ArcGIS Online Ethical and Privacy Concerns: HIPAA Compliance

09-29-2025 07:26 PM
NathanielGeyer
New Contributor

I work at a HIPAA-compliant academic hospital setting, in a research role, creating customizable web mapping tools and ecological data analyses. Prior to 2018, I solely used ArcMap, which I felt was able to balance privacy with the need for spatial data analysis and mapping. In 2018, I started to utilize ArcGIS Pro and Online, but had some issues with the privacy and HIPAA concerns, and aimed to use open-source software, like QGIS, until ESRI figured out a way to balance privacy with spatial data analysis.

As a way to get ahead of the curve, I enrolled in a graduate degree in GIS, with a concentration on programming. I learned how to program desktop and web mapping tools while figuring out how to balance privacy and spatial analysis. In 2020, when doing my capstone project, my mentor assigned me to redevelop a web mapping tool that uses health-related ecological data. However, when looking at ArcGIS Online, it did not have the functionality that we needed, which required me to learn Dojo JavaScript. When looking at the technical guidelines at the time, the IT at the time was concerned that the web mapping functionality was not HIPAA compliant; therefore, I terminated my ArcGIS Online functionality and utilized ArcGIS Pro, similar to ArcMap, which may have to be thoroughly reviewed by the hospital IT staff to ensure no personally identifiable health information (PHI) exists, unless it is approved by an institutional review board (IRB) for research, or a quality improvement project, which the NIH views as non-research, due to not generating generalizable knowledge (https://grants.nih.gov/policy-and-compliance/policy-topics/human-subjects/research). For my capstone project, I developed a web mapping tool and used a usability assessment survey, and the IRB deemed it as non-human subjects consideration, which was done during COVID, but despite having a small sample size it produced good results (https://pubmed.ncbi.nlm.nih.gov/35496652/).

However, for the web mapping tool, my mentor and I decided to utilize Leaflet JavaScript, an open-source equivalent, with other solutions on GitHub to develop the web mapping tool. It is my recommendation for people who use ArcGIS Online to be careful that the data ensures privacy and confidentiality concerns. I recently got my GIS professional (GISP) certification and took an exam prep course and was shocked at the lack of knowledge about HIPAA and privacy concerns. In 2022, I moved it to the hospital website, which until recently my code-based website worked with no concerns. In fact, I developed a technical paper on how it was developed (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10665118/). After publication, I developed bivariate mapping and other functionality and updated the datasets. However, in 2024, the hospital moved to an automated website, with minimal code, and now the website is not able to link to the hospital server. However, with ArcGIS Online still in the gray area on whether it is HIPAA compliant and protects patient privacy, something has to give.

My question is how to better use ArcGIS Online and ArcGIS Pro to protect privacy and ethical considerations.

0 Kudos
1 Reply
EsteGeraghtyMD
New Contributor

Hello NathanielGeyer!

My name is Este Geraghty and I'm the Chief Medical Officer at Esri. We have worked hard over the last decade on this issue of ensuring our customers have the resources they need to deal with PHI in their work. Here are some of those resources:

Hope that helps!

Best,

Este (egeraghty@esri.com)

0 Kudos