HIPAA Glossary
Navigating HIPAA requires understanding a specialised vocabulary. This glossary defines the key terms you will encounter in HIPAA regulations, enforcement actions, and compliance discussions.
A
Administrative Safeguards
Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI. These include risk analysis, workforce training, and security management processes.
Authorisation
A written document, signed by the individual, that permits a covered entity to use or disclose PHI for a purpose the Privacy Rule does not otherwise permit or require (most marketing, for example). It must contain the core elements and required statements specified in the Privacy Rule, and a use or disclosure outside its scope is a violation.
B
Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the information. Since the Omnibus Rule, any impermissible use or disclosure is presumed to be a breach unless the entity demonstrates a low probability of compromise through a documented risk assessment. Notification obligations apply only to unsecured PHI, so PHI that was encrypted in line with HHS guidance (with the key not also compromised) does not trigger them.
Business Associate (BA)
A person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI, or provides services to a covered entity where the provision of the service involves access to PHI.
Business Associate Agreement (BAA)
A written contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the business associate.
C
Civil Monetary Penalty (CMP)
A financial penalty assessed by the HHS Office for Civil Rights for HIPAA violations. Penalties are tiered by culpability (from lack of knowledge up to uncorrected wilful neglect), adjusted annually for inflation, and currently range from $145 per violation to an annual cap of over $2.1 million for violations of an identical provision.
Covered Entity
A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a HIPAA-standard transaction.
D
De-identification
The process of removing identifying information from health data so that it can no longer be used to identify an individual. HIPAA provides two methods: Safe Harbor and Expert Determination. Properly de-identified information is no longer PHI and falls outside the Privacy Rule.
Designated Record Set
A group of records maintained by or for a covered entity that includes medical and billing records, as well as enrolment, payment, and claims records used to make decisions about individuals.
E
ePHI (Electronic Protected Health Information)
PHI that is created, stored, transmitted, or received in electronic form. The Security Rule, with its administrative, physical, and technical safeguards, applies only to ePHI; PHI on paper or spoken aloud is covered by the Privacy Rule alone.
Expert Determination
A method of de-identification in which a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles determines that the risk of identifying an individual from the data set is very small, and documents the methods and results supporting that determination.
H
HHS (Department of Health and Human Services)
The federal department responsible for administering HIPAA. The Office for Civil Rights (OCR) within HHS enforces the Privacy and Security Rules.
HITECH Act
The Health Information Technology for Economic and Clinical Health Act of 2009, which strengthened HIPAA enforcement, extended requirements to business associates, and established the Breach Notification Rule.
M
Minimum Necessary Standard
The principle that covered entities must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose. It does not apply to disclosures to a provider for treatment, or to disclosures to the individual or under a valid authorisation.
N
Notice of Privacy Practices (NPP)
A document that covered entities must provide to patients describing how their PHI may be used and disclosed, and outlining their rights under the Privacy Rule.
O
OCR (Office for Civil Rights)
The office within HHS responsible for enforcing the HIPAA Privacy and Security Rules through complaint investigations, compliance reviews, and civil monetary penalties.
Omnibus Rule
Published in 2013, this final rule implemented HITECH Act provisions, extended HIPAA liability to business associates and subcontractors, and strengthened patient rights.
P
PHI (Protected Health Information)
Individually identifiable health information held or transmitted by a covered entity or business associate, in any form or medium.
Physical Safeguards
Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorised intrusion.
Privacy Rule
The HIPAA regulation that establishes national standards for protecting individuals' medical records and other personal health information. Applies to PHI in all forms.
R
Risk Analysis
An assessment of the risks and vulnerabilities that could affect the confidentiality, integrity, and availability of ePHI. Required under the Security Rule and the most commonly cited deficiency in OCR enforcement actions.
S
Safe Harbor
A method of de-identification that requires the removal of all 18 categories of identifiers listed in the Privacy Rule (names, geographic units smaller than a state, date elements other than year, ages over 89, contact details, SSNs, record and account numbers, device and vehicle identifiers, URLs, IP addresses, biometrics, full-face photos, and any other unique identifying number, characteristic, or code), and that the covered entity has no actual knowledge that the remaining information, alone or in combination with other information, could identify the individual. Limited generalisation is allowed: the first three digits of a ZIP code may be kept if that three-digit area contains more than 20,000 people, and ages over 89 may be aggregated into a single "90 or older" category.
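The following is an added example, not part of the glossary, showing how the Safe Harbor rules (and so the De-identification entry above) translate into code for a structured record. It takes a default-deny approach: only an allowlist of non-identifying fields survives, dates collapse to their year, ZIP codes collapse to three digits (or 000 for the sparsely populated prefixes), and ages over 89 become "90+" with the birth year removed. The record layout, field names and sample patient are constructed for illustration; the restricted ZIP prefix list is the one HHS published from 2000 census data and should be re-checked before production use. Free-text fields are simply dropped here, since scrubbing narrative text needs a separate approach.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example for the glossary, not part of it. Field names, record
layout and sample data are this example's own assumptions.
"""
import re
from datetime import date

# Fields a Safe Harbor data set may keep unchanged. Anything not listed
# here, not in DATE_FIELDS and not the ZIP field is dropped, which covers
# the 17 enumerated identifier types and the catch-all "any other unique
# identifying number, characteristic, or code". (Assumed field names.)
KEEP_FIELDS = {"sex", "state", "diagnosis_codes", "procedure_codes", "smoker"}

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

ZIP_FIELD = "zip"

# Three-digit ZIP prefixes covering 20,000 people or fewer in the 2000
# Census, as listed in HHS's de-identification guidance. Safe Harbor
# requires these to be reported as 000. Verify against current census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalise_zip(zip_code):
    """Reduce a ZIP (or ZIP+4) code to its first three digits, or to 000
    when that prefix is on the restricted list. Returns None if no usable
    five-digit ZIP is present."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def parse_date(value):
    """Accept a date object or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def age_on(birth, as_of):
    """Whole years between birth and the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record, as_of):
    """Return a new dict containing only Safe Harbor-permitted values.

    as_of is the reference date used to decide whether the individual is
    over 89; it is not written to the output.
    """
    out = {}
    for field in KEEP_FIELDS:
        if field in record:
            out[field] = record[field]
    if ZIP_FIELD in record:
        out["zip3"] = generalise_zip(record[ZIP_FIELD])
    for field in DATE_FIELDS:
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = parse_date(record[field]).year
    # Ages over 89, and any date element (including year) that would reveal
    # such an age, collapse into a single "90+" category.
    if record.get("birth_date") is not None:
        age = age_on(parse_date(record["birth_date"]), as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "street_address": "12 Example Street",
    "city": "Exampleville",
    "state": "NY",
    "zip": "10280",            # prefix 102 is on the restricted list
    "birth_date": "1931-03-15",  # over 89 as of mid-2024
    "admission_date": "2024-02-10",
    "discharge_date": "2024-02-14",
    "sex": "F",
    "diagnosis_codes": ["E11.9", "I10"],
    "device_serial": "PM-8841-Q",
    "notes": "free text is dropped, not scrubbed, by this example",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 6, 1)))
```

Running the sample yields a record holding only sex, state, diagnosis codes, admission and discharge years, zip3 of 000 and an age of "90+"; the birth year is gone because it would reveal an age over 89. Note that Safe Harbor also requires the covered entity to have no actual knowledge that the remaining fields could re-identify someone, which no function can assert on its own, and that rare diagnosis codes combined with state and year can still single people out; that is where the Expert Determination method applies.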
Security Rule
The HIPAA regulation that establishes national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Requires administrative, physical, and technical safeguards.
T
Technical Safeguards
The technology, and the policies and procedures for its use, that protect ePHI and control access to it. The Security Rule's technical safeguard standards are access control, audit controls, integrity, person or entity authentication, and transmission security.
Treatment, Payment, and Healthcare Operations (TPO)
The three categories of uses and disclosures of PHI that do not require the individual's authorisation. Treatment includes care coordination, payment includes billing and claims, and healthcare operations includes quality assessment and workforce training.
This glossary covers the most frequently referenced HIPAA terms. For the complete regulatory definitions, refer to 45 CFR Parts 160 and 164.