Compliance Glossary

Administrative Safeguards are actions, policies, and procedures to manage the development, implementation, and maintenance of security measures to protect PHI. It guides covered entities to be compliant with the HIPAA security rule.  In order to comply with Administrative Safeguards, one must evaluate their existing security controls, accurately analyze risks to the systems, and evaluate documented…

Availability means the healthcare facility should keep their hardware and software systems up and running properly. This requires covered entities and business associates to keep their infrastructure updated to protect it against security threats.  Availability is a requirement for HIPAA technical and physical safeguards. Its goal is to allow authorized individuals to access necessary information…

A Business Associate Agreement (BAA) is a signed agreement between covered entities and business associates. HIPAA privacy rule mandates that covered entities who share PHI with third party service providers specify the responsibilities of each party to secure PHI.  A BAA must describe the permitted rules to use or disclose PHI and require the business…

Business Associates are individuals or entities who work for or provide a service for a covered entity. The work involves use and disclosure of Protected Health Information (PHI). They must comply with the privacy rule of HIPAA.  Business Associates perform functions like claims processing, data analysis, quality assurance, practice management, repricing, and more.

Covered Entities can be a health plan, health care clearinghouse, or health care provider. They electronically transmit health information as per HHS standards and include individuals and organizations.  – Health plans are individuals or groups who provide medical care or cover its expenses.   – Health care clearinghouses are private or public firms who process health…

A Data Use Agreement (DUA) is an agreement that oversees the sharing of data between research collaborators that fall under covered entities in the HIPAA privacy rule. A DUA defines the ways in which the information is established as a limited data set, its use by the intended recipient, and how well it is protected.

De-Identified Information is health information that does not identify an individual if covered entities hold that there is no reasonable cause to believe that it can be used to identify an individual.  The HIPAA privacy rule specifies two methods to de-identify PHI.  – Expert determination method which applies statistical or scientific principles to conclude that…

Designated record sets include billing records, medical records, payment and claim records, case management records, health plan enrollment records, as well as other records used, in part or in whole or by or for a covered entity, to reach conclusions about individuals.

The Department of Human Services, or DHS, provides and sponsors many types of health and social services as well as determines persons’ eligibility to receive those services. They collect personal and health information about you and/or your family, which is kept private and called “protected health information.”

A healthcare provider is said to have a Direct Treatment Relationship with the patient if they provides services, diagnoses, products, or results directly to the patient.

A HIPAA disaster recovery plan (HIPAA DRP) is a formal proposition that specifies the processes, actions, and methodologies that must be embraced to secure and restore electronic health records (EHR) in case of a natural or manmade disaster, calamity or similar event.

Electronic Media refers to storage systems such as hard drives, computers, USB, optical disk or any medium in which data can be stored in the digital format. Additionally, any medium used to transmit data such as the internet, extranet, dial up lines, private networks are considered as electronic media.

Emergency Mode Operations Plan is a process that requires health care services to continue their business operation during a disastrous event. These include fire, earthquake, robbery, data theft, system failure, or any natural or man made disaster. 

An Emergency Mode Operation (EMO) plan is an organization’s contingency plan for continuous operations in the event of a fire, natural disaster, vandalism, or system failure. Budget and resources should be allocated for EMO and tested in a controlled environment.

Any patient data that is created, stored, managed, transmitted, or shared via electronic means is Electronic Protected Health Information (ePHI). As per the HIPAA regulation, there are 18 HIPAA identifiers that qualify as ePHI. Covered entities and business associates are required to protect ePHI as per HIPAA security and privacy rule. 

An external entity could imply any individual, organization or government body other than the applicant group that is dealing with or utilizing PHI.

All HIPAA-Covered Components have to implement a facility security plan to safeguard the facility and the equipment within from unauthorized physical access, theft, and tampering for all locations that store and/or access ePHI.

A Health Care Clearinghouse can be any organization that processes non standard health information into a standard content format; on behalf of another entity or service.

Health Care Component (HCC) is a component or a combination of components of a HIPAA hybrid entity. A hybrid entity is a covered entity whose business activities include covered and noncovered functions. 

The term “Health Care Provider” includes: – a hospital, home health entity, skilled nursing facility, nursing facility, – long-term care facilities such as health care clinics,  renal dialysis facilities, community mental health centers, blood centers,  -emergency medical services provider, ambulatory surgical center,  -Federally qualified health center, group practice, practitioner, pharmacist, physician, pharmacy, laboratory, a rural…

The United States Department HHS, or Health and Human Services, is a cabinet-level executive branch of the U.S. federal government created to safeguard the health of all American citizens and provide essential human services.

The Department of Public Health’s (DPH) Human Investigations Committee (HIC) is responsible for monitoring, reviewing, and approving research by utilizing identifiable health information obtained by the Department with the purpose of protecting the rights and the well-being of the research subjects.

A HIPAA Business Associate Agreement is a contract between a HIPAA-covered entity (like a healthcare provider) and a business or individual that helps with certain functions involving PHI. It’s essentially a written arrangement that outlines how the PHI is used. HIPAA requires covered entities to work with business associates who demonstrate the prowess to protect…

A HIPAA authorization form, often called a HIPAA release form, is a document patients sign with their healthcare providers. It grants permission for the provider to use or share their protected health information (PHI) for specific reasons. These reasons include: When is HIPAA authorization required? HIPAA authorization is required in specific situations outlined by 45…

HIPAA-compliant fax is a mandated-trusted method for securely transmitting patient data. To meet HIPAA’s stringent data protection requirements, healthcare professionals and companies use cloud-based fax services to safeguard the integrity of PHI.  Is faxing HIPAA-compliant?  Faxing, by its nature, is considered HIPAA-compliant due to its inherent security and point-to-point transmission. Fax lines and most IP…

The HIPAA Privacy Rule sets standards for safeguarding individuals’ medical records and identifiable health information, commonly known as PHI.  For example, discussions between doctors and patients should occur privately, and patients may prefer to be contacted on their cell phones rather than at home. Even well-meaning family members may not necessarily access a loved one’s…

The HIPAA Journal is a useful website for all things HIPAA. It’s got news, breach info, tips, and the latest in healthcare data security. They’ve got sections like “New HIPAA regulations” and “HIPAA Changes 2023.” You can find out about the latest HIPAA rule updates, like telehealth rules and security changes. They even wrote about…

HIPAA Liaisons are designated by each HCC to work with the Office of HIPAA Privacy and are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Liaisons may receive requests from patients as well, including but not limited to access, appeals, amendment, and accountings…

Covered entities must provide a Notice of Privacy Practices (Privacy Notice) to every individual whose PHI is processed by them. Healthcare providers send this notice to new enrollees during initiation and at least once every three years to the existing ones. Self-insured health plans create their own Privacy Notices, while fully insured plans rely on…

The HIPAA Security Rule defines three crucial standards for safeguarding health information: Administrative Safeguards These safeguards are vital to manage security measures and protect ePHI. Usually, a designated security officer oversees these actions which include risk assessments, access controls, incident response, and security awareness training. Physical Safeguards These measures focus on securing buildings, equipment, and…

HIPAA mandates the implementation of sanctions for policy violations within covered entities. This policy focuses on employee sanctions for HIPAA violations by emphasizing the importance of safeguarding patients’ PHI. Key policy components include: Violating HIPAA regulations can lead to penalties ranging from $100 to $250,000 and prison terms of 1 to 10 years. Consistent enforcement…

HIPAA summary is a brief of the HIPAA frameworks. It talks about how healthcare providers and related entities must process health information and the measures to abide by while transmitting or sharing PHI. Key topics covered in the HIPAA summary are: The Privacy Rule (PHI and Key Concepts) The Privacy Rule governs the use and…

A HIPAA waiver form, also known as a medical record information release form, allows patients to authorize third parties to access their health records. It also permits healthcare providers to share information when needed. Patients can revoke or change these permissions at any time. Sharing medical records without a HIPAA authorization form is a violation….

A legal entity that carries out both covered as well as non-covered functions may designate itself as a hybrid Entity under HIPAA and may choose not to apply the Privacy Rule to its non-healthcare components, whereas all covered healthcare components must be in compliance with HIPAA, and the covered entity retains security compliances, oversight, and…

A limited data set is detailed as health information that excludes certain listed direct identifiers but that may include city;  ZIP Code; state; elements of date; telephone numbers, fax numbers and other characteristics, numbers, or codes not listed as direct identifiers. The direct identifiers defined in the Privacy Rule’s limited data lays down provisions that…

The Office for Civil Rights (OCR) promotes medical excellence throughout the nation by ensuring equal access to certain health and human services while protecting the privacy and security of health information.

Protected Health Information (PHI) refers to any data in a medical data record that can be used to identify an individual. This data was created, used, or disclosed during the course of offering health services to a patient.  The Privacy Rule of HIPAA extensively covers the rights an individual has over this information. Covered entities…

Physical safeguards as the physical measures, procedures, and policies to protect a covered entity’s electronic information systems and related equipment and buildings from natural and unnatural hazards and unauthorized intrusion.

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Officer is responsible for developing, managing, and implementing processes to ensure the organizations are in compliance with applicable federal as well as state HIPAA regulations and guidelines, particularly for the organizations having access to and using protected health information (PHI).

Public health activities include the reporting of disease or injury; conducting public health surveillance; reporting vital events (e.g., births or deaths); reporting child abuse and neglect;  investigations or interventions; and monitoring adverse outcomes related to drugs, food (including dietary supplements), biological products, and medical devices. Covered entities may report adverse activities related to public agencies or…

A risk assessment validates if your organization is compliant with HIPAA’s technical, administrative, and physical safeguards. A risk assessment also helps identify areas where your organization’s Protected Health Information (PHI) is vulnerable to breach.

Risk Management is a formal plan to identify and rectify risks. Some of these basic practices will help you achieve security compliance without breaking your budget. – Put in place “Technical, Administrative, and Physical Safeguards” to protect Public Health Information(PHI) – Identify and fix vulnerabilities in your system – Work on it consistently and perform…

The Security Officer for HIPAA deals with all forms of data to monitor risks, assess for threats and create policies and compliances to manage vulnerabilities. They are responsible for creating, implementing, and enforcing an organization’s security program as per the physical, administrative, and technical, based on the security rule.

The OCR in partnership with the Office of the National Coordinator for Health Information Technology, developed a downloadable Security Risk Assessment (SRA) Tool that guides users through the security risk assessment process by utilizing a simple, wizard-based approach as asked for by the CMS or the Centers for Medicare and Medicaid Service Electronic Health Record…

Subcontractors are individuals to whom business associates delegate a task or function or service that involves creation, transmission, or management of PHI. They work on behalf of a BA and are subject to comply with HIPAA privacy requirements. 

It refers to protected health information that has not been rendered unusable, indecipherable, or unreadable to unauthorized personnel through the use of a technology or procedure specified by the Secretary in guidance.