
Compliance Glossary

A resource powered by Accountable, the Compliance Glossary is intended to cover general terminology as it relates to the healthcare industry and HIPAA.

Written by Jacob W Fisher
Updated over 10 months ago


Letter A

Acceptable Use Policy

An acceptable use policy refers to a set of guidelines that define the proper usage of an organization's information resources such as computer systems, networks, and data. For HIPAA (the Health Insurance Portability and Accountability Act) compliance, an acceptable use policy is a crucial element of an organization's comprehensive compliance program.

Access, Onboarding and Termination Policy - An access, onboarding, and termination policy for HIPAA compliance would include guidelines for granting and revoking access to protected health information (PHI) for employees and contractors. The policy would outline the process for verifying the identity and credentials of new employees and contractors before granting access to PHI, as well as the procedures for revoking access upon termination or change in job responsibilities.

Access Control - A security measure that limits access to information or resources to authorized users only.

Access Rights - An access rights policy for HIPAA compliance outlines the rules and procedures for granting and revoking access to protected health information (PHI).

Accounting of Disclosures - Information that describes a covered entity’s disclosures of PHI other than for treatment, payment and health care operations; disclosures made with authorization; and certain other limited disclosures. For those categories of disclosures that need to be in the accounting, the accounting must include disclosures that have occurred during the 6 years (or a shorter time period at the request of the individual) prior to the date of the request for an accounting.

Administrative Safeguards - One of the three categories of safeguards required under the HIPAA Security Rule, which includes policies and procedures for managing the selection, development, implementation, and maintenance of security measures.

Affected Individual - An individual whose protected health information (PHI) has been subject to a breach of unsecured PHI.

Affiliated Covered Entity - A group of covered entities that share common ownership or control, and that have agreed to designate themselves as a single affiliated entity for purposes of complying with HIPAA.

Amendment and Correction - An amendment to a record would indicate that the data is in dispute while retaining the original information. A correction to a record alters or replaces the original record.

Application Security Policy - This policy typically includes guidelines for the secure development, implementation, and maintenance of applications that handle protected health information (PHI).

Audit Controls; System Alerts - An audit controls system is a set of procedures and controls that ensure compliance with HIPAA regulations. It includes alerts to notify the organization of any potential violations or breaches, and a policy outlining the steps to be taken in the event of such an occurrence.

Audit Logs Policy - This policy is used to keep PHI safe by regularly reviewing system access and/or monitoring for suspicious network activity.

Audit Trail - A record of system activity that can be used to reconstruct events and track security incidents.

Authentication Policy - This policy outlines the specific measures and protocols that must be in place to ensure the secure identification and verification of individuals accessing electronic protected health information (ePHI).

Authorization

Written permission by the patient or the patient’s personal representative to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations. A templated version of an authorization form can be found here.

Availability of Data (Availability Policy) - A patient has the right to request information from their medical record at any time. As someone working with PHI (Business Associate organizations are included here), it is your responsibility to ensure these requests, when valid, are fulfilled. Under the H.I.P.A.A. framework, one must always keep PHI confidential, of good integrity (not tampered with) and available. Availability of data refers to this last requirement.


Letter B

Backup and Recovery - A set of processes and procedures for creating and storing copies of electronic data and information systems to ensure that data can be restored in the event of a system failure or disaster.

Breach

The unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed, would not reasonably have been able to retain such information. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

Breach Notification - The process of notifying affected individuals, the Secretary of Health and Human Services, and in some cases, the media, of a breach of unsecured PHI.

Breach Risk Assessment - An evaluation of the potential risks and consequences of a breach of protected health information (PHI) to determine the appropriate response.

Business Continuity Policy - A written document that outlines the steps a healthcare organization should take to ensure the continuity of its operations in the event of a disaster or emergency.

Business Associate - Any third-party entity that is paid to provide a service and, in doing so, is unavoidably exposed to PHI in the course of its normal work.

Business Associate Agreement - A necessary agreement between parties sharing PHI for a business relationship (See Business Associate). Typically executed between Covered Entities and Business Associates, or Business Associates and their Business Associates. In short, the agreement is an assurance that both parties are doing all they can to protect sensitive data from being breached.

Business Associate Relationship Policy - This is a document that outlines the terms and conditions of a business relationship between a covered entity (such as a healthcare provider) and a business associate (such as a billing company).

Business Continuity Plan - A plan for maintaining essential business functions and services in the event of a disruption, such as a natural disaster, power outage, or cyber attack.




Letter C

C.M.S. - Centers for Medicaid and Medicare Services - C.M.S. is a federal agency within the United States Department of Health and Human Services. It is responsible for administering the Medicare and Medicaid programs, which provide healthcare coverage to seniors, low-income individuals, and people with disabilities. C.M.S. also works to improve the quality of healthcare and reduce costs through initiatives such as value-based purchasing, innovation models, and fraud prevention efforts.

Code of Conduct Policy - A HIPAA compliant Code of Conduct Policy is a set of guidelines and standards for ensuring the confidentiality, integrity, and security of personal health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

Complaints Policy - This policy outlines the steps that individuals can take to report HIPAA violations, such as the use or disclosure of personal health information without proper consent. It also outlines the procedures for investigating and resolving these complaints, including the steps that the organization must take to protect the privacy of individuals and ensure compliance with HIPAA regulations.

Confidentiality Agreements - A HIPAA compliant confidentiality agreement is a legal document that outlines the confidentiality requirements set by the Health Insurance Portability and Accountability Act (HIPAA) for protecting personal health information (PHI) in the healthcare industry.

Confidentiality Policy - A HIPAA compliant confidentiality policy is a set of guidelines and procedures that ensure the privacy and security of personal health information (PHI). It includes measures to prevent unauthorized access or disclosure of PHI, as well as protocols for handling and storing PHI in a secure manner. The policy also outlines the rights and responsibilities of individuals and organizations involved in the handling of PHI, including healthcare providers, insurers, and business associates. Overall, the goal of a HIPAA compliant confidentiality policy is to protect the privacy of individuals and maintain the integrity of the healthcare system.

Contingency Plan - A plan for responding to emergencies, disasters, or other unexpected events that could result in a disruption to operations or services.

Covered Entity - Defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. In simpler terms, this refers to anyone who directly provides care, or who is 100% necessary to provide care, such as a pharmacy or hospital.

Critical Data - Data that, if inappropriately handled, may result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, or unauthorized access by one or many individuals (e.g., student loan information, social security number, driver’s license number, passport or visa number, state ID card number and protected health information).

Cyber Risk Assessment Policy - This policy is a comprehensive analysis of an organization's cybersecurity measures and vulnerabilities, with the goal of identifying and mitigating any potential risks to protected health information (PHI).


Letter D

Data Backup and Storage Policy

This policy includes regularly backing up data to prevent loss in the event of a disaster or system failure, storing data in a secure location that is only accessible by authorized personnel, and implementing measures to protect against unauthorized access or theft.

Data Center Policy - This policy is a set of guidelines and procedures that ensure the security and confidentiality of protected health information (PHI) stored in a data center. These policies outline the measures that must be taken to protect PHI from unauthorized access, misuse, and breach, including physical security measures, access controls, and data encryption.

Data Classification Policy - A HIPAA compliant data classification policy is a set of guidelines that outline how personal health information (PHI) should be handled and protected within an organization. It specifies the level of security and confidentiality required for different types of PHI, such as demographic data, medical records, and financial information.

Data Integrity - In HIPAA compliance, data integrity refers to the accuracy and completeness of electronic health information and the security measures in place to protect it from unauthorized access or modification.

Data Retention Policy - This policy refers to the guidelines and procedures that an organization must follow in order to properly store and manage electronic health information (EHI). This includes the duration of time that EHI must be kept, as well as the processes for destroying or disposing of the information once it is no longer needed. The policy is designed to protect the privacy and security of patient data, and ensure that it is only accessed by authorized personnel.

Data Use Agreement - An agreement required by the Privacy Rule between a covered entity (the holder of the PHI) and a person or entity that receives a limited data set (e.g. a research investigator) when the data are in the form of a limited data set. A data use agreement establishes the ways in which the information in the limited data set may be used and how it will be protected.

De-Identified Health Information - Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

Designated Record Set - A group of records maintained by or for a covered entity that is: the medical records and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used, in whole or in part, by or for the covered entity to make decisions about individuals.

Any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Device, Media and Controls Policy - This policy outlines the guidelines and procedures for the secure handling and use of electronic devices, media, and controls within an organization. This includes the proper disposal of electronic devices and media, the use of passwords and encryption to protect sensitive information, and the implementation of physical and technical controls to prevent unauthorized access to electronic devices and media.

DHHS - Department of Health and Human Services - A federal agency responsible for protecting the health and well-being of Americans. In order to fulfill this mission, the DHHS must comply with the Health Insurance Portability and Accountability Act (HIPAA). This includes maintaining the privacy and security of patient health information, as well as ensuring that information is used appropriately and only for authorized purposes. The DHHS works to ensure that all of its programs and activities are in compliance with HIPAA regulations, and works to educate individuals and organizations about HIPAA requirements.

Disaster Recovery Plan (D.R.P.) - A disaster recovery plan in HIPAA compliance is a detailed plan that outlines the steps an organization will take to recover from a natural disaster, cyber attack, or other catastrophic event that disrupts the normal operation of the organization. The plan should include procedures for maintaining the confidentiality, integrity, and availability of electronic protected health information (ePHI) during and after the disaster.

Disclosure - Release, transfer, provisions of, access to, or divulgence in any manner of information outside the entity holding the information.

Documentation, Record Retention and Document Destruction - Documentation refers to the process of creating and maintaining records of activities related to HIPAA compliance, including policies and procedures, training materials, and audits. Record retention is the process of keeping these records for a specified period of time, as required by HIPAA regulations. Document destruction is the process of securely disposing of these records once they are no longer needed, in order to protect the privacy of individuals. All of these processes are essential for ensuring HIPAA compliance and protecting the privacy of personal health information.


Letter E

Electronic Health Record

An electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.

Electronic Protected Health Information (ePHI) - Protected health information (PHI) created, maintained or transmitted in electronic form (ePHI).

Emancipated Minor - A minor who is to be treated as an adult for purposes of this policy. An emancipation order allows a minor to consent to “medical, dental or psychiatric care, without parental consent, knowledge or liability.” In Connecticut, minors above age sixteen or their parents may petition the Superior Court for Juvenile Matters or the Probate Court for emancipation orders. The court may declare the minor emancipated if (1) the minor has been married, (2) the minor actively serves in the U.S. armed forces, (3) the minor willingly lives away from home and manages his or her own finances, or (4) the court determines “for good cause” that emancipation is in the “best interest” of the minor. A minor may also be considered emancipated under common law under similar circumstances.

Emergency Access Procedure - A procedure that allows access to electronic protected health information (ePHI) during an emergency or other situation that requires immediate access to the information.

Encryption - A technical safeguard for company devices. Encryption transforms readable data into unreadable ciphertext that can only be turned back into the original text by the holder of the correct key (or password), allowing the data to be stored or transmitted safely and securely.

Enforcement Sanctions Policy - Enforcement sanctions policy in HIPAA compliance refers to the penalties and consequences that may be imposed on individuals or organizations that violate the HIPAA Privacy and Security Rules. These penalties may include civil monetary fines, corrective action plans, and criminal charges for severe violations. The enforcement of HIPAA compliance is overseen by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS), which has the authority to investigate complaints, conduct audits, and impose sanctions as necessary. The purpose of the enforcement sanctions policy is to ensure that HIPAA compliance is taken seriously and that individuals and organizations are held accountable for their actions related to the handling of protected health information (PHI).

Entity Authentication - The process of verifying the identity of a healthcare provider, health plan, or healthcare clearinghouse that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

ePHI / Electronic Protected Health Information - Protected health information (PHI) that is transmitted or maintained in electronic form.


Letter F

Facility Access Controls

This policy refers to the measures put in place to ensure that only authorized individuals have access to physical areas where protected health information (PHI) is stored or accessed. This may include measures such as security badges, keycards, and locked doors.

Facility Security Plan - A plan for maintaining physical security and protecting facilities where protected health information (PHI) is stored or accessed.

Family Member – means an individual’s dependent or any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or the individual’s dependent. Relatives by marriage or adoption are treated the same as relatives who share a common biological ancestor. First-degree relatives include parents, spouses, siblings and children. Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces. Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins. Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Federal Register - The official journal of the federal government of the United States that contains government agency rules, proposed rules, and public notices, including updates and changes to the HIPAA Privacy, Security, and Breach Notification Rules.

Firewall - A network security device that monitors and controls incoming and outgoing network traffic, and can prevent unauthorized access to protected health information (PHI).

Formal Authorization - A written document that grants permission for the use or disclosure of protected health information (PHI), as required by HIPAA regulations.


Letter G

G.I.N.A. - (Genetic Information Nondiscrimination Act) A federal law that prohibits employers and health insurers from discriminating against individuals based on their genetic information.

Gap Analysis - A process of comparing an organization's current policies and procedures with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules to identify areas where compliance is lacking.

Genetic Information

Means information about 1) an individual’s genetic tests, 2) the genetic tests of family members of the individual, 3) the manifestation of a disease or disorder in family members of the individual, or 4) any request for or receipt of genetic services, including participation in clinical research which includes genetic services, by the individual or their family member. Genetic information includes the genetic information of a pregnant woman’s fetus or that of a family member, or of any embryo legally held by the individual or family member using an assisted reproductive technology. Genetic information does not include the sex or age of an individual.

General Authorization - A written authorization that allows a covered entity or business associate to use or disclose protected health information (PHI) for any purpose not otherwise permitted under HIPAA regulations.

Genetic Services – means a genetic test, genetic counseling (including obtaining, interpreting, or assessing genetic information), or genetic education.

Genetic Test – means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder or pathological condition.

Good Faith Use - The use of protected health information (PHI) by a covered entity or business associate for the purpose of treatment, payment, or healthcare operations, as defined by HIPAA regulations.

Group Health Plan – means an employee welfare benefit plan (as defined in the Employee Retirement Income and Security Act of 1974 (ERISA), 29 USC 1002(1)), including insured and self–insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that has 50 or more participants; or is administered by an entity other than the employer that established and maintains the plan.

Guidelines - Recommendations or best practices for complying with HIPAA regulations, such as the HIPAA Privacy, Security, and Breach Notification Rules.



Letter H

Health Care

Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Healthcare Component – means a component of a hybrid entity designated by the hybrid entity that functions as a health care provider, as defined by HIPAA.

Healthcare Operations - Certain activities of the covered entity that are related to covered functions. These activities include, but are not limited to: administrative, financial, legal, underwriting and quality improvement activities that are necessary for a covered entity to run its business.

Health Care Provider – a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Information – any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Information Exchange - H.I.E. - The process of reliable and interoperable electronic health-related information sharing conducted in a manner that protects the confidentiality, privacy and security of the information. The electronic movement of health-related information among organizations according to nationally recognized standards.

Health Information Technology (HIT): Technology used to manage health information, including electronic health records (EHRs), personal health records (PHRs), and health information exchanges (HIEs).

Health Information Technology for Economic and Clinical Health Act (HITECH Act) - Federal law enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act promotes adoption and meaningful use of health information technology; widens the scope of privacy and security protections available under HIPAA; increases the potential legal liability for noncompliance; and provides for more enforcement.

H.I.P.A.A. - The Health Insurance Portability and Accountability Act of 1996 - A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Also gives Health and Human Services (HHS) the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

Hybrid Entity – a single legal entity that is a covered entity whose business activities include both covered and non–covered functions.


Letter I

I.I.H.I.

Individually Identifiable Health Information - A term used in HIPAA compliance to refer to any information that can be used to identify an individual and that relates to the individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual.

This includes personal information such as name, address, social security number, and medical history, as well as information about the individual's healthcare providers, treatment, and payment for services. HIPAA compliance requires that this information be protected and kept confidential, and that proper safeguards are put in place to prevent unauthorized access, use, or disclosure of the information.

Incidental Disclosure - An unintentional disclosure of protected health information (PHI) that occurs as a result of a use or disclosure that is permitted under HIPAA regulations.

Incident Reporting Policy - This policy refers to the process by which healthcare organizations report and document incidents that involve the unauthorized access, use, disclosure, or breach of protected health information (PHI). This includes incidents that occur within the organization, as well as those that occur outside of the organization, such as when a third-party vendor experiences a breach. The incident reporting policy should outline the steps that must be taken to report and document an incident, including who is responsible for reporting the incident and to whom it should be reported. It should also outline the steps that must be taken to prevent future incidents from occurring.

Information Security Policy - Information security policy in HIPAA compliance is a set of guidelines and procedures that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). These policies ensure that ePHI is only accessed by authorized individuals, is not tampered with or modified, and is always available when needed.

Incident Response Plan - A set of guidelines and procedures for responding to and managing a breach of protected health information (PHI). It includes steps for identifying and containing the breach, evaluating the impact on individuals, and taking corrective action to prevent further incidents. It also includes a process for reporting the incident to the appropriate authorities and stakeholders. The goal of an incident response plan is to minimize the impact of a breach on patients and the organization and ensure that appropriate measures are taken to prevent future incidents.

Individual - A natural person who is the subject of protected health information (PHI).

Individual Requests - This refers to the process by which individuals can request access to their personal health information (PHI). This includes the right to request copies of their medical records, request amendments to their records, and request an accounting of disclosures of their PHI. The policy outlines the steps individuals must take to make these requests, the timeframes in which the requests must be fulfilled, and any fees that may be involved. It is important for organizations to have a clear and concise individual request policy in place to ensure compliance with HIPAA regulations and to ensure that individuals have access to their own PHI.

Information System Activity Review - A process of reviewing the activity logs of an information system to ensure that security measures are being followed and to identify any unauthorized access or use of protected health information (PHI).

Informed Consent - The process of obtaining an individual's agreement to participate in a research study, medical procedure, or other activity, after the individual has been informed of the risks and benefits of the activity.



Letter J

J-Codes: A subset of the HCPCS Level II code set with a high-order value of “J” that has been used to identify certain drugs and other items. The final HIPAA transactions and code sets rule states that these J-codes will be dropped from the HCPCS, and the NDC codes will be used to identify the associated pharmaceuticals and supplies.

Joint Commission on Accreditation of Healthcare Organizations (JCAHO): An independent, non-profit organization (now known as The Joint Commission) that accredits and certifies healthcare organizations and programs in the United States.

Joint Healthcare Information Technology Alliance (JHITA): A healthcare industry association that represents AHIMA, AMIA, CHIM, CHIME, and HIMSS on legislative and regulatory issues affecting the use of health information technology.

Judicial Proceedings

A rarely invoked portion of the rule, under which a patient's control over their own PHI yields to the needs of an official judicial proceeding.


Letter K

Key

An input that controls the transformation of data by an encryption algorithm (NRC, 1991, as cited in the HISB draft Glossary of Terms Related to Information Security in Health Care Information Systems.)


Letter L

Legally Authorized Representative

A person authorized either by state law or by court appointment to make decisions, including decisions related to health care, on behalf of another person, including someone who is authorized under applicable law to consent on behalf of a prospective subject to the subject’s participation in the procedure involved in any research.

Limited Data Set - A data set of protected health information that excludes specified direct identifiers of an individual or of the individual's relatives, employers, or household members, but retains geographic subdivisions larger than the postal address, elements of dates including month and day, and other unique identifying numbers, characteristics or codes not previously listed as a direct identifier, and that cannot reasonably be used to identify an individual. Limited data sets may only be used for research, public health or health care operations, and only in conjunction with a data use agreement.

Law Enforcement Official - An individual who is authorized to investigate or conduct official activities related to criminal or civil law enforcement, as defined by HIPAA regulations.


Letter M

Malware - Short for malicious software. This is software that is intended to damage or disable computers and computer systems. Malware includes computer programs known as viruses, worms, Trojans, ransomware and spyware.

Marketing and Fundraising

Here is a short summary of HIPAA-compliant policies and procedures for marketing and fundraising using protected health information (PHI):

  1. Obtain written authorization for the use of PHI from the patient. On that same form, state in writing every purpose for which the patient's PHI will be used, and make sure the patient understands it.

  2. Implement physical, technical, and administrative safeguards for PHI used in this way, so that the information is not accessed in an unauthorized manner or disclosed to anyone who should not have it.

  3. Keep accurate records of all uses and disclosures of PHI for marketing or fundraising purposes, including a copy of the patient's authorization, if applicable.

  4. Provide patients with an opportunity to opt out of receiving marketing materials or having their PHI used for fundraising purposes.

Meaningful Use - A set of criteria that healthcare providers must meet to receive incentives for adopting and implementing electronic health records (EHRs) in a meaningful way.

Minimum Necessary Rule

Refers to reasonable efforts made to limit use, disclosure, or requests for PHI to the minimum necessary to accomplish the intended purpose.

Mitigation - This refers to actions taken to reduce or eliminate the likelihood of a HIPAA violation occurring, or to lessen the impact of a HIPAA violation that has already occurred. Synonymous with remediation in this context.


Letter N

National Practitioner Data Bank (NPDB) - A national database maintained by the U.S. Department of Health and Human Services that contains information on malpractice payments and disciplinary actions taken against health care providers.

N.I.S.T. - National Institute of Standards and Technology

NIST is a non-regulatory agency of the U.S. Department of Commerce that develops and publishes technical standards and guidelines related to information security and privacy. NIST has developed a framework of cybersecurity best practices known as the NIST Cybersecurity Framework (CSF), which provides guidance to organizations on how to manage and protect their cyber assets.

HIPAA is a federal law that establishes standards for the protection of personal health information (PHI). HIPAA applies to healthcare providers, health plans, and other entities that handle PHI, and requires these entities to implement appropriate safeguards to protect the privacy and security of PHI.

There is an intersection between NIST and HIPAA compliance in that both NIST and HIPAA require organizations to implement strong safeguards to protect sensitive information. NIST's CSF provides guidance on how to implement these safeguards, and HIPAA requires that covered entities follow these guidelines in order to comply with the law.

Additionally, HIPAA requires covered entities to conduct risk assessments to identify and address potential vulnerabilities in their systems and processes, which aligns with the risk management principles outlined in the NIST CSF.

Network Security - The measures and technologies used to protect computer networks from unauthorized access, hacking, malware, and other cyber threats that could compromise the confidentiality, integrity, and availability of PHI.

Non-Retaliation - When a workforce member reports an incident, it is of critical importance that no colleague takes any action that could be construed as retaliation.

Notification of Breach - Five distinct things need to happen in the case of a breach of PHI:

  1. Identify the breach: The first step in responding to a breach is to identify that a breach has occurred. This may involve reviewing logs, conducting an investigation, or reviewing reports from staff or patients.

  2. Assess the impact: Once a breach has been identified, the next step is to assess the impact of the breach on the affected individuals. This may include determining the type and extent of the information that was compromised, as well as the likelihood that the information will be used for malicious purposes.

  3. Notify affected individuals: If the breach involves the personal health information of one or more individuals, HIPAA requires that those individuals be notified as soon as possible. This notification should include information about the nature of the breach, the information that was compromised, and any steps that can be taken to mitigate the impact of the breach.

  4. Notify the appropriate authorities: HIPAA also requires that certain breaches be reported to the Department of Health and Human Services (HHS) and, in some cases, to local or state authorities. These notifications should be made as soon as possible after the breach is identified.

  5. Review and update policies and procedures: After a breach has occurred, it is important to review and update policies and procedures to prevent similar breaches from happening in the future. This may include reviewing and updating training programs, implementing new technologies or protocols, or conducting additional security audits.

Notice of Privacy Practices - The Privacy Rule requires health plans and covered health care providers to provide adequate notice that gives a clear, user-friendly explanation of the individual's legal rights with respect to their personal health information and of the privacy practices of the covered entity.


Letter O

O.C.R. - Office for Civil Rights - This office is part of HHS. Its HIPAA responsibilities include oversight of the privacy requirements.

O.I.G. - Office of the Inspector General - The OIG has the authority to investigate potential HIPAA violations and to take enforcement action against individuals or organizations that violate HIPAA rules. The OIG has the authority to impose civil monetary penalties on individuals or organizations that violate HIPAA rules, as well as to refer cases for criminal prosecution if necessary.

Officer - A senior management official designated by a covered entity to be responsible for the development and implementation of HIPAA compliance policies and procedures.

OMNIBUS - The 2013 amendment to HIPAA that strengthened the privacy and security protections for PHI and expanded the obligations of covered entities and business associates.

Ongoing Risk Assessment - The H.I.P.A.A. requirement that risk assessment be repeated on an ongoing basis rather than performed once; it is the reason why we audit annually.

Organizational Requirements - The HIPAA Security Rule requirement that covered entities implement policies and procedures to ensure the security and privacy of protected health information (PHI).

Organized Health Care Arrangement (OHCA) - A group of healthcare providers that work together to provide coordinated care to patients, such as a hospital and its affiliated physician practices.


Letter P

Password Policy

A document whose procedures are intended to ensure that all passwords are strong, unique, and protected from unauthorized access.

Patient Access - The right of an individual to access and obtain a copy of their own PHI from a covered entity, as established by the HIPAA Privacy Rule.

Personal Representatives - Policies and procedures for HIPAA compliance regarding personal representatives outline the steps that must be taken to ensure that an individual's personal and health information is properly protected. Personal representatives are individuals who have been authorized by the individual to make healthcare decisions on their behalf, such as a family member or legal guardian.

According to HIPAA regulations, personal representatives must be granted access to an individual's health information if the individual is unable to make decisions for themselves, or if the individual has specifically designated them as their personal representative. In order to protect the individual's privacy, HIPAA policies and procedures require that personal representatives must provide proof of their identity and authorization to access the individual's health information.

Additionally, HIPAA compliance policies and procedures outline the responsibilities of personal representatives when it comes to protecting the individual's health information. This includes ensuring that the information is only used for authorized purposes, and not disclosing the information to unauthorized parties. HIPAA policies and procedures also outline the consequences for personal representatives who fail to comply with these requirements, including potential fines and legal action.

Personnel Designations - The HIPAA compliance policies and procedures for personnel designations outline the roles and responsibilities of individuals within an organization who handle protected health information (PHI). These policies and procedures ensure that only authorized personnel have access to PHI, and that they are trained on HIPAA regulations and proper handling of PHI. They may include provisions for the assignment of unique identifiers, such as user names and passwords, to ensure that only designated personnel can access PHI. Additionally, these policies and procedures may include guidelines for the termination of access to PHI when an individual's role or employment status changes within the organization. Overall, these policies and procedures are in place to protect the confidentiality, integrity, and security of PHI, and to ensure HIPAA compliance within the organization.

Physical Safeguard(s) - HIPAA Security Rule standards that require covered entities and business associates to protect electronic PHI (ePHI) by implementing physical measures to safeguard the physical facility, equipment, and systems that store or transmit ePHI.

Protected Health Information, or P.H.I. - Protected Health Information (PHI) refers to any identifiable health-related information that is collected, maintained, or transmitted by a covered entity (such as a healthcare provider or health insurance company) or its business associate (such as a billing company). This information is protected under the Health Insurance Portability and Accountability Act (HIPAA) and must be kept confidential and secure to ensure the privacy of individuals. Examples of PHI include patient medical records, insurance claims, and billing information. HIPAA compliance requires covered entities and their business associates to implement safeguards to protect the confidentiality, integrity, and availability of PHI. This includes implementing technical, physical, and administrative controls to prevent unauthorized access, use, or disclosure of PHI.

Privacy Rule - The HIPAA Privacy Rule is a federal regulation that sets standards for the use and disclosure of Protected Health Information (PHI). It applies to covered entities (such as healthcare providers and health insurance companies) and their business associates (such as billing companies), and requires them to implement safeguards to protect the confidentiality, integrity, and availability of PHI. The HIPAA Privacy Rule establishes the rights of individuals to access, control, and protect their own PHI, and requires covered entities to provide notice to individuals about their privacy rights and how their PHI may be used and disclosed. It also sets limits on the use and disclosure of PHI, and requires covered entities to obtain written consent from individuals before using or disclosing their PHI for certain purposes, such as marketing or research. The HIPAA Privacy Rule is designed to ensure the privacy and security of individuals' health information while still allowing for the necessary exchange of information for the provision of healthcare and related activities.

Privacy Officer - The HIPAA Privacy Officer is a designated individual or position within a covered entity (such as a healthcare provider or health insurance company) who is responsible for overseeing the organization's compliance with the HIPAA Privacy Rule. This includes developing and implementing policies and procedures to protect the privacy of individuals' protected health information (PHI), training employees on HIPAA privacy practices, and responding to privacy-related incidents and complaints. The HIPAA Privacy Officer is also responsible for conducting regular audits and reviews to ensure that the organization is in compliance with HIPAA regulations, and for providing guidance and support to employees on HIPAA privacy issues. The HIPAA Privacy Officer is a critical role in ensuring that a covered entity is compliant with HIPAA regulations and that individuals' health information is kept confidential and secure.


Letter Q

Qualified Service Organization (Q.S.O.) - Under HIPAA, a Qualified Service Organization (QSO) is a third-party entity that provides certain services to a covered entity, such as data processing or customer service.


Letter R

Reasonable and Appropriate Safeguards - The HIPAA Security Rule standard that requires covered entities and business associates to implement safeguards that are reasonable and appropriate to protect PHI from threats or hazards.

Remote Access Policy

A remote access policy is a set of guidelines and procedures that outline how employees and contractors can access company resources and data remotely, including Protected Health Information (PHI). The purpose of a remote access policy is to ensure that all remote access to PHI is secure and compliant with HIPAA regulations.

Removable Media and Cloud Storage Policy - Use of removable media: Removable media, such as USB drives, CDs, and DVDs, should only be used for transferring or storing protected health information (PHI) when no other secure means is available. When removable media is used, it should be encrypted to protect the PHI from unauthorized access.

Use of cloud storage: Cloud storage should only be used for storing PHI if the cloud service provider has a Business Associate Agreement (BAA) in place with the organization and the service meets HIPAA requirements for the secure storage of PHI.

Restricted Internal Access to P.H.I. - The HIPAA (Health Insurance Portability and Accountability Act) compliance policy for restricted internal access to protected health information (PHI) outlines the steps that must be taken to ensure the confidentiality, integrity, and availability of PHI. This includes the implementation of technical safeguards, such as password protection and data encryption, as well as physical safeguards, such as locking cabinets and shredding documents.

Retention - The length of time that covered entities and business associates must retain PHI in accordance with HIPAA regulations and other applicable laws.

Right to Access - The HIPAA Privacy Rule requires covered entities to provide individuals with access to their own PHI upon request, subject to certain exceptions.

Risk Analysis - A process used by covered entities and business associates to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI.

Risk Assessment Policy - The risk assessment policy should outline the process for identifying and evaluating potential risks to PHI, including threats and vulnerabilities that could compromise the security and privacy of the information. The policy should also outline the steps to be taken to address identified risks, including implementing appropriate controls and procedures to protect PHI.

Additionally, the risk assessment policy should outline the frequency of risk assessments and the roles and responsibilities of all individuals involved in the process. It should also outline the process for documenting and reporting the results of risk assessments, including any identified risks and the actions taken to address them.

Overall, the risk assessment policy is an important part of HIPAA compliance and helps ensure that covered entities are taking appropriate steps to protect the confidentiality, integrity, and availability of PHI.


Letter S

Safeguards - Specific actions which are designed to protect the privacy and security of an individual’s health information. These actions may include: administrative measures such as policies, procedures, training and written agreements; physical measures such as locked doors or keycard access; and technical measures such as firewalls, password/passphrase and encryption.

Sanctions for Non-Compliance - With regard to employee sanctions for non-compliant behavior, the policies and procedures should outline the consequences for employees who fail to adhere to HIPAA regulations. This may include disciplinary action, such as verbal warnings, written warnings, or termination of employment.

Sanitizing Electronic Media - A process by which data is irreversibly removed from media or the media is permanently destroyed. It includes removing all classified labels, markings, and activity logs.

Secure Destruction - The result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover.

Security Incident - The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Security Incident Response - Policies and procedures for HIPAA compliance with regard to incident response involve establishing a process for responding to potential HIPAA violations or breaches. This process should include steps for identifying and reporting incidents, assessing the severity of the incident, determining the appropriate response, and documenting the steps taken to resolve the incident.

Security Incident Response Team - A group of individuals created to assist with an incident investigation. The incident response team will be activated at the discretion of the Information Security Office (ISO). The core IU Health incident response team members will be decided with each incident by the ISO. This team may typically consist of General Counsel representatives, IS representatives, a Media Relations Office representative, and a Compliance Office representative.

Security Management Process - The HIPAA Security Rule requirement that covered entities and business associates implement policies and procedures to prevent, detect, contain, and correct security violations.

Security Officer - A designated employee within a healthcare organization who is responsible for ensuring that the organization is in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Compliance Security Officer is responsible for implementing and maintaining policies and procedures that protect the privacy and security of patient information, as well as for training employees on HIPAA regulations and best practices.

Security Rule - A HIPAA rule that establishes national standards for the security of electronic protected health information (ePHI).

System and Information Integrity - HIPAA Security Rule standards that require covered entities and business associates to implement measures to protect ePHI against unauthorized access or modification.


Letter T

Technical Safeguard - The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Termination Procedures - Establish a process for handling the termination of an employee who has access to protected health information (PHI). This process should include steps to ensure that the employee's access to PHI is terminated in a timely and secure manner.

Training Policy - The reason so many HIPAA compliance activities run on a one-year timeline is the training policy, which dictates that the Organization will provide ongoing training and updates to staff as needed, to ensure that they are aware of any changes to HIPAA rules or to your organization's policies and procedures.

Transmission Security Policy - HIPAA transmission security requirements are designed to ensure that ePHI is protected when it is transmitted over an electronic network and to prevent unauthorized access, use, or disclosure of ePHI in transit.

Treatment - The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.


Letter U

Use

With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

User - A person who uses a computer or network service. At IU this includes faculty, staff, students, affiliates, temporary workers, retired faculty, retired staff and any individuals or entities that use or have authorized access to IU’s network.

Uses And Disclosures That Are Permitted By The Privacy Rule, Or Permitted By Authorization - The Privacy Rule has strict rules regarding uses and disclosures of PHI. Certain specific situations permit disclosing PHI.

In addition to the uses and disclosures permitted by the Privacy Rule, covered entities may also use and disclose PHI with the individual's written authorization. This authorization must specify the purpose of the use or disclosure, and the individual must have the opportunity to revoke the authorization at any time.

Uses And Disclosures That Are Permitted Without Individual Authorization - Certain circumstances do not require the patient to have an authorization in place before a Covered Entity discloses PHI. These disclosures include cases involving Treatment, Payment, or Operations; public health activities; health oversight activities; law enforcement; decedents; military and veterans; Workers' Compensation; and medical research.


Letter V

Vendor - A third-party provider of goods or services to a covered entity or business associate that has access to protected health information (PHI).

Vendor Management Policy - You are required to have written policies and procedures regarding vendor management. Requirements under this policy are to conduct thorough vendor risk assessments and continue to check vendor security status, to have a written agreement in place, and, finally, to have a plan in place for addressing HIPAA violations by a vendor.

Verification - The process of confirming the identity of an individual who requests access to their PHI or authorizes the disclosure of their PHI to a third party.

Violation - A willful effort to disregard or circumvent H.I.P.A.A. policy.

Virtual Private Network (VPN) - A secure communication network that enables remote access to an organization's computer network, often used to protect the confidentiality and integrity of ePHI.

Viruses and Malware; Application Updates - Taking measures to protect against viruses and malware, and ensuring that applications used to access or store ePHI are kept up to date with the latest security patches and updates, is a requirement under HIPAA.

Vulnerability - Any weakness or gap in an organization's security measures that could be exploited by an attacker to gain unauthorized access to protected health information (PHI).


Letter W

Waiver of Authorization - HIPAA permits covered entities to disclose PHI without authorization in certain circumstances, such as for public health purposes or to comply with a court order.

Workforce Member - Employees, volunteers, trainees (including students, residents and fellows), and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Workstation Policy - Outlines how individuals should use and access electronic protected health information (ePHI) on workstations (e.g., computers, laptops, tablets). The purpose of such a policy is to ensure that ePHI is protected and that HIPAA requirements are met when accessing and using ePHI on workstations.

Workstation Security - This refers to practical ways one can keep a workstation compliant by protecting it against unauthorized access to PHI. Specifics in this regard are physical security, access controls, data encryption, software and system updates, data backup, and termination of access.

Workforce Training - HIPAA requires covered entities and business associates to provide training to workforce members on their privacy and security policies and procedures, as well as any updates or changes to those policies and procedures.


Letter X

Letter Y

Letter Z

X, Y and Z are outliers with no adjacent compliance terms seemingly available.


Still confused? Please drop us a line! It's what we are here for!
