Glossary of Compliance

Compliance Glossary

Our curated compliance glossary offers everything you need to know about compliance in one place.

Administrative Safeguards

Administrative Safeguards are the actions, policies, and procedures used to manage the development, implementation, and maintenance of security measures that protect PHI. They guide covered entities toward compliance with the HIPAA Security Rule. To comply with the Administrative Safeguards, an organization must evaluate its existing security controls, accurately analyze risks to its systems, and evaluate documented…

Availability

Availability means that a healthcare facility must keep its hardware and software systems up and running properly. This requires covered entities and business associates to keep their infrastructure updated so that it stays protected against security threats. Availability is a requirement of the HIPAA technical and physical safeguards. Its goal is to allow authorized individuals to access necessary information…

BAA

A Business Associate Agreement (BAA) is a signed agreement between a covered entity and a business associate. The HIPAA Privacy Rule mandates that covered entities who share PHI with third-party service providers specify each party's responsibilities for securing PHI. A BAA must describe the permitted uses and disclosures of PHI and require the business…

Business Associates

Business Associates are individuals or entities who work for, or provide a service to, a covered entity, where that work involves the use or disclosure of Protected Health Information (PHI). They must comply with the HIPAA Privacy Rule. Business Associates perform functions such as claims processing, data analysis, quality assurance, practice management, repricing, and more.

Covered Entities

Covered Entities can be a health plan, a health care clearinghouse, or a health care provider. They electronically transmit health information according to HHS standards and include both individuals and organizations.
– Health plans are individuals or groups who provide medical care or cover its expenses.
– Health care clearinghouses are private or public firms who process health…

Data Use Agreement

A Data Use Agreement (DUA) is an agreement that oversees the sharing of data between research collaborators that fall under covered entities in the HIPAA privacy rule. A DUA defines the ways in which the information is established as a limited data set, its use by the intended recipient, and how well it is protected.

De-Identified Information

De-Identified Information is health information that does not identify an individual, provided the covered entity holds that there is no reasonable basis to believe it can be used to identify an individual. The HIPAA Privacy Rule specifies two methods to de-identify PHI:
– The expert determination method, which applies statistical or scientific principles to conclude that…

Designated Record Set

Designated record sets include billing records, medical records, payment and claim records, case management records, and health plan enrollment records, as well as any other records used, in whole or in part, by or for a covered entity to make decisions about individuals.

DHS

The Department of Human Services, or DHS, provides and sponsors many types of health and social services as well as determines persons’ eligibility to receive those services. They collect personal and health information about you and/or your family, which is kept private and called “protected health information.”

Disaster Recovery Plan

A HIPAA disaster recovery plan (HIPAA DRP) is a formal document that specifies the processes, actions, and methodologies that must be followed to secure and restore electronic health records (EHR) in the event of a natural or man-made disaster, calamity, or similar event.

Electronic Media

Electronic Media refers to storage systems such as hard drives, computers, USB drives, optical disks, or any other medium in which data can be stored in digital format. Additionally, any medium used to transmit data, such as the internet, an extranet, dial-up lines, or private networks, is considered electronic media.

EMO Plan

An Emergency Mode Operation (EMO) plan is an organization’s contingency plan for continuous operations in the event of a fire, natural disaster, vandalism, or system failure. Budget and resources should be allocated for EMO and tested in a controlled environment.

ePHI

Any patient data that is created, stored, managed, transmitted, or shared by electronic means is Electronic Protected Health Information (ePHI). Under the HIPAA regulation, there are 18 HIPAA identifiers that qualify data as ePHI. Covered entities and business associates are required to protect ePHI in accordance with the HIPAA Security and Privacy Rules.

Facility Security Plan

All HIPAA-Covered Components have to implement a facility security plan to safeguard the facility and the equipment within from unauthorized physical access, theft, and tampering for all locations that store and/or access ePHI.

Health Care Provider

The term “Health Care Provider” includes:
– a hospital, home health entity, skilled nursing facility, or nursing facility;
– long-term care facilities such as health care clinics, renal dialysis facilities, community mental health centers, and blood centers;
– an emergency medical services provider or ambulatory surgical center;
– a Federally qualified health center, group practice, practitioner, pharmacist, physician, pharmacy, laboratory, a rural…

HHS

The United States Department of Health and Human Services (HHS) is a cabinet-level department of the executive branch of the U.S. federal government, created to safeguard the health of all Americans and provide essential human services.

HIC

The Department of Public Health’s (DPH) Human Investigations Committee (HIC) is responsible for monitoring, reviewing, and approving research that utilizes identifiable health information obtained by the Department, with the purpose of protecting the rights and well-being of research subjects.

HIPAA Agreement

A HIPAA Business Associate Agreement is a contract between a HIPAA-covered entity (such as a healthcare provider) and a business or individual that assists with certain functions involving PHI. It is essentially a written arrangement that outlines how the PHI may be used. HIPAA requires covered entities to work only with business associates who demonstrate the ability to protect…

HIPAA Authorization Form

A HIPAA authorization form, often called a HIPAA release form, is a document patients sign with their healthcare providers. It grants permission for the provider to use or share their protected health information (PHI) for specific reasons. These reasons include:
When is HIPAA authorization required?
HIPAA authorization is required in specific situations outlined by 45…

HIPAA Compliant Fax

HIPAA-compliant fax is a mandated and trusted method for securely transmitting patient data. To meet HIPAA’s stringent data protection requirements, healthcare professionals and companies use cloud-based fax services to safeguard the integrity of PHI.
Is faxing HIPAA-compliant?
Faxing, by its nature, is considered HIPAA-compliant due to its inherent security and point-to-point transmission. Fax lines and most IP…

HIPAA Confidentiality

The HIPAA Privacy Rule sets standards for safeguarding individuals’ medical records and identifiable health information, commonly known as PHI. For example, discussions between doctors and patients should occur privately, and patients may prefer to be contacted on their cell phones rather than at home. Even well-meaning family members may not necessarily access a loved one’s…

HIPAA Journal

The HIPAA Journal is a useful website for all things HIPAA. It offers news, breach information, tips, and the latest developments in healthcare data security, with sections such as “New HIPAA regulations” and “HIPAA Changes 2023.” You can find out about the latest HIPAA rule updates, such as telehealth rules and security changes. They even wrote about…

HIPAA Liaison

HIPAA Liaisons are designated by each HCC to work with the Office of HIPAA Privacy and are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Liaisons may receive requests from patients as well, including but not limited to access, appeals, amendment, and accountings…

HIPAA Privacy Practices

Covered entities must provide a Notice of Privacy Practices (Privacy Notice) to every individual whose PHI they process. Healthcare providers send this notice to new enrollees at enrollment and to existing enrollees at least once every three years. Self-insured health plans create their own Privacy Notices, while fully insured plans rely on…

HIPAA Safeguards

The HIPAA Security Rule defines three crucial standards for safeguarding health information:
Administrative Safeguards
These safeguards are vital to manage security measures and protect ePHI. Usually, a designated security officer oversees these actions, which include risk assessments, access controls, incident response, and security awareness training.
Physical Safeguards
These measures focus on securing buildings, equipment, and…

HIPAA Sanctions

HIPAA mandates the implementation of sanctions for policy violations within covered entities. This policy focuses on employee sanctions for HIPAA violations by emphasizing the importance of safeguarding patients’ PHI. Key policy components include:
Violating HIPAA regulations can lead to penalties ranging from $100 to $250,000 and prison terms of 1 to 10 years. Consistent enforcement…

HIPAA Summary

A HIPAA summary is a brief overview of the HIPAA framework. It describes how healthcare providers and related entities must process health information and the measures they must follow when transmitting or sharing PHI. Key topics covered in the HIPAA summary are:
The Privacy Rule (PHI and Key Concepts)
The Privacy Rule governs the use and…

HIPAA Waiver Form

A HIPAA waiver form, also known as a medical record information release form, allows patients to authorize third parties to access their health records. It also permits healthcare providers to share information when needed. Patients can revoke or change these permissions at any time. Sharing medical records without a HIPAA authorization form is a violation…

Hybrid Entity

A legal entity that carries out both covered and non-covered functions may designate itself as a hybrid entity under HIPAA and may choose not to apply the Privacy Rule to its non-healthcare components. All covered healthcare components must still comply with HIPAA, and the covered entity retains security compliance, oversight, and…

Limited Data Set

A limited data set is defined as health information that excludes certain listed direct identifiers but that may include city; ZIP Code; state; elements of date; telephone numbers, fax numbers, and other characteristics, numbers, or codes not listed as direct identifiers. The direct identifiers defined in the Privacy Rule’s limited data set provisions lay down that…

OCR

The Office for Civil Rights (OCR) promotes medical excellence throughout the nation by ensuring equal access to certain health and human services while protecting the privacy and security of health information.

PHI

Protected Health Information (PHI) refers to any data in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing health services to a patient. The HIPAA Privacy Rule extensively covers the rights an individual has over this information. Covered entities…

Physical Safeguards

Physical safeguards are the physical measures, procedures, and policies that protect a covered entity’s electronic information systems, and the related equipment and buildings, from natural and man-made hazards and unauthorized intrusion.

Privacy Official

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Officer is responsible for developing, managing, and implementing processes to ensure the organization complies with applicable federal and state HIPAA regulations and guidelines, particularly in organizations that access and use protected health information (PHI).

Public Health Activities

Public health activities include the reporting of disease or injury; conducting public health surveillance; reporting vital events (e.g., births or deaths); reporting child abuse and neglect; investigations or interventions; and monitoring adverse outcomes related to drugs, food (including dietary supplements), biological products, and medical devices. Covered entities may report adverse activities related to public agencies or…

Risk Assessment

A risk assessment validates whether your organization complies with HIPAA’s technical, administrative, and physical safeguards. It also helps identify the areas where your organization’s Protected Health Information (PHI) is vulnerable to a breach.

Risk Management

Risk Management is a formal plan to identify and rectify risks. The following basic practices will help you achieve security compliance without breaking your budget:
– Put in place “Technical, Administrative, and Physical Safeguards” to protect Protected Health Information (PHI)
– Identify and fix vulnerabilities in your system
– Work on it consistently and perform…

Security Official

The HIPAA Security Officer deals with all forms of data to monitor risks, assess threats, and create policies and compliance measures to manage vulnerabilities. They are responsible for creating, implementing, and enforcing the organization’s security program according to the physical, administrative, and technical safeguards defined by the Security Rule.

SRA Tool

The OCR, in partnership with the Office of the National Coordinator for Health Information Technology, developed a downloadable Security Risk Assessment (SRA) Tool that guides users through the security risk assessment process using a simple, wizard-based approach, as required by the CMS (Centers for Medicare and Medicaid Services) Electronic Health Record…

Subcontractors

Subcontractors are individuals to whom business associates delegate a task, function, or service that involves the creation, transmission, or management of PHI. They work on behalf of a business associate and are required to comply with HIPAA privacy requirements.