For HIPAA purposes, there is no such thing as anonymized info if someone can coax out zip code, gender, and birth date. That's the current SotA standard in terms of k-deanonymization.
And yes. BAA's apparently allow companies to throw that shit around like hot cakes. Remember, it isn't actually illegal until someone has been sued for it, and they lose (no settlement).
And yes. BAA's apparently allow companies to throw that shit around like hot cakes. Remember, it isn't actually illegal until someone has been sued for it, and they lose (no settlement).