⚠️ January 2025 HIPAA Security Rule Updates Now in Effect — New MFA, encryption, and notification requirements.

HIPAA Glossary

Comprehensive definitions of key HIPAA terms, acronyms, and compliance terminology. Click any term to learn more.

A

Addressable Specification

An implementation specification that must be assessed and either implemented or replaced with an equivalent alternative measure.

Administrative Safeguards

Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

Breach

The impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy.

Breach Notification Rule

HIPAA rule requiring notification to affected individuals, HHS, and sometimes media following a breach of unsecured PHI.

Business Associate (BA)

A person or entity that performs functions involving access to PHI on behalf of a covered entity.

Business Associate Agreement (BAA)

A written contract establishing the permitted uses and disclosures of PHI between a covered entity and a business associate.

Covered Entity

Health care providers, health plans, and health care clearinghouses that must comply with HIPAA rules.

De-identified Information

Health information from which all individually identifiable elements have been removed, exempt from Privacy Rule restrictions.

Decryption

The process of converting encrypted ePHI back into its original, readable form using the appropriate decryption key.

Designated Record Set

The group of records maintained by a covered entity that includes medical, billing, and enrollment records used for individual decisions.

Disclosure

The release, transfer, or provision of access to PHI outside the entity holding the information.

Electronic Protected Health Information (ePHI)

PHI that is created, stored, transmitted, or received in electronic form, subject to both the Privacy and Security Rules.

Encryption

The process of encoding ePHI into an unusable form without the proper decryption key, providing safe harbor from breach notification.

Enforcement Rule

HIPAA rule establishing procedures for investigations, hearings, and civil monetary penalties for violations.

Health Information Exchange (HIE)

The electronic movement of health-related information among organizations according to nationally recognized standards.

HHS (Department of Health and Human Services)

The federal agency responsible for enforcing HIPAA regulations through the Office for Civil Rights (OCR).

HIPAA (Health Insurance Portability and Accountability Act)

Federal law enacted in 1996 establishing national standards for protecting sensitive patient health information.

Individual

The person who is the subject of PHI, with specific rights under HIPAA including access to records and amendments.

Limited Data Set

PHI with 16 direct identifiers removed that may be used for research, public health, or operations under a data use agreement.

Minimum Necessary Standard

The requirement to use, disclose, and request only the minimum PHI necessary to accomplish the intended purpose.

Multi-Factor Authentication (MFA)

A security mechanism requiring two or more verification factors to access systems, significantly reducing unauthorized access risk.

Notice of Privacy Practices (NPP)

A document covered entities must provide explaining how PHI may be used, patient rights, and the organization's privacy duties.

OCR (Office for Civil Rights)

The HHS division responsible for enforcing HIPAA through complaint investigations, compliance reviews, audits, and penalties.

Physical Safeguards

Physical measures, policies, and procedures to protect electronic information systems and facilities from hazards and unauthorized access.

Privacy Officer

The designated individual responsible for developing and implementing privacy policies and ensuring Privacy Rule compliance.

Privacy Rule

HIPAA rule establishing national standards for protecting individuals' medical records and PHI in all forms.

Protected Health Information (PHI)

Individually identifiable health information in any form relating to health conditions, healthcare provision, or payment.

Required Specification

A mandatory implementation specification that must be implemented by all covered entities and business associates.

Risk Analysis

A required assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Risk Management

The process of implementing security measures to reduce risks identified in the risk analysis to reasonable levels.

Safeguards

Protective measures categorized as administrative, physical, or technical to meet Security Rule standards.

Security Incident

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in a system.

Security Official

The designated individual responsible for developing and implementing security policies and Security Rule compliance.

Security Rule

HIPAA rule establishing national standards for protecting ePHI through administrative, physical, and technical safeguards.

SOC 2 (System and Organization Controls 2)

An AICPA auditing standard evaluating controls related to security, availability, integrity, confidentiality, and privacy.

Technical Safeguards

Technology and related policies that protect ePHI and control access, including access controls, audit logs, and encryption.

Treatment, Payment, and Health Care Operations (TPO)

Three categories of permitted PHI uses and disclosures that do not require patient authorization.

Unsecured Protected Health Information

PHI not rendered unusable through encryption or destruction, triggering breach notification requirements if compromised.

Use

The sharing, examination, or analysis of PHI within an entity, as opposed to disclosure outside the entity.

Workforce

All employees, volunteers, trainees, and other persons under the direct control of a covered entity or business associate.

Complete HIPAA Guide

Comprehensive guide covering the Privacy Rule, Security Rule, and compliance requirements.

Read guide

FAQs

Frequently asked questions about HIPAA compliance, requirements, and best practices.

View FAQs

Resources

Templates, checklists, and resources to help you implement HIPAA compliance.

Browse resources

Assess Your HIPAA Compliance

Take our free self-assessment to understand your current compliance status and identify gaps.