Understanding HIPAA compliance can be difficult. We’re here to help! Below we outline some standard terms referenced in HIPAA compliance documents and training. We’ll be expounding on these in the coming months to help you build a deeper understanding of HIPAA regulations and better ensure that your organization is compliant.

  • Health Insurance Portability and Accountability Act (HIPAA): The Health Insurance Portability and Accountability Act of 1996 is a United States federal law. The regulations issued under it (collectively, the HIPAA Rules) set national standards for the privacy and security of protected health information. HIPAA has undergone significant additions and revisions in the 20+ years since it was enacted, most notably through the HITECH Act of 2009 and the 2013 Omnibus Rule, to account for new technologies and changes in how the federal government enforces compliance.
  • Department of Health and Human Services (HHS): The Department of Health and Human Services is the department of the United States federal government tasked with protecting the health of Americans and providing essential human services. HHS issues the HIPAA regulations (the Privacy, Security, and Breach Notification Rules).
  • Office for Civil Rights (OCR): The Office for Civil Rights is the component of HHS that enforces federal civil rights laws and the HIPAA Rules. OCR investigates complaints and breach reports, conducts compliance reviews, and imposes civil money penalties and corrective action plans. (The Department of Education also has an office called the Office for Civil Rights; it does not enforce HIPAA.)
  • Protected Health Information (PHI): PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in any form (electronic, paper, or oral). It covers an individual's past, present, or future physical or mental health, the care provided, or payment for that care, whenever the information identifies the individual or could reasonably be used to do so. Demographic details on their own are not PHI unless they are tied to health information held by a covered entity or business associate. The Privacy Rule's Safe Harbor de-identification method lists 18 identifiers (of the individual and of relatives, employers, and household members) that must be removed before data is considered de-identified:
    • Name
    • Address, meaning all geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), with one exception: the first three digits of a ZIP code may be kept when the area sharing those three digits contains more than 20,000 people
    • All elements of dates (except year) directly related to an individual, including birth date, admission and discharge dates, and date of death; and all ages over 89 together with any date element (including year) that would indicate such an age, except that such ages may be aggregated into a single category of 90 or older
    • Telephone number
    • Fax number
    • Email address
    • Social Security number
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate/license number
    • Vehicle identifiers, serial numbers, or license plate numbers
    • Device identifiers or serial numbers
    • Web URLs
    • IP address
    • Biometric identifiers such as fingerprints or voiceprints
    • Full-face photographs and any comparable images
    • Any other unique identifying numbers, characteristics, or codes
  • Covered Entity (CE): A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (such as claims or eligibility checks). Covered entities must comply with all of the HIPAA Rules.
  • Business Associate (BA): A business associate is a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI on behalf of a CE, or a subcontractor that does so on behalf of another BA. The function performed must involve PHI; a vendor that never handles PHI (such as a janitorial service) is not a BA. Common examples include practice management firms, billing companies, cloud and data storage providers, records storage firms, IT service providers, and managed service providers.
  • HIPAA Security Rule: The HIPAA Security Rule sets national standards for the administrative, physical, and technical safeguards that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). It applies only to PHI in electronic form; paper and oral PHI are governed by the Privacy Rule.
  • HIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for the use and disclosure of PHI in any form by covered entities and business associates, including the minimum necessary standard, and gives individuals rights over their health information, such as the right to access and amend their records.
  • HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets following a breach of unsecured PHI. Individual notices must be sent without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals are reported to HHS at the same time, while smaller breaches are logged and reported annually. Business associates must notify the covered entity. Notification may be delayed only if law enforcement states that it would impede an investigation; the rule does not itself require notifying law enforcement.
  • HIPAA Omnibus Rule: The 2013 Omnibus Rule implemented the HITECH Act's changes to HIPAA. Among those changes are revised requirements for the content and execution of business associate agreements (defined below), direct liability of business associates and their subcontractors for compliance with the Security Rule and the applicable parts of the Privacy Rule, and a tiered civil penalty structure that raised the maximum fines for violations rather than relaxing them.
  • Business Associate Agreement (BAA): A business associate agreement is the written contract that a covered entity must execute with each business associate (and that a business associate must execute with each subcontractor) before PHI is shared. The HIPAA Rules require the BAA to specify the permitted uses and disclosures of PHI, require appropriate safeguards, obligate the BA to report breaches and security incidents, and require return or destruction of PHI when the engagement ends. Its purpose is to give the covered entity satisfactory assurance that PHI will be safeguarded and to establish each party's obligations if a breach occurs.
  • HIPAA Risk Assessment: Risk assessments are a central part of HIPAA compliance. The Security Rule's administrative safeguards (not its technical safeguards) require, under the Security Management Process standard, an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, followed by risk management measures that reduce those risks to a reasonable and appropriate level. In practice the organization inventories where ePHI is created, stored, transmitted, and received, identifies threats and vulnerabilities, rates their likelihood and impact, and records a remediation plan with owners and dates. Both the analysis and the remediation must be documented, reviewed periodically, and updated when systems or operations change.
  • Notice of Privacy Practices (NPP): A notice of privacy practices is mandated by the HIPAA Privacy Rule and describes how an organization may use and disclose PHI and what rights individuals have. A health care provider with a direct treatment relationship must make a good-faith effort to give the notice to the patient no later than the first service delivery and to obtain a written acknowledgment of receipt. The notice must be prominently posted where patients can see it, published on the provider's website if it has one, and provided as a paper copy to any patient on request. Health plans must also distribute their notice to members.
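As an added example (not part of the original page or of Compliancy Group's material), the following Python applies the Safe Harbor rules from the PHI identifier list above to a single record: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse to "90+" with the birth date removed, and ZIP codes are truncated to three digits. It goes slightly beyond the list by implementing the three-digit ZIP exception, using the restricted-prefix list published in HHS de-identification guidance. The field names, the sample record, and the reference date are assumptions for the example, and the prefix list should be re-verified against current census data before it is relied on.

```python
from datetime import date

# Constructed sample record (not real patient data). Field names are
# assumptions for this example; a real system maps its own schema.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0004821",
    "email": "jane@example.com",
    "dob": "1931-02-14",
    "zip": "10213",
    "admission_date": "2023-05-20",
    "diagnosis_code": "E11.9",
}

# Reference date used to compute ages (assumption for the example).
AS_OF = date(2023, 6, 1)

# Fields holding direct identifiers from the Safe Harbor list: dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Date fields reduced to year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes whose area holds 20,000 or fewer people, as listed
# in the HHS de-identification guidance; they generalize to "000". Assumption:
# re-verify this list against current census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP unless the prefix is restricted."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(dob_iso, as_of):
    """Completed years between an ISO date of birth and the reference date."""
    born = date.fromisoformat(dob_iso)
    had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
    return as_of.year - born.year - (0 if had_birthday else 1)


def safe_harbor_deidentify(record, as_of=AS_OF):
    """Apply the Safe Harbor identifier, date, age and ZIP rules to one record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: remove
        if key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)  # year only
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key != "age":
            out[key] = value              # non-identifying clinical data kept

    # Age rule: ages over 89 collapse to "90+", and any date element that would
    # reveal such an age (here, the birth year) is removed as well.
    age = record.get("age")
    if age is None and "dob" in record:
        age = age_on(record["dob"], as_of)
    if age is not None:
        if age > 89:
            out["age"] = "90+"
            out.pop("dob", None)
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

Running the block on the constructed record drops the name, medical record number, and email, collapses the 1931 birth date into the "90+" age band (keeping the year would reveal an age over 89), reduces the admission date to its year, and maps ZIP 10213 to "000" because its three-digit prefix is on the restricted list, while the diagnosis code is retained as non-identifying clinical data. Note that Safe Harbor is one of two de-identification methods under the Privacy Rule; the other, Expert Determination, relies on a documented statistical analysis rather than a fixed field list.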


Read more from the Compliancy Group, A TPM Partner: