Flo on Priv: Data Privacy Challenges in Women’s Health Apps
December 14, 2022
In this week’s episode of Privacy Abbreviated, host Dona Fraser and new host Arlo Gilbert, CEO of Osano, are joined by Tsimafei Savitski, Chief Legal Compliance Officer, and Roman Bugaev, Chief Technology Officer of Flo, an app designed to track ovulation cycles. Due to the nature of the app, users are asked to share detailed information about their health and wellness, and Flo is well aware of this sensitivity. Listen now to hear how the Flo team is raising the bar for privacy by upholding anonymity on their platform.
00:00 – In episode five of Privacy Abbreviated, hosts Dona Fraser, Senior Vice President of Privacy Initiatives at BBB National Programs (BBB NP), and Arlo Gilbert, the CEO and founder of Osano, sit down to discuss data privacy measures among health apps. They’re joined by Tsimafei Savitski, Chief Legal Compliance Officer of the female health and wellness app Flo and Roman Bugaev, Chief Technology Officer of the app.
00:50 – The hosts open this episode by discussing the connection between HIPAA law and wellness apps. There are now a plethora of apps available that track everything from steps taken to calories burned to hours slept. While these apps can be extremely helpful in maintaining one’s health, the data collected by these apps are not covered by HIPAA law. This means personal information is not protected from being accessed and used without the user’s consent. This is a major concern for privacy advocates, who worry that the data could be used to discriminate against users or deny them insurance coverage. Even if the data is anonymized, there is still a risk that it could be used to identify individuals. For now, it is best to use caution when sharing health data through apps. Arlo then brings up the American Data Privacy and Protection Act (ADPPA), noting that the act may be revived in 2023. The ADPPA is a bill that would create national standards and safeguards for personal information collected by companies, including protections intended to address potentially discriminatory impacts of algorithms. Although Congress is unlikely to enact the bill between now and the end of the year, the ADPPA represents progress toward a comprehensive data privacy law in the United States.
01:33 – The Federal Trade Commission (FTC) has stated its intention to broadly interpret the HIPAA Breach Notification Rule. HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed (or “breached”) in a way that compromises the privacy and security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised. The growing need to revisit the HIPAA Breach Notification Rule and the ADPPA is driven by renewed conversations about giving consumers more control over their personal data when using apps. In this episode, our hosts and guests discuss how these two mandates bear on the way sensitive personal health data is stored and maintained.
09:09 – Dona then poses a question about the process of deleting personal data: can users request to have their data deleted? According to Roman, Flo maintains the highest possible standards with respect to all the data that they process, and users are able to simply request the deletion of their personal data if they wish. Roman also adds that Flo holds data from users worldwide, even though their infrastructure is located within the United States. As such, the company relies on cloud providers to store its data. Cloud providers are able to store data in multiple locations, making it easier for app developers to comply with data privacy regulations. In addition, cloud providers typically have sophisticated security systems in place to protect user data. As a result, outsourcing data storage to a cloud provider can be an effective way to collect and store data from users internationally.
25:26 – Roman explains that going forward, Flo will continue to carry out innovative privacy practices by encrypting data and performing regular third-party audits. Tsimafei agrees, saying that their goal is to be an example to other businesses in the industry. Flo made waves in the summer when it announced “anonymous mode,” an option for users who don’t want their data connected to their person. By stripping anonymous users of identifiers like IP address, email, or username, the accounts become unidentifiable by Flo and any third parties. At the moment, the setting is not default because it does have downsides that affect personal usability. Users in anonymous mode can’t track their data across multiple devices, and if their device is lost or stolen, the information can’t be recovered. However, Roman hopes to one day be able to make anonymity the default as the Flo team continues working to make their app more secure.