A study published in Scientific Reports by de Montjoye, Hidalgo, Verleysen, and Blondel, analyzed fifteen months of mobility data for one and a half million individuals and found that just four randomly chosen location data points are enough to uniquely identify 95% of people in a large anonymized dataset. Even two points were sufficient to single out more than half. The study further showed that degrading the precision of location data, which is using larger geographic zones or longer time windows, reduces this re-identification risk only gradually, meaning that even coarse datasets provide little anonymity. For healthcare organizations, this creates a compliance exposure. Location data, in the right context, can be protected health information (PHI), and the systems creating it are found in devices, networks, and third-party systems.

 

What location data captures

Location data, in the healthcare context, does not only refer to GPS coordinates. Mobile operating systems record GPS trails, Wi-Fi networks generate connection logs, parking management systems log license plates against timestamps, and even patient portal apps with background location permissions can capture location data.

The study on human mobility uniqueness found that a person's whereabouts can be characterized from fewer than two locations on average, home and workplace are often sufficient anchors for re-identification. They also found that the outside information needed to link an anonymized trace back to a real person could come from anything publicly available such as a home address, a workplace, or a geotagged social media post.

These signals can reveal not just that someone visited a hospital, but which department they visited, how long they stayed, and how often they return. As the Office for Civil Rights (OCR) at HHS has stated in its Bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, an impermissible disclosure of PHI "can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals, and where an individual seeks medical treatment." Under HIPAA's definition of PHI, information that identifies an individual and relates to their health condition, treatment, or healthcare payment is protected.

 

The HIPAA interpretation gap

Firstly, much of the location data being created about a patient's hospital visits is created by apps patients installed voluntarily, by ad networks the marketing team contracted with for campaign analytics, and by third-party parking or visitor management vendors whose BAA status is nonexistent.

Secondly, the definition of what constitutes PHI is contextual. A GPS coordinate on its own is not PHI. But the OCR bulletin states that "individually identifiable health information collected on a regulated entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services." Organizations that assume raw location signals fall outside HIPAA's scope are taking a risk.

The FTC's 2024 enforcement actions against data brokers selling location data tied to sensitive health destinations, including abortion providers, addiction treatment centers, and mental health facilities show that even companies not subject to HIPAA can face federal action for monetizing this data. In the May 2026 settlement with Idaho-based data broker Kochava and its subsidiary, Collective Data Solutions. The FTC had originally sued Kochava in August 2022, alleging it had been selling location data from "hundreds of millions of mobile devices" in ways that exposed visits to health facilities and places of worship without consumers' knowledge or consent. Under the court order, both entities are now permanently barred from selling, sharing, or disclosing sensitive location data unless consumers have provided affirmative, explicit consent and only then when the data is used to deliver a service the consumer directly requested. The companies are also required to establish a sensitive location data program, audit their data suppliers for consent compliance, allow consumers to withdraw consent and request disclosure of who received their data, and maintain a formal data deletion schedule.

The OCR bulletin further notes that the FTC Act and the FTC's Health Breach Notification Rule "may apply in instances where a mobile health app impermissibly discloses a user's health information." For healthcare organizations, this means their vendors and partners may be creating exposure that goes back to the covered entity.

 

Where the risk lives

For IT and privacy teams conducting a gap analysis, the following areas would need to be evaluated.

  • Patient-facing mobile applications: Any app your organization publishes or endorses that requests location permissions is creating location records. The OCR bulletin specifically flags that "mobile apps may use a unique identifier from the app user's mobile device, such as a device ID or advertising ID" and that these "unique identifiers, along with any other information collected by the app, enable the mobile app owner or vendor or any other third party who receives such information to create individual profiles about each app user." Review what data these apps collect, where it is sent, and whether the recipients are covered by a BAA.
  • Wi-Fi and network infrastructure: Enterprise wireless controllers log device MAC addresses and connection timestamps. If your network captures these logs and they can be linked to patient identities you may be generating location-linked PHI. Verify retention policies, access controls, and whether this data is included in your PHI inventory.
  • Vendor and third-party integrations: Parking systems, visitor management kiosks, digital signage networks may be collecting location and device data about patients visits. The OCR bulletin notes that "a tracking technology vendor is a business associate if it meets the definition of a business associate, regardless of whether the required BAA is in place." Work with legal counsel to determine which vendors meet that threshold.
  • Marketing and advertising platforms: Healthcare marketing teams sometimes use geofencing and location-based advertising to reach potential patients. The OCR bulletin addresses this, stating that "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures." The bulletin also clarifies that "website banners that ask users to accept or reject a website's use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization."

 

Remediation steps

  • Identify every system that could generate or receive location data about patients, including mobile apps, network infrastructure, third-party platforms, and physical security systems.
  • Audit business associate agreements against this inventory. The OCR bulletin requires that regulated entities "ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed."
  • Review mobile application permissions with development and vendor management teams. Location permissions should follow the principle of minimum necessary. If an app does not require precise location to function, it should not request it.
  • Extend HIPAA training to include location data concepts. Developers, marketing staff, and IT infrastructure teams need to understand that PHI is not confined to the EHR. The OCR bulletin states that the same data handling obligations apply to location-linked health information generated outside traditional clinical systems.
  • Lastly, review breach notification procedures against location data scenarios. Per the OCR bulletin, where there is "no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor," there is a presumption of breach "unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised."

 

FAQs

What is the difference between what the FTC regulates and what HIPAA covers?

HIPAA applies to covered entities and their business associates, while the FTC's authority extends to companies handling health-related data that fall outside the HIPAA framework.

 

Are smaller or rural healthcare organizations at lower risk than large health systems?

Organization size does not reduce exposure, since the apps, networks, and third-party platforms generating location data operate the same way regardless of how large the covered entity is.

 

How does state privacy law interact with HIPAA on location data?

Several states have enacted health data privacy laws that are stricter than HIPAA and cover location information.