The Health Insurance Portability and Accountability Act of 1996: the Standards Guide for Healthcare

Among its provisions, HIPAA requires healthcare agencies to establish national standards for electronic health care transactions. It regulates the safeguarding of private, individually identifiable health information. It also creates several programs to control fraud and abuse within the health care system. Under HIPAA, the Department of Health and Human Services published five rules:

  • the Privacy Rule,
  • the Transactions and Code Sets Rule,
  • the Security Rule,
  • the Unique Identifiers Rule,
  • the Enforcement Rule


for covered entities such as:

  • health plans
  • health care providers
  • health care clearinghouses
  • billing services
  • community health information systems
  • health insurers
  • medical service providers
  • employer sponsored health plans

The following provisions can be safeguarded by using data masking components:

Section 164.308

Information access management's implementation specifications: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Such mechanisms can involve on-the-fly or static data masking that hides sensitive data such as Social Security numbers, Medicare numbers and patient names from unauthorized parties.

Section 164.312

Access control's implementation specifications:

  • (i) Unique user identification. Assign a unique name and/or number for identifying and tracking user identity.
  • (iv) Encryption and decryption

These requirements are reliably accomplished with substitution and encryption components.


Section 164.502

Minimum necessary applies specification: When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.


Organizations can reliably limit the data exposed to contractors or third parties by masking the values.
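The three provisions above (Section 164.308 on masking sensitive fields for unauthorized parties, Section 164.312 on substitution and encryption components, and Section 164.502 on the minimum necessary standard) can be illustrated with one static masking routine. The code below is an added example and is not part of the original page or any vendor's product; the field names, the masking policy, the sample record and the pseudonymization key are all constructed for illustration. It keeps only the last four digits of a Social Security number and of a Medicare Beneficiary Identifier, replaces a patient name with a keyed, deterministic pseudonym (substitution), and drops every field the recipient has no stated need for (minimum necessary).

```python
import hashlib
import hmac
import re

# Constructed key for deterministic pseudonyms. In a real deployment this would
# come from a secrets manager and be rotated per recipient or per data release.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Fields a third-party recipient is permitted to see at all (minimum necessary).
ALLOWED_FIELDS = {"patient_name", "ssn", "medicare_number", "diagnosis_code", "visit_date"}


def mask_ssn(ssn: str) -> str:
    """Return a US SSN with only the last four digits visible (XXX-XX-1234)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return f"XXX-XX-{digits[-4:]}"


def mask_medicare_number(mbi: str) -> str:
    """Return an 11-character Medicare Beneficiary Identifier with only the last four characters visible."""
    cleaned = re.sub(r"[^A-Z0-9]", "", mbi.upper())
    if len(cleaned) != 11:
        raise ValueError("MBI must contain exactly eleven alphanumeric characters")
    return "*" * 7 + cleaned[-4:]


def pseudonymize_name(name: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Substitute a patient name with a keyed pseudonym.

    The same name always maps to the same pseudonym under the same key, so a
    recipient can still join records per patient, but cannot reverse the
    mapping without the key (HMAC-SHA256 rather than a plain hash).
    """
    normalized = " ".join(name.split()).lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return f"PATIENT-{digest[:8].upper()}"


# Field -> masking function. Fields in ALLOWED_FIELDS but not listed here pass through unchanged.
MASKING_POLICY = {
    "patient_name": pseudonymize_name,
    "ssn": mask_ssn,
    "medicare_number": mask_medicare_number,
}


def mask_record(record: dict) -> dict:
    """Apply the masking policy to one record and drop any field outside ALLOWED_FIELDS."""
    masked = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # minimum necessary: the recipient does not get this field at all
        transform = MASKING_POLICY.get(field)
        masked[field] = transform(value) if transform else value
    return masked


# Constructed sample record; the values are not real identifiers.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "ssn": "123-45-6789",
    "medicare_number": "1EG4-TE5-MK73",
    "diagnosis_code": "E11.9",
    "visit_date": "2023-04-12",
    "home_address": "1 Example Street",  # not needed by the recipient, so it is dropped
}

if __name__ == "__main__":
    for field, value in mask_record(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

The name pseudonym is consistent across records, which is what keeps a masked extract usable for analysis, but the key never leaves the covered entity, so the substitution cannot be reversed by the recipient. The two identifier masks are deliberately not format-preserving encryption: for a data extract handed to a contractor, showing only the last four characters reveals less than a reversible token would.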


The Privacy Act defines Protected Health Information (PHI), and its definition of sensitive data is rather broad: "PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual."