Is a ZIP code PHI?
A ZIP code is considered PHI if it is collected, stored or used by a healthcare provider, health plan, healthcare clearinghouse or business associate of these entities and can be linked to an individual's health information.
The relevant section of HIPAA for this is 164 CFR 514 (b)(2)(i)(b), which specifies:
(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
This regulation provides clear criteria for when geographic information becomes PHI. In particular, street addresses are unequivocally considered PHI. Full ZIP codes are also deemed PHI, but they can be reduced to their first three digits (e.g., 14706 becomes 147xx). If the geographic unit formed by all ZIP codes sharing those three digits contains more than 20,000 people, the truncated value is no longer considered PHI; for units containing 20,000 or fewer people, the three digits must be changed to 000. However, for your specific analysis, you might require the complete ZIP code, which limits the usefulness of this provision.
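The three-digit rule in clause (B) can be applied mechanically before data leaves the source system. The following Python sketch is an added example, not part of the original page or the regulation; the population figures, field names and function names are constructed for illustration, and it covers only the geographic identifiers in clause (B), not names, dates or the other listed identifiers.

```python
import re
from collections import defaultdict

THRESHOLD = 20_000  # a prefix is kept only when its population is MORE than this

# Constructed sample populations per full ZIP code (not real Census figures).
SAMPLE_ZIP_POPULATION = {
    "14706": 9_500, "14701": 28_000,  # prefix 147 -> 37,500 people
    "05901": 1_200, "05902": 800,     # prefix 059 -> 2,000 people
    "82001": 20_000,                  # prefix 820 -> exactly 20,000 people
}
GEO_FIELDS_TO_DROP = ("street", "city", "county")  # hypothetical column names


def prefix_populations(zip_population):
    """Sum population over every ZIP code sharing the same first three digits."""
    totals = defaultdict(int)
    for zip_code, people in zip_population.items():
        totals[zip_code[:3]] += people
    return dict(totals)


def generalize_zip(raw_zip, prefix_totals):
    """Return the three digits clause (B) allows to remain, otherwise "000"."""
    match = re.fullmatch(r"\s*(\d{5})(?:-?\d{4})?\s*", str(raw_zip))
    if match is None:
        # Missing, malformed, or stored as an integer that lost a leading zero:
        # fail closed rather than guess the prefix.
        return "000"
    prefix = match.group(1)[:3]
    # A prefix absent from the population table is treated as a small unit.
    return prefix if prefix_totals.get(prefix, 0) > THRESHOLD else "000"


def deidentify_geography(record, prefix_totals):
    """Drop sub-state geography from one record and generalise its ZIP code."""
    out = {k: v for k, v in record.items() if k not in GEO_FIELDS_TO_DROP}
    out["zip"] = generalize_zip(record.get("zip"), prefix_totals)
    return out


if __name__ == "__main__":
    totals = prefix_populations(SAMPLE_ZIP_POPULATION)
    row = {"street": "1 Example St", "city": "Sampletown",
           "zip": "14706-1234", "diagnosis": "asthma"}  # constructed record
    print(deidentify_geography(row, totals))
```

A real run would build the population table from the current publicly available Census data that the regulation refers to, and would refresh it when that data changes.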
Uploading this data to Google would be classified as a disclosure. As mentioned, the information you plan to analyze is PHI. In this context, Google would act as a Business Associate. Without either written consent from each patient in your dataset or a Business Associate Agreement with Google, such an action would violate HIPAA.
Another important concern, since it wasn't explicitly mentioned, is whether you have authorization from your employer or supervisor to export this information. Assuming this is part of your job responsibilities, exporting significant amounts of data from an EHR system will be tracked in an audit log, and without explicit approval, this could raise questions about your intentions. If you haven't already discussed this with your supervisor or weren't directed by them to do so, it would be prudent to get their approval first.
Conclusion
Understanding and complying with HIPAA regulations is critical when handling protected health information (PHI). Section 164 CFR 514 (b)(2)(i)(b) clearly outlines the parameters for when geographic data, such as ZIP codes and addresses, becomes PHI. It's crucial to remember that street addresses and full ZIP codes are PHI, and that only the first three digits of a ZIP code may be kept, and only when the population condition is met.