Our commitment to HIPAA compliance
Background
HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996 that safeguards the privacy and security of individuals' medical information. It establishes strict regulations and standards for healthcare providers, insurers, and other entities handling protected health information (PHI) to ensure the confidentiality and integrity of patient data.
We are fortunate to work with many different customers from across the US and international health care industries, as well as many academic researchers working with health care data.
Data protection and privacy are key commitments to all customers. This page lays out our commitment to HIPAA compliance.
Note: as a business based in the European Union (Germany), we are also legally bound by the EU's General Data Protection Regulation (GDPR). Please see our GDPR page where we lay out all the details of how we ensure data privacy for all customers.
Have questions?
Should you have any questions about this topic, feel free to write to us at dataprotection @ opencagedata.com or via our contact form.
What data do we collect when you use our API?
When you send us a geocoding API request we send you a response and then log the query. We later analyze the logs to see how we can improve our service. All logs are deleted after six months.
While you should only ever be sending us geographic data and NOT personal data, if you use the optional no_record parameter when calling the geocoding API, we will not store your query in our logs. In this case we have no record of what the query was. We encourage you to use this parameter.
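As an added example (not the page's or OpenCage's own code), a small Python client wrapper that makes the no_record form of the request the only one an application can send, and refuses plain HTTP; the endpoint URL and the key parameter come from OpenCage's public API documentation rather than from this page, and the API key used is a placeholder.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Public geocoding endpoint; assumed from OpenCage's API docs, not stated on this page.
OPENCAGE_ENDPOINT = "https://api.opencagedata.com/geocode/v1/json"


def build_geocode_url(query: str, api_key: str, endpoint: str = OPENCAGE_ENDPOINT) -> str:
    """Return a request URL that always uses HTTPS and always sets no_record=1.

    The caller cannot opt out: centralising the request construction is what
    keeps a forgotten parameter from silently leaving queries in the logs.
    """
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        # Unencrypted HTTP is discouraged on the page; this wrapper refuses it outright.
        raise ValueError("geocoding requests must use HTTPS, got %r" % parts.scheme)
    if not query.strip():
        raise ValueError("query must not be empty")
    params = {"q": query, "key": api_key, "no_record": "1"}
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def is_no_record_request(url: str) -> bool:
    """Check an outgoing URL (e.g. in an egress proxy or a unit test) for both
    privacy settings: TLS on the wire and no_record=1 in the query string."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return parts.scheme == "https" and qs.get("no_record") == ["1"]


if __name__ == "__main__":
    # Constructed sample query and placeholder key, for a stand-alone run.
    print(build_geocode_url("Friedrichstr. 123, Berlin", "PLACEHOLDER_API_KEY"))
```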
Encrypted Data Transfer
Customers have the option to use industry standard SSL encryption (HTTPS) when using our API. Unencrypted transfer via standard HTTP is discouraged for all customers, regardless of HIPAA compliance.
Business Associate Agreements (BAA)
We are happy to sign a BAA, though we should note that (due to GDPR) becoming a customer of our service already implies acceptance of our Data Processing Agreement, unless otherwise explicitly agreed with us in writing.
Security of Data
All servers are secured and accessible only via secure methods. This and other forms of access control are covered in detail on our Security Policies page.
Written Contingency Plan
HIPAA rules require that covered entities have a written contingency plan for responding to system emergencies, and that this plan includes a detailed plan concerning data backup and recovery and related processes in the event of a disaster. We have such a plan and it is reviewed regularly.
Reporting issues
We make every effort to keep your data secure. If you find a vulnerability, please report it to security @ opencagedata.com; we will follow up with you promptly. You can find our public key in our security.txt file. Thank you.
We welcome vulnerability reports via our security bounty program.
Stay informed
Meaningful changes to this document will be announced on our Mastodon account and our blog.