The settlement is the FTC’s first ban on selling sensitive location data.
The Biden administration stopped a company from selling data on people’s medical visits on Tuesday, its first settlement on a privacy issue that has many Americans concerned about who can see their most sensitive personal data — particularly visits to abortion providers.
After an investigation, the Federal Trade Commission said it had reached a settlement with Outlogic, a location data broker formerly known as X-Mode Social, which had been collecting information on people’s visits to medical centers.
The settlement is the first major enforcement on location data since a 2022 executive order directed the government to ramp up privacy protections for anyone seeking an abortion.
The FTC has been cracking down on health privacy violations after the U.S. Supreme Court ruled there is no constitutional right to an abortion when it overturned Roe v. Wade in 2022. A Biden executive order in July 2022 directed federal agencies to protect people’s privacy related to reproductive health care services.
This is not the function of HIPAA exactly. HIPAA is primarily used as a way to regulate the sharing of health information, and provides very specific requirements for the sharing of health information, with many caveats.
HIPAA specifically targets healthcare providers (covered entities) and the third-parties (Business Associates) which they work with. More specifically, it provides requirements for the sharing and storage of data from a covered entity to a business associate, and establishes liability in the event of a data compromise for either party.
If the data did not originate from a healthcare provider, likely HIPAA does not apply.
In this instance, the applications identified as sharing the data are not covered entities or even business associates.