Your App Knows You Got Your Period. Guess Who It Told?

“We have huge opportunities to improve our collective understanding of female health.”

— Carolyn Witte, chief executive and co-founder of the women’s health clinic Tia

Every day, Flo, a women’s health app, invites its more than 100 million users to enter intimate details about their bodies that they might not share even with their closest friends or family: the color and consistency of vaginal discharge, the length of their periods, whether they had protected or unprotected sex, whether they feel frisky or have a low libido.

For many, this level of detail helps keep track of and demystify the reproductive cycle from its most fertile days to its least.

Users with privacy concerns might have found comfort in Flo’s promise to keep select information collected through its app secret, noting that, even as it might share some personal data with other companies, it would not disclose details about “cycles, pregnancy, symptoms notes and other information that is entered by you.”

It turns out that promise was misleading, regulators say.

From 2016 to 2019, the company behind Flo, which was founded in 2015, passed on certain intimate health details of its users to marketing and analytics companies like Facebook and Google, according to the Federal Trade Commission, which filed a complaint in January saying it had reason to believe that the company had misled its users.

The agency said that Flo’s data-sharing practices had allowed third-party companies to use that “personal health information expansively, including for advertising,” though both Flo and Google said last week that the information had not been used for advertising. Facebook did not respond to a request for comment.

And here lies the crux of the problem with women’s consumer health technology, or “femtech” as it is known in investor speak: The sheer volume of data collected in apps like Flo is ripe for privacy violations, but that same data may also open the door to unraveling some of the biggest, understudied riddles of female health.

“With the data collected by these products, we have huge opportunities to improve our collective understanding of female health and well-being in really powerful ways,” said Carolyn Witte, chief executive and co-founder of Tia, a membership-based women’s health clinic, nodding to the shallow understanding of women’s bodies and reproductive health.

But, Ms. Witte added, there is now an unregulated gray area surrounding the health data users provide in these apps that, were it shared with a doctor, would be protected by strict patient privacy law.

More Than ‘Buyer Beware’

In the United States, about one in five women between the ages of 18 and 49 currently use health apps — those that track fitness, nutrition, sleep and other health-related metrics — according to a Gallup poll conducted in November. And femtech in particular, including medical devices, by some estimates, could become a $50 billion market by 2025 — a small slice of the broader global digital health market (including telemedicine, wearable devices and so on), which is expected to reach $600 billion by 2024.

But as long as health apps make only general wellness claims — like meditation apps marketed to soothe you to sleep — they do not need to be vetted by federal health regulators. Moreover, and to the surprise of many users, those consumer health apps also generally do not have to comply with a federal privacy law called the Health Insurance Portability and Accountability Act, known as HIPAA, which specifically covers patient data collected by and shared among doctors, hospitals, labs and health insurers.

In other words, the personal health data you enter into consumer apps — even apps that you have to pay for — are not protected by federal safeguards for patient privacy.

The Federal Trade Commission, which enforces fair business rules, may crack down on apps that break their privacy promises, which is what regulators charged in the Flo case.

Flo agreed to settle the F.T.C. charges. The proposed settlement prohibits Flo Health, the company that owns Flo, from misleading users about its data-handling practices. It also requires Flo to obtain users’ consent before sharing their health details and to obtain an independent review of its privacy practices.

In settling the case, Flo did not admit to any wrongdoing. The company said in a statement that it had used third-party analytical tools in the past “to gain a better understanding of how our users interact with our app and ultimately enhance” their experience and that users’ data had been used “solely for analytical purposes.” The company added that the app does not share information about users’ health without their permission.

“We are committed to ensuring that the privacy of our users’ personal health data is absolutely paramount,” the company statement added.

Privacy experts said the Flo case could cause wider user mistrust of women’s health apps.

“It’s become even more cynical than just ‘buyer beware,’” Deven McGraw, the chief regulatory officer of Ciitizen, a company that helps people gain access to and control their health information, said of consumer health apps. “You did your homework. You read this app’s privacy policy. You thought you were putting your data in a trusted place. And turns out that the company didn’t take its obligation seriously.”

Flo certainly isn’t the only app accused of mishandling intimate data. In 2019, Privacy International, a nonprofit group in Britain, studied a number of popular period-tracking apps and reported that two of them transmitted sensitive information — such as details on users’ symptoms and contraceptive use — to Facebook and other companies.

Over the last two years, lawmakers and state attorneys general in the U.S. have begun scrutinizing period-tracking and fertility apps. Last March, several members of Congress sent letters to Apple and Google asking the companies to remove any period trackers that collected users’ health data without obtaining their explicit permission, in an attempt to place more responsibility on the gatekeepers.

In the European Union, the onus is squarely on app developers, giving consumers broad rights to control their data. In particular, a comprehensive E.U. law — called the General Data Protection Regulation — typically requires companies to obtain explicit permission before collecting or sharing sensitive personal information like health details.

Moving Science Forward

Deceptive data mining, misleading privacy policies and other troubling practices do not negate the need for women’s health apps. But regulators going after leaky apps, one by one, doesn’t give consumers much confidence or clarity either.

What’s needed, experts suggest, is a new regulatory framework that enables health care providers and researchers to work with consumer apps to better understand women’s health, whether it’s symptoms, medications or different responses to disease.

Until recently, women have been underrepresented in medical research, clinical trials for drugs and vaccines, and even biology textbooks, leaving health care providers with large blind spots in their understanding of and ability to care for women’s bodies, which often have very different needs and responses than men’s bodies.

Femtech not only presents researchers with a new opportunity to access real and authentic data from millions of users that until recently has been difficult to gather, but also helps women take greater control of their health, said Ida Tin, co-founder and chief executive of Clue, another cycle-tracking app that was founded in 2013, based in Germany.

“I have always seen the app as a facilitator for conversation,” said Ms. Tin, who in fact coined the term femtech. “The more people know about their bodies and themselves, the more they will know when something’s off, and they’ll go seek help.”

Clue, which has over 12 million monthly active users, provides scientific institutions with information from its app, she said, stripping that data of unique identifiers that could be traced back to users, all on a noncommercial basis. Its privacy policy clearly states that the company works with scientific researchers and offers users the option to opt out of sharing their data or even delete their data. The company also, according to its privacy policy, publishes the results of its academic, clinical or internal research with its users.

“Actually we find that that’s something that many users are quite excited about — the idea that you literally move science forward every time you type in a data point,” Ms. Tin added, an indication that users may be open to the idea of their data being put to good use.

Apple, too, is using its tools — such as its iPhone, Apple Watches and apps built specifically for research surveys — to advance women’s health research, working with Harvard School of Public Health on an ambitious study that aims to enroll a million women over a decade. And women who participate in the study may choose which types of information — such as heart or physical activity data — they share with researchers.

Tia clinic offers a different example of how medicine and technology can work together. The company started out as a digital platform offering sexual health and gynecological advice — “a WebMD for women’s health,” as Ms. Witte described it — then evolved into a period cycle-tracker app and then into a full-blown brick-and-mortar medical practice in 2019.

Patients can add daily updates into the Tia app, which is covered by HIPAA, and can control whether their doctor can view that information.

“There’s a big gap in the market between consumer app data — so things that are in your Apple Watch or a Fitbit or sleep tracker or a cycle tracker — and the health data that a typical doctor has, and there’s actually immense value when that data can be shared between them,” Ms. Witte said.
