[arin-ppml] Clarify /29 assignment identification requirement

William Herrin bill at herrin.us
Fri May 4 11:36:45 EDT 2012

On 5/4/12, John Curran <jcurran at arin.net> wrote:
> On May 4, 2012, at 10:24 AM, William Herrin wrote:
>> But let me turn the question around: ARIN staff have been doing this
>> for quite a while. How would staff handle the hospital as ISP scenario
>> I posited? HIIPA says you don't get to look at the user data. It's the
>> law. So what would data would staff seek for their audit instead?
> Your hypothetical lacks sufficient detail to answer with certainty.  It's
> likely we would request customer reassignment data to verify utilization.
> I am confident that sufficient information could be provided to ARIN under
> NDA as needed which would not violate HIPPA's "protected health
> information"
> requirements, just as we have been able to work with parties with PII,
> and related issues.

Hi John,

HIPAA restricts the use of 18 categories of information about a health
care customer including:

All geographical identifiers smaller than a state
Phone numbers
Email addresses

By law, a U.S. hospital may only provide you with "de-identified data"
about their customers. Even under NDA.

But don't take my word for it, check with ARIN counsel.


William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

More information about the ARIN-PPML mailing list