May 28, 2026
What providers need to know about restrictions on geofencing and vendor technology
California has strengthened patient privacy protections related to location-based data at or near in-person healthcare facilities including reproductive and gender affirming healthcare locations. These changes primarily affect geofencing and other location based technologies that could reveal whether someone visited a healthcare provider.
Most routine clinical and administrative activities are not impacted. However, physicians, practitioners and other providers should understand how vendors and third party technologies use location data to avoid privacy and compliance risks.
What you need to know
- Location-based tracking and targeted outreach near certain healthcare facilities are restricted.
- Geofencing and similar tools cannot be used to identify, track or market to patients based on healthcare visits.
- Physicians, practitioners and other providers are responsible for understanding how vendors and third parties use location-based technologies on their behalf.
- If current practices already comply, no immediate action is required.
What is geofencing
Geofencing is technology that uses location data (e.g., GPS, Wi Fi or mobile signals) to create a virtual boundary around a physical location. When a person or mobile device enters, leaves or remains within that boundary, the technology can be used to:
- Detect the presence of an individual at a specific location.
- Collect personal or device-level information.
- Trigger messages, alerts or advertisements based on location.
What is restricted
The use of geofencing around in person healthcare facilities is generally prohibited when used for certain purposes, either directly by a physician, practitioner and other provider, or through third parties.
Geofencing may not be used to:
- Identify or track individuals seeking, receiving or providing healthcare services.
- Collect personal information related to healthcare visits.
- Send health related notifications or alerts based on location.
- Deliver health related advertising or marketing based on location.
The collection, use, sale, sharing or retention of personal information from individuals who are at or near family planning centers is also limited, unless a narrow legal exception applies.
Physician, practitioner and other provider responsibility and vendor oversight
Physicians, practitioners and other providers are responsible for ensuring that vendors, contractors and technology partners supporting in person healthcare services comply with these requirements.
You should:
- Review how vendors use location-based technologies, including tracking, analytics and marketing tools.
- Confirm that vendors do not use geofencing near in person healthcare facilities for prohibited purposes.
- Ensure vendor agreements and practices align with applicable California privacy laws, including the California Medical Information Act (CMIA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Failure to address vendor practices may increase privacy and compliance risks.
Already compliant? No action needed
If your current practices and vendor arrangements already comply with these requirements, no immediate action is required.
Regulatory references
These requirements are driven by California Assembly Bill 45 (AB 45), which strengthens patient privacy protections for location based data at in person healthcare facilities. The law went into effect on January 1, 2026.
- California Legislative Information: View AB45 at https://bit.ly/AB45_Privacy.
- Consumer Federation of California: View CMIA at https://bit.ly/ConfMedInfoAct.
- Consumer Federation of California: View HIPAA at https://bit.ly/HealthInfoPort_AcctAct.
Need help? Contact us
If you have questions regarding the information contained in this update, contact 1-866-999-3945.
This information applies to Physicians and Practitioners, Independent Practice Associations (IPAs), Hospitals, Ancillary Providers, and Behavioral Health Providers.
