Accepted for/Published in: JMIR Medical Informatics
Date Submitted: Mar 5, 2022
Open Peer Review Period: Mar 5, 2022 - Apr 30, 2022
Date Accepted: Jun 27, 2022
Twenty Years of the HIPAA Safe Harbor Provision: Unsolved Challenges and Ways Forward
ABSTRACT
The Health Insurance Portability and Accountability Act (HIPAA) was an important milestone in protecting the privacy of patient data, but the HIPAA provisions specific to geographic data remain so vague as to hinder the ways in which epidemiologists and geographers use and share spatial health data. The literature on spatial health and select legal and official guidance documents present scholars with ambiguous guidelines that have led to the use and propagation of multiple interpretations of a single HIPAA safe harbor provision specific to geographic data. Misinterpretation of this standard has resulted in many entities sharing data at overly conservative levels while others offer definitions of safe harbor that potentially put patient data at risk. To promote understanding of, and adherence to, the safe harbor rule, this paper examines HIPAA law from its creation through to the present day, elucidating the common misconceptions and presenting straightforward guidance to scholars. We focus on the 20,000-person population threshold and the 3-digit ZIP code stipulation of safe harbor, which are central to the confusion surrounding how patient location data can be shared. A comprehensive examination of these two stipulations, integrating various expert perspectives and relevant studies, reveals how alternative methods to safe harbor can offer researchers better data and better data protection. Much has changed in the twenty years since the introduction of the safe harbor provision, and yet it continues to be the primary source of guidance (and frustration) for researchers trying to share maps, leaving many waiting for these rules to be revised in accordance with the times.
Copyright
© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.