Why geofencing may not represent a HIPAA concern
The healthcare industry got a rude introduction to geofencing marketing recently. The headlines were driven by a law firm targeting individuals going to an emergency department. In particular, the ads attempted to lure individuals into filing personal injury suits.
Naturally, the revelation that location could be used for targeted advertising created the usual rush of questioning about whether the law firm violated HIPAA requirements. The answer is almost certainly no, because the law firm is probably not subject to HIPAA in any form.
In this instance, the law firm was a personal injury firm, which means it wanted to represent patients. If the law firm represents the patients, individuals are not covered by HIPAA with regard to their own information. Additionally, the firm was advertising for its own benefit and not for the benefit of the hospital or any other healthcare provider. As such, the law firm is outside the HIPAA regulatory scheme.
However, there are a lot of questions to consider when it comes to geofencing and healthcare.
The first question to address is what does geofencing actually mean? It is the process of establishing an artificial perimeter around a specified location, using either global positioning services (GPS) or radio frequency identification (RFID). After that geographic boundary is established, the entity or individual running the campaign can set “triggers” that will result in a certain action occurring when a device enters the identified area. In many instances, the action is to push an advertisement when a web browser is opened or otherwise generate targeted ads. The content of the ads will be determined by the entity or individual running the campaign.
Geofencing can be a powerful tool for any marketing campaign because it can be hyper-localized and capture a broad audience. Further, it is not really targeted to any one individual—rather, it’s aimed at anyone who enters that area. As such, geofencing is just another form of marketing
With this understanding of geofencing, can healthcare entities really use this digital tool for their own purposes? The answer is most likely yes. As indicated, geofencing is a form of general advertisement. A healthcare entity does not need to utilize any existing patient information or other sensitive information in its control. The ads are driven by targeting a particular location and then pinging any individual who enters it. The geofencing can be likened to distributing pamphlets or other written materials to anyone walking by on the street.
Because geofencing ads are broadly targeted and do not rely upon personal information currently held by an entity, HIPAA probably does not get invoked. HIPAA protects the privacy of protected health information in the hands of a healthcare provider, health plan or clearinghouse. PHI is information that relates to the past, present or future healthcare, services or payment for an individual. As already discussed, geofencing does not need to touch any of that information. Instead, geofencing establishes perimeter-based predetermined requirements that wait for anyone to enter the particular area. The healthcare entity does not need to know anything about an individual. The healthcare entity only needs to know that a person goes to a certain location that triggers the geofenced action.
Given the circumstances, HIPAA will not apply to the establishment of the fence. However, information collected as a result of an individual responding to the targeting from geofencing or information otherwise provided to the healthcare entity could result in a different analysis.
While HIPAA may not present a barrier, there can still be other issues to consider. A settlement between the Massachusetts Attorney General and an advertising agency underscores that state law must be factored in. In the Massachusetts settlement, the agency targeted individuals going to certain health clinics with one-sided points of view. The ads would then “follow” individuals for up to 30 days after going to the geofenced location.
The MA Attorney General pursued the matter based upon state consumer protection laws. The AG determined that the ads violated protections by tracking a consumer’s location, disclosing the location information to third parties and then using tracking to target the individuals with potentially unwanted advertising. The consumer protections underpinning the Massachusetts settlement are more broad-based privacy protections that are more consequential than the privacy and security provisions of HIPAA. The consumer protection provisions are also a hook that could have potentially more widespread applicability than just HIPAA.
Arguably, the biggest issues raised by geofencing are ethical ones. Is it acceptable to target individuals just because they happen to visit a certain location? For healthcare entities (or lawyers), is a risk of deceptive advertising, invasion of privacy or some other concern raised? Those are open questions that will need to be addressed as geofencing and similar practices taking advantage of digital capacities continue to grow or get revealed. While the answer may not be clear, it should be expected that traditional notions of privacy are changing and unexpected approaches will be the norm.