[arin-ppml] Clarify /29 assignment identification requirement
jcurran at arin.net
Fri May 4 13:12:59 EDT 2012
On May 4, 2012, at 11:36 AM, William Herrin wrote:
> Hi John,
> HIPAA restricts the use of 18 categories of information about a health
> care customer including:
> All geographical identifiers smaller than a state
> Phone numbers
> Email addresses
> By law, a U.S. hospital may only provide you with "de-identified data"
> about their customers. Even under NDA.
> But don't take my word for it, check with ARIN counsel.

I ran a highly secure data center for more than 5 years with nearly
every compliance issue you can imagine (including HIPAA) and its
application is not as facile as you outline above. I will not delve
into every aspect of your hypothetical case and HIPAA, but will note
that there are also statistical approaches that are allowed based on
the removal of individually identifying information.

As I noted in my reply, your hypothetical lacked sufficient information
to more specifically answer. For example, if the network in question is
actually a hospital (i.e. an end-user) as opposed to a hospital service
network, then under policy for end-user organizations we'd be asking for
a brief description of each hospital subnet's purpose and the number of
IP addresses projected to be used both short-term and within one year.

If it really is a network which serves hospitals and medical institutions,
we only need to understand their _organizational_ customers' (i.e. medical
service providers') IP usage, not their individual patients' IP assignments.

I suppose you can contrive a hypothetical which is a cross between these
cases, but I think we'll deal with it when it actually arises.

President and CEO