Improvement Sciences
Glossary of HIPAA Terms

| Term | Definition |
|---|---|
| Access | Able to get to and use data or authorized system resources |
| Access Authorization | Policies and procedures that permit a person or organization access to PHI |
| Access Controls | Hardware, software, policies, procedures and practices that authenticate and restrict, typically by role, a person, organization or software program requesting access to protected or secured information |
| Access Level | The permitted uses, typically by role, of a resource by a particular user |
| Access Monitoring | Procedures, policies and practices for monitoring all log-in attempts, both successful and unsuccessful |
| Accountability | Ensuring that "who does what" to a specific system resource is tracked so responsibility for a specific action can be determined |
| Accounting for Disclosures | Tracking and reporting all disclosures of PHI and other health information (see also "Audit") |
| Administrative Safeguards | Organizational policies, procedures, processes and practices, based on the findings of risk and security analyses, that define and manage the workforce practices that implement and maintain the security measures to protect PHI |
| Administrative Simplification | That section (Title II, Subtitle F) of HIPAA that requires standard code sets, transaction methods, national identifiers and other methods to protect PHI |
| Application | An individual software program that runs on a computer and accomplishes one specific task |
| Audit | An independent review of activity in a facility or system to validate conformity with established safeguards and policies and procedures |
| Audit Controls | Hardware, software, wetware and other processes that define standards to record and examine activity in information systems with PHI |
| Authentication | Validating a user's identity (e.g., with passwords, security tokens, or biometrics such as fingerprints or eye scans) |
| Authorization | Restricted permission, typically by role or use, and for a defined limited time, to access or disclose generally confidential data (e.g., PHI) for a specific purpose |
| Automatic Logoff | Terminating a session with a device or access point when a user is not active for a specified time |
| Availability | Data is accessible to authorized users when requested |
| Backup | An electronic copy of important data, software and configuration information that can be used to restore an electronic system |
| Biometrics | Using biological characteristics, like eye scans, signatures, voice prints, or fingerprints, to identify users to determine access to systems and PHI |
| Breach | An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (HHS) |
| Business Associate | "A covered entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information" (HHS). A business associate can also be a covered entity in its own right (CMS) |
| CE | See Covered Entity |
| Centers for Medicare & Medicaid Services | The agency of the federal government responsible for overseeing and enforcing the HIPAA Administrative Simplification rules (except privacy, which is mostly handled by OCR) |
| CFR | See Code of Federal Regulations |
| Ciphertext | Data that has been rendered ordinarily unreadable through encryption |
| Classification | Defining levels of security for PHI or otherwise secured information, and granting access only to users authorized to access a particular level |
| Clear text | Data that is not encrypted, or that has been decrypted |
| Cloud | Data centers available over the Internet |
| CMS | See Centers for Medicare & Medicaid Services |
| Code of Federal Regulations | The official compilation of all federal rules and requirements |
| Code Set | A system of defined terms and their descriptions; the codes are typically used to represent variable data from a medical record (e.g., words describing a diagnosis); HIPAA lists both administrative and medical code sets that must be used |
| Confidentiality | The principle of preventing information from being disclosed, or otherwise revealed, to unauthorized individuals, entities or processes |
| Contingency Plan | A predefined set of activities (e.g., immediate response, restoring from backup, re-establishing normal operations) to ensure that critical resources are available after a major incident (e.g., equipment damage, hacking, willful destruction) |
| Covered Entity | (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards (NIH) |
| Data | Any set of facts that an organization deems important |
| Data Authentication | Policies, procedures and processes used to confirm the origin and integrity of data |
| Data Backup | A copy of critical data and systems that can be used to restore data or a system that has been corrupted |
| Data Backup Plan | Formal, written and tested policies and procedures used to ensure that critical data and systems have been backed up |
| Data Integrity | Assuring that data are accurate and unchanged over time, and have not been modified, altered, or destroyed |
| Data Set | "A data repository or specifically defined collection of data such as a health care record, electronic medical record, claims record, research data, etc." (AHRQ) |
| Data Storage | Retaining information over time in a reliable medium (e.g., hard drive, secure cloud) |
| Data Use Agreement | An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected (NIH) |
| Decryption | Revealing data, using a secure key, that has been encrypted, so that an authorized user can access the information |
| De-identified Health Information | Individual health records with redacted or edited data that prevents the data from being associated with a specific individual. See the HIPAA Privacy Rule for de-identification guidelines (AHRQ) |
| Disaster Recovery | The process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure |
| Disaster Recovery Plan | The plan for a process to restore loss of data from a significant incident (e.g., breach, natural disaster). Part of an overall contingency plan (see above) |
| Disclosure | Revealing PHI to any party that is not the entity that stores, controls or manages the PHI |
| Disclosure History | Reporting, typically to a patient, how and when PHI has been disclosed and to whom |
| Disposal | Policies, procedures and processes for securely making PHI permanently unreadable (e.g., through physical destruction of media, securely erasing media, etc.) |
| Documentation | Written plans, rules, procedures, instructions and training that describe or record processes, requirements and actions |
| Electronic Protected Health Information (ePHI) | PHI stored in, or transmitted by, electronic media |
| Electronic Storage Media | Electronic devices, including hard drives, thumb (USB) drives, tapes, optical disks and offsite storage, that maintain PHI in electronic form |
| Encryption | A process that transforms readable information (cleartext) into unreadable ("scrambled"), but recoverable (with the appropriate biometric or text-based key), text (ciphertext). Prevents unauthorized access to otherwise confidential information |
| Facility | A physical place, a building, including the interior and the outside perimeter |
| Facility Access Controls | Policies, procedures, processes and practices used to restrict physical access to a site with systems and PHI to only properly authorized individuals |
| Hacking | Attempting to gain unauthorized access (compromising or bypassing security) to a computer or network |
| Hardware | The physical parts of a computer or computer network; the parts that can be touched |
| Health Care | Care, services, or prescribed supplies related to the health of an individual; e.g., diagnosis, treatment, prescribing or dispensing drugs or durable medical equipment |
| Health Care Clearinghouse | Entities that receive and process health information from another entity |
| Health Care Provider | A person who is trained and licensed to give health care. Also, a place that is licensed to give health care. Doctors, nurses, and hospitals are examples of health care providers (CMS) |
| Health Insurance Portability and Accountability Act of 1996 (HIPAA) | The law (and, in common use as "HIPAA", all the regulations as well) that defines the standards, including for protecting the use and disclosure of PHI |
| Health Plan | An individual or group plan that provides, or pays the cost of, medical care; includes government programs (e.g., Medicare, Medicaid) |
| HHS | The United States Department of Health and Human Services; the department that is in charge of all things HIPAA |
| Individual | The person (patient) for whom health information exists |
| Information Access Control | Written policies, procedures and processes for granting authorized users appropriate access, typically based on role |
| Information Access Management | Implementing policies and procedures, consistent with the HIPAA security and other rules, to control access to ePHI by an authorized user, based on their role |
| Information System | All components that work together to store, secure, maintain, and deliver PHI and other information to authorized people, organizations or processes |
| Integrity Controls | Implementing security policies, procedures, processes and practices to ensure that PHI and other confidential information are not improperly modified, and to detect attempts to change the data, until data are properly disposed of |
| Internal Audit | The in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an organization |
| Key | A piece of information (biometric data, password) that enables ciphertext to be transformed into cleartext |
| Malware | (MALicious softWARE) Any software intended to corrupt, destroy, damage, steal or compromise data or devices |
| Media | Devices, frequently portable, that store data (e.g., hard drives, USB drives, CD/DVD) |
| Media Controls | Formal, documented policies and procedures that govern how hardware/software (for example, diskettes, tapes) move into and out of a facility. See also Integrity Controls; Disposal |
| Minimum Necessary | The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request (NIH) |
| Misuse Threat | A vulnerability or threat from a person, typically a trusted employee, who exploits their role to inappropriately access and use information |
| Mobile Devices | Any computing device (e.g., laptop, tablet, smart phone) that can be carried and used in different settings |
| Notice of Privacy Practices | "Adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity's obligations with respect to that information" (HHS). Typically posted at an entity's facility and given to the patient on their first visit |
| Office for Civil Rights | The part of HHS that is charged with overseeing HIPAA privacy regulations; central authority for breaches |
| Password | A character-based form of user authentication |
| Password Management | Practices, policies and procedures that describe creating, changing, and safeguarding passwords |
| Personally Identifiable Information (PII) | Information about an individual that can be used to distinguish or trace an individual's identity (e.g., name, social security number, date and place of birth, mother's maiden name, or biometric records) or that is uniquely linked or linkable to an individual (e.g., medical, educational, financial, and employment information) (GAO) |
| Personnel Security | The policies, procedures and processes that ensure that each person is vetted and given only the necessary access to PHI required by their role |
| Personnel Security Policy | Documented policies and procedures that describe and define how only the appropriate people have access to PHI |
| Physical Threat | A vulnerability that requires physical access to the device or network under threat (can include theft, intentional destruction, tampering, surveillance) |
| Physical Access Controls | Formal, documented policies, procedures and practices that limit physical access to an entity's facility or physical resources (e.g., room or cabinet containing computer network hardware) while permitting authorized access |
| Physical Safeguards | Policies, procedures and practices that secure an entity's facility, including information systems and equipment, from loss |
| Protected Health Information | Individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records (NIH) |
| Response Procedures and Reporting | Formal, documented policies, procedures and practices that define the actions, including mitigation, future prevention, recovery and documentation, to be undertaken if a suspected or proven security incident occurs |
| Risk Analysis | Examination of an entity's facility and practices to identify the risk to an information system and to PHI |
| Risk Management | Designing and implementing responses and protections, based on a risk analysis, to protect the assets of an entity |
| Role-Based Access Control | Security managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles (NIST) |
| Safeguards | Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices (NIST) |
| Sanctions | Actions to be taken if the covered entity's workforce fails to comply with its privacy policies, procedures and practices |
| Security Incident | Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (HHS) |
| Security Incident Procedures | Formal, documented policies, procedures and practices for responding to and reporting security breaches |
| Security Management Process | Implementing policies, procedures and practices to prevent, detect, mitigate, respond to and correct security violations |
| Security or Security Measures | All administrative, physical, and technical safeguards implemented to secure PHI |
| Security Policy | Formal, documented policies, procedures and practices that define the necessary levels of information security, based on a comprehensive risk analysis |
| Social Vulnerability | Manipulating people to gain important security or confidential information |
| Software | Computer programs, including commercial applications and scripts, that enable a device to complete a specific task |
| Technical Safeguards | Formal, documented policies, procedures and practices, as well as hardware and software, necessary to secure PHI |
| Thumb Drive | See USB |
| Transaction | Information exchange, for administrative or medical purposes, related to health care between two entities |
| Unique User Identifier | Any character or number string used to unambiguously and specifically identify a person or organization (e.g., Social Security number, Tax ID number, National Provider Identifier (NPI)) |
| USB | "Universal Serial Bus," a common connector found on computing devices; can be used to attach "thumb drives" and other portable devices or media to computing devices |
| User | An entity, including a person or organization (e.g., business associate), with authorized access to a system |
| Vulnerability | Flaw or weakness in system security procedures, design, implementation, or internal controls that could cause accidental loss (e.g., lack of backup) or be exploited for a security breach or a violation of the system's security policy |
| Wetware | People; techie talk for "software installed by Mother Nature" |
| Workforce | Any person, paid or unpaid, who is under the direct control of, and performs work for, an entity |
| Workforce Security | An entity's formal, documented policies, procedures and practices that define workforce access to facilities, systems and data that include PHI |
| Workstation Use Policy | Formal, documented policies, procedures and practices that define appropriate, secure use of workstations that store or access PHI |