Geospatial Data and HIPAA

How have privacy regulations affected the use of GIS data?

Since 1854, when John Snow used geospatial mapping to locate the well spreading cholera in London, GIS data has been a cornerstone of public health and epidemiology research.  Today, a wealth of data sources are available for research.  For example, locate a patient within a census tract in the United States, and a variety of information such as average income in the area, demographic data, and other census information can be linked directly to your patient-specific study data.  Alternatively, in this innovative study from Brazil GIS mapping software was used to determine that the distance an expectant mother had to travel through urban transportation networks to reach healthcare was an important risk factor for death during pregnancy.  Similar studies have used GIS data to examine infant mortality, rural population HIV-mortality, and tuberculosis control measures.  While geocoding large amounts of data for medical epidemiology studies can be extremely informative, you need to be careful not to run afoul of government privacy laws, especially the HIPAA privacy rule in the United States.

The Health Information Portability and Accountability Act (HIPAA) rules define personal health information (PHI), which may include diagnoses, test results, payment or visit information.  The intent was to protect people against disclosure of health information in conjunction with information that could reveal their identity.  This identification information consists of 18 identifiers, such as name, social security number, and date of birth.  The definition of “identifiable information” also includes any data that would allow another person to re-identify a person directly or indirectly without access to a specific code or key.  For geospatial information, the personal identifiers include a person’s street address and ZIP code.  GIS coordinates are considered  an “equivalent geocode”, meaning that they are as good as a street address.  Imagine a map plotting the location of eight people infected with HIV in a sparsely populated rural area.  It would not take much to match that data up with a specific person.  The point is that all such information needs to be de-identified before it can be released or worked on outside of a HIPAA compliant data storage and analysis environment.

De-identification of GIS data in healthcare research can be thought of as a two part process:  de-identifying data while obtaining a set of coordinates used to plot a person’s location, called geocoding, and de-identifying the data when presenting the results of your research.

Geocoding is the process of translating an address into set of XY coordinates that can be used to plot a location on a map.  You could do this easily by feeding a list addresses into one several geocoding services on the internet such as bulkgeocoderGoogle, Mapquest, cloudmade, or  ArcGIS Online.  But, if you have lists of patient data, this could be a massive HIPAA violation. The best way to make sure you are HIPAA compliant is to use a geocoding firm with which you have a business association agreement (BAA) that will take your information and generate the geocodes in a HIPAA compliant and secure environment. An important best practice is to process a list of addresses that have been separated from any other information, and can only be linked by a secure, randomized key.  Once the geocoding service returns your data, you can link it back to your complete research file.  It is unclear, however, whether submitting a list of  addresses using an e-mail address containing information about a diagnosis (e.g. Researcher@DiabetesInstituteResearch.Org) outside of a BAA would constitute a breach, since one might infer the diagnosis of people at addresses on the list from the organization name.  Best to consult your organization’s privacy officer about this issue.

Once you have done your analysis, and wish to publish plotted geocoded data, it must be done in a way that you cannot identify an individual by examining the data set alone or in combination with other publicly available data.  Think of the map of firearm owners in Westchester county published by a local newspaper.  If it had been a map of people with a diagnosis of leukemia, it would have been a HIPAA violation.  Deidentification methods could be quite sophisticated, such as statistical de-identification.  An interesting workshop sponsored by the department of Health and Human Services discussing these issues can be found here.  Several methods are available to avoid this pitfall:

  • Point aggregation – combining points into geographic bins, such as zip code areas, counties, states, or other areas.  This way, no individual data point is identifiable as a person, but the bins must have a sufficient population and subject density.
  • Geostatistical analysis – One example is creating a probability map, where any area represents the probability of a study subject having a particular condition or value.  Again, no individual points are plotted.
  • “Jittering” data involves adding or subtracting some random values to a precise GIS location so that an individual point is not precisely located on a diagram.
  • Data point displacement by translation, rotation, or change of scale.

Resolution of the map is also important, as is the population density of the area you are plotting data for.  One needs to be careful, as well, that the de-identification methods do not change the validity of your research results.

So, the use of large GIS data sets is a tremendous opportunity for population health research, but requires specific practices with respect to de-identification when analyzing and publishing that data.  Geocode and aggregate carefully!

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *