Does HIPAA protect period tracking app data?

No. HIPAA does not cover standalone period tracker apps. The law applies to covered entities (healthcare providers, health insurers, clearinghouses) and their business associates. A period tracker app that operates independently of a healthcare provider is not a covered entity and is not bound by HIPAA's privacy rules. The FTC's enforcement authority under Section 5 of the FTC Act is the primary check on how these apps handle user data.

What should I look for in a telehealth privacy policy?

Look for explicit statements about what data is shared with analytics providers, advertising networks, or data brokers. Check whether the platform uses third-party SDKs (often disclosed in a separate privacy addendum or cookie policy). Confirm whether the platform is a HIPAA Business Associate Agreement (BAA) signatory if it handles data from an employer health plan. If the policy says data may be shared for business purposes or service improvement without specific limits, treat that as a red flag.

Can law enforcement access my telehealth records?

Data held by a HIPAA-covered entity requires a subpoena, court order, or specific legal process to disclose. However, data held by non-HIPAA apps can often be accessed with a lower legal bar. Some states have enacted additional protections for reproductive health data. Washington's My Health My Data Act (2023) is one of the most expansive. On-device storage, where the company has no copy of your data, is the only architecture that makes this question moot.

privacy-in-practice

Telehealth and Period Tracking: Data Risks Explained

When you share cycle data with a telehealth provider, HIPAA may not protect it. Here's what happens to that data and how to protect yourself.

The HIPAA Gap in Telehealth Telehealth has expanded a lot, and with it the assumption that sharing reproductive health data online is protected the same way a doctor visit would be. That assumption is often wrong. HIPAA, the Health Insurance Portability and Accountability Act, applies to covered entities: healthcare providers who conduct electronic transactions, health insurers, and healthcare clearinghouses. It also applies to their business associates when those associates handle protected health information. What HIPAA does not cover is consumer facing health apps that operate outside of a clinical care relationship. Most period tracking apps are not HIPAA covered. The FTC made this clear in its 2021 enforcement action against Flo Health, which found that Flo shared user reproductive health data with Facebook and Google via embedded analytics SDKs. Flo was not prosecuted under HIPAA because HIPAA did not apply. The FTC used Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, to take action. The same logic applies to telehealth platforms that operate as subscription wellness services rather than traditional medical providers. Whether your data is protec