We increasingly rely on technology to stay fit and healthy. Wearable devices can track heart rates, blood pressure, glucose levels, sleep patterns, or menstrual cycles. You can research medical conditions online to learn more about medical issues and your mental health. Price-comparison websites can deliver significant savings on costly prescription drugs.

These resources, which collect highly personal information, may seem to provide confidential help, but in most cases their parent companies are allowed to save, share, and sell your info for profit to data brokers, which are largely unregulated and not always required to tell you what they’ve collected or shared.

Click below to listen to our Consumerpedia podcast episode on health-tracking apps and websites.

A recent report from the Duke University Technology Policy Lab found that 10 major brokers “advertised highly sensitive mental health data on Americans including data on those with depression, attention disorder, insomnia, anxiety, ADHD, and bipolar disorder...”

Laws Don’t Protect All of Your Medical Information

Unlike doctors or other medical pros, most of these apps, websites, and device-makers are not required to keep your health information confidential.

The Health Insurance Portability and Accountability Act (HIPAA) prohibits medical providers (doctors, dentists, mental health professionals, chiropractors, clinics, pharmacies, nursing homes, etc.) and health insurance plans (including government programs such as Medicare and Medicaid) from sharing health information without a patient’s authorization.

But HIPAA generally does not cover:

• Data collected from searches done on your phone or web browser.
• Information you provide to a website or app not affiliated with your medical provider.
• Health data generated by smartphones, smartwatches, and other wearable tech, or internet-connected medical devices, unless that technology is provided by an entity covered by HIPAA for treatment purposes.

For example, if you see a doctor about depression or anxiety, your visit is covered under HIPAA—the physician, practice staff, your insurer, etc., can’t share information about your condition or treatment without your consent. But if you do an online search for information about your condition, or download a coupon for Xanax or other medication, HIPAA does not apply. And if you share your official medical record with a non-healthcare provider, HIPAA privacy protections do not protect that information. Info collected by websites and software you use can be—and likely will be—scooped up by companies and traded or sold to data brokers.

The American Medical Association (AMA) warns that collecting and sharing of health data like this may be harmful. Its “Privacy Is Good Business: A case for privacy by design in app development” says “This kind of information may not seem like medical data when the user was entering it into the app, but as a picture of a person’s health begins to evolve from the information submitted, it starts to look more and more like what might be found in a medical record. A marketer, an insurance company, or an employer could have access to that information and use it in ways that the consumer may not have imagined.”

Ever Try Reading a Privacy Policy?

Companies that collect and share private medical info often require customers to agree to terms and conditions that include privacy policies allowing them to store and share medical data. Good luck reading these agreements; many are deliberately vague or difficult to understand.

Jen Caltrider, a privacy researcher at the Mozilla Foundation (the nonprofit behind the Firefox browser), reads privacy policies for a living, and even she gets confused. She finds that many companies bury their privacy terms in lengthy documents or use vague language such as “We could do this,” or “We may do that.”

“Your data is a business asset to them, and they’re going to try and make money off of it,” Caltrider told Checkbook.

The privacy policies of some companies state that what they collect, store, and share do not include customer names. But these “de-identified” data are still a valuable commodity that can be used to target ads to a select group of people. Digital security experts have shown that, with enough data points, it is possible to put names to anonymous profiles.

Troubling Findings About Mental Health Apps

Since 2017, researchers at Mozilla have monitored the privacy and security features provided by more than 100 popular apps. They found that most of them fail to protect consumer information. For a May 2023 report on mental health apps, Mozilla found that 20 of 32 tested apps (62.5 percent) failed to meet the group’s minimum standards for privacy. Even more troubling, 40 percent of the apps had changed their privacy practices to make them less protective than the year before.

“The worst offenders are still letting consumers down in scary ways, tracking and sharing their most intimate information and leaving them incredibly vulnerable,” the report concluded.

Mozilla’s researchers found that several mental health apps, including BetterHelp, Happify, and Talkspace, “pushed consumers into taking questionnaires upfront without asking for consent or showing their privacy policies first.”

Caltrider told Checkbook that the privacy policies for these apps say they can use data about sexual orientation and mental health status (“Are you depressed?” “Are you suicidal?”) to target you with ads. “That’s creepy, bordering on harmful,” she said.

Mozilla researchers ranked the app Replika as one of the worst they’ve ever reviewed. Replika shares personal data uploaded by the user—including personal photos, videos, voice messages, and text messages—with advertisers.

Mozilla recommended only two of the 32 apps it tested: Wysa AI Coach, a chatbot programmed to help people work “through negative thoughts and emotions”; and PTSD Coach, offered by the U.S. Department of Veterans Affairs.

Be Skeptical of Privacy Claims

Many patients ask their physicians to recommend apps or wearable devices. But don’t assume your docs or other medical providers know the data collection policies of technology they suggest. Do your own checks. Unless you know whether HIPAA rules regulate the website, device, or app, assume your personal data can and will be shared.

And don’t assume it’s safer to download apps from Apple’s or Google’s app stores. Companies selling software are required to provide disclosures about data collection and sharing, but that info is not verified.

“Don’t trust that,” Mozilla’s Caltrider told Checkbook. “For 80 percent of the apps that we reviewed [in the Google Play Store], that information was incorrect and misleading to varying degrees.”

Privacy labels used by app stores are often meaningless. Apple and Google indicate with blue checkmarks apps that supposedly don’t share any of your data. But when Washington Post technology columnist Geoffrey Fowler tested these guardrails in January 2023, he found Apple’s privacy labels fell short of being helpful or even accurate. “Many are false,” he reported.

Federal Trade Commission (FTC) Tries to Plug Enormous Privacy Loophole

So far this year, the FTC has sued three companies for sharing users’ sensitive personal information with third parties without their consent and in violation of the companies’ own stated privacy policies.

In March 2023, it took action against BetterHelp for sharing the health information of more than 7 million users with Facebook, Snapchat, Pinterest, and other online platforms for advertising purposes, in violation of the company’s own policies, which promised such information would “stay private between you and your counselor.” The company agreed to institute policies to better protect health information and pay $7.8 million in partial refunds to customers.

The FTC has initiated similar lawsuits against discount prescription website GoodRx and ovulation tracking app Premom. In announcing those cases, Samuel Levine, director of the FTC’s Bureau of Consumer Protection, warned that the government would take action against companies collecting and sharing personal health information without consent, even if apps, gadgets, and websites aren’t covered by HIPAA.

“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation,” Levine said. “The FTC will not tolerate health privacy abuses,” and it “plans to defend consumers’ health data from exploitation.”

Protect Yourself

Few of us have the time to read or the ability to understand most privacy policies. You can search for words such as “share,” or “sell,” but that’s an awkward way to make such an important decision.

If the privacy policy has a separate section for California residents, it’s worth reading, even if you live in a different state. California law requires a clear disclosure of what information would be shared, so it may be easier to understand.

Pam Dixon, executive director of the World Privacy Forum, advises: Only use an application, device, or website that you are “absolutely 100 percent certain” is covered under HIPAA regulations.

The only way to do that, Dixon told Checkbook, is to look for two things in the privacy policy: a “Notice of Privacy Practices,” and a detailed list of your rights under HIPAA and how to exercise those rights. Both are mandatory disclosures for entities covered by HIPAA privacy regulations. Don’t be fooled by phrases like “HIPAA compliant”—it’s meaningless. Companies that are not regulated by HIPAA sometimes display a HIPAA seal to build credibility, Dixon warned.

“If a company is actually regulated under HIPAA, they need to say we are HIPAA-covered or a HIPAA-regulated entity,” she said.

To limit information sharing, don’t link health apps to your Facebook or Google accounts. If when installing or using an app you get a popup asking for permission to access data, deny it. For any already-installed apps, check your phone’s settings to see what permissions are enabled and disable data sharing, if you don’t want that. If the app won’t run after you disable data sharing, consider uninstalling it.

Dixon said she would like to see regulations requiring that all health-related websites or digital services not regulated by HIPAA post a “clear and prominent statement” in their privacy policies warning that any information you share is not protected by HIPAA. But for now, she advises: “Hang on to your data, or assume it’s being shared.”