Are Period Tracker Apps Covered by HIPAA?
TLDR
Consumer period tracker apps are generally not covered by HIPAA. HIPAA applies to healthcare providers, insurers, and their business partners — not to standalone consumer apps. The primary law governing period tracker privacy in the US is FTC Section 5, which prohibits unfair and deceptive practices. That is a weaker standard, as the Flo enforcement action demonstrated.
- HIPAA: The Health Insurance Portability and Accountability Act, a US federal law that sets privacy and security standards for protected health information. HIPAA applies specifically to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. Consumer health apps not connected to a healthcare provider are generally not covered.
- Covered entity: An organization that must comply with HIPAA: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. A period tracker app that operates independently and is not affiliated with a healthcare provider or insurer is not a covered entity.
- Business associate: A person or company that performs services for a HIPAA covered entity that involve access to protected health information. A software vendor serving a hospital, for example, is a business associate. A consumer app sold directly to the public is not.
- FTC Section 5: The section of the Federal Trade Commission Act that prohibits unfair or deceptive acts or practices in commerce. This is the primary federal law applied to consumer health app privacy violations. The FTC's enforcement actions against Flo (2021) and Premom (2023) were brought under Section 5.
The HIPAA Misconception
Many people assume that health data is protected by HIPAA. This assumption is reasonable — HIPAA is the most prominent health privacy law in the US — but it leads to a false sense of security when using consumer health apps.
HIPAA was designed for the healthcare system: hospitals, clinics, insurers, and the companies that serve them. When you share health information with your doctor, HIPAA governs how that information can be used and disclosed. When you enter the same information into a consumer app, HIPAA does not apply.
This is not a loophole — it is an intentional scope limitation. HIPAA was enacted in 1996, long before consumer health apps existed. Congress has not updated the law to cover them.
What FTC Section 5 Actually Provides
The FTC’s enforcement authority under Section 5 covers unfair and deceptive practices. Applied to period trackers, this means:
- A company that says it will not share your data and then shares it can face an FTC enforcement action (as Flo did in 2021)
- A company that shares data in ways users would not reasonably expect may face enforcement
- A company that accurately discloses in its privacy policy that it shares data with advertisers is, from the FTC’s perspective, not being deceptive
The standard is not “protect health data.” The standard is “do not lie about what you do with health data.” This is meaningfully weaker.
State Laws: A Patchwork of Protections
California’s CCPA gives residents rights to know what data is collected, opt out of sale, and request deletion. Washington’s My Health My Data Act (effective March 2024) created specific protections for consumer health data. Texas and other states have enacted their own frameworks.
If you are a California, Washington, or similarly covered resident, your state law provides more specific health data protections than federal law. If you are not, your protections depend primarily on the FTC’s enforcement posture and the app’s voluntary commitments.
The Architectural Alternative to Legal Protection
Legal protections depend on companies complying, regulators enforcing, and laws keeping pace with technology. Architectural protection — using an app that never sends your data to a server — does not depend on any of these. It works regardless of the legal environment because there is no data at the company end to protect, misuse, or produce.
Is Flo HIPAA compliant?
Flo is not a HIPAA covered entity and is not required to be HIPAA compliant in the same way a hospital or insurer is. Flo may voluntarily implement some HIPAA-aligned security practices, but the legal protections HIPAA provides — its specific breach notification rules, minimum necessary standards, and individual rights — do not apply to Flo's relationship with its users. The law that the FTC used against Flo was Section 5 of the FTC Act, not HIPAA.
Do period tracker apps have to follow HIPAA?
Generally no. HIPAA covers healthcare providers, health plans, and their business associates. A standalone consumer period tracker app that you download from an app store and use independently is not a covered entity. If a period tracker were integrated into a healthcare provider's patient portal or offered by a health plan, those specific integrations might bring it into HIPAA scope — but the consumer app itself typically does not qualify.
If not HIPAA, what law protects my period data?
In the US, the primary federal protection is FTC Section 5 (unfair and deceptive practices). Some states add protections: CCPA covers California residents, and several states have passed health data privacy laws. No federal law specifically designed for consumer health app data exists at the time of writing. The gap between HIPAA's strong protections and the weaker FTC standard is a recognized policy issue.