Signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) outlines the rules and regulations for medical data protection. The act sets out the standards for data handling, security, insider access, and billing.


Information covered by HIPAA includes protected health information (PHI) and electronic protected health information (ePHI), or simply put, sensitive patient data.


PHI includes the following information:

  • Medical history

  • Health care information

  • Payments and billing history

  • Common patient identifiers such as name, address, date of birth, and social security number

  • Medical records

  • Communication with healthcare providers

  • Medication history

  • Health insurance details

Under HIPAA, the Department of Health and Human Services has issued five rules:

  • the Privacy Rule

  • the Transactions and Code Sets Rule

  • the Security Rule

  • the Unique Identifiers Rule

  • the Enforcement Rule

Most entities that handle patient data will fall under the jurisdiction of HIPAA, such as health plans, billing services, pharmacies, health insurers, community health information systems and even employer-sponsored health plans.

Data masking is a trusted and proven method of data protection that meets the requirements of the following provisions of HIPAA:

Section 164.308

This section deals with information access management and the implementation specifications for granting access to electronic protected health information. The mechanisms it calls for can include on-the-fly (dynamic) or static data masking of sensitive fields such as Social Security numbers, Medicare numbers, and patient names, so that unauthorized parties see only masked values.

Section 164.312

This section deals with access control and its implementation specifications, including:

  • (i) Unique user identification

  • (iv) Encryption and decryption

Section 164.502

This section deals with the "minimum necessary" standard that applies when using or disclosing protected health information, or when requesting it from another covered entity. By masking the values that a contractor or third party does not need, organizations can dependably limit the data they disclose to what is necessary.



The Health Information Technology for Economic and Clinical Health Act (HITECH) deals with the privacy and security of health information that is electronically transmitted.

HITECH includes stringent data security requirements for healthcare entities as well as their partner services.

The HITECH Act essentially widens the landscape for the exchange of electronic protected health information (ePHI) between doctors, clinics, health insurance companies, and other services that process healthcare information.

Any organization that handles ePHI needs to ensure that patient data is well-protected or risk heavy penalties for non-compliance.

How Hush-Hush can help with healthcare compliance

Protecting PHI and ePHI is a requirement of HIPAA and HITECH. In many cases, this information is needed by other parties, such as pharmacists, therapists and insurance companies.

Data masking removes the identifiers from health information, lowering the risk of a data breach, whilst retaining the data's referential integrity for study, referral, billing and research. That means medical data can be shared without breaking your patients' trust.
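The following is an added illustration of the masking approach described above and in the Section 164.308 discussion (static masking of identifiers such as Social Security numbers and patient names while keeping referential integrity across tables). It is example code written for this page, not Hush-Hush's product or its API. The sample patient and billing rows, the field names, and the masking key are all constructed; the technique shown is keyed (HMAC-based) tokenization, which maps the same input to the same token so that joins between tables still work after masking, plus simple generalization of the date of birth to a year.

```python
import hmac
import hashlib
from typing import Dict, List

# Masking key. In a real deployment this would come from a secrets manager and
# be held only by the party allowed to re-link records; a fixed constructed
# value is used here only so the example runs offline.
MASK_KEY = b"example-masking-key-not-for-production"

# Constructed sample data: two tables that join on patient_id. The field names
# are assumptions for this example, not a real schema.
PATIENTS: List[Dict] = [
    {"patient_id": "P001", "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1980-03-14", "diagnosis": "E11.9"},
    {"patient_id": "P002", "name": "Bob Sample", "ssn": "987-65-4321",
     "dob": "1975-11-02", "diagnosis": "I10"},
]
BILLING: List[Dict] = [
    {"claim_id": "C100", "patient_id": "P001", "amount": 120.00},
    {"claim_id": "C101", "patient_id": "P001", "amount": 80.50},
    {"claim_id": "C102", "patient_id": "P002", "amount": 300.00},
]

# Direct identifiers and the masking strategy applied to each.
# "token": keyed deterministic pseudonym; "generalize": coarsen the value.
IDENTIFIER_FIELDS = {
    "patient_id": "token",
    "name": "token",
    "ssn": "token",
    "dob": "generalize",
}


def pseudonym(value: str, field: str, key: bytes = MASK_KEY) -> str:
    """Deterministic keyed token for one field value.

    The same (field, value) pair always yields the same token, so foreign-key
    relationships survive masking; without the key the token cannot be turned
    back into the original value. The field name is mixed in so that equal
    values in different columns do not produce equal tokens.
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field.upper()}_{mac[:12]}"


def generalize_dob(dob: str) -> str:
    """Keep only the birth year (input assumed YYYY-MM-DD)."""
    return dob[:4]


def mask_record(record: Dict, fields: Dict[str, str] = IDENTIFIER_FIELDS) -> Dict:
    """Return a copy of one row with every listed identifier masked; other
    columns (e.g. diagnosis, amount) are left intact for analysis."""
    out = dict(record)
    for field, strategy in fields.items():
        if field not in out:
            continue
        if strategy == "token":
            out[field] = pseudonym(out[field], field)
        elif strategy == "generalize":
            out[field] = generalize_dob(out[field])
    return out


def mask_table(rows: List[Dict], fields: Dict[str, str] = IDENTIFIER_FIELDS) -> List[Dict]:
    return [mask_record(r, fields) for r in rows]


def join_counts(patients: List[Dict], billing: List[Dict]) -> List[int]:
    """Claims per patient, as a sorted list of counts. Equal results before and
    after masking demonstrate that referential integrity was preserved."""
    ids = {p["patient_id"] for p in patients}
    counts: Dict[str, int] = {}
    for b in billing:
        if b["patient_id"] in ids:
            counts[b["patient_id"]] = counts.get(b["patient_id"], 0) + 1
    return sorted(counts.values())


def leaks_identifier(masked_rows: List[Dict], original_rows: List[Dict]) -> bool:
    """True if any original identifier value survives verbatim in the masked output."""
    originals = {r[f] for r in original_rows for f in IDENTIFIER_FIELDS if f in r}
    return any(row.get(f) in originals for row in masked_rows for f in IDENTIFIER_FIELDS)


if __name__ == "__main__":
    masked_patients = mask_table(PATIENTS)
    masked_billing = mask_table(BILLING)
    for row in masked_patients:
        print(row)
    print("claims per patient before/after:", join_counts(PATIENTS, BILLING),
          join_counts(masked_patients, masked_billing))
    print("identifier leaked:", leaks_identifier(masked_patients, PATIENTS))
```

Because the tokens are keyed, this is pseudonymization rather than irreversible anonymization: whoever holds the key can re-link the masked data, so key custody decides which parties are "unauthorized" in the sense of Section 164.308, and the masked copy still needs the access controls and encryption that Section 164.312 calls for.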
