A quick rundown of options for HIPAA-Compliant Geocoding
Addresses, even if they are detached from patient names, are one of the 18 types of Personal Health Information (PHI) that are covered under HIPAA. According to the regulations:
All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:
The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and,
The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
Additionally, in order to process patient data, a company must sign a Business Associate Agreement (BAA) that lays out the ways the vendor is required to safeguard patient privacy.
Many geocoders will not sign these agreements and are not HIPAA compliant. This includes most of the major players like Google Maps Platform, Bing Maps, HERE and Mapquest. A full list of geocoders that are not HIPAA compliant is below.
This prevents a challenge for companies and organizations in the health industry, as there have historically been limited options on the market.
To make it easier for companies to select a HIPAA-compliant geocoder, this article compares them to the extent possible using publicly-available information. The HIPAA-compliant geocoders currently on the market are Geocodio+HIPAA, Maptitude, MelissaData, and Esri.
Geocodio+HIPAA is a mirror of the regular Geocodio product, re-engineered to meet the strict security and privacy requirements of HIPAA. Geocodio is unique in that there are no restrictions on storing, caching, or transforming the results once returned. (Most geocoders prohibit storing their data.)
Pricing: Geocodio+HIPAA has one plan, Unlimited.
Formats: API and spreadsheet upload (cloud-based)
Data types available: HIPAA-compliant geocoding, reverse geocoding, Congressional districts and legislator contact information, state legislative districts, timezones, school districts, and Census data (blocks, FIPS codes, MSAs/CSAs)
According to Maptitude, their service is HIPAA-compliant since it runs offline on your own machine. It is essentially an offline version of Tableau.
Pricing: Starts at $695 per user per year; yearly updates are $395. Additional upgrades, such as upgrading to the cloud platform, are additional. See full pricing.
Formats: Software for download; cloud (not HIPAA compliant)
MelissaData is a data vendor that provides identity verification and contact data quality services. According to a 2017 press release, their services are HIPAA-compliant. They have two separate geocoding services: a forward geocoder and a reverse geocoder.
Pricing: MelissaData’s pricing is split by the quality of the data returned: rooftop (the exact parcel) and ZIP+4 (neighborhood). See full pricing details here.
Formats: Cloud-based, software for download, or FTP
Data types: Geocoding, reverse geocoding, Census tracts and blocks, FIPS codes, CBSA division levels, codes, and titles
Long the dominant player in the GIS world, Esri has two HIPAA-compliant options: ArcGIS on premises, and Spatialitics Health.
According to Esri’s head of health and human services practices, only ArcGis’ on-premises enterprise solution is HIPAA-compliant. Esri does not make the pricing for this transparently available, but according to the Esri community this starts at $30,000/year.
Spatialitics Health is a cloud-based solution powered by Esri. It is akin to Tableau but specifically for the health field. The product just launched in June and does not make their pricing information publicly available.