Flo on Priv: Data Privacy Challenges in Women’s Health Apps
December 14, 2022
In this week’s episode of Privacy Abbreviated, host Dona Fraser and new host Arlo Gilbert, CEO of Osano, are joined by Tsimafei Savitski, Chief Legal Compliance Officer, and Roman Bugaev, Chief Technology Officer of Flo, an app designed to track ovulation cycles. Due to the nature of the app, users are asked to share detailed information about their health and wellness, and Flo is well aware of this sensitivity. Listen now to hear how the Flo team is raising the bar for privacy by upholding anonymity on their platform.
00:00 – In episode five of Privacy Abbreviated, hosts Dona Fraser, Senior Vice President of Privacy Initiatives at BBB National Programs (BBB NP), and Arlo Gilbert, the CEO and founder of Osano, sit down to discuss data privacy measures among health apps. They’re joined by Tsimafei Savitski, Chief Legal Compliance Officer of the female health and wellness app Flo and Roman Bugaev, Chief Technology Officer of the app.
00:50 – The hosts open this episode by discussing the connection between HIPAA law and wellness apps. There are now a plethora of apps available that track everything from steps taken to calories burned to hours slept. While these apps can be extremely helpful in maintaining one’s health, the data collected by these apps are not covered by HIPAA law. This means personal information is not protected from being accessed and used without the user’s consent. This is a major concern for privacy advocates, who worry that the data could be used to discriminate against users or deny them insurance coverage. Even if the data is anonymized, there is still a risk that it could be used to identify individuals. For now, it is best to use caution when sharing health data through apps. Arlo then discusses the American Data Privacy and Protection Act (ADPPA) in the conversation, noting that the act may resurrect in 2023. The ADPPA is a bill that would create national standards and safeguards for personal information collected by companies, including protections intended to address potentially discriminatory impacts of algorithms. Although Congress is unlikely to enact the bill between now and the end of the year, the ADPPA represents progress toward a comprehensive data privacy law in the United States.
01:33 – The Federal Trade Commission (FTC) has stated its intention to broadly interpret the HIPAA Breach Notification Rule. HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.The growing necessity of revisiting the HIPAA Breach Notification Rule and the ADPPA is brought on by resurfacing conversations regarding consumers having more control over their personal data when using apps. In this episode, our hosts and guests discuss the relevance of these two mandates in pertinence to how sensitive personal health data is stored and maintained.
09:09 – Dona then proposes a question about the process of deleting personal data – can users request to have their data deleted? According to Roman, Flo maintains the highest possible standards with respect to all the data that they process, and users are able to simply request the deletion of their personal data if they wish. Roman also adds that Flo contains the users’ data worldwide, even though their infrastructure is located within the United States. As such, the company relies on cloud providers to store its data. Cloud providers are able to store data in multiple locations, making it easier for app developers to comply with data privacy regulations. In addition, cloud providers typically have sophisticated security systems in place to protect user data. As a result, outsourcing data storage to a cloud provider can be an effective way to collect and store data from users internationally.
25:26 – Roman explains that going forward, Flo will continue to carry out innovative privacy practices by encrypting data and performing regular third-party audits. Tsimafei agrees, saying that their goal is to be an example to other businesses in the industry. Flo made waves in the summer when it announced “anonymous mode,” an option for users who don’t want their data connected to their person. By stripping anonymous users of identifiers like IP address, email, or username, the accounts become unidentifiable by Flo and any third parties. At the moment, the setting is not default because it does have downsides that affect personal usability. Users in anonymous mode can’t track their data across multiple devices, and if their device is lost or stolen, the information can’t be recovered. However, Roman hopes to one day be able to make anonymity the default as the Flo team continues working to make their app more secure.
Subscribe to receive email notifications of new Privacy Abbreviated episodes.
Privacy for Start-Ups
With tens of thousands of entrepreneurs in the United States, how do these business leaders ensure privacy is part of any pivots or growth plans? What are the data wants vs the must haves? Priv hosts are joined by the Tech Diplomacy Network’s Katharina Koerner and Santa Clara University’s Professor Linsey Krolik to discuss the privacy questions entrepreneurs face when getting their business started.
The Government Purchase of Private Data
In this episode of Privacy Abbreviated, professor Matthew Tokson joins our hosts to discuss how the collection and sale of private data may help government agencies circumvent legal requirements.
Ad Watchers: What is the appeal of an appeal? Getting to Know NARB
In this episode of Ad Watchers, your hosts discuss a critical link in the chain of advertising industry self-regulation: the National Advertising Review Board, or NARB, the appellate body for National Advertising Division cases.
Filling Privacy Gaps with Soft Law Solutions
In this episode of Privacy Abbreviated, our hosts are joined by the Future of Privacy Forum’s Jameson Spivack to discuss how industry-developed standards and best practices can guide policymaking allowing hard law to adopt the lessons learned from soft law.