The burgeoning industry of “Femtech”—technology designed to serve women’s health needs—dwells in nebulous territory from a compliance standpoint. On one hand, these applications and/or wearables are developed by technology companies without the regulatory burdens associated with, say, healthcare organizations. On the other, these companies collect, analyze, and store data related to women’s health, which sounds a lot like a healthcare company to some.

So, where does the line exist between a technology company and healthcare, and how are compliance practitioners supposed to know when their organization wanders from one industry into another? That’s the question regulators and executives are grappling with, and one we’ll attempt to untangle.

First things first: What is Femtech?

The range of women’s health needs addressed by Femtech is far-reaching. It includes fertility and menstruation tracking; pelvic floor strengthening; contraceptives; and “smart” biosensing technologies like tampons, vibrators, and breast pumps—body-invasive devices that provide analytics to companion applications with which they’re synced.

Femtech—a term coined by the CEO of one of the first women’s health apps—first emerged in 2013 with the advent of Clue and Glow, two distinct menstrual cycle-tracking apps. The industry has since exploded as venture capital markets opened to startups. Investors have poured over $1 billion into Femtech, and market research firm Frost & Sullivan predicts the industry could be worth $50 billion by 2025.

Once considered a “niche” industry, Femtech has uncovered a lucrative sweet spot in the tech world. Eighty percent of household healthcare spending is done by women; working-age women spend 29 percent more per capita on healthcare than men in the same age group; and women are 75 percent more likely than men to use digital tools for healthcare, according to Frost & Sullivan’s research.

While Femtech is subject to the Federal Trade Commission Act (FTC Act), the industry is not subject to any federal privacy or data security regulation specific to protected health data. To date, Femtech firms that collect and store personal health data mainly fall outside the purview of the Health Insurance Portability and Accountability Act (HIPAA). Simply put, consumers’ digital health information collected by many of these apps could be rented and sold for profit by developers.

How HIPAA could apply to Femtech

Momentum for change is building. If recent proposals for HIPAA reform are adopted, Femtech developers and companies will be held to a higher standard of accountability for protecting users’ privacy and data. To that end, these companies will need to expend resources to implement technical safeguards like data encryption.

HIPAA applies to specific “covered entities” encompassing three distinct categorizations: healthcare providers or healthcare plans, clearinghouses, and business associates.

Femtech applications do not fall under the first two categorizations. Most Femtech apps are not operated by physicians or healthcare providers; nor are they payment systems or technology infrastructures that serve as conduits of protected health information. Instead, they are private companies with specialized technologies that collect and store sensitive data concerning women’s health needs.

“HIPAA’s ‘business associate’ category is the only potential category that could sweep a Femtech mobile application under HIPAA regulation,” researcher Celia Rosas writes in “The Future is Femtech: Privacy and Data Security Issues Surrounding Femtech Applications,” published by Hastings Business Law Journal.

A “business associate” covers a person (or a company) who “creates, receives, maintains, or transmits protected health information” on behalf of another covered entity, according to the regulation text of HIPAA. Examples include “a Health Information Organization, e-Prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and requires access on a routine basis to such protected health information.”

Uniquely, Femtech app Glow is categorized as a “business associate” and displays its satisfactory HIPAA compliance on its company Website, Rosas points out.

Glow users can opt into the “Glow Fertility Program Patient Services Agreement.” The fertility program provides access to fertility clinics and lower pricing on IVF, IUI, ICSI, egg freezing, and medication, the company states. Glow serves as a conduit between healthcare providers of fertility-related services, other persons involved in the financing of healthcare services, and end users. Thus, because Glow receives, maintains, and transmits protected health information to other covered entities, it is subject to HIPAA.

“We maintain ‘protected health information’ (as defined in the Health Insurance Portability and Accountability Act, ‘HIPAA’) in compliance with applicable healthcare privacy and security rules and our contractual obligations with our business partners and customers, including healthcare providers and their contractors (who are also subject to HIPAA),” Glow’s privacy policy states. Glow might serve as a forerunner for other Femtech apps and companies that could be subject to HIPAA if the scope of regulation is expanded to include Femtech companies under “covered entities.”

A covered entity under HIPAA must implement “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,” the U.S. Department of Health and Human Services Website states.

Covered entities must encrypt electronic protected health information in motion, that is, during data transmission. In Glow’s case, for instance, any end user’s protected health data transmitted to providers of fertility-related services or to persons involved in the financing of healthcare services must be encrypted during transmission. Glow, along with all covered entities, can choose its type of encryption as long as it is “reasonable and appropriate,” according to the National Institute of Standards and Technology (NIST) HIPAA Security Rule Guide. In addition, employees must be trained in the proper use of the chosen encryption.

Rosas believes a line should be drawn between two types of Femtech apps: those that provide simple tracking services and those that draw on smart biosensing products to capture data and sync it to companion apps.

Early apps like Clue offer features allowing users to answer a series of questions in the app and manually log menstrual symptoms; this is considered a simple, non-invasive tracking service. In contrast, apps like NextGen Jane, Lioness, and Elvie use invasive devices that users insert or wear on their person to track their bodies on a whole new level.

NextGen Jane, for example, invented a smart tampon device that women can use to monitor their reproductive health by syncing the device with its companion app. “We’re developing … a way to listen to the molecular messages from the tissues of your body,” the company’s Website states.

If proposals for HIPAA reform are too sweeping, they could stifle innovation in the Femtech space, Rosas argues. If only biosensing devices and their companion apps are held to the higher regulatory standard, traditional health logs offering simple tracking services will still be able to enter the market.

“Traditional health logs do not store and analyze a high volume of personal data to the extent emerging biosensing products do … Due to the advanced technology inherent in biosensing devices, it is not unreasonable to require that sophisticated products implement technical safeguards like data encryption,” Rosas argues.

Femtech regulation today

In May, concerns were raised about protecting data privacy, especially as it pertains to third-party apps, at the Senate HELP Committee hearing on the 21st Century Cures Act. Leaders from Congress, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare & Medicaid Services (CMS) were all in attendance.

When a patient chooses to release private health information from a covered entity—such as their family medical history, for example—through an app that is not a covered entity or business associate under HIPAA, that patient data is no longer subject to HIPAA protections.

Senator Bill Cassidy (R-La.), who happens to be a medical doctor, asked ONC Chief Don Rucker whether third-party apps that collect private health data will eventually be classified as covered entities under HIPAA. Rucker said they will not. When asked whether third parties could sell the data, Rucker replied: “It’s a contractual thing to be negotiated between the patient and the app subject to FTC [Federal Trade Commission].”

While the future regulatory landscape of Femtech remains unclear, the status quo leaves consumers with the ultimate responsibility for protecting their own health information when it comes to third-party apps that fall outside the purview of HIPAA. Consumers must read very carefully through Femtech apps’ privacy policies before offering up their highly personal information. Some companies, like period-tracking app Glow, expressly state on their Websites that they do not sell or rent data to third parties. Others do not.

It is also critical that Femtech firms ensure their terms of service and privacy policies are transparent, unequivocal, and prominent. If the regulatory tide changes and Femtech’s time under the radar runs out, firms without such policies will find that problems surface quickly.