HIPPA compliant geocoder

5940
8
09-23-2016 08:47 AM
JeffreyUtter2
Occasional Contributor

Does anyone know of a HIPPA compliant Geocoder?

Thanks.

8 Replies
TimMinter
Occasional Contributor III

Hi Jeffrey,

At Washington State Department of Social and Health Services (DSHS), we have devised a specific approach to meeting this need.  You may find our requirements and solution to be useful examples in your search.  See the WA DSHS Geospatial Data Confidentiality Guidelines, section 6. Remote Geospatial Services for disposition and requirements.

We have participated in the development and operational maintenance of the Washington Master Addressing Services (WAMAS) system and are using it as our solution.

Cheers and good luck,

tim

ChrisSmith7
Frequent Contributor

Check out Texas A&M University Georservices:

Texas A&M Geoservices Privacy & Security 

Data Security Agreements & IRBs

If you are an academic or government researcher working on health or other secure data, you may need to do an Institutional Review Board (IRB) application to get your data geocoded. We have done this many times and to help researchers use our services. Contact us to help you through this process.

0 Kudos
JosephGenther
Esri Contributor

ArcGIS Desktop and ArcGIS Server are on-prem software that can be used in a completely private and secure environment to comply with HIPAA requirements. Add StreetMap Premium for geocoding services with up to date data.

0 Kudos
EstellaGeraghty1
Esri Contributor

I've just published an executive brief on HIPAA compliant geocoding - on premise or in the cloud. See the paper here: HIPAA Compliant Geocoding in the Cloud | LinkedIn 

HIPAA‌#geocoders

VictorBhattacharyya
Esri Contributor

As previously mentioned, the only way to be truly HIPPA compliant would be to build your own locator and deploy your geocoder on-premises behind your Organizational firewall.

Use the World Geocoding Service at your own risk. Although Esri does not store batch geocoding requests, sending customer data over the internet can break HIPPA compliance. Make sure to check your organization's data privacy requirements before sending customer data to any geocoder that's not behind your organizational firewall. 

JoeBorgione
MVP Emeritus

I think Victor has a valid point:  if it were me, I'd get the zip code polygons for my area of interest and use them locally...

That should just about do it....
0 Kudos
JosephGenther
Esri Contributor

Este's post regarding our partner that provides an API service is great for those people who must use a web API service. Otherwise you may need an on-site ArcGIS software and data solution.

As Joe mentions, when address point data is not needed you may aggregate to geographic boundaries, like ZIP codes. ArcGIS Maps for Office is the easiest way to aggregate data in Excel to ZIP code boundaries and upload to ArcGIS Online.

0 Kudos
MicheleHansen
New Contributor

You are smart to ask this question, since patient address data is considered PHI. Per the rules, the only part of an address that is not PHI are the first three digits of the ZIP code provided it contains more than 20,000 people. 

There are a couple of different HIPAA-compliant geocoders. You can see a comparison of them in this article:

  • Geocodio+HIPAA -- generally the most affordable option and is fully HIPAA compliant. Cloud-based by default but with on prem available. (API and spreadsheet upload)
  • MelissaData -- usually more expensive. API, spreadsheets via FTP, or PC software
  • Texas A&M, but only by special board review as mentioned above. More affordable. API only.
  • Spatialitics Health, powered by Esri. Like Tableau but for health. Pricing not listed on website.

Most of the popular geocoders are not HIPAA compliant and will not sign a BAA. This includes Google Maps Platform, Bing Maps, HERE, Census Geocoder, and so forth. (A full list of the non-compliant geocoders is in the article above).

0 Kudos