Healthcare Data Security

 

Next Steps
Overview Classify & Find PHI Encrypt, Obfuscate, More Risk Score Generalize Services

The 1996 Health Insurance Portability and Accountability Act (HIPAA) is now being regularly enforced across the country, and fallout from breaches of protected health information (PHI data) remains constant, and damaging. If you're a "covered entity" under HIPPA, what are you and your business associates doing about HIPAA compliance as it relates to PHI protection?

The pages in this section of the IRI web site take a closer look at the key US healthcare data security rules and how you can comply with them (and prove it). If you would like more information or need help, contact us to learn how we have helped others, and can help you.

PHI subject to the HIPAA Safe Harbor security rule, regulations like 45 CFR 164.312 and 170.210 specify encryption or hashing of 18 key (direct, unique) identifiers. Long-proven data masking tools from IRI support HIPAA security rule compliance with multiple data obfuscation and data anonymization functions within job wizards purpose-built for the discovery and consistent de-identification of protected health information.

More specifically, the built-in data classification and masking functions in the IRI FieldShield, DarkShield, and CellShield data masking tools -- or the IRI Voracity platform which includes them -- help you find, catalog, and de-identify PHI in structured, semi-structured, and unstructured data sources automatically.

These sources (whether in your on-premise network or cloud infrastructure) include: relational and NoSQL databases; flat and free-text files; Excel, PDF and Word documents; PowerPoint presentations; HL7, X12 and FHIR EDI files; DICOM studies; Parquet and audio files; and, most popular image file formats.

PHI List

Alternatively, the HIPAA Expert Determination Method Rule, allows compliance through certified mitigation of re-identification risk. Integrated re-ID risk scoring and anonymization technology in IRI data masking software statistically measures that risk, and blurs quasi-identifiers to comply with this rule, too.

PHI List
Learn more about HIPAA-mandated de-identification and IRI solutions

De-Identification

De-identification refers to processes that disassociate personally identifiable information (PII) within protected health information (PHI) repositories and other "data at risk."

PHI de-identification is a specific requirement in the healthcare industry, where for example, it is used in both "safe harbor" and "expert determination method" practices in medical research (to remove patient identities from study models). De-identification is also a blanket term referring to the anonymization or masking of PII in many other industries.

The most recent Security Rule in HIPAA regulations (45 CFR Parts 160 and 164) spell out the compliance requirements for those entities managing PHI. HIPAA rules apply to 18 specific identifiers:

Name
Address
Birthdate
Phone #
Fax #
Email Address
Social Security #
Medical Record #
Health Insurance Beneficiary #
Account #
Certificate #
Vehicle ID #
Device ID #
Personal URL
IP Address
Biometric ID
Facial Image
Other Unique ID Code

Each of the data masking software products in the IRI Data Protector suite helps you find and classify, and then protect PII, PAN, PHI, etc. in multiple data sources for Safe Harbor rule compliance. They also work hand-in-hand with included re-ID risk scoring technology for compliance with the Expert Determination Method rule. See this article in HIPAA Journal for more information about what constitutes PHI.

HIPAA compliance requires either:

Redaction - Safe Harbor

Manipulating, masking, or removing these key identifiers so that it is difficult or impossible to identify an individual or restore the original data.

De-Identification - Expert Determination Method

Stripping the identifiers, and generalizing quasi-identifiers until an expert determines the statistical risk of re-identification is very low.


In addition to healthcare data protection software, IRI can also deliver professional services and refer you to expert statisticians, HIPAA consultancies, and regulatory attorneys with whom we partner.

You can leverage these tools and teams as needed to obtain compliance certification and cybersecurity insurance, and to defend against fines or breach-related claims. See our free course details below:

Other Resources

Frequently Asked Questions (FAQs)

1. What is HIPAA and why does it matter for data masking?
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that mandates the protection of patients’ personal health information (PHI). Data masking helps organizations comply by de-identifying or redacting PHI across various data sources.
2. What types of data are considered PHI under HIPAA?
HIPAA defines 18 identifiers as PHI, including names, addresses, birthdates, Social Security numbers, medical record numbers, biometric data, IP addresses, and more. These must be protected or removed to meet compliance requirements.
3. How can IRI tools help with HIPAA Safe Harbor compliance?
IRI FieldShield, DarkShield, and CellShield can redact or mask the 18 HIPAA identifiers using built-in job wizards. These tools remove or transform the data so it cannot be used to re-identify an individual, supporting Safe Harbor de-identification.
4. How does IRI support the Expert Determination Method?
IRI tools include re-ID risk scoring capabilities that statistically assess the likelihood of re-identifying individuals from quasi-identifiers. This supports compliance with the Expert Determination Method by allowing risk to be measured and mitigated.
5. What is the difference between redaction and de-identification?
Redaction removes or obscures direct identifiers (Safe Harbor), while de-identification also involves generalizing or blurring quasi-identifiers (Expert Determination). Both aim to prevent re-identification, but the latter requires statistical validation.
6. How does IRI identify and mask PHI across different data types?
IRI tools automatically search, classify, and mask PHI across structured data (databases, flat files), semi-structured data (HL7, X12, FHIR), and unstructured data (PDFs, Word files, DICOMs, images, audio, etc.), both on-premise and in the cloud.
7. Can IRI tools help with audit and documentation for HIPAA compliance?
Yes. IRI tools generate detailed logs and audit trails for every masking job, including who ran the job, when, where, and what identifiers were protected—helping you prove compliance during assessments or legal reviews.
8. How does re-ID risk scoring work in IRI’s HIPAA solutions?
Re-ID risk scoring calculates the probability that an individual could be identified based on remaining data after masking. IRI uses statistical models to assign a score, guiding further anonymization steps if needed.
9. What file types can be protected using IRI’s HIPAA masking tools?
IRI supports PHI discovery and masking in databases, Excel spreadsheets, text files, PDFs, Word docs, HL7/FHIR/X12 EDI files, images, audio files, DICOMs, PowerPoints, and more—across both legacy and modern systems.
10. What encryption or anonymization techniques are available?
IRI tools offer multiple de-identification methods, including pseudonymization, redaction, hashing, format-preserving encryption, blurring, and noise injection. You can choose based on your use case, security requirements, and reversibility needs.
11. Can IRI solutions be deployed in cloud environments?
Yes. IRI solutions run in your infrastructure—whether on-premise or in your private/public cloud. Your data stays within your environment; IRI does not store or process it externally.
12. How can IRI help beyond software implementation?
In addition to software, IRI provides HIPAA compliance services through certified partners. These include access to statisticians, consultants, and legal experts to assist with compliance certification and breach defense preparation.
13. What is included in IRI’s HIPAA data compliance course?
IRI offers a 3-hour online course covering PHI de-identification across multiple data types, re-ID risk scoring, and insights into breach insurance and legal protection strategies—ideal for IT, compliance, and healthcare professionals.
14. Can IRI tools be used for research data anonymization?
Yes. IRI’s de-identification methods are widely used in healthcare research to remove PHI from patient records before analysis, making datasets HIPAA-compliant while preserving analytical value.
Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.