HIPAA does not go far enough to protect health-related information inferred from location data collected by cellphones.
Today, the average person carries around a cellphone incessantly. Smartphones join employees at work, capture family vacation memories, and help busy people find stores as they run errands. All the while, these phones are continuously collecting location information through a myriad of sources, including GPS, WiFi, Bluetooth signals, and cellphone towers.
This vast collection of location data is jaw-dropping.
It is one thing for companies to know where someone lives or works, but it is a different ballgame for them to have enough data to paint a comprehensive picture of an individual’s fluid movements.
As the U.S. Supreme Court recently described, location data provide “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’” Location data can reveal many different facets of private lives, but one particular insight is especially galling: the sheer magnitude of health information that can be inferred just from knowing someone’s location.
Imagine someone is sitting in a doctor’s office waiting room for a weekly chemotherapy treatment. To pass the time, this person scrolls through social media on a smartphone. To the person’s surprise, the phone displays targeted advertising for wigs and compression socks.
How did these companies know about this person’s cancer diagnosis and the potential need for these products?
The diagnosis itself would be protected by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the nation’s primary health privacy law. Yet, the advertising companies could still have inferred the potential cancer diagnosis by virtue of where this person was sitting.
GPS location at a cancer clinic provides advertisers enough information to infer that someone may spend money on various goods. Indeed, the companies could construct their marketing scheme to show these advertisements to anyone who came within a certain proximity of the hospital or clinic, through a practice called geofencing.
Targeted geofencing advertising has been used in various health care settings. One notable example involved an advertising company sending text messages to “abortion-minded women” in close proximity to reproductive health care clinics. This campaign was driven by an effort to sway the health care decisions of these women and provide information about alternatives to abortion.
This example is only one of many. Private companies can collect, use, and sell information that reveals health status with problematic ease under the current U.S. health and data privacy landscape.
Location data can reveal health information by providing insights into diverse aspects of health. Some examples of these insights include: health care activities, such as visiting a cancer clinic; health behaviors, such as going to the gym or eating fast food; social determinants of health, such as by indicating what neighborhoods and environments a person lives and works in; and social networks that may influence health, such as close contact during the COVID-19 pandemic.
Across these categories, location data are the observed or collected data, and health information is the inferred data. Yet studies have shown that people conceptualize the privacy of observed and inferred data differently. For example, when individuals give a weather app permission to access their location information, they likely only think about how it will facilitate localized weather forecasts—not about the vast amount of location information that could then be sold to third parties and possibly used to infer their health status.
Many inferences can be drawn from location data. Health inferences, however, are especially problematic. Location data reveal linkages to the very same health information normally protected within the health care setting. In many ways, location data are health data.
Existing U.S. health privacy law does not adequately address this reality.
For example, HIPAA prohibits a health care provider from broadly sharing a patient’s treatment for substance use. But, at the same time, GPS location data can reveal the individual’s regular visits to methadone treatment facilities. These data are regularly collected by private companies and sold without regulation.
As is often discussed, HIPAA protects health information based upon who collects the data, rather than on the basis of the data themselves. HIPAA applies only to narrow settings of health plans, health care clearinghouses, health care providers, and their business associates. HIPPA’s coverage leaves substantial gaps. Private companies can collect, aggregate, and infer health data without running afoul of HIPAA.
To protect health information more fully through HIPAA, the law could be expanded to cover entities outside of health care settings and to constrain health inferences that can be drawn from health location data. This end could be achieved by regulating the creation of health-related profiles and other health inferences. For example, regulation could allow for the collection of location information for certain purposes, such as localized weather forecasts, but prohibit the creation of health profiles based on that location information.
Expanding HIPAA to reach more covered entities and health inferences, however, would constitute a significant expansion of HIPAA privacy rights because many companies have access to location or other data that can be used to infer health information.
For this reason, the location-as-health problem may be best addressed through a comprehensive data privacy law.
The United States does not currently have a national data privacy law, but there have been many recent efforts to move toward comprehensive data protections. The California Consumer Privacy Act is one example. This law gives California citizens several rights over their data including the “right to know about the personal information a business collects about them and how it is used and shared” and the “right to delete personal information collected from them.”
Given these efforts, the time is ripe to address concerns about how health information can be inferred from data, including location data. Several protections must be included in new laws to help regulate inferred data, such as limiting the collection of information to legitimate purposes and limiting health profiling. For example, in the European Union (EU), the General Data Protection Regulation (GDPR) regulates inferences by generally requiring individual consent for automated profiling to occur. The EU describes the GDPR as “the toughest privacy and security law in the world.”
Such changes would be no small feat and would significantly alter data norms in the country. But without the implementation of these protections, the very same health data that are currently protected by HIPAA within the medical realm will remain freely available for companies to collect, sell, and use with few restrictions. Without greater regulation, there is little individuals can do to prevent such intrusion into their health privacy.
This essay is part of a six-part series, entitled Reflecting on 25 Years of HIPAA.