HIPAA Security Rules



Through numerous data discovery, classification, and field-level masking functions in the IRI FieldShield, DarkShield, and CellShield data masking products -- or the IRI Voracity platform, which includes them -- you can find and de-identify protected health information (PHI) subject to HIPAA regulations in structured and unstructured data sources.

And, to protect and audit traffic across databases containing PHI, the IRI Chakra Max DB firewall monitors, alerts, blocks, dynamically masks, and records all access and activity in secure logs. This trail can be searched or reported on from the GUI, or analyzed in SIEM environments like Splunk ES.

Those regulations include 45 CFR 164.312 and 170.210, which require the encryption, hashing, etc. of ePHI.

IRI software supports the HIPAA Safe Harbor standard directly by redacting or otherwise obfuscating the key identifiers. And, through integrated re-ID risk scoring and anonymization technology, you can determine re-identifiability risk and blur quasi-identifiers to comply with the Expert Determination Method standard, too.


IRI can also deliver professional services and refer you to expert statisticians, HIPAA consultancies, and regulatory attorneys with whom we partner. You can leverage these tools and teams as needed to obtain compliance certification and cybersecurity insurance, and to defend against fines or breach-related claims. See our free course details below.

Learn more about HIPAA-mandated de-identification and IRI solutions for it


De-identification refers to processes that disassociate personally identifiable information (PII) within protected health information (PHI) repositories and other "data at risk."

PHI de-identification is a specific requirement in the healthcare industry, where, for example, it is used in both "safe harbor" and "expert determination method" practices in medical research (to remove patient identities from study models). De-identification is also a blanket term referring to the anonymization or masking of PII in many other industries.

The most recent Security Rule in HIPAA regulations (45 CFR Parts 160 and 164) spells out the compliance requirements for those entities managing PHI. HIPAA rules apply to 18 specific identifiers:

Phone #
Fax #
Email Address
Social Security #
Medical Record #
Health Insurance Beneficiary #
Account #
Certificate #
Vehicle ID #
Device ID #
Personal URL
IP Address
Biometric ID
Facial Image
Other Unique ID Code

Each of the data masking software products in the IRI Data Protector suite helps you find and classify, and then protect PII, PAN, PHI, etc. in multiple data sources for Safe Harbor rule compliance. They also work hand-in-hand with free, advanced re-ID risk scoring technology for compliance with the Expert Determination Method rule.

HIPAA compliance requires either:

Redaction - Safe Harbor

Manipulating, masking, or removing these key identifiers so that it is difficult or impossible to identify an individual or restore the original data.

De-Identification - Expert Determination Method

Stripping the identifiers, and generalizing quasi-identifiers until an expert determines the statistical risk of re-identification is very low.

