Comprehensive definitions of key HIPAA terms, acronyms, and compliance terminology.
An implementation specification that covered entities and business associates must assess. If the specification is reasonable and appropriate for the organization, it must be implemented. If not, the organization must document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is, documenting that decision as well. Addressable does not mean optional - it requires a documented assessment, and OCR will ask to see that documentation.
Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI). These include security management processes, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts.
The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. HIPAA presumes an impermissible use or disclosure is a breach unless the covered entity or business associate documents a risk assessment showing a low probability that the PHI has been compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
HIPAA rule requiring covered entities and business associates to provide notification following a breach of unsecured protected health information. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, regardless of how many people are affected. Breaches affecting 500 or more individuals must also be reported to the Secretary of HHS within that same 60-day window, and to prominent media outlets when 500 or more residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity, which remains responsible for the individual notifications unless the BAA delegates that duty.
A person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve access to protected health information. Examples include IT vendors, billing companies, consultants, cloud service providers, and shredding services. Since 2013, business associates are directly liable for HIPAA violations.
A written contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, report breaches, ensure subcontractors sign BAAs, and return or destroy PHI upon contract termination. BAAs are required by HIPAA and must contain specific provisions.
Organizations that must comply with HIPAA rules. This includes: (1) Health care providers who transmit health information electronically in connection with a HIPAA standard transaction such as a claim or eligibility check (doctors, clinics, hospitals, dentists, pharmacies, etc.), (2) Health plans (insurance companies, HMOs, Medicare, Medicaid), and (3) Health care clearinghouses that process health information. Covered entities are directly regulated by HIPAA.
Health information that does not identify an individual and for which there is no reasonable basis to believe it can be used to identify an individual. De-identified information is not subject to HIPAA Privacy Rule restrictions. HIPAA provides two methods for de-identification: expert determination, in which a qualified statistician documents that the re-identification risk is very small, or the Safe Harbor method, which removes 18 specific identifiers of the individual and of relatives, employers, and household members and additionally requires that the covered entity have no actual knowledge that the remaining information could identify the individual.
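The Safe Harbor method is mechanical enough to automate for structured records, and the places implementations usually get wrong are the edge cases: three-digit ZIP prefixes covering 20,000 or fewer people must become 000, any age over 89 must lose its birth year and collapse into a single 90+ category, and free-text fields carry identifiers that no field-dropping step touches. The Python below is an added illustration written for this glossary entry; it is not code from this page or from HHS. The record layout and field names are made up, the sample record is constructed, and the restricted ZIP prefix set is the one HHS published in its de-identification guidance from 2000 Census data, which a real implementation should refresh against current data.

```python
"""Safe Harbor de-identification of a structured patient record (added example)."""
import re
from datetime import date

# Reference date for age calculations; fixed so the example is reproducible.
AS_OF = date(2024, 6, 1)

# Fields holding direct identifiers that Safe Harbor removes outright.
# The field names belong to the made-up record layout below (assumption).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer, as listed
# in HHS's de-identification guidance (2000 Census). Assumption: refresh this set
# from current census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Patterns for identifiers that do have a recognizable shape in free text.
FREE_TEXT_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),              # email addresses
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSNs
    re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"),  # US phone numbers
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),                 # ISO dates
]

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street": "12 Elm St",
    "zip": "03601",
    "dob": "1931-02-14",
    "admit_date": "2024-05-03",
    "diagnosis": "E11.9",
    "notes": "Patient reachable at jane@example.com or 555-0100; lives at 12 Elm St.",
}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # not a usable ZIP; drop it rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Reduce a date directly related to the individual to its year."""
    return str(date.fromisoformat(iso_date).year)


def generalize_birth_date(iso_dob, as_of):
    """Return (birth_year, age_category). Ages over 89 lose the year entirely
    and collapse into the single '90+' category, as Safe Harbor requires."""
    dob = date.fromisoformat(iso_dob)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        return None, "90+"
    return str(dob.year), None


def scrub_free_text(text):
    """Replace pattern-matchable identifiers in notes. Names and street addresses
    have no reliable pattern, so this is a first pass, not a Safe Harbor guarantee."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def safe_harbor(record, as_of=AS_OF):
    """Return a de-identified copy of a structured record under Safe Harbor."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    if "dob" in out:
        out["birth_year"], out["age_category"] = generalize_birth_date(out.pop("dob"), as_of)
    for field in ("admit_date", "discharge_date", "date_of_death"):
        if out.get(field):
            out[field] = generalize_date(out[field])
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"])
    return out


if __name__ == "__main__":
    for key, value in safe_harbor(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Note what the free-text scrub does not catch: the street address survives in the notes field, because names and addresses have no reliable regular expression. For a Safe Harbor claim, free text needs either removal or review with a tool built for clinical text, and the covered entity must still be able to say it has no actual knowledge that the remaining data could identify the individual.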
The process of converting encrypted ePHI back into its original, readable form using the appropriate decryption key. Only authorized users with valid credentials should have access to decryption keys. HHS guidance on securing PHI also expects decryption keys to be stored on a device or at a location separate from the data they protect; encrypted ePHI whose key is stored alongside it, or is compromised with it, is not considered secured for breach notification purposes.
A group of records maintained by or for a covered entity that includes medical records, billing records, enrollment and payment records, and other records used to make decisions about individuals. Patients have rights to access, amend, and receive an accounting of disclosures from their designated record set.
The release, transfer, provision of access to, or divulging of information outside the entity holding the information. Under HIPAA, covered entities must track certain disclosures of PHI and provide an accounting to patients upon request.
Protected health information that is created, stored, transmitted, or received in electronic form. ePHI is subject to the HIPAA Security Rule in addition to the Privacy Rule. Examples include electronic medical records, emails containing PHI, databases with patient information, and digital images.
The process of encoding ePHI using an algorithmic process that transforms it into a form unusable without the proper decryption key. Encryption is an addressable specification under the Security Rule, but in practice it is the control that most directly determines whether a lost laptop or intercepted transmission becomes a reportable breach. ePHI encrypted consistently with HHS guidance, which points to NIST SP 800-111 for data at rest and to FIPS 140-validated, NIST-recommended protocols such as TLS (NIST SP 800-52) or IPsec (NIST SP 800-77) for data in transit, is considered secured and exempt from breach notification, provided the decryption key was not also compromised. Encryption using weak or deprecated algorithms, or with keys stored next to the data, does not earn that exemption.
HIPAA rule that establishes procedures for investigations, hearings, and imposition of civil monetary penalties for HIPAA violations. The Enforcement Rule is administered by the Office for Civil Rights (OCR) and defines the investigation process, penalty tiers, and factors considered when determining fines.
The electronic movement of health-related information among organizations according to nationally recognized standards. HIEs enable secure sharing of patient information across different healthcare systems while maintaining HIPAA compliance.
The federal agency responsible for enforcing HIPAA regulations. The Office for Civil Rights (OCR) within HHS handles HIPAA Privacy, Security, and Breach Notification Rule enforcement through complaint investigations, compliance reviews, and audits.
Federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA ensures individuals' health information is properly protected while allowing the flow of health data needed to provide quality healthcare. It includes the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
The person who is the subject of protected health information. Under HIPAA, individuals have specific rights including access to their records, right to amend information, accounting of disclosures, and confidential communications.
Protected health information that excludes 16 specific direct identifiers but may contain dates and geographic information. Limited data sets may be used for research, public health, or health care operations under a data use agreement without individual authorization.
HIPAA requirement that covered entities and business associates make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose. This standard does not apply to uses and disclosures for treatment, to disclosures to the individual, or to uses and disclosures made under a valid authorization, among other exceptions. In practice it is implemented through role-based access: each workforce role is granted access only to the categories of PHI its duties require.
A security mechanism requiring two or more verification factors to gain access to a system. Factors include something you know (password), something you have (security token, phone), or something you are (biometric). MFA significantly reduces the risk of stolen or guessed credentials leading to unauthorized access to ePHI. HHS's proposed update to the Security Rule, published for public comment in early 2025, would make MFA a required specification; until a final rule takes effect, MFA remains a strongly recommended control rather than an explicit HIPAA mandate.
A document that covered entities must provide to patients explaining how their PHI may be used and disclosed, patient rights under HIPAA, and the organization's legal duties regarding PHI protection. The NPP must be provided at the first service delivery, posted prominently in facilities, and available on websites.
The division within HHS responsible for enforcing HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints, conducts compliance reviews, performs audits, and imposes civil monetary penalties for violations. OCR also provides guidance and educational resources on HIPAA compliance.
Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Examples include facility access controls, workstation use policies, workstation security, and device and media controls.
The individual designated by a covered entity to be responsible for the development and implementation of privacy policies and procedures. The Privacy Officer handles privacy complaints, provides training, and ensures compliance with the HIPAA Privacy Rule. Designation of a Privacy Officer is a required specification.
HIPAA rule establishing national standards for protecting individuals' medical records and other protected health information. The Privacy Rule addresses the use and disclosure of PHI, gives patients rights over their health information, and sets limits on who can access PHI. It applies to all forms of PHI: electronic, paper, and oral.
Individually identifiable health information transmitted or maintained in any form (electronic, paper, or oral) that relates to an individual's past, present, or future physical or mental health condition, provision of health care, or payment for health care. Information is identifiable if it includes, or could reasonably be linked to, identifiers such as names, addresses, dates, Social Security numbers, medical record numbers, or biometric data; the Privacy Rule's Safe Harbor de-identification method enumerates 18 such identifiers that must be removed before information stops being PHI.
An implementation specification that must be implemented by all covered entities and business associates. There is no option to implement an alternative - required specifications are mandatory. Examples include designated Privacy and Security Officials, workforce training, and risk analysis.
A required specification under the Security Rule that involves conducting an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization creates, receives, maintains, or transmits. The Security Rule requires the analysis to be documented and reviewed periodically; it sets no fixed interval, though annual review plus reassessment after significant changes (new systems, acquisitions, major incidents) is the widely adopted practice and what OCR expects to see. Failure to conduct or document an enterprise-wide risk analysis is among the most frequently cited findings in OCR settlements.
The process of implementing security measures to reduce risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level. Risk management involves prioritizing risks, selecting appropriate safeguards, implementing controls, and monitoring effectiveness.
Protective measures prescribed to meet the security standards of the Security Rule. Safeguards are categorized as administrative (policies and procedures), physical (facility and equipment protection), or technical (technology-based controls). Implementation specifications for safeguards are either required or addressable.
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Covered entities and business associates must implement procedures to detect, respond to, and report security incidents. All incidents must be documented even if they do not rise to the level of a breach.
The individual designated by a covered entity or business associate to be responsible for the development and implementation of security policies and procedures. The Security Official oversees compliance with the HIPAA Security Rule, manages risk analysis and risk management processes, and coordinates incident response. Designation of a Security Official is a required specification.
HIPAA rule establishing national standards for protecting electronic protected health information (ePHI). The Security Rule requires implementation of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Unlike the Privacy Rule which covers all PHI, the Security Rule focuses specifically on ePHI.
An attestation framework developed by the American Institute of CPAs (AICPA) for service organizations handling customer data. A SOC 2 report is an independent auditor's opinion on controls relating to the Trust Services Criteria: security (always in scope) and, optionally, availability, processing integrity, confidentiality, and privacy. A Type I report assesses control design at a point in time; a Type II report also tests operating effectiveness over a review period, typically 6 to 12 months. SOC 2 is not a certification and not a HIPAA requirement, but many healthcare organizations and business associates obtain SOC 2 reports to demonstrate security practices to customers. A SOC 2 report does not by itself establish HIPAA compliance.
Technology and the policy and procedures for its use that protect ePHI and control access to it. Technical safeguards include access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Examples include user authentication, encryption, audit logging, and automatic logoff.
Three categories of permitted uses and disclosures of PHI that do not require patient authorization. Treatment includes care coordination and consultation. Payment includes billing and claims processing. Health Care Operations includes quality assessment, case management, and business planning. The Minimum Necessary standard applies to payment and operations but not treatment.
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance: encryption, or destruction (paper shredded or otherwise rendered unreadable, and electronic media cleared, purged, or destroyed consistent with NIST SP 800-88 so that the PHI cannot be retrieved). Breaches of unsecured PHI trigger notification requirements. Properly encrypted or destroyed PHI is considered secured and exempt from breach notification, so long as the decryption key itself was not compromised.
With respect to protected health information, the sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains it. Unlike disclosure (sharing outside the entity), use refers to activities within the organization. Both uses and disclosures must comply with the Minimum Necessary standard except for treatment purposes.
All employees, volunteers, trainees, and other persons whose conduct is under the direct control of a covered entity or business associate, whether or not they are paid. HIPAA requirements apply to all workforce members, and organizations must ensure proper training, access controls, and sanctions for policy violations across the entire workforce.