Glossary of Compliance

Compliance Glossary

Our curated compliance glossary offers everything you need to know about compliance in one place.


A

Administrative Safeguards

Administrative Safeguards are the actions, policies, and procedures used to manage the selection, development, implementation, and maintenance of security measures that protect PHI. They guide covered entities in complying with the HIPAA Security Rule. To comply with the Administrative Safeguards, an organization must evaluate its existing security controls, accurately analyze risks to its systems, and evaluate documented…

Availability

Availability means that a healthcare facility keeps its hardware and software systems up and running properly. This requires covered entities and business associates to keep their infrastructure updated to protect it against security threats. Availability is a requirement under the HIPAA technical and physical safeguards; its goal is to allow authorized individuals to access necessary information…

BAA

A Business Associate Agreement (BAA) is a signed agreement between a covered entity and a business associate. The HIPAA Privacy Rule mandates that covered entities that share PHI with third-party service providers specify the responsibilities of each party to secure PHI. A BAA must describe the permitted uses and disclosures of PHI and require the business…

Business Associates

Business Associates are individuals or entities that work for, or provide a service to, a covered entity, where that work involves the use or disclosure of Protected Health Information (PHI). They must comply with the HIPAA Privacy Rule. Business Associates perform functions such as claims processing, data analysis, quality assurance, practice management, repricing, and more.

Covered Entities

Covered Entities can be a health plan, a health care clearinghouse, or a health care provider. They electronically transmit health information in accordance with HHS standards and include both individuals and organizations.
– Health plans are individuals or groups who provide medical care or cover its expenses.
– Health care clearinghouses are private or public firms who process health…

Data Use Agreement

A Data Use Agreement (DUA) is an agreement that governs the sharing of data between research collaborators that fall under covered entities in the HIPAA Privacy Rule. A DUA defines how the information is established as a limited data set, how the intended recipient may use it, and how it must be protected.

De-Identified Information

De-Identified Information is health information that does not identify an individual and for which the covered entity has no reasonable basis to believe that it can be used to identify an individual. The HIPAA Privacy Rule specifies two methods to de-identify PHI.
– The expert determination method, which applies statistical or scientific principles to conclude that…

Designated Record Set

Designated record sets include billing records, medical records, payment and claim records, case management records, health plan enrollment records, and other records used, in whole or in part, by or for a covered entity to make decisions about individuals.

DHS

The Department of Human Services, or DHS, provides and sponsors many types of health and social services and determines persons’ eligibility to receive those services. It collects personal and health information about you and/or your family, which is kept private and is called “protected health information.”

Disaster Recovery Plan

A HIPAA disaster recovery plan (HIPAA DRP) is a formal document that specifies the processes, actions, and methodologies that must be adopted to secure and restore electronic health records (EHR) in the event of a natural or man-made disaster, calamity, or similar event.

Electronic Media

Electronic Media refers to storage systems such as hard drives, computers, USB drives, optical disks, or any other medium on which data can be stored in digital form. Additionally, any medium used to transmit data, such as the internet, extranets, dial-up lines, and private networks, is considered electronic media.

EMO Plan

An Emergency Mode Operation (EMO) plan is an organization’s contingency plan for continuing operations in the event of a fire, natural disaster, vandalism, or system failure. Budget and resources should be allocated for the EMO plan, and the plan should be tested in a controlled environment.

ePHI

Any patient data that is created, stored, managed, transmitted, or shared by electronic means is Electronic Protected Health Information (ePHI). Under the HIPAA regulation, there are 18 HIPAA identifiers that qualify data as ePHI. Covered entities and business associates are required to protect ePHI under the HIPAA Security and Privacy Rules.

Facility Security Plan

All HIPAA-Covered Components must implement a facility security plan to safeguard the facility and the equipment within it from unauthorized physical access, theft, and tampering, at all locations that store and/or access ePHI.

Health Care Provider

The term “Health Care Provider” includes:
– a hospital, home health entity, skilled nursing facility, nursing facility,
– long-term care facilities such as health care clinics, renal dialysis facilities, community mental health centers, blood centers,
– emergency medical services provider, ambulatory surgical center,
– Federally qualified health center, group practice, practitioner, pharmacist, physician, pharmacy, laboratory, a rural…

HHS

The United States Department of Health and Human Services (HHS) is a cabinet-level department of the executive branch of the U.S. federal government, created to safeguard the health of all Americans and provide essential human services.

HIC

The Department of Public Health’s (DPH) Human Investigations Committee (HIC) is responsible for monitoring, reviewing, and approving research that uses identifiable health information obtained by the Department, with the purpose of protecting the rights and well-being of research subjects.

HIPAA Liaison

HIPAA Liaisons are designated by each HCC to work with the Office of HIPAA Privacy and are the first point of contact for HIPAA compliance questions and procedures for each of the listed covered entities. HIPAA Liaisons may also receive requests from patients, including but not limited to requests for access, appeals, amendments, and accountings…

Hybrid Entity

A legal entity that carries out both covered and non-covered functions may designate itself as a hybrid entity under HIPAA and may choose not to apply the Privacy Rule to its non-healthcare components. All covered healthcare components must still comply with HIPAA, and the covered entity retains security compliance, oversight, and…

Limited Data Set

A limited data set is defined as health information that excludes certain listed direct identifiers but that may include city, ZIP code, state, elements of dates, telephone numbers, fax numbers, and other characteristics, numbers, or codes not listed as direct identifiers. The direct identifiers defined in the Privacy Rule’s limited data set provisions…

OCR

The Office for Civil Rights (OCR) promotes medical excellence throughout the nation by ensuring equal access to certain health and human services while protecting the privacy and security of health information.

PHI

Protected Health Information (PHI) refers to any data in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing health services to a patient. The HIPAA Privacy Rule extensively covers the rights an individual has over this information. Covered entities…

Physical Safeguards

Physical safeguards are the physical measures, policies, and procedures that protect a covered entity’s electronic information systems, and the related equipment and buildings, from natural and unnatural hazards and unauthorized intrusion.

Privacy Official

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Officer is responsible for developing, managing, and implementing processes to ensure that the organization complies with applicable federal and state HIPAA regulations and guidelines, particularly in organizations that have access to and use protected health information (PHI).

Public Health Activities

Public health activities include reporting disease or injury; conducting public health surveillance; reporting vital events (e.g., births or deaths); reporting child abuse and neglect; conducting investigations or interventions; and monitoring adverse outcomes related to drugs, food (including dietary supplements), biological products, and medical devices. Covered entities may report adverse activities to public agencies or…

Risk Assessment

A risk assessment validates whether your organization is compliant with HIPAA’s technical, administrative, and physical safeguards. It also helps identify areas where your organization’s Protected Health Information (PHI) is vulnerable to a breach.

Risk Management

Risk Management is a formal plan to identify and rectify risks. The following basic practices will help you achieve security compliance without breaking your budget.
– Put in place technical, administrative, and physical safeguards to protect Protected Health Information (PHI)
– Identify and fix vulnerabilities in your systems
– Work on it consistently and perform…

Security Official

The HIPAA Security Officer deals with all forms of data in order to monitor risks, assess threats, and create the policies and controls that manage vulnerabilities. They are responsible for creating, implementing, and enforcing the organization’s security program across the physical, administrative, and technical safeguards required by the Security Rule.

SRA Tool

The OCR, in partnership with the Office of the National Coordinator for Health Information Technology, developed a downloadable Security Risk Assessment (SRA) Tool that guides users through the security risk assessment process using a simple, wizard-based approach, as called for by the CMS (Centers for Medicare and Medicaid Services) Electronic Health Record…

Subcontractors

Subcontractors are individuals or entities to whom a business associate delegates a task, function, or service that involves the creation, transmission, or management of PHI. They work on behalf of a BA and must comply with HIPAA privacy requirements.
