New York's Healthcare Geofencing Ban: What Advertisers Must Know

Healthcare Compliance · February 2025

GBL § 394-G took effect July 2, 2023 — and most healthcare marketing agencies still don't understand what it actually prohibits, or why it was written the way it was.


Most healthcare advertisers operating in New York know something changed a couple years ago. Few know the specifics. That ambiguity is dangerous — because the law doesn’t reward good intentions, it enforces bright-line rules with civil liability attached.

New York General Business Law § 394-G became effective July 2, 2023. It was embedded in the state budget bill and signed by Governor Hochul in May of that year. The law’s origin matters: it was written directly in response to Dobbs v. Jackson Women’s Health Organization, the 2022 Supreme Court decision that eliminated the federal constitutional right to abortion. Legislators were specifically alarmed that advertisers could geofence Planned Parenthood locations and deliver targeted messaging to people inside the building.

The law went considerably broader than its origin story. It now covers every health care facility in the state — from Level 1 trauma centers to a physician’s private office — and it prohibits far more than just advertising.

What the Statute Actually Says

Rather than paraphrase around the edges, let’s read the operative language directly from the enrolled bill text.

NY General Business Law § 394-G(2)(a) — Prohibited Conduct

"IT SHALL BE UNLAWFUL FOR ANY PERSON, CORPORATION, PARTNERSHIP OR ASSOCIATION TO DELIVER BY ELECTRONIC MEANS ANY DIGITAL ADVERTISEMENT TO A USER THROUGH THE USE OF GEOFENCING OR A SIMILAR VIRTUAL BOUNDARY CREATED AROUND OR WITHIN THE VICINITY OF ANY HEALTH CARE FACILITY."

NY General Business Law § 394-G(2)(b) — Extended Prohibition

"IT SHALL BE UNLAWFUL FOR ANY PERSON, CORPORATION, PARTNERSHIP OR ASSOCIATION TO ESTABLISH A GEOFENCE OR SIMILAR VIRTUAL BOUNDARY AROUND OR WITHIN THE VICINITY OF ANY HEALTH CARE FACILITY FOR THE PURPOSE OF DELIVERING BY ELECTRONIC MEANS A DIGITAL ADVERTISEMENT TO A USER IN OR WITHIN THE VICINITY OF SUCH HEALTH CARE FACILITY, BUILDING CONSUMER PROFILES, OR INFERRING THE HEALTH STATUS, MEDICAL CONDITION, OR MEDICAL TREATMENT OF ANY PERSON."

Section 2(b) is where agencies get tripped up. Advertisers often focus on the ad-delivery prohibition and miss that the statute also independently bans establishing a geofence for purposes of building consumer profiles or inferring health status — even if no ad is ever delivered. Data collection alone triggers liability.

Statutory Definitions You Need to Memorize

The definitions embedded in the statute are precise and deliberately expansive. These aren’t regulatory interpretations that could shift — they’re codified legislative text.

| Term | Statutory Definition |
| --- | --- |
| Geofencing | The process of identifying whether a device enters, exits, or is present within a geographic area through the use of any information stored, transmitted, or received by such device — including GPS, IP address, Wi-Fi access, Bluetooth, or near-field communication data. |
| Vicinity | Within 250 feet of the perimeter of a health care facility. This is the hard boundary. No exceptions for public sidewalks, parking structures, or adjacent commercial property. |
| Health Care Facility | Any governmental or private agency, department, institution, clinic, laboratory, hospital, physician's office, nursing care facility, HMO, association, or similar entity providing medical care under the Public Health Law or Mental Hygiene Law — including the building and structure in which it is located. |
| Digital Advertisement | Any communication delivered by electronic means intended for marketing, solicitation, or dissemination of information related to goods or services. This includes email, app notifications, web display ads, and SMS. |
| User | A natural person who owns or uses a mobile device or any other connected electronic device capable of receiving digital advertisements. |

The 250-foot vicinity rule is not intuitive when you’re configuring campaigns in a DSP. Most city blocks are 250–900 feet. A standard geofence centered on a hospital address will almost always extend into the prohibited zone — and the law covers the perimeter of the building, not just its centroid.

Why HIPAA Doesn’t Cover This

Healthcare marketers often assume HIPAA compliance provides adequate coverage. It doesn’t — not for geofencing. HIPAA’s Privacy Rule regulates covered entities (hospitals, insurers, providers) and their business associates. It governs what happens to protected health information after it enters the healthcare system. A DSP, ad network, or location data broker is almost never a covered entity or business associate under HIPAA.

The HIPAA Gap

A geofenced skilled nursing facility could historically target a visitor with ads for adult diapers. A geofenced dialysis center could target visitors with streaming service promotions. A personal injury law firm could retarget everyone who entered a geofenced emergency room. None of that was covered under HIPAA. GBL § 394-G closes that gap — at least in New York.

The FTC has moved aggressively to fill the federal vacuum. Enforcement actions against GoodRx (2023), BetterHelp (2023), and Premom (2024) all turned on health data shared with third-party advertising platforms outside any HIPAA framework. The FTC cited its Section 5 authority over unfair or deceptive acts — the same authority it would use against a New York advertiser running a non-compliant geofence campaign, independent of the state law.

The Dobbs Connection and What It Means for Scope

The law was written to stop one thing and ended up prohibiting everything.

— A pattern that appears repeatedly in privacy legislation

Legislators in Albany were primarily motivated by the prospect of anti-abortion organizations geofencing reproductive health clinics to deliver targeted messaging to patients inside. That political context is documented in the bill’s sponsor memo. But the text of the statute doesn’t limit itself to reproductive health facilities, or to advocacy advertising, or to sensitive health categories. It applies to every health care facility, every digital advertisement, every advertiser — including the healthcare provider marketing its own competing services.

There is one explicit carve-out: a health care facility may geofence its own locations. A hospital system can run location-based ads targeted to people on its own campus. No third party can do the same for any facility it doesn’t own.

Federal Landscape: What Washington and the FTC Set in Motion

New York’s law did not emerge in isolation. Washington State’s My Health My Data Act (effective July 2023 for large regulated entities, March 2024 for others) created the most comprehensive state-level consumer health data framework in the country. It includes geofencing prohibitions, explicit consent requirements for health data collection, deletion rights, and a private right of action. New York’s GBL § 394-G is narrower — it does not create the same data handling obligations as MHMD — but it tracks the same legislative logic.

⚠ Enforcement Reality

The FTC isn't waiting for state attorneys general.

The GoodRx action resulted in a $1.5 million civil penalty and a 20-year consent order. BetterHelp paid $7.8 million in consumer refunds. These weren't geofencing cases specifically — they were health data misuse cases. The FTC has explicitly stated that sharing health data with advertising platforms for targeting purposes, without adequate disclosure, is an unfair practice. Any agency running location-based healthcare campaigns in New York is operating at the intersection of state prohibition and active federal enforcement posture.

What Compliance Actually Requires

Complying with GBL § 394-G is less about adding safeguards to your existing campaigns and more about understanding which campaigns are categorically off the table.

Audit Your Location Data Supply Chain

The prohibition attaches to whoever establishes the geofence — which includes agencies, DSPs, and data brokers acting on a client’s behalf. If your data provider is building audience segments derived from device presence at health care facilities, purchasing that segment makes you party to the underlying geofence. You need contractual representations from every location data partner confirming their data was not derived from geofencing around New York healthcare facilities.

The 250-Foot Problem in Campaign Configuration

Standard geotargeting interfaces don’t display a 250-foot exclusion radius around healthcare facilities. You can’t rely on the platform to enforce this. It requires manual verification — taking facility addresses, calculating the 250-foot perimeter (roughly 75 meters, or about 3/4 of a standard Manhattan block), and excluding that zone from bid requests. In dense urban areas with high concentrations of medical facilities, this can meaningfully constrain targeting reach in ways that must be disclosed to clients.
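One way to run the perimeter check described above is shown here as an added example, not code from the original article or from any ad platform. It measures distance to the building footprint rather than to an address centroid; the names `distance_to_footprint_m`, `must_exclude`, `FOOTPRINT` and `BIDS` are hypothetical, and the footprint polygon is assumed to come from building-outline data you maintain.

```python
import math

VICINITY_M = 250 * 0.3048  # statutory "vicinity": 250 ft = 76.2 m

def to_local_m(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0); adequate at block scale."""
    r = 6371000.0
    return (math.radians(lon - lon0) * r * math.cos(math.radians(lat0)),
            math.radians(lat - lat0) * r)

def _seg_dist(p, a, b):
    """Distance in metres from point p to the wall segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    if dx == 0 and dy == 0:
        return math.hypot(px - ax, py - ay)
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / (dx * dx + dy * dy)))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))

def _inside(p, poly):
    """Ray-casting point-in-polygon test."""
    x, y = p
    hit = False
    for (x1, y1), (x2, y2) in zip(poly, poly[1:] + poly[:1]):
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            hit = not hit
    return hit

def distance_to_footprint_m(lat, lon, footprint):
    """0.0 inside the building, else metres to the nearest wall. footprint = [(lat, lon), ...]."""
    lat0, lon0 = footprint[0]
    poly = [to_local_m(la, lo, lat0, lon0) for la, lo in footprint]
    p = to_local_m(lat, lon, lat0, lon0)
    if _inside(p, poly):
        return 0.0
    return min(_seg_dist(p, a, b) for a, b in zip(poly, poly[1:] + poly[:1]))

def must_exclude(lat, lon, footprints):
    """True if the location is in, or within 250 ft of the perimeter of, any footprint."""
    return any(distance_to_footprint_m(lat, lon, f) <= VICINITY_M for f in footprints)

# Constructed sample: a roughly 300 m x 60 m building outline (not a real facility).
FOOTPRINT = [(40.7500, -73.9900), (40.7500, -73.98644),
             (40.75054, -73.98644), (40.75054, -73.9900)]
# Constructed bid-request locations: id -> (lat, lon).
# "a" is ~54 m from the east wall but ~204 m from the centroid, so a 250 ft
# circle drawn around the address point would wrongly treat it as eligible.
BIDS = {"a": (40.75027, -73.9858), "b": (40.75027, -73.9840),
        "c": (40.7520, -73.9882), "d": (40.7502, -73.9885)}
ELIGIBLE = sorted(k for k, (la, lo) in BIDS.items() if not must_exclude(la, lo, [FOOTPRINT]))
```

Coordinates in bid requests carry their own accuracy error, so a margin added on top of 76.2 m is the conservative configuration.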

Consumer Profile Prohibition

This is the provision most agencies overlook. You cannot establish a geofence around a healthcare facility to build a consumer profile — even if that profile is never used for advertising. Analytics-only campaigns, attribution modeling that relies on visit data from health facility locations, and competitive intelligence tools using device location signals all fall within this prohibition if the underlying data is derived from the statutory vicinity of a healthcare facility.

  • Audit all location data vendor contracts for representations about healthcare facility proximity
  • Configure DSP exclusion zones manually — do not rely on platform defaults
  • Review audience segment definitions for any healthcare-adjacent location signals
  • Discontinue any visit attribution or foot traffic analytics relying on health facility geofences
  • Document compliance steps and maintain records — enforcement actions begin with data requests
  • Confirm your healthcare clients understand the provider exception is limited to their own facilities

What the Old Article Got Wrong

If you found this page because you were reading a version of this content that talked about “sophisticated compliance audits powered by AI” and recommended you “utilize advanced reporting tools to monitor ad impressions” — that content misunderstood the law fundamentally. GBL § 394-G is a prohibitory statute, not a reporting framework. It doesn’t establish a compliance program you can audit your way into. It prohibits specific conduct outright. There is no approved version of geofencing a hospital for advertising purposes. The question isn’t whether your reports show non-compliant delivery — it’s whether your campaigns run at all inside the statutory boundary.

Regulatory enforcement in this space does not primarily come from automated compliance audits. It comes from FTC investigations, state AG enforcement actions, and — critically — civil litigation. The FTC has Section 5 authority. New York has a robust consumer protection enforcement apparatus. Neither is running your ad dashboards to look for violations.

Healthcare Advertising Compliance Review

Custody & Agency audits digital advertising campaigns against GBL § 394-G, FTC health data standards, and HIPAA-adjacent requirements. If you're running location-based campaigns for any healthcare client in New York, we can tell you where you're exposed.


References & Primary Sources

  1. NY General Business Law § 394-G — Geofencing of Health Care Facilities (eff. July 2, 2023)
  2. NY State Assembly Bill A4920 / Senate Budget (2023) — Enrolled bill text, nysenate.gov
  3. FTC v. GoodRx Holdings, Inc., No. 23-cv-00019 (N.D. Cal. 2023) — Consent Order
  4. FTC v. BetterHelp, Inc., FTC File No. 2023261 (2023) — Proposed Consent Order
  5. Washington My Health My Data Act, RCW Chapter 70.372 (eff. 2023–2024)
  6. Dobbs v. Jackson Women's Health Organization, 597 U.S. 215 (2022)
  7. Izzo, F. & Ehrhardt, J., "New York Joins List of States Prohibiting Geofencing Near Healthcare Facilities," USLAW Magazine, Spring 2024
  8. Rivkin Radler LLP, "New York and Connecticut Prohibit Geofencing near Health Care Facilities" (October 2023)
  9. Epstein Becker Green, "New York's Health Information Privacy Act…" Health Law Advisor (2025)
  10. Paul Hastings LLP, "New York Includes Geofencing Ban in Budget Bill" (2023)