Period Tracker Data and Health Insurance Discrimination

Period tracker data isn't covered by HIPAA. Here's how it can reach insurers through data brokers, what the ACA protects, and how to reduce exposure.

The HIPAA Gap That Affects Every Period Tracker User

Most people assume health data has legal protection. It does, but only when held by covered entities: doctors, hospitals, health insurers, and their business associates. That protection is HIPAA, the Health Insurance Portability and Accountability Act. Consumer apps are not covered entities.

The FTC confirmed this clearly in its enforcement action against Flo Health in 2021. The FTC found Flo shared period dates, pregnancy status, and health symptoms with Facebook and Google. The FTC's authority came from general consumer protection law (Section 5 of the FTC Act), not HIPAA, because HIPAA simply didn't apply. The $59.5M class action that settled in September 2025 was a civil action. The data sharing itself wasn't illegal under HIPAA because HIPAA never covered Flo's data. This gap is the foundation of every insurance risk that follows.

How Data Reaches Insurers

The direct path, an insurer subpoenaing your period tracker, is not the realistic concern. A major insurer issuing targeted subpoenas to consumer app companies would trigger significant legal and public relations consequences and isn't a common practice. The realistic path