Glossary of Compliance

Compliance Glossary

Our list of curated compliance glossary offers everything you to know about compliance in one place.

a b c d e f g h i j k l m n o p q r s t u v w x y z

Administrative Safeguards

Administrative Safeguards are actions, policies, and procedures to manage the development, implementation, and maintenance of security measures to protect PHI. It guides covered entities to be compliant with the HIPAA security rule. In order to comply with Administrative Safeguards, one must evaluate their existing security controls, accurately analyze risks to the systems, and evaluate documented…

Availability

Availability means the healthcare facility should keep their hardware and software systems up and running properly. This requires covered entities and business associates to keep their infrastructure updated to protect it against security threats. Availability is a requirement for HIPAA technical and physical safeguards. Its goal is to allow authorized individuals to access necessary information…

BAA

A Business Associate Agreement (BAA) is a signed agreement between covered entities and business associates. HIPAA privacy rule mandates that covered entities who share PHI with third party service providers specify the responsibilities of each party to secure PHI. A BAA must describe the permitted rules to use or disclose PHI and require the business…

Business Associates

Business Associates are individuals or entities who work for or provide a service for a covered entity. The work involves use and disclosure of Protected Health Information (PHI). They must comply with the privacy rule of HIPAA. Business Associates perform functions like claims processing, data analysis, quality assurance, practice management, repricing, and more.

Covered Entities

Covered Entities can be a health plan, health care clearinghouse, or health care provider. They electronically transmit health information as per HHS standards and include individuals and organizations. – Health plans are individuals or groups who provide medical care or cover its expenses. – Health care clearinghouses are private or public firms who process health…

Data Use Agreement

A Data Use Agreement (DUA) is an agreement that oversees the sharing of data between research collaborators that fall under covered entities in the HIPAA privacy rule. A DUA defines the ways in which the information is established as a limited data set, its use by the intended recipient, and how well it is protected.

De-Identified Information

De-Identified Information is health information that does not identify an individual if covered entities hold that there is no reasonable cause to believe that it can be used to identify an individual. The HIPAA privacy rule specifies two methods to de-identify PHI. – Expert determination method which applies statistical or scientific principles to conclude that…

Designated Record Set

Designated record sets include billing records, medical records, payment and claim records, case management records, health plan enrollment records, as well as other records used, in part or in whole or by or for a covered entity, to reach conclusions about individuals.

DHS

The Department of Human Services, or DHS, provides and sponsors many types of health and social services as well as determines persons’ eligibility to receive those services. They collect personal and health information about you and/or your family, which is kept private and called “protected health information.”

Direct Treatment Relationships

A healthcare provider is said to have a Direct Treatment Relationship with the patient if they provides services, diagnoses, products, or results directly to the patient.

Disaster Recovery Plan

A HIPAA disaster recovery plan (HIPAA DRP) is a formal proposition that specifies the processes, actions, and methodologies that must be embraced to secure and restore electronic health records (EHR) in case of a natural or manmade disaster, calamity or similar event.

Electronic Media

Electronic Media refers to storage systems such as hard drives, computers, USB, optical disk or any medium in which data can be stored in the digital format. Additionally, any medium used to transmit data such as the internet, extranet, dial up lines, private networks are considered as electronic media.

Emergency Mode Operations Plan

Emergency Mode Operations Plan is a process that requires health care services to continue their business operation during a disastrous event. These include fire, earthquake, robbery, data theft, system failure, or any natural or man made disaster.

EMO Plan

An Emergency Mode Operation (EMO) plan is an organization’s contingency plan for continuous operations in the event of a fire, natural disaster, vandalism, or system failure. Budget and resources should be allocated for EMO and tested in a controlled environment.

ePHI

Any patient data that is created, stored, managed, transmitted, or shared via electronic means is Electronic Protected Health Information (ePHI). As per the HIPAA regulation, there are 18 HIPAA identifiers that qualify as ePHI. Covered entities and business associates are required to protect ePHI as per HIPAA security and privacy rule.

External Entity

An external entity could imply any individual, organization or government body other than the applicant group that is dealing with or utilizing PHI.

Facility Security Plan

All HIPAA-Covered Components have to implement a facility security plan to safeguard the facility and the equipment within from unauthorized physical access, theft, and tampering for all locations that store and/or access ePHI.

Health Care Clearinghouse

A Health Care Clearinghouse can be any organization that processes non standard health information into a standard content format; on behalf of another entity or service.

Health Care Component

Health Care Component (HCC) is a component or a combination of components of a HIPAA hybrid entity. A hybrid entity is a covered entity whose business activities include covered and noncovered functions.

Health Care Provider

The term “Health Care Provider” includes: – a hospital, home health entity, skilled nursing facility, nursing facility, – long-term care facilities such as health care clinics, renal dialysis facilities, community mental health centers, blood centers, -emergency medical services provider, ambulatory surgical center, -Federally qualified health center, group practice, practitioner, pharmacist, physician, pharmacy, laboratory, a rural…

HHS

The United States Department HHS, or Health and Human Services, is a cabinet-level executive branch of the U.S. federal government created to safeguard the health of all American citizens and provide essential human services.

HIC

The Department of Public Health’s (DPH) Human Investigations Committee (HIC) is responsible for monitoring, reviewing, and approving research by utilizing identifiable health information obtained by the Department with the purpose of protecting the rights and the well-being of the research subjects.

HIPAA Liaison

HIPAA Liaisons are designated by each HCC to work with the Office of HIPAA Privacy and are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Liaisons may receive requests from patients as well, including but not limited to access, appeals, amendment, and accountings…

Hybrid Entity

A legal entity that carries out both covered as well as non-covered functions may designate itself as a hybrid Entity under HIPAA and may choose not to apply the Privacy Rule to its non-healthcare components, whereas all covered healthcare components must be in compliance with HIPAA, and the covered entity retains security compliances, oversight, and…

Limited Data Set

A limited data set is detailed as health information that excludes certain listed direct identifiers but that may include city; ZIP Code; state; elements of date; telephone numbers, fax numbers and other characteristics, numbers, or codes not listed as direct identifiers. The direct identifiers defined in the Privacy Rule’s limited data lays down provisions that…

OCR

The Office for Civil Rights (OCR) promotes medical excellence throughout the nation by ensuring equal access to certain health and human services while protecting the privacy and security of health information.

PHI

Protected Health Information (PHI) refers to any data in a medical data record that can be used to identify an individual. This data was created, used, or disclosed during the course of offering health services to a patient. The Privacy Rule of HIPAA extensively covers the rights an individual has over this information. Covered entities…

Physical Safeguards

Physical safeguards as the physical measures, procedures, and policies to protect a covered entity’s electronic information systems and related equipment and buildings from natural and unnatural hazards and unauthorized intrusion.

Privacy Official

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Officer is responsible for developing, managing, and implementing processes to ensure the organizations are in compliance with applicable federal as well as state HIPAA regulations and guidelines, particularly for the organizations having access to and using protected health information (PHI).

Public Health Activities

Public health activities include the reporting of disease or injury; conducting public health surveillance; reporting vital events (e.g., births or deaths); reporting child abuse and neglect; investigations or interventions; and monitoring adverse outcomes related to drugs, food (including dietary supplements), biological products, and medical devices. Covered entities may report adverse activities related to public agencies or…

Risk Assessment

A risk assessment validates if your organization is compliant with HIPAA’s technical, administrative, and physical safeguards. A risk assessment also helps identify areas where your organization’s Protected Health Information (PHI) is vulnerable to breach.

Risk Management

Risk Management is a formal plan to identify and rectify risks. Some of these basic practices will help you achieve security compliance without breaking your budget. – Put in place “Technical, Administrative, and Physical Safeguards” to protect Public Health Information(PHI) – Identify and fix vulnerabilities in your system – Work on it consistently and perform…

Security Official

The Security Officer for HIPAA deals with all forms of data to monitor risks, assess for threats and create policies and compliances to manage vulnerabilities. They are responsible for creating, implementing, and enforcing an organization’s security program as per the physical, administrative, and technical, based on the security rule.

SRA Tool

The OCR in partnership with the Office of the National Coordinator for Health Information Technology, developed a downloadable Security Risk Assessment (SRA) Tool that guides users through the security risk assessment process by utilizing a simple, wizard-based approach as asked for by the CMS or the Centers for Medicare and Medicaid Service Electronic Health Record…

Subcontractors

Subcontractors are individuals to whom business associates delegate a task or function or service that involves creation, transmission, or management of PHI. They work on behalf of a BA and are subject to comply with HIPAA privacy requirements.

Unsecured Protected Health Information

It refers to protected health information that has not been rendered unusable, indecipherable, or unreadable to unauthorized personnel through the use of a technology or procedure specified by the Secretary in guidance.

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.

BAA

A Business Associate Agreement (BAA) is a signed agreement between covered entities and business associates. HIPAA privacy rule mandates that covered entities who share PHI with third party service providers specify the responsibilities of each party to secure PHI. A BAA must describe the permitted rules to use or disclose PHI and require the business…

External Entity

An external entity could imply any individual, organization or government body other than the applicant group that is dealing with or utilizing PHI.

HIC

The Department of Public Health’s (DPH) Human Investigations Committee (HIC) is responsible for monitoring, reviewing, and approving research by utilizing identifiable health information obtained by the Department with the purpose of protecting the rights and the well-being of the research subjects.

Risk Assessment

A risk assessment validates if your organization is compliant with HIPAA’s technical, administrative, and physical safeguards. A risk assessment also helps identify areas where your organization’s Protected Health Information (PHI) is vulnerable to breach.

Privacy Official

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Officer is responsible for developing, managing, and implementing processes to ensure the organizations are in compliance with applicable federal as well as state HIPAA regulations and guidelines, particularly for the organizations having access to and using protected health information (PHI).

Physical Safeguards

Physical safeguards as the physical measures, procedures, and policies to protect a covered entity’s electronic information systems and related equipment and buildings from natural and unnatural hazards and unauthorized intrusion.