The great thing about compliance stuff like HIPPA/FERPA/PCI, etc. is that they're so open to interpretation. My general rule when dealing with any compliance issue is to make sure my university general counsel's office is happy with whatever I do. Yes, it can be a pain to do that, but you'll be better off in the long run. If they're happy and a legal issue comes up, it's their problem, not mine, which is generally where I want to be when it comes to compliance issues....
On Thu, Jun 05, 2014 at 12:07:56AM +0000, Sam Kome wrote: > I'm not up on HIPPA and I am not a lawyer. > Years ago I created a system for anonymizing address data that passed muster > with the FCC and US Census bureau. In a nutshell we had a third party create > a unique hash to identify the record, and geocode to the US Census block > group. > We never handled let alone stored the name or address ourselves. We had an > independent auditor audit our outsource party and our datasets. Block group > is the US Census standard for protecting privacy - it really depends on what > other data you retain though as to being able to reconstruct identity. > > Cheers! > > -----Original Message----- > From: Code for Libraries [mailto:[email protected]] On Behalf Of Simon > Spero > Sent: Monday, June 02, 2014 2:38 PM > To: [email protected] > Subject: Re: [CODE4LIB] Anonymizing address data > > This book might be useful (it's a year old) > > Anonymizing Health Data <http://shop.oreilly.com/product/0636920029229.do> > Case Studies and Methods to Get You Started > By Khaled El Emam, Luk Arbuckle > <http://shop.oreilly.com/product/0636920029229.do#tab_03_0> > Publisher: O'Reilly Media > Released: December 2013 > Pages: 212 > > > > > > On Mon, Jun 2, 2014 at 3:40 PM, Kyle Banerjee <[email protected]> > wrote: > > > HIPPA compliant data cannot include personally identifiable information, a > > category which includes address. The "safe harbor" approach where > > geographic subdivisions smaller than states cannot be used frequently > > renders data useless. > > > > The "expert determination" method is always an option and precompiling can > > work in certain cases, but I was wondering what other methods people have > > successfully employed? Thanks, > > > > kyle > > -- Thomas L. Kula <[email protected]> Senior Systems Engineeer, Unix Systems Group Library Information Technology Office Columbia University in the City of New York
