Addresses, even when they are detached from patient names, are one of the 18 types of Protected Health Information (PHI) covered under HIPAA. According to the regulations:

All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:

The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and,

The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
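The Safe Harbor rule above, applied to a patient record, as an added example (not code from the article or from any vendor it names): every sub-state geographic field is dropped and the ZIP code is reduced to its first three digits, or to "000" when the three-digit area has 20,000 or fewer people. The population table is constructed for illustration; a real implementation must use the current Census Bureau figures.

```python
"""Apply the HIPAA Safe Harbor rule for geographic data to a patient record."""
import re
from typing import Dict, Optional

# Constructed sample populations for three-digit ZIP areas (NOT Census data).
SAMPLE_ZIP3_POPULATION: Dict[str, int] = {
    "200": 600_000,  # large area: the prefix may be kept
    "036": 12_000,   # small area: must be reported as "000"
    "598": 20_000,   # exactly 20,000 is "20,000 or fewer": also "000"
}

# Geographic subdivisions smaller than a state, including equivalent geocodes,
# all of which Safe Harbor requires to be removed.
ADDRESS_FIELDS = ("street", "city", "county", "precinct", "zip",
                  "latitude", "longitude")


def safe_harbor_zip3(zip_code: Optional[str], population: Dict[str, int]) -> str:
    """Return the first three ZIP digits, or "000" when the ZIP3 area has
    20,000 or fewer people, is unknown, or the input is malformed."""
    if not zip_code:
        return "000"
    digits = re.sub(r"\D", "", zip_code)  # tolerate "20001-1234" and stray spaces
    if len(digits) < 5:
        return "000"  # fail closed on malformed input
    zip3 = digits[:3]
    # An unknown prefix cannot be shown to exceed 20,000 people, so it is
    # treated as a small area.
    return zip3 if population.get(zip3, 0) > 20_000 else "000"


def deidentify_address(record: dict, population: Dict[str, int]) -> dict:
    """Strip every sub-state geographic field; keep state and the Safe Harbor
    ZIP3. Non-address fields pass through unchanged."""
    out = {k: v for k, v in record.items() if k not in ADDRESS_FIELDS}
    out["zip3"] = safe_harbor_zip3(record.get("zip"), population)
    return out


if __name__ == "__main__":
    # Constructed sample record.
    rec = {"patient_id": "P-0001", "street": "1 Main St", "city": "Washington",
           "state": "DC", "zip": "20001-1234", "latitude": 38.9, "longitude": -77.0}
    print(deidentify_address(rec, SAMPLE_ZIP3_POPULATION))
```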

Additionally, in order to geocode patient addresses, a company must sign a Business Associate Agreement (BAA) that lays out the ways the vendor is required to safeguard patient privacy.

Many geocoders will not sign these agreements and are not HIPAA compliant. This includes most of the major players like Google Maps Platform, Bing Maps, HERE and Mapquest. A full list of geocoders that are not HIPAA compliant is below.

This presents a challenge for companies and organizations in the health industry, as there have historically been limited options on the market.

To make it easier for companies to select a HIPAA-compliant geocoder, this article compares them to the extent possible using publicly-available information. The HIPAA-compliant geocoders currently on the market are Geocodio+HIPAA, Maptitude, MelissaData, and Esri.

HIPAA-Compliant Geocoders

Geocodio+HIPAA

Geocodio+HIPAA can be used to geocode patient addresses and is a mirror of the regular Geocodio product, re-engineered to meet the strict security and privacy requirements of HIPAA. Geocodio is unique in that there are no restrictions on storing, caching, or transforming the results once returned. (Most geocoders prohibit storing their data.)

Pricing: Entitles the user to a dedicated private instance of the Geocodio platform, capable of geocoding up to 4.8M patient addresses per day. Example: price for 1,000,000 addresses: $2,500 or less

Month-to-month: $2,500/month without commitment, or $1,500/month with annual commitment.

Annual: $1,500/month

On-premises available.

Features

Formats: API and spreadsheet upload (cloud-based), or on-premise

Data types available: HIPAA-compliant geocoding, reverse geocoding, Congressional districts and legislator contact information, state legislative districts, timezones, school districts, and Census data (blocks, FIPS codes, MSAs/CSAs)

Maptitude

According to Maptitude, their service is HIPAA-compliant since it runs offline on your own machine. It is essentially an offline version of Tableau.

Pricing: Starts at $695 per user per year; yearly updates are $395. Upgrades, such as the cloud platform, cost extra. See full pricing.

Formats: Software for download; cloud (not HIPAA compliant)

MelissaData

MelissaData is a data vendor that provides identity verification and contact data quality services. According to a 2017 press release, their services are HIPAA-compliant. They have two separate geocoding services: a forward geocoder and a reverse geocoder.

Pricing: MelissaData's pricing is split by the quality of the data returned: rooftop (the exact parcel) and ZIP+4 (neighborhood). See full pricing details here. Example: price for 1,000,000 addresses: $4,000

Rooftop: Starts at $9/1,000, minimum order size $150

ZIP+4: Starts at $6/1,000, minimum order size $60

Features

Formats: Cloud-based, software for download, or FTP

Data types: Geocoding, reverse geocoding, Census tracts and blocks, FIPS codes, CBSA division levels, codes, and titles

Esri

Long the dominant player in the GIS world, Esri has two HIPAA-compliant options: ArcGIS on premises, and Spatialitics Health.

According to Esri's head of health and human services practices, only ArcGIS' on-premises enterprise solution is HIPAA-compliant. Esri does not make the pricing for this transparently available, but according to the Esri community it starts at $30,000/year.

Spatialitics Health is a cloud-based solution powered by Esri. It is akin to Tableau but specifically for the health field. The product just launched in June, and its pricing information is not publicly available.

Texas A&M Geoservices (Only Government & Academia)

The Texas A&M Geocoder can be HIPAA compliant, but only for academics and government researchers. From their Terms of Service: "If you are an academic or government researcher working on health or other secure data, you may need to do an Institutional Review Board (IRB) application to get your data geocoded."

Pricing: Starts at $0.02/record; see full pricing

Features

Format: API

Data types: Geocoding, reverse geocoding, and Census tracts. See full features.

Not HIPAA Compliant

The following geocoders are not HIPAA compliant and will not sign the required BAA in order to geocode patient address data.