Skip to main content

HIPAA Compliance and the Continuous Compliance Engine (KBA1340)




This document is designed with the intent to answer the question about whether the Continuous Compliance Engine (formerly known as the Delphix Masking Engine) is certified for HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance.


HIPAA compliance in the context of data in a database table refers to Protected Health Information (PHI) which is covered by HIPAA. PHI refers to individually identifiable data elements combined with health information about that person.

Examples of individually identifiable elements are any of the following:

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images

The Continuous Compliance Engine is used to efficiently obfuscate or redact (PHI) data so that it is still usable for organisations in the sense of the data having some meaning rather than being random text, importantly preserving referential integrity and disturbing statistical distributions.

The Continuous Compliance Engine is a Java application which reads in data and provides output based on the configuration specified by the user. Thus, as an application that does not actually use or display patient data, the Continuous Compliance Engine itself is not something that would be certified for HIPAA compliance. The measurement of whether data is compliant needs to be assessed based on the masking result, not on the application responsible for creating that result.

There is a HIPAA profile which a user can edit, but again the method of masking and the results are driven by the configuration any user puts in place.

As a comparison it is traditionally healthcare applications which are validated for HIPAA compliance. That validation or certification will tend to center around access to the underlying patient data.


The Continuous Compliance Engine provides a mechanism for removing PHI while retaining a semblance of data structure and sense. So the Continuous Compliance Engine, when used correctly, provides a way of eliminating sensitive data thereby facilitating HIPAA compliance.

As previously suggested, the Continuous Compliance Engine would not be considered a target for HIPAA compliance certification and indeed is not certified.