Episode Show Notes: Flo on Priv: Data Privacy Challenges in Women’s Health Apps

00:00 – In episode five of Privacy Abbreviated, hosts Dona Fraser, Senior Vice President of Privacy Initiatives at BBB National Programs (BBB NP), and Arlo Gilbert, the CEO and founder of Osano, sit down to discuss data privacy measures among health apps. They’re joined by Tsimafei Savitski, Chief Legal Compliance Officer of the female health and wellness app Flo and Roman Bugaev, Chief Technology Officer of the app. 

00:50 – The hosts open this episode by discussing the connection between HIPAA law and wellness apps. There are now a plethora of apps available that track everything from steps taken to calories burned to hours slept. While these apps can be extremely helpful in maintaining one’s health, the data collected by these apps are not covered by HIPAA law. This means personal information is not protected from being accessed and used without the user’s consent. This is a major concern for privacy advocates, who worry that the data could be used to discriminate against users or deny them insurance coverage. Even if the data is anonymized, there is still a risk that it could be used to identify individuals. For now, it is best to use caution when sharing health data through apps. Arlo then discusses the American Data Privacy and Protection Act (ADPPA) in the conversation, noting that the act may resurrect in 2023. The ADPPA is a bill that would create national standards and safeguards for personal information collected by companies, including protections intended to address potentially discriminatory impacts of algorithms. Although Congress is unlikely to enact the bill between now and the end of the year, the ADPPA represents progress toward a comprehensive data privacy law in the United States.  

01:33 – The Federal Trade Commission (FTC) has stated its intention to broadly interpret the HIPAA Breach Notification Rule. HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.The growing necessity of revisiting the HIPAA Breach Notification Rule and the ADPPA  is brought on by resurfacing conversations regarding consumers having more control over their personal data when using apps. In this episode, our hosts and guests discuss the relevance of these two mandates in pertinence to how sensitive personal health data is stored and maintained.  

02:10 – After a brief discussion of these mandates, Roman shares some information about the female health and wellness app Flo. What started in 2015 as an app that allows women to track their ovulation cycles, has evolved into a thriving platform with personalized health insights, virtual dialogs, and dozens of courses to learn how your cycle affects your body and well being. The FTC had investigated Flo regarding claims that Flo was not upholding its stated data collection and sharing promises. A recent independent audit found that Flo’s policies and handling of personal data are consistent with its publicly stated privacy policy. 

09:09 – Dona then proposes a question about the process of deleting  personal data – can users request to have their data deleted? According to Roman, Flo maintains the highest possible standards with respect to all the data that they process, and users are able to simply request the deletion of their personal data if they wish. Roman also adds that Flo contains the users’ data worldwide, even though their infrastructure is located within the United States. As such, the company relies on cloud providers to store its data. Cloud providers are able to store data in multiple locations, making it easier for app developers to comply with data privacy regulations. In addition, cloud providers typically have sophisticated security systems in place to protect user data. As a result, outsourcing data storage to a cloud provider can be an effective way to collect and store data from users internationally. 

25:26 – Roman explains that going forward, Flo will continue to carry out innovative privacy practices by encrypting data and performing regular third-party audits. Tsimafei agrees, saying that their goal is to be an example to other businesses in the industry. Flo made waves in the summer when it announced “anonymous mode,” an option for users who don’t want their data connected to their person. By stripping anonymous users of identifiers like IP address, email, or username, the accounts become unidentifiable by Flo and any third parties. At the moment, the setting is not default because it does have downsides that affect personal usability. Users in anonymous mode can’t track their data across multiple devices, and if their device is lost or stolen, the information can’t be recovered. However, Roman hopes to one day be able to make anonymity the default as the Flo team continues working to make their app more secure. 

Explore BBB NP’s Privacy Initiatives 
Subscribe To Never Miss An Episode
Listen to the complete episode here.