The HIPAA terms a compliance team actually uses, defined in plain language by practitioners. For the full walkthrough, read the practitioner's guide to HIPAA compliance.
Addressable specification: A Security Rule specification that an entity must assess for its environment, then either implement, replace with an equivalent measure, or document why neither is reasonable while still meeting the standard another way. Addressable does not mean optional. Skipping one with no documented analysis is a violation.
Administrative safeguards: The policies, procedures, and management actions under 45 CFR 164.308 that govern the security program. They are the largest safeguard family, covering the risk analysis, workforce security, training, security incident procedures, contingency planning, and the requirement to have business associate agreements in place.
Business associate agreement (BAA): The contract that binds a vendor handling protected health information to safeguard it and use it only as permitted. A covered entity must have one in place before it lets a business associate handle protected health information, and a business associate must have one with each subcontractor.
Breach: The acquisition, access, use, or disclosure of unsecured protected health information in a way the Privacy Rule does not permit. An impermissible use or disclosure is presumed to be a breach unless a risk assessment shows a low probability that the information was compromised.
Breach Notification Rule: The rule at 45 CFR 164.400 through 164.414 that sets who must be notified, and within what timelines, when unsecured protected health information is breached. Individuals must be notified no later than 60 days after discovery, with extra steps for breaches affecting 500 or more people.
Business associate: A person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity to perform a function or service. Business associates are directly liable under HIPAA, not merely contractually liable to the covered entity.
Confidentiality, integrity, and availability (CIA): The three properties of electronic protected health information that the Security Rule protects: keeping it private, keeping it accurate and unaltered, and keeping it accessible when it is needed. The risk analysis is measured against all three.
Covered entity: A health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a covered transaction such as a claim or eligibility check. The electronic-transmission trigger is what pulls most providers in.
De-identification: Removing identifiers so that health information no longer identifies an individual. Once properly de-identified, information is no longer protected health information. HIPAA recognizes two methods: a formal expert determination, and the safe harbor method, which removes a defined list of identifiers.
Electronic protected health information (ePHI): Protected health information that is created, received, maintained, or transmitted in electronic form. The Security Rule attaches specifically to ePHI, while the Privacy Rule covers protected health information in any form.
Encryption: Converting electronic protected health information into a form that cannot be read without a key. It is an addressable specification under the Security Rule, and when applied to the required standard it renders breached information no longer unsecured, which removes the duty to notify.
HHS: The US Department of Health and Human Services, the federal department that issues the HIPAA rules and, through the Office for Civil Rights, enforces them.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 and its implementing rules. It protects the privacy and security of health information held by covered entities and business associates through the Privacy, Security, and Breach Notification Rules.
HITECH Act: The 2009 Health Information Technology for Economic and Clinical Health Act. It strengthened HIPAA enforcement, made business associates directly liable, and created the breach notification framework.
Implementation specification: A specific instruction for meeting a Security Rule standard. Each one is labeled either required or addressable, and the label dictates how an examiner tests it.
Minimum necessary: The Privacy Rule standard that limits the use, disclosure, and request of protected health information to the least amount needed to accomplish the purpose. Exceptions include disclosures to the patient and disclosures for treatment.
Notice of Privacy Practices: The notice a covered entity provides describing how it uses and discloses protected health information and the rights an individual holds over that information.
Office for Civil Rights (OCR): The office within HHS that enforces the HIPAA Privacy, Security, and Breach Notification Rules through complaint investigations, compliance reviews, and a periodic audit program. The current audit cycle is weighted toward Security Rule provisions relevant to hacking and ransomware.
Physical safeguards: The controls under 45 CFR 164.310 that protect the facilities, equipment, and media holding electronic protected health information. They cover facility access controls, workstation use and security, and device and media controls, including disposal and re-use.
Protected health information (PHI): Individually identifiable health information held or transmitted by a covered entity or business associate, in any form, whether on paper, spoken, or electronic. PHI is the information HIPAA exists to protect.
Privacy Rule: The rule at 45 CFR Part 164 Subpart E that governs how protected health information in any form may be used and disclosed, including the minimum-necessary standard and the rights patients hold over their own information.
Required specification: A Security Rule specification an entity must implement as written. There is no flexibility: an examiner evaluates it directly against the standard and makes a binary determination.
Risk analysis: The required assessment under 45 CFR 164.308(a)(1)(ii)(A) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information an entity creates, receives, maintains, or transmits. It is the deficiency the Office for Civil Rights cites most often.
Risk management: The required specification at 45 CFR 164.308(a)(1)(ii)(B) to implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level. The risk management plan has to trace back to the risk analysis.
Security Rule: The rule at 45 CFR Part 164 Subpart C that requires administrative, physical, and technical safeguards for electronic protected health information. It is narrower than the Privacy Rule because it applies only to the electronic form.
Subcontractor: A person or organization that creates, receives, maintains, or transmits protected health information for a business associate. A subcontractor is itself a business associate and carries the same direct obligations, so HIPAA flows all the way down the chain.
Technical safeguards: The technology controls under 45 CFR 164.312 applied to electronic protected health information and the systems that hold it. They cover access control with unique user identification, audit controls, integrity, person or entity authentication, and transmission security.
Unsecured protected health information: Protected health information not rendered unusable, unreadable, or indecipherable through a method such as encryption or destruction. Only a breach of unsecured protected health information triggers the notification duty.
Workforce: Employees, volunteers, trainees, and others whose conduct an entity controls, whether or not they are paid. The workforce must be trained on the security program and subject to a sanction policy for violations.
Compliance Command Center turns these concepts into a defensible, examiner-ready HIPAA program, run by practitioners and backed by software.