HIPAA Compliance in Geospatial Healthcare Analytics
Read how HIPAA compliance is maintained across the CARTO platform & about key use cases for customers working in the healthcare space.
Location Intelligence and Spatial Analysis is more and more frequently being leveraged by companies and organizations working in healthcare. In fact the healthcare industry is one of the areas where Location Intelligence technologies are actively being put to use in saving lives.
For example a city Department of Health may use Location Intelligence to assess coverage gaps optimize routes for emergency response and put plans into place to reach at risk citizens during a crisis. A hospital system may use analysis to inform budgeting and expansion plans as well as outreach and geomarketing. Like in many industries the benefits of analyzing location data are countless.
But often these organizations will be working with data that falls under HIPAA's Privacy Rule and they therefore must be compliant. Luckily Spatial Data Science best practices always involve processes for anonymization and aggregation. In fact not performing common operations for aggregation can make insights less accurate and more anecdotal.
What is HIPAA Compliance
HIPAA or the Health Insurance Portability and Accountability Act was legislation passed by the US Federal Government in 1996. In addition to serving as a way of streamlining the flow of data in the healthcare industry HIPAA also directly addresses data security. The legislation refers specifically to Personally Identifiable Information maintained by the healthcare and health insurance industries and how that data must be secured to help prevent instances of fraud identity theft and abuse.
HIPAA compliance directly protects data that they classify as falling under any one of the following 18 identifiers:
- Patient names
- Geographical elements (such as a street address city county or zip code)
- Dates related to the health or identity of individuals (including birthdates date of admission date of discharge date of death or exact age of a patient older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers such as website URLs
- IP addresses
- Biometric elements including finger retinal and voiceprints
- Full face photographic images
- Other identifying numbers or codes
The Challenge with HIPAA Compliance and Geocoding
After reviewing the 18 protected identifiers above it’s easy to see why using health information in spatial analysis can be a challenge.
With geocoding specifically there are two schools of thought. Some organizations interpret the legislation in that if the electronic protected health information (ePHI) such as address is removed from other identifiable information such as health status it is had been “deidentified” and is no longer a restricted ePHI under HIPAA. Other organizations believe that address data is always a protected data type under HIPAA and deidentification is therefore impossible. As HIPAA has some flexibility in the interpretation it is up to the organization to determine how they can geocode their data while remaining compliant.
HIPAA Compliance and CARTO
In order to maintain HIPAA compliance the only data that is sent to CARTO's geocoding provider is the address string column. For example to geocode '123 Main Street New York NY 10001' that is the only text that will be sent to the geocoding provider and the only thing that will be received by CARTO is the geocoding accuracy data and the geometry (lat/lng).
Based on this process it is unlikely that any individual can be re-identified with any degree of certainty just via this standalone location information (lat/lon) without any link to end-users or additional data. This qualifies as de-identification and meets the requirements set forth in the Privacy Rule.
CARTO also has offices and customers within the European Union and as a result ensures strict compliance to GDPR in regards to all personal and personally identifying data. The previous example of standalone address data is not considered personal information and falls outside the scope of GDPR. While HIPAA and GDPR differ the removal of additional personally identifying and patient information as well as the encryption processes described above have allowed our customers to use CARTO on-premises and LDS services successfully.
Key Use Cases
Social Determinant of Health Analysis
Seeking an understanding of resident health based on the social factors within a neighborhood is not a new concept. But efforts to do so have long been overly simplistic with analysis that largely explores only common factors such as poverty education and minority status.
In a recent study “Quantification of Neighborhood-Level Social Determinants of Health in the Continental United States ” Marynia Kolak from the Center for Spatial Data Science at the University of Chicago and colleagues from the Center for Health Innovation at the American Hospital Association sought out a deeper understanding of the social factors that determine health outcomes in the US.Read more about the study in our recent blog post.
Healthcare Access Analysis
Gaining spatial context on patients allows public & private healthcare systems to optimize resource allocation & provide superior services. Spatial analysis allows your organization to identify which location-factors may be the root cause of certain health problems allowing you to improve outreach services & intervention with a more detailed picture of healthcare access.
Medical Site Selection
Whether it's hospitals primary care residential homes or dental clinics selecting optimal locations to serve citizens & clients is fundamental to ensure quality service & profitability. By using spatial analysis with new data streams to enrich Open Data & your existing CRM data you will be able to monitor consolidate & expand effectively - avoiding expensive site selection mistakes.
For many of CARTO's customers working in the healthcare space maintaining HIPAA compliance is critical. These clients are often using our on-premises solution as well as third party Location Data Services.
Given our experience in the Healthcare and Insurance verticals CARTO is able to advise on which is the best option for your projects. No matter which is the right fit for your organization CARTO is able to provide a solution.
Want to find out more?