The conventional approach to preserving the confidentiality of health records aggregates all records within a geographical area whose population is large enough to prevent disclosure. Though this approach normally protects the privacy of individuals, the use of such aggregated data limits the types of research one can conduct and makes it impossible to address many important health problems. In this paper we discuss the design and implementation of geographical masks that not only preserve the security of individual health records, but also support the investigation of questions that can be answered only with some knowledge about the location of health events. We describe several alternative methods of masking individual-level data, evaluate their performance, and discuss both the degree to which we can validly analyse masked data and the relative security of each approach, should anyone attempt to recover the identity of an individual from the masked data. We conclude that the geographical masks we describe, when appropriately used, protect the confidentiality of health records while permitting many important geographically based analyses, but that further research is needed to determine how the power of tests for clustering or the strength of other associative relationships is adversely affected by the characteristics of different masks.