California: AG settlement with Fertility App company

Xavier Becerra: ” Today’s settlement is a wake up call not just for Glow, but for every app maker that handles sensitive private data.”

Landmark settlement against GlowHQ – a fertility app that had serious privacy and security failures that risked exposing millions of women’s medical information.

As part of the settlement, Glow will be required to:

  • incorporate privacy and security design principles into its mobile apps,
  • get consent from users before sharing private information,
  • and allow users to revoke previously granted consent.

Link to settlement:

Link to complaint:

New Health Apps Section on

OCR launched a new feature on, titled Health Apps. This new webpage takes the place of OCR’s previous Health App Developer Portal, and is available at

The new webpage highlights OCR’s guidance on when and how the Health Insurance Portability and Accountability Act (HIPAA) regulations apply to mobile health applications, including:

Spanish DPA (AEPD): Analysis of Information Flows in Android – Tools for compliance with Accountability

The objectives of the study focus on:

  • Defining the context and conceptual framework of the detection of the personal data communications in applications executed on an Android operating system.
  • Demonstrating the elevated risk in the mobile application environment of leaks of personal data and the need to carry out an evaluation of data flows
  • Studying the existing techniques for the detection and analysis of personal information flows in Android Applications.

HHS Clarifies HIPAA Liability Around Third-Party Health Apps

Interesting article that tries to summarize some of the latest HHS guidance. Includes “If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained.