- In a new trend that could raise patient privacy concerns, personal injury attorneys and marketers are using geofencing technology to deliver targeted advertisements to patients’ mobile phones when they visit emergency rooms or clinics, reported NPR.
Geofencing creates an electronic fence around a specified location that is tripped when a person enters the fenced area with a smartphone or other mobile device. Once the geofence is tripped, an advertiser displays an ad on the person’s mobile device.
An advertiser can identify someone’s location by grabbing the device ID from Wi-Fi, cell data, or GPS.
The geofencing technology has been used by retailers for years to deliver coupons and special offers to consumers when they enter a store. But its use in healthcare settings could raise concerns about patient privacy.
Bill McGeveran, an attorney who teaches internet and technology law at the University of Minnesota, said that HIPAA doesn’t apply because it covers “hospitals and clinics and doctors and insurance companies,” not the lawyers and marketers in this case.*
Under HIPAA, PHI includes information "which relates to the individual’s past, present, or future physical or mental health or condition; the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.”
To date, federal or state agencies have not classified location data as PHI. In the future, it could be considered information that relates to “past, present, or future physical or mental condition” and/or "the provision of healthcare." In either case, the practice of healthcare geofencing has drawn the attention of patient privacy advocates.
Massachusetts Attorney General Maura Healy believes that the ads violate her state’s consumer protection laws and raise health privacy concerns. Her office reached a settlement last year with Copley Advertising, an advertising company that uses geofencing to deliver mobile ads to people entering reproductive health centers and methadone clinics.
“While geofencing can have positive benefits for consumers, it is also a technology that has the potential to digitally harass people and interfere with health privacy,” said Healey in a statement.
“Consumers are entitled to privacy in their medical decisions and conditions. This settlement will help ensure that consumers in Massachusetts do not have to worry about being targeted by advertisers when they seek medical care.”
Under the settlement, Copley Advertising is prohibited from using geofencing around Massachusetts healthcare facilities.
At the federal level, the Federal Trade Commission (FTC) could become involved, said McGeveran. He noted that the FTC reached a settlement with a company that developed a flashlight app that shared location information and the device ID with advertisers without informing consumers.
“I think information about health, sexuality, finances, political views, people feel really differently about than they do about the brand of toothpaste they prefer,” McGeveran said. “And a higher level of sensitivity makes sense with this kind of sensitive information.”
At the same time, some people see geofencing as technology that can enhance healthcare security.
“By implementing geofencing, healthcare institutions keep information in by restricting access to devices or applications while inside a specified perimeter—and out—by making it impossible for devices outside the perimeter to access the network,” argued Roman Foeckl, CEO at Endpoint Protector (then called CoSoSys), in a HealthITSecurity.com contributed article.
There is no question that geofencing is an innovative technology that has privacy and security implications. It can be seen as an invasion of privacy, a legitimate marketing method, or as an essential security tool in a mobile healthcare environment.
Update: This article has been revised to make it clear that the lawyers and marketers in this story are not "business associates" under HIPAA, and therefore their use of geofencing would not raise HIPAA compliance issues.