HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?

Questions are being raised about whether HIPAA Rules are being violated when attorneys send text messages and push notifications to patients who have visited emergency rooms and other medical facilities using geofencing technology.

Marketers are using a range of clever tactics to sell products and services such as remarketing – The displaying of advertisements on websites to individuals who have previously viewed products on another website but not made a purchase.

Similarly, the use of geofencing is growing in popularity. Geofencing is the creation of a digital fence around a specific location. When an individual crosses that invisible boundary, a push notification is sent to the users mobile phone. That location could be a store or any location. Retailers have been using the technology for some time, Google sends push notifications based on location, and now attorneys are getting in on the act.

This tactic of targeting specific individuals is being offered by at least one digital marketing firm and the service is being offered to attorneys. In this case the geofence is around healthcare facilities, specifically emergency rooms. When an individual enters the ER, they are sent a push notification through their phone offering them legal assistance.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

NPR reports that Tell All Digital, a New York marketing firm, has been offering this service to law firms and there is no shortage of takers. It is one of the biggest growth areas for the firm and lawyers from several states are trialling the marketing tactic.

The benefits to attorneys are clear. The technology allows the attorney to be virtually in an Emergency Room or healthcare facility targeting individuals who have more than likely been injured. They are sent advertisements about the option of making a personal injury claim. While only a percentage of patients will have a valid claim, it certainly improves the odds of finding a prospective client.

As with remarketing, an individual can be targeted with adverts for a set period after the visit. Potentially ads or messages could be received for up to a month after a visit to an emergency room, according to the NPR report.

While it is certainly an innovative way for attorneys to find clients that have a higher than average chance of qualifying for a personal injury claim, many view this as an invasion of privacy. But could this also constitute a violation of HIPAA?

HIPAA Rules apply to healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA covered entities. While attorneys can certainly be business associates, HIPAA Rules would be unlikely to apply in this case.

HIPAA covered entities are not supplying any protected health information, the only information that is being supplied is the fact that an individual is in a medical facility, and that information is not passed over by any healthcare company.

While this tactic may not be a violation of HIPAA Rules, it could certainly violate state laws or federal laws other than HIPAA. NPR cites a settlement that was reached last year over similar tactics used by an advertising company to target women who had visited reproductive healthcare facilities. In that case, Copley Advertising set geofences around reproductive health centers and methadone clinics. They were sent messages such as ‘Pregnancy Help’, ‘You Have Choices’, and ‘You Are Not Alone’, with the clients including a Christian pregnancy counselling and adoption agency.

Massachusetts’ attorney general Maura Healey took action and reached a settlement with the advertising agency over potential violations of state consumer protection laws, which the use of geofencing allegedly violated. Under the settlement, Copley was prohibited from using geofencing technology in the state of Massachusetts at or near healthcare facilities to infer the health status or medical conditions of individuals. Healey claimed the actions were tantamount to digital harassment.

Whether the practice violates state laws is open to interpretation, although as the practice appears to be gaining momentum, regulators may have to step in, certainly with respect to visits to healthcare facilities.

While this may not be a matter for the HHS to deal with, it could be dealt with at the state level or it is possible this is more in the realm of the Federal Trade Commission. However, whether the practice actually violates any laws is unclear. What is clear is that unless action is taken, the practice will continue, and its popularity will likely grow.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.