Healthcare analytics buyers — pharma commercial teams, payers, health systems, and specialty-life-sciences researchers — live under a compliance envelope that most alt-data vendors never engineered for. HIPAA sets the federal floor; HHS OCR's December 2022 bulletin on online tracking technologies (updated March 2024) treats geographic location collected through a regulated entity's website or app as potentially identifiable health information; and state regimes (California's CMIA, Washington's My Health My Data Act) layer in protections that reach well beyond HIPAA's covered entities. The practical implication: a signal product that's fine for retail or CPG work may be unlicensable for healthcare without specific architectural adjustments. This piece is the working playbook: what privacy-safe healthcare signals actually look like, which use-cases hold up, and the procurement questions buyers should run before signing. For the adjacent mobility-compliance framing, see what privacy-safe actually means when buying location data.
Key Takeaways
Healthcare-safe signals require sensitive-category exclusions enforced at the pipeline stage; contractual language alone does not satisfy the standard set by the FTC's 2024 location-data orders or by state health-data regimes.
De-identification to HHS Safe Harbor or Expert Determination standards is the baseline; buyers should verify the determination method before ingestion.
POI-matched visit data is usable for healthcare market research when clinic, hospital, reproductive-health, and behavioral-health categories are geofenced out at the source.
Payer and life-sciences buyers increasingly rely on behavioral signals (mobility, web, media exposure) linked to de-identified cohorts via privacy-preserving clean-room architectures.
The Compliance Envelope: HIPAA + State Regimes
HIPAA applies to Covered Entities (providers, plans, clearinghouses) and their Business Associates. Many alt-data vendors are neither, which doesn't exempt them from healthcare privacy risk; it shifts the analytical framing. HHS OCR's December 2022 online-tracking bulletin (updated March 2024) treats location and other identifiers collected through a regulated entity's website or app as potentially PHI, and the FTC's 2024 orders against X-Mode/Outlogic and InMarket Media extend the exposure to brokers outside HIPAA entirely: location signals that could place an identifiable person at a medical facility are treated as sensitive regardless of the handler's HIPAA status. State regimes extend the envelope further: California's CMIA protects medical-information-adjacent data; Washington's My Health My Data Act (in force March 31, 2024) covers a broad category of consumer health data beyond HIPAA's scope and bars geofencing facilities that provide in-person health care; Connecticut (CTDPA, as amended in 2023) and Colorado (CPA) treat reproductive and behavioral-health data as sensitive by default, and Connecticut additionally bars geofencing such facilities. The defensible procurement posture is to assume the strictest applicable state regime governs.
Sensitive-Category Exclusions: Pipeline, Not Just Contract
The enforcement pattern from the 2024 FTC cases (X-Mode/Outlogic and InMarket Media) set a clear standard: sensitive-category exclusions must be enforced at the pipeline stage, not only in contract language. For healthcare work, the exclusion list must cover:
All provider categories: hospitals, outpatient clinics, physician offices, urgent care, dialysis centers, home-health offices. (HHS Safe Harbor is a de-identification standard, not a facility taxonomy; this list comes from the FTC orders and the state statutes, not from Safe Harbor.)
Reproductive-health facilities (specifically called out in FTC and state guidance as highest-sensitivity).
Behavioral-health, mental-health, and substance-use treatment facilities.
Pharmacies in some state regimes (CMIA in particular).
GSDSI's Global Mobility & Location Data product and POI & Geofencing product run these exclusions at the ingestion layer. Two details matter. First, the exclusion geometry must include a buffer around the facility footprint, not just the parcel polygon: Washington's MHMDA defines a prohibited geofence as within 2,000 feet of a facility and Connecticut's amended CTDPA uses 1,750 feet, so a ping on the sidewalk or in the parking garage has to be dropped as well. Second, the diagnostic question for any vendor is whether they can show the exclusion polygon set and document when it was last refreshed against category updates; clinics open, practices move, and a stale polygon inventory is a silent failure.
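What "enforced at the pipeline stage" looks like in practice, as an added example (this is not GSDSI's ingestion code): each incoming ping is tested against an exclusion zone set before it is persisted, a zone being a facility footprint polygon plus a state-mandated buffer distance, and anything that lands inside is dropped with only its category retained for aggregate counts. The zone coordinates, buffer radii, category labels and sample pings below are constructed for illustration and do not correspond to real facilities.

```python
"""Pipeline-stage sensitive-category exclusion for mobility pings.

Added example, not GSDSI's ingestion code. Zone geometry, buffer radii, category
labels and the sample pings are constructed. The buffers mirror the geofence
distances in Washington's MHMDA (2,000 ft) and Connecticut's amended CTDPA (1,750 ft).
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
FT_TO_M = 0.3048


@dataclass(frozen=True)
class ExclusionZone:
    name: str
    category: str      # hypothetical labels, e.g. "provider", "reproductive_health"
    polygon: tuple     # ((lat, lon), ...) facility footprint, first vertex not repeated
    buffer_m: float    # extra radius around the footprint that is also excluded


def point_in_polygon(lat, lon, polygon):
    """Ray-casting test; adequate for facility-scale polygons away from the antimeridian."""
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lon1 > lon) != (lon2 > lon):
            t = (lon - lon1) / (lon2 - lon1)
            if lat < lat1 + t * (lat2 - lat1):
                inside = not inside
    return inside


def _to_xy(lat, lon, ref_lat):
    """Equirectangular projection to metres; accurate enough over a few kilometres."""
    k = math.cos(math.radians(ref_lat))
    return (EARTH_RADIUS_M * math.radians(lon) * k, EARTH_RADIUS_M * math.radians(lat))


def _segment_distance(p, a, b):
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    if dx == 0 and dy == 0:
        return math.hypot(px - ax, py - ay)
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / (dx * dx + dy * dy)))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def distance_to_polygon_m(lat, lon, polygon):
    """0 if the point is inside the footprint, else metres to the nearest edge."""
    if point_in_polygon(lat, lon, polygon):
        return 0.0
    ref_lat = polygon[0][0]
    p = _to_xy(lat, lon, ref_lat)
    pts = [_to_xy(a, b, ref_lat) for a, b in polygon]
    return min(_segment_distance(p, pts[i], pts[(i + 1) % len(pts)]) for i in range(len(pts)))


def classify_ping(ping, zones):
    """Category of the first zone whose footprint-plus-buffer contains the ping, else None."""
    for zone in zones:
        if distance_to_polygon_m(ping["lat"], ping["lon"], zone.polygon) <= zone.buffer_m:
            return zone.category
    return None


def filter_pings(pings, zones):
    """Split pings into (kept, dropped_categories). Dropped pings are not retained at all,
    only their category, so nothing about an excluded visit can be persisted or logged."""
    kept, dropped = [], []
    for ping in pings:
        category = classify_ping(ping, zones)
        if category is None:
            kept.append(ping)
        else:
            dropped.append(category)
    return kept, dropped


# Constructed zones; the coordinates are illustrative, not real facilities.
ZONES = (
    ExclusionZone("General Hospital", "provider",
                  ((47.6100, -122.3310), (47.6100, -122.3290),
                   (47.6120, -122.3290), (47.6120, -122.3310)),
                  buffer_m=50.0),
    ExclusionZone("Reproductive Health Clinic", "reproductive_health",
                  ((47.6200, -122.3404), (47.6200, -122.3400),
                   (47.6204, -122.3400), (47.6204, -122.3404)),
                  buffer_m=2000 * FT_TO_M),   # MHMDA geofence distance
)

SAMPLE_PINGS = [  # constructed
    {"maid": "a1", "lat": 47.6110, "lon": -122.3300, "ts": "2024-03-15T10:02:00Z"},  # inside hospital footprint
    {"maid": "a2", "lat": 47.6121, "lon": -122.3300, "ts": "2024-03-15T10:05:00Z"},  # ~11 m outside footprint, inside buffer
    {"maid": "a3", "lat": 47.6230, "lon": -122.3402, "ts": "2024-03-15T11:30:00Z"},  # ~290 m from clinic, inside 2,000 ft buffer
    {"maid": "a4", "lat": 47.6500, "lon": -122.3000, "ts": "2024-03-15T12:00:00Z"},  # kilometres away, kept
]

if __name__ == "__main__":
    kept, dropped = filter_pings(SAMPLE_PINGS, ZONES)
    print(len(kept), "kept;", len(dropped), "dropped:", dropped)
```

The point of the buffer field is that the parcel polygon alone would have passed ping a2 and a3 through; the statutory distances are what make a footprint-only exclusion non-compliant. In a production pipeline the zone set is large and the per-ping check should use a spatial index rather than a linear scan, and the zone inventory needs a documented refresh date, which is the artifact the diagnostic question above asks the vendor to produce.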
De-Identification: Safe Harbor vs. Expert Determination
For datasets that touch PHI-adjacent signals, HHS's de-identification guidance defines two compliant paths:
**Safe Harbor** — removal of 18 enumerated identifier categories plus absence of actual knowledge that remaining data could re-identify. Checklist-based, auditable, conservative.
**Expert Determination** — a person with appropriate statistical and scientific expertise (HHS does not require a particular credential) applies accepted methods and documents a determination that the re-identification risk is very small. More flexible for complex datasets, but it requires a documented methodology and ongoing re-assessment as the data or its linkable context changes.
Buyers should verify which standard applies and who performed the determination. CMS's de-identification primer provides additional procurement context. For GSDSI's broader identity-graph approach to de-identified linkage, see identity graphs 101: deterministic matching across MAID, HEM, IP, CTV ID.
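To make the Safe Harbor path concrete, here is an added example (not GSDSI's de-identification pipeline, and not a substitute for working the full 18-identifier checklist) of the field-level transforms a record goes through before it reaches an analytics store: direct identifiers are dropped by allowlisting rather than blocklisting, ZIP codes are truncated to three digits with the low-population prefixes collapsed to 000, dates keep only the year, and ages over 89 collapse into a single bucket, which also means the birth year has to go for those records. The field names and sample records are constructed; the restricted ZIP prefix list is the one HHS's guidance gives (based on 2000 Census data) and should be refreshed against current census figures in a real pipeline.

```python
"""Safe Harbor field transforms applied to a record before it enters an analytics store.

Added example, not GSDSI's code and not the full 18-identifier checklist. Field
names and sample records are constructed. RESTRICTED_ZIP3 is the set of three-digit
ZIP prefixes HHS's guidance lists as covering 20,000 or fewer people (2000 Census);
verify it against current census data before relying on it.
"""
from datetime import date

# Safe Harbor identifier 2 (geography): these prefixes must become 000.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Direct identifiers Safe Harbor requires removed outright (constructed field names).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "county", "email", "phone", "fax", "ssn", "mrn",
    "member_id", "account_number", "license_number", "vin", "device_id", "maid",
    "url", "ip",
})

# Allowlist of fields that may pass through untouched (constructed). State-level
# geography is permitted; city/county are not, and are simply never copied.
PASSTHROUGH_FIELDS = ("state", "sex", "diagnosis_group")


def identifiers_present(record):
    """Audit helper: which direct-identifier fields a raw record still carries."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIER_FIELDS)


def safe_harbor_zip3(zip_code):
    """First three digits of the ZIP, collapsed to 000 for low-population prefixes."""
    z = str(zip_code).strip()[:3]
    return "000" if z in RESTRICTED_ZIP3 else z


def _age_on(dob, ref):
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def deidentify_safe_harbor(record):
    """Allowlist-based: any field not explicitly handled is dropped, so a new upstream
    field (say, a device ID) cannot leak through by default."""
    out = {k: record[k] for k in PASSTHROUGH_FIELDS if k in record}
    if "zip" in record:
        out["zip3"] = safe_harbor_zip3(record["zip"])
    visit = date.fromisoformat(record["visit_date"]) if "visit_date" in record else None
    if visit is not None:
        out["visit_year"] = visit.year            # dates keep only the year
    if "dob" in record and visit is not None:
        dob = date.fromisoformat(record["dob"])
        age = _age_on(dob, visit)
        if age > 89:
            out["age"] = "90+"                    # ages over 89 aggregate to one bucket,
            # and the birth year is omitted because it would reveal the age
        else:
            out["age"] = age
            out["birth_year"] = dob.year
    return out


SAMPLE_RECORDS = [  # constructed
    {"name": "Jane Q. Example", "email": "jane@example.com", "maid": "ab12",
     "zip": "03601", "dob": "1931-07-04", "visit_date": "2024-03-15",
     "state": "NH", "sex": "F", "diagnosis_group": "cardiology"},
    {"name": "Ravi Example", "phone": "206-555-0100",
     "zip": "98101", "dob": "1985-01-01", "visit_date": "2024-03-15",
     "state": "WA", "sex": "M", "diagnosis_group": "orthopedics"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(identifiers_present(rec), "->", deidentify_safe_harbor(rec))
```

Safe Harbor's second condition, no actual knowledge that the remaining fields could identify someone, is not something code can assert; a record that comes out as {zip3: 000, state: NH, age: 90+, diagnosis_group: cardiology} may still be unique in a small dataset, which is exactly the situation where Expert Determination, with its documented risk assessment, is the more honest path.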
Use-Cases That Hold Up Under Healthcare Compliance
When the architecture is right, several healthcare analytics use-cases are well-supported by commercial alt-data:
**Pharma commercial market sizing** — POI-matched visit data (with sensitive-category exclusions) informs physician-office footprint analysis, patient-flow proxies at the DMA level, and launch-readiness market selection.
**Payer network adequacy** — mobility patterns help identify underserved geographies and validate network-access assumptions without individual-level data.
**Consumer health behavior research** — web and app engagement around wellness, fitness, and over-the-counter health categories via GSDSI's Clickstream Web Intent holds up under state regimes when consent posture is clean.
For the industries/healthcare landing context that supports these use-cases, see the healthcare industry page.
Procurement Diagnostics for Healthcare Buyers
Before licensing any alt-data product for healthcare work, verify:
Sensitive-category exclusion list — does it cover the full HHS + state-AG category set? Is it enforced at pipeline ingestion or only contractually?
De-identification standard — Safe Harbor or Expert Determination? Who performed it? When was it last re-assessed?
Consent chain — for mobility-origin data, what upstream CMP captured consent, and does the vendor honor downstream opt-outs within a defined window?
State-regime compliance — specifically CMIA (California), MHMDA (Washington), and any reproductive-health-specific state protections.
Business Associate Agreement availability — if the use case requires BAA coverage, can the vendor execute one?
Healthcare is the hardest compliance envelope in commercial alt-data and it's also where the margin on sound procurement is largest. Vendors who engineered for it from the start have a defensible posture; vendors retrofitting from retail/CPG roots usually don't.
Frequently Asked Questions
Is commercial location data usable for healthcare analytics under HIPAA?
Yes, with the right architecture. HIPAA applies to Covered Entities and Business Associates, and commercial data brokers are typically neither. But HHS OCR's December 2022 online-tracking bulletin (updated March 2024) treats location collected through a regulated entity's website or app as potentially PHI, and the FTC's 2024 orders against X-Mode/Outlogic and InMarket Media show that selling location data that can place an identifiable person at a medical facility draws enforcement regardless of the handler's HIPAA status. The defensible architecture runs sensitive-category exclusions at the pipeline stage, uses Safe Harbor or Expert Determination de-identification, and honors state regimes like CMIA and MHMDA.
Which location categories must be geofenced out for healthcare-safe mobility data?
At minimum: hospitals, outpatient clinics, physician offices, urgent care, dialysis centers, and home-health offices (the provider categories listed above). Plus reproductive-health facilities, behavioral-health and substance-use treatment facilities, oncology infusion centers, HIV clinics, gender-affirming-care providers, and methadone clinics. Some state regimes (CMIA) add pharmacies. The exclusion must carry a buffer beyond the facility footprint (Washington's MHMDA uses 2,000 feet, Connecticut 1,750 feet) and must be enforced at pipeline ingestion, not only contractually; FTC enforcement precedent makes this clear.
What's the difference between Safe Harbor and Expert Determination de-identification?
Safe Harbor removes 18 enumerated identifier categories (names, addresses below the state level, dates other than year, etc.) per HHS guidance and is checklist-based and conservative. Expert Determination requires a person with appropriate statistical and scientific expertise to document a determination that re-identification risk is very small. Expert Determination is more flexible for complex datasets but requires ongoing re-assessment. Buyers should verify which standard their vendor applies and obtain the determination documentation.
How does GSDSI handle healthcare-sensitive location data?
GSDSI's Global Mobility & Location Data and POI & Geofencing products run sensitive-category exclusions at the ingestion layer rather than only contractually. The exclusion polygon set covers the full HHS + state-AG category list. Consent chain is IAB TCF v2-aligned at the upstream CMP, and the methodology is documented in the GSDSI privacy center. Buyers can request the exclusion polygon inventory under NDA for procurement diligence.