HIPAA Compliance in Geospatial Healthcare Analytics

Location Intelligence and Spatial Analysis is more and more frequently being leveraged by companies and organizations working in healthcare. In fact the healthcare industry is one of the areas where Location Intelligence technologies are actively being put to use in saving lives.

For example, a city Department of Health may use Location Intelligence to assess coverage gaps, optimize routes for emergency response, and put plans into place to reach at risk citizens during a crisis. A hospital system may use analysis to inform budgeting and expansion plans, as well as outreach and geomarketing. Like in many industries, the benefits of analyzing location data are countless.

But often these organizations will be working with data that falls under HIPAA’s Privacy Rule, and they therefore must be compliant. Luckily, Spatial Data Science best practices always involve processes for anonymization and aggregation. In fact, not performing common operations for aggregation can make insights less accurate and more anecdotal.

What is HIPAA Compliance

HIPAA, or the Health Insurance Portability and Accountability Act, was legislation passed by the US Federal Government in 1996. In addition to serving as a way of streamlining the flow of data in the healthcare industry, HIPAA also directly addresses data security. The legislation refers specifically to Personally Identifiable Information maintained by the healthcare and health insurance industries, and how that data must be secured to help prevent instances of fraud, identity theft, and abuse.

HIPAA compliance directly protects data that they classify as falling under any one of the following 18 identifiers:

1. Patient names
2. Geographical elements (such as a street address, city, county, or zip code)
3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device attributes or serial numbers
14. Digital identifiers, such as website URLs
15. IP addresses
16. Biometric elements, including finger, retinal, and voiceprints
17. Full face photographic images
18. Other identifying numbers or codes

The Challenge with HIPAA Compliance and Geocoding

After reviewing the 18 protected identifiers above, it’s easy to see why using health information in spatial analysis can be a challenge.

With geocoding specifically there are two schools of thought. Some organizations interpret the legislation in that if the electronic protected health information (ePHI), such as address, is removed from other identifiable information, such as health status, it is had been “deidentified” and is no longer a restricted ePHI under HIPAA. Other organizations believe that address data is always a protected data type under HIPAA and deidentification is therefore impossible. As HIPAA has some flexibility in the interpretation, it is up to the organization to determine how they can geocode their data while remaining compliant.

HIPAA Compliance and CARTO

In order to maintain HIPAA compliance, the only data that is sent to CARTO’s geocoding provider is the address string column. For example, to geocode ‘123 Main Street, New York, NY 10001’ that is the only text that will be sent to the geocoding provider, and the only thing that will be received by CARTO is the geocoding accuracy data, and the geometry (lat/lng).

Based on this process, it is unlikely that any individual can be re-identified with any degree of certainty just via this standalone location information (lat/lon) without any link to end-users or additional data. This qualifies as de-identification and meets the requirements set forth in the Privacy Rule.

CARTO also has offices and customers within the European Union, and as a result ensures strict compliance to GDPR in regards to all personal and personally identifying data. The previous example of standalone address data is not considered personal information and falls outside the scope of GDPR. While HIPAA and GDPR differ, the removal of additional personally identifying and patient information as well as the encryption processes described above have allowed our customers to use CARTO on-premises and LDS services successfully.

Key Use Cases

Social Determinant of Health Analysis

Seeking an understanding of resident health based on the social factors within a neighborhood is not a new concept. But efforts to do so have long been overly simplistic, with analysis that largely explores only common factors such as poverty, education, and minority status.

In a recent study, “Quantification of Neighborhood-Level Social Determinants of Health in the Continental United States,” Marynia Kolak from the Center for Spatial Data Science at the University of Chicago and colleagues from the Center for Health Innovation at the American Hospital Association sought out a deeper understanding of the social factors that determine health outcomes in the US. Read more about the study in our recent blog post.

Healthcare Access Analysis

Gaining spatial context on patients allows public & private healthcare systems to optimize resource allocation & provide superior services. Spatial analysis allows your organization to identify which location-factors may be the root cause of certain health problems, allowing you to improve outreach, services & intervention with a more detailed picture of healthcare access.

Medical Site Selection

Whether it’s hospitals, primary care, residential homes or dental clinics, selecting optimal locations to serve citizens & clients is fundamental to ensure quality service & profitability. By using spatial analysis with new data streams to enrich Open Data & your existing CRM data, you will be able to monitor, consolidate & expand effectively - avoiding expensive site selection mistakes.

For many of CARTO’s customers working in the healthcare space, maintaining HIPAA compliance is critical. These clients are often using our on-premises solution as well as third party Location Data Services.

Given our experience in the Healthcare and Insurance verticals, CARTO is able to advise on which is the best option for your projects. No matter which is the right fit for your organization, CARTO is able to provide a solution.