Print

Print


The great thing about compliance stuff like HIPPA/FERPA/PCI, etc. is
that they're so open to interpretation. My general rule when dealing
with any compliance issue is to make sure my university general
counsel's office is happy with whatever I do. Yes, it can be a pain to
do that, but you'll be better off in the long run. If they're happy and
a legal issue comes up, it's their problem, not mine, which is generally
where I want to be when it comes to compliance issues....

On Thu, Jun 05, 2014 at 12:07:56AM +0000, Sam Kome wrote:
> I'm not up on HIPPA and I am not a lawyer.   
> Years ago I created a system for anonymizing address data that passed muster with the FCC and US Census bureau. In a nutshell we had a third party create a unique hash to identify the record, and geocode to the US Census block group.  
> We never handled let alone stored the name or address ourselves.  We had an independent auditor audit our outsource party and our datasets. Block group is the US Census standard for protecting privacy - it really depends on what other data you retain though as to being able to reconstruct identity.
> 
> Cheers!
> 
> -----Original Message-----
> From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Simon Spero
> Sent: Monday, June 02, 2014 2:38 PM
> To: [log in to unmask]
> Subject: Re: [CODE4LIB] Anonymizing address data
> 
> This book might be useful (it's a year old)
> 
> Anonymizing Health Data <http://shop.oreilly.com/product/0636920029229.do>
> Case Studies and Methods to Get You Started
> By Khaled El Emam, Luk Arbuckle
> <http://shop.oreilly.com/product/0636920029229.do#tab_03_0>
> Publisher: O'Reilly Media
> Released: December 2013
> Pages: 212
> 
> 
> 
> 
> 
> On Mon, Jun 2, 2014 at 3:40 PM, Kyle Banerjee <[log in to unmask]>
> wrote:
> 
> > HIPPA compliant data cannot include personally identifiable information, a
> > category which includes address. The "safe harbor" approach where
> > geographic subdivisions smaller than states cannot be used frequently
> > renders data useless.
> >
> > The "expert determination" method is always an option and precompiling can
> > work in certain cases, but I was wondering what other methods people have
> > successfully employed? Thanks,
> >
> > kyle
> >

-- 
Thomas L. Kula <[log in to unmask]>
Senior Systems Engineeer, Unix Systems Group
Library Information Technology Office
Columbia University in the City of New York