Privacy Invasion or Smart Marketing: Geofencing in Healthcare
The healthcare industry got a load introduction to geofencing marketing recently. The headlines were driven by a law firm targeting individuals going to an emergency room. In particular, the ads attempted to lure individuals into a personal injury suit. The type of action that would be sure to draw lines as personal injury is often a disfavored side of the law.
Naturally, the revelation that location could be used for targeted advertising created the usual rush of questioning whether the law firm violated HIPAA. The answer is almost certainly no since the law firm is probably not subject to HIPAA in any form. In the reported instance, the law firm was a personal injury firm, which means it wanted to represent the patients. If the law firm represents the patients, individuals are not covered by HIPAA with regard to their own information. Additionally, the firm was advertising for its own benefit and not for the benefit of the hospital or any other healthcare provider. As such, the law firm is outside the HIPAA regulatory scheme. However, there are a lot of questions to consider when it comes to geofencing and healthcare.
The first question to address is what does geofencing actually mean? It is the process of establishing an artificial perimeter around a specified location using either global positioning (GPS) or radio frequency identification (RFID). Once the geographic boundary is established, the entity or individual running the campaign can set “triggers” that will result in a certain action occurring when a device enters the identified area. In many instances, the action is to push an advertisement when a web browser is opened or otherwise generate targeted ads based. The content of the ads will be determined the entity or individual running the campaign.
Geofencing can be a powerful tool for any marketing campaign since it can be hyper-localized and capture a broad audience. Further, it is not really targeted to any one individual so much as anyone who enters that area. As such, geofencing is just another form of marketing
With a quick and general background of geofencing established, can healthcare entities really use this “new” digital tool for their own purposes? The answer is most likely yes. As indicated, geofencing is a form of general advertisement. A healthcare entity does not need to utilize any existing patient information or other sensitive information in its control. As explained, the ads are driven by targeting a particular location and then pinging any individual who enters the area. The geofencing can be analogized to distributing pamphlets or other written materials to anyone walking by on the street.
Since geofencing ads are broadly targeted and do not rely upon personal information currently held by an entity, HIPAA probably does not get invoked. HIPAA protects the privacy of protected health information in the hands of a healthcare provider, health plan or clearinghouse. PHI is information that relates to the past, present or future healthcare, services or payment for an individual. As already discussed, geofencing does not need to touch any of that information. Instead, geofencing establishes a perimeter-based upon predetermined requirements that sits waiting for anyone to enter the particular area. The healthcare entity does not need to know anything about an individual. he healthcare entity only needs to know that a person goes to a certain location that triggers the geofenced action. Given the circumstances, HIPAA will not apply to the establishment of the fence. However, information collected as a result of an individual responding to the targeting from geofencing or information otherwise provided to the healthcare entity could result in a different analysis.
While HIPAA may not present a barrier, there can still be other issues to consider. A settlement between the Massachusetts Attorney General and an advertising agency underscore that state law must be factored in. In the Massachusetts settlement, the agency targeted individuals going to certain health clinics with one-side points of view. The ads would then “follow” individuals for up to 30 days after going to the geofenced location. The MA Attorney General pursued the matter based upon state consumer protection laws. The AG determined that the ads violated protections by tracking a consumer’s location, disclosing the location information to third parties, and then using tracking to target the individuals with potentially unwanted advertising. The consumer protections underpinning the Massachusetts settlement are more broad-based privacy protections than relying solely upon the privacy and security provisions of HIPAA. The consumer protection provisions are also a hook that could have potentially more widespread applicability than just HIPAA too.
Arguably the bigger issues raised by geofencing are ethical ones. Is it ok to target individuals just because they happen to visit a certain location? For healthcare entities (or lawyers) is a risk of deceptive advertising, invasion of privacy, or some other concern raised? Those are open questions that will need to be addressed as geofencing and similar practices taking advantage of digital capacities continue to grow and/or get revealed. While the answer may not be clear, it should be expected that traditional notions of privacy are changing and unexpected approaches will be the norm.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.