[arin-ppml] Clarify /29 assignment identification requirement

John Curran jcurran at arin.net
Fri May 4 13:12:59 EDT 2012

On May 4, 2012, at 11:36 AM, William Herrin wrote:

> Hi John,
> HIPAA restricts the use of 18 categories of information about a health
> care customer including:
> Names
> All geographical identifiers smaller than a state
> Phone numbers
> Email addresses
> By law, a U.S. hospital may only provide you with "de-identified data"
> about their customers. Even under NDA.
> But don't take my word for it, check with ARIN counsel.

Bill - 
 I ran a highly secure data center for more than 5 years with nearly 
 every compliance issue you can imagine (including HIPPA) and its 
 application is not as facile as you outline above.  I will not delve 
 into every aspect of your hypothetical case and HIPPA, but will note 
 that there are also statistical approaches that are allowed based on 
 the removal of individually identifying information.  

 As I noted in my reply, your hypothetical lacked sufficient information 
 to more specifically answer. For example, if the network in question is 
 actually a hospital (i.e. an end-user) as opposed to hospital service 
 network, then under policy for end-user organizations we'd be asking for 
 a brief description of each hospital subnet's purpose and the number of 
 IP addresses projected to be used both short-term and within one year. 
 If it really is a network which serves hospitals and medical institutions, 
 we only need to understand their _organizational_ customers (i.e. medical 
 service providers) IP usage not their individual patients IP assignments.
 I suppose you can contrive a hypothetical which is a cross-between these
 cases, but I think we'll deal with it when it actually arises.


John Curran
President and CEO

More information about the ARIN-PPML mailing list