17 Replies. Latest reply on Jun 24, 2017 1:50 PM by Timothy Grove

    Where can I get HIPAA compliant Geocode?

    Mike Lee

      Hi everyone,

       

      I am brand new at this.  I am working for a health care company that just recently purchased Tableau.  We are trying to create a map with Tableau showing our patient population.  To do this, I need GPS coordinates for each patient, which requires HIPAA compliance.  What would be the best way to do this within HIPAA compliance?

       

      Thank you in advance, everyone.

        • 1. Re: Where can I get HIPAA compliant Geocode?
          Helene Matassa

          Our health system has purchased an ESRI desktop license along with Streetmap for geocoding.  This was the best option to avoid the risk of sending PHI offsite.  I don't know that this was the best option but it seems to be working ok.  There seems to be some confusion around billing.  If anyone knows of a good alternative please share.

          • 2. Re: Where can I get HIPAA compliant Geocode?
            Mike Lee

            Thank you, Helene.  Does ESRI desktop provide the latitude and longitude of an address?  Say I had a list of patient addresses in Excel, can I get the GPS coordinates of each patient?

            • 3. Re: Where can I get HIPAA compliant Geocode?
              Mike Lee

              Just to clarify my dilemma, I already have everything set up in a Tableau map.  I am trying to add member information on the map showing each patient location so the viewer can see each patient.  To do this, I need to have the GPS coordinates of each patient, which I could get from Google Maps.  The problem is that this would be a HIPAA violation.  So in a nutshell, I need a way to get the GPS coordinates of a list of addresses without violating HIPAA.

              • 4. Re: Where can I get HIPAA compliant Geocode?
                Jonathan Drummey

                Hi Mike,

                 

                Most likely you’ll have to pay a license for a geocoding data set since the free services don’t have the privacy guarantees.

                 

                If you’ve done this kind of thing before you can ignore this next bit, if not then here’s a few suggestions:

                 

                Plan on a fair bit of time for cleanup of the addresses…when I first went through this process I thought “Ok, I’ve got a bunch of addresses, and I’ve got a geocoding tool (Alteryx’s Core Data bundle) and this will go really fast!” ...and I was wrong. It turned out that places like elder care facilities and large apartment complexes literally had hundreds of variations of the address that did not accurately geocode and especially in the case of elder care facilities that were large sources of patients & encounters I needed to spend more time than I’d expected on dealing with the variations.

                 

                For example for the address lines 1 and 2 I’d find:

                 

                Nursing Home Name

                PO Box X

                 

                PO Box X

                Nursing Home Name

                 

                PO Box X

                Room N Nursing Home Name

                 

                PO Box X

                Room #N

                 

                Nursing Home Name Room #N

                 

                #N Nursing Home Name

                 

                Nursing Home Name

                #N

                 

                and so on...

                 

                I used Tableau a lot in the process of grouping these to get to a single canonical address for the nursing home. I created a view filtered for the city/state/zip with the address line 1 and address line 2 dimensions on Rows, Number of Records (the # of encounters) on Columns with the two address line dimensions sorted on Number of Records so I could get the most common values first, and created a parameter-based ‘Found Address’ dimension like:

                 

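                // [Address Line 1] and [Address Line 2] are the two address line dimensions on Rows
                CONTAINS([Address Line 1],[parameterValue]) OR (NOT ISNULL([Address Line 2]) AND CONTAINS([Address Line 2],[parameterValue]))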

                 

                Where parameterValue would be set to 'Nursing Home Name’ or some variation of the nursing home name or use the PO Box. This Found Address dimension would be left-most on Rows sorting for True on top. Then I could see patterns and a) use them to build out regex or string matching in Alteryx and/or b) use ad hoc groups in Tableau to build out a group that I could then copy/export out of Tableau and use to build a table.

                 

                What I try to do is have two dimension tables: one has the canonical address & lat/long, the other is a table with all the addresses that point to a given canonical address. Note that this is separate from patient info, this way I can deal with multiple patients at a given address as well as patients moving from one place to another and ultimately reduce the amount of geocoding I need to do.

                 

                Jonathan
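The two-table layout described in the post above, sketched in Python as an added example (not code from the thread): address variants map through an alias table to one canonical address, kept apart from patient rows, so only distinct canonical addresses are queued for the geocoder. The sample rows, facility name, street address, zip and rule patterns are all constructed.

```python
import re

# Constructed sample rows: (patient_id, address line 1, address line 2, zip).
ENCOUNTERS = [
    ("P1", "Maple Grove Nursing Home", "PO Box 12", "00000"),
    ("P2", "PO Box 12", "Maple Grove Nursing Home", "00000"),
    ("P3", "P.O. Box 12", "Room 4 Maple Grove Nursing Home", "00000"),
    ("P4", "PO Box 12", "Room #4", "00000"),
    ("P5", "#9 Maple Grove Nursing Home", "", "00000"),
    ("P6", "PO Box 120", "", "00000"),
    ("P7", "10 Elm St", "Apt 2", "00000"),
    ("P8", "10  ELM ST", "apt 2", "00000"),
]

# Hypothetical rules built after reviewing grouped variants: per zip, a pattern
# (facility name or its PO box) and the canonical street address it maps to.
FACILITY_RULES = {
    "00000": [(re.compile(r"maple grove nursing home|\bpo box 12\b"),
               "100 Constructed Way")],
}

def normalize(line1, line2):
    """Lower-case, unify 'P.O. Box' spellings and collapse whitespace."""
    text = f"{line1} {line2}".lower()
    text = re.sub(r"\bp\.?\s*o\.?\s*box\b", "po box", text)
    return re.sub(r"\s+", " ", text).strip()

def canonical_for(line1, line2, zip_code):
    """Return the (canonical address, zip) key for one raw address."""
    text = normalize(line1, line2)
    for pattern, canonical in FACILITY_RULES.get(zip_code, []):
        if pattern.search(text):
            return canonical, zip_code
    return text, zip_code  # no rule matched: cleaned address stands for itself

def build_tables(encounters):
    """Return (canonical, alias, patient_address) as three separate tables."""
    canonical, alias, patient_address = {}, {}, []
    for patient_id, line1, line2, zip_code in encounters:
        key = canonical_for(line1, line2, zip_code)
        new_row = {"id": len(canonical) + 1, "lat": None, "lon": None}
        cid = canonical.setdefault(key, new_row)["id"]
        alias[(line1, line2, zip_code)] = cid      # raw variant -> canonical id
        patient_address.append((patient_id, cid))  # patient link kept separate
    return canonical, alias, patient_address

def geocode_queue(canonical):
    """Addresses still lacking coordinates; carries no patient identifiers."""
    return [key for key, row in canonical.items() if row["lat"] is None]
```

Here eight encounter rows reduce to three geocoder lookups, and the queue contains addresses only.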

                • 5. Re: Where can I get HIPAA compliant Geocode?
                  Timothy Grove

                  There is an open source product that you can use.  email me at tigrove@lakelandhealth.org

                  • 6. Re: Where can I get HIPAA compliant Geocode?
                    Gregg Lathrop

                    I use GPS Visualizer's Easy Batch Geocoder: Convert addresses to coordinates

                    All you need is the address, city, state and a free Bing or MapQuest key.

                    • 7. Re: Where can I get HIPAA compliant Geocode?
                      Timothy Grove

                      Bing and Mapquest are not HIPAA compliant and will not sign a BAA.

                       

                      Timothy A. Grove, MBA, MCSE:BI, MCT

                      Lakeland Health | Business Intelligence Architect

                      tigrove@lakelandhealth.org | W: 269-983-8138 | C: 269-985-3333

                       

                      “Without data you’re just another person with an opinion” – W. Edwards Deming

                      • 8. Re: Where can I get HIPAA compliant Geocode?
                        Helene Matassa

                        Sorry for being so slow to respond to your question...  ESRI does provide latitude & longitude - I'm not sure about GPS.  They will sign a BAA.  There are a lot of free online resources but they are not HIPAA compliant so we will not use them under any circumstance.  ESRI does have an online solution but, again, it may not be the safest in terms of privacy, which is why my recommendation is the desktop version so everything stays on your servers.

                         

                        Like Jonathan said - plan on spending time cleaning up data.  Once it's done, though, the results are nothing short of awesome!

                        • 9. Re: Where can I get HIPAA compliant Geocode?
                          Timothy Grove

                          I set up a PostgreSQL/PostGIS server internally and followed their instructions to get the Census.GOV data loaded into it.

                           

                           

                          1. Download the PostgreSQL installer (Windows)
                             a. https://www.enterprisedb.com/downloads/postgres-postgresql-downloads#windows
                          2. Follow the instructions
                             a. http://www.postgresqltutorial.com/install-postgresql/
                             b. https://postgis.net/docs/postgis_installation.html
                          3. Review and refine batch geocoding techniques
                             a. https://dracodoc.github.io/2015/11/17/Geocoding/

                           

                          At this point, you have an internal geocoding server that you can run your addresses through and not have to send them to an external party to geocode.

                           

                          I highly recommend the following solution for those who want the option of going with open source, but also purchasing services to implement/etc.

                           

                          https://boundlessgeo.com/?gclid=CMblmcmA1NQCFdRWDQodweIG1A

                           

                           


                          1 of 1 people found this helpful
                          • 10. Re: Where can I get HIPAA compliant Geocode?
                            Gregg Lathrop

                            True, I was just assuming only the address would be inserted into the geocoder, not the whole file with accounts, IDs, CPT. Geocoding an address doesn't go against HIPAA. Combining the lat long with the whole file and publishing it outside your walls would.

                            • 11. Re: Where can I get HIPAA compliant Geocode?
                              Helene Matassa

                              Addresses (all geographic subdivisions smaller than state, including street address, city, county, and zip code) are PHI as far as I know.  Maybe that rule has changed?

                              • 12. Re: Where can I get HIPAA compliant Geocode?
                                Timothy Grove

                                We actually got gigged for sending just the address.  Always assume that any information is going to be treated as PHI if it leaves the organization.

                                 


                                • 13. Re: Where can I get HIPAA compliant Geocode?
                                  Derek Cyr

                                  I think the nuance here is whether a list of addresses (and nothing else) constitutes PHI.  And like many things, the answer is “it depends”…

                                   

                                  If it was a list of addresses with ICD-10 codes, then yes, PHI.

                                  If it was a list of addresses (alone), from a phonebook or other public source (census.gov), then no, that is not PHI

                                  If it was a list of addresses (alone) and the name of the file is Diabetes Patients, then yes, PHI.

                                   

                                  If it was a list of addresses (alone), from a query of your Claims system….  This seems to be where the ambiguity is….

                                   

                                  Technically, based on the definitions, I would call that PHI as it is derived from (and thus relates to) the provision of health care to an individual at your clinic or hospital.. (see below)…

                                   

                                  I believe the general argument goes something like “yeah, but how would they know?”…  I wouldn’t touch that with a 10 foot pole, and I would suggest deferring to your chief compliance officer.  ☺

                                   

                                  I really like the idea of having your own on premise geocoding like Timothy suggests…

                                   

                                  From hhs.gov:  (https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html)

                                  “Protected Health Information

                                   

                                  The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI). Protected health information is information, including demographic information, which relates to:

                                  ·        the individual’s past, present, or future physical or mental health or condition,

                                  ·        the provision of health care to the individual, or

                                  ·        the past, present, or future payment for the provision of health care to the individual,

                                  and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

                                   

                                  For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with the health data content.

                                   

                                  By contrast, a health plan report that only noted the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual.

                                   

                                  The relationship with health information is fundamental.  Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI.  For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to health data (see above).  If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.

                                  Hope this helps!  I know it doesn’t specifically answer the question, but I have heard a lot of people debate this and I used to sit on the phonebook side of the argument until I read the rule myself on a site representing the authority (hhs.gov)…  It was the “relating to the provision of care” piece that did it for me.

                                   

                                  Cheers!

                                  2 of 2 people found this helpful
                                  • 14. Re: Where can I get HIPAA compliant Geocode?
                                    Helene Matassa

                                    Thank You for clarifying that!  I LOVE these forums!  Constantly learning something new 
