that app you use to chart your diet or your cholesterol, the data you create can legally be used in much broader ways than a doctor’s chart. Sometimes that means highly targeted ads based on your health-related browsing history, and sometimes it means being tracked to places you meant to keep private.

Tatum Hunter, a technology writer with The Washington Post, joined Marketplace’s Kimberly Adams to talk about the mismatch between health privacy and the way apps use our personal data. An edited transcript of their conversation is below.

Kimberly Adams: So doctors and hospitals aren’t supposed to share my medical information without my permission because of HIPAA. Why doesn’t that apply here when we’re talking about apps?

Tatum Hunter: So the way HIPAA is set up is that certain entities have to abide by it. That might be an insurer or a doctor. But health apps aren’t one of those entities. So if you are, you know, in a session with a therapist on a health app, that’s likely protected by HIPAA because they’re a provider. But if you’re clicking around, even outside of your therapy session on a therapy app, if you fired up a symptom checker such as Drugs.com, that’s not protected by HIPAA. And neither is what that app learns about you.

Adams: So what kind of information is being gathered? And where is it being shared?

Hunter: In this case, we saw your activities inside the app, such as what pages you visited, and in the case of WebMD and Drugs.com, what concerns you were researching, getting paired with user identifiers that are linked to your phone and then sent off to ad companies.

Adams: Some of this data comes from apps that we download and willingly use or websites that we go to on our own. And we sign off on these privacy policies, often without reading them. But in your reporting, you also found ways that our health information is shared even when we don’t opt in. What does that look like?

Hunter: So all of these apps have privacy policies that we accept when we use them. But we might not understand what that entails. For example, somebody who had said yes to Drugs.com’s privacy policy might not understand that that app is communicating with 100-plus third parties behind the scenes. So what is the user’s expectation when they say, “Sure, yeah, you can use my information to, for example, improve your services”? It’s hard to really wrap your mind around those downstream effects, such as information about your health concerns potentially landing in the hands of employers, insurers, credit grantors or government agencies. Because once information has kind of trickled out into the digital ad ecosystem, it’s incredibly difficult for journalists, researchers or especially consumers to keep track of where it lands.

Adams: All right. HIPAA is clearly not protecting all of our health information online at this point. What other protections might be out there for patients or consumers? Or is there anything in the works?

Hunter: Some lawmakers have identified that this is a problem and are trying to rein it in. For example, there’s a California Assembly member who’s proposed a bill that would redefine the state’s medical privacy law so that medical information includes data gathered by mental health apps. So right now, there are no good protections for this, but people are noticing it. As always, the burden kind of falls to consumers to decide what apps they want to engage with right now.

Adams: And what can people be doing now if they don’t want that information shared?

Hunter: So if you’re using an iOS device, such as an iPhone, when you get that prompt that says, “Ask app not to track,” go ahead and always ask them not to track you. If you’re using an Android device, you can do something called resetting your Android ad ID. You can punch that into Google to figure out how, and what that does is it basically wipes clean the set of numbers that’s linked to your phone so that advertisers have a harder time tracking you across the web. And recently, Google changed its policies so that you can turn off that ad ID altogether.