"Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration."[1]

Data masking or data obfuscation is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel. Data obfuscation or masking is generally applied to protect PII and EPHI. It mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies policy assessment research and other endeavors.