To understand HIPAA compliance requirements, you will need to understand some of the commonly used terms.
Protected Health Information (PHI)– individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
Electronic Protected Health Information (ePHI)– individually identifiable health information that is transmitted by electronic media or maintained in electronic media.
Privacy Rule– a government regulation created to protect patients’ medical records and other health information that applies to health plans, health care clearinghouses, and health care providers who conduct health care transactions electronically.
Security Rule– a government regulation created to protect patients’ health information that is created, used, received, or maintained by a covered entity.
Administrative Safeguards– administrative actions for HIPAA compliance such as creating policies and procedures and implementing controls that help safeguard protected health information, whether in paper form or electronic form. An example is a sanction policy that outlines what actions may be taken by management if there is a security incident or a breach.
Physical Safeguards– physical actions for HIPAA compliance such as creating policies and procedures and implementing controls that help safeguard protected health information, whether in paper form or electronic form. This can include a physical access policy that describes how access to physical locations, where PHI is held or accessed, is granted.
Technical Safeguards– technical actions for HIPAA compliance such as creating policies and procedures and implementing controls that help safeguard electronic protected health information. These safeguards might include implementing encryption and audit logs.
Covered Entity– a health care entity that includes health plans, health care clearing houses, and health care providers who submit electronic transactions.
Business Associate– a third-party vendor who works with the covered entity and uses PHI for business purposes.
Subcontractor– a business associate’s business associate.
Office for Civil Rights– the governing body for HIPAA compliance. Employees there will review complaints about breaches of protected health information and provide guidance on how to maintain HIPAA compliance. They also perform breach investigations and assign fines to non-compliant health care organizations.
Encryption– a process using an algorithm to transform information to make it only readable for authorized users.
Audit Logs– a recorded document of events in information technology systems. These events might include failed login attempts.
Audit Controls– safeguards and rules that are placed in information technology systems to limit access to private or special information. These controls can also limit who can see audit logs and who can make changes to information technology systems.
Penetration Tests– a specific type of test for a computer system, network or web application to find vulnerabilities that an attacker could exploit. Some companies provide automated penetration tests, but those tests may not have the capability of exploiting all vulnerabilities.
Vulnerability Scans– an automated inspection of the potential points of exploit on a computer system, network, or web application to identify security holes.
Breach– an impermissible use or disclosure that compromises the security or privacy of protected health information.
Backups– protected health information that is stored offsite for use in the event of an emergency.
Risk Assessment– a process that identifies potential vulnerabilities and allows organizations to determine how to mitigate those vulnerabilities.
Vulnerability– a weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, possibly resulting in a security breach or violation of policy.
Security Incident– a violation or imminent threat of violation of information security policies, acceptable use policies, or standard security practices; an adverse event whereby some aspect of computer security could be threatened.