HIPAA Glossary
63 terms in plain English: the vocabulary behind the Privacy and Security Rules, defined the way we use them across the platform. Free, no signup.
Prefer a copy for your team? Download the glossary →
- Addressable (implementation specification)
- A HIPAA Security Rule requirement you must either implement, implement an equivalent alternative for, or document why it is not reasonable and appropriate (and then do nothing). "Addressable" does not mean optional; a decision and its rationale must be recorded.
- Administrative Safeguards
- The policies, procedures, and management actions that run the security program: risk analysis, workforce training, access management, contingency planning, and the like (45 CFR §164.308).
- AES (Advanced Encryption Standard)
- The standard symmetric encryption algorithm (e.g. AES-256) used to protect data at rest and in backups.
- Accounting of Disclosures
- An individual's right to receive a list of certain disclosures of their PHI. Covered entities must be able to produce it on request.
- Amendment (Right to)
- An individual's right to request a correction to their PHI. The entity must have a process to accept, act on, and track these requests.
- Authentication
- Confirming a user is who they claim to be (password + MFA, SSO, etc.), as distinct from authorization.
- What an authenticated user is permitted to do or access. Governed by least privilege and role-based access.
- Availability
- The security goal that ePHI is accessible and usable when needed (backups, redundancy, contingency planning). One leg of the CIA triad with Confidentiality and Integrity.
- BAA (Business Associate Agreement)
- The contract HIPAA requires between a covered entity and a business associate (and between a business associate and its subcontractors) that binds the recipient to safeguard PHI and defines permitted uses.
- Breach
- The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises its security or privacy, unless a risk assessment shows a low probability of compromise. Triggers the Breach Notification Rule.
- Breach Notification Rule
- The HIPAA rule (45 CFR §164.400–414) requiring notice to affected individuals, HHS, and sometimes the media after a breach of unsecured PHI, within defined timeframes.
- Business Associate (BA)
- A person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity (e.g. a SaaS vendor, billing company, or IT provider). Directly liable under HIPAA.
- CIA Triad
- Confidentiality, Integrity, and Availability, the three security goals HIPAA safeguards protect.
- Confidentiality
- The security goal that PHI is not made available or disclosed to unauthorized people or processes.
- Contingency Plan
- The overall plan to keep operating and protect ePHI during and after an emergency. Its parts include the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan, with periodic testing.
- Covered Entity (CE)
- A health plan, health care clearinghouse, or health care provider that transmits health information electronically for covered transactions. Directly subject to HIPAA.
- Data Backup Plan
- The documented, tested procedure for creating and maintaining retrievable exact copies of ePHI.
- De-identification
- Removing identifiers so information is no longer PHI (via the Safe Harbor method or an expert determination). De-identified data is out of HIPAA scope.
- Disaster Recovery Plan (DR)
- The documented procedure to restore systems and data after a disruptive event, measured against RTO and RPO targets.
- Disclosure
- Releasing or providing access to PHI to a party outside the entity holding it (contrast with "use," which is internal).
- Emergency Mode Operation Plan
- The procedure for continuing critical business processes that protect ePHI while operating in emergency conditions.
- Encryption
- Converting data into ciphertext so only authorized parties can read it. Encrypting PHI to a recognized standard is a safe harbor that can remove a lost/stolen record from breach-notification obligations.
- ePHI (electronic PHI)
- PHI that is created, stored, transmitted, or received electronically. The subject of the Security Rule.
- Enforcement Rule
- The HIPAA rule governing investigations, penalties, and procedures for noncompliance, administered by OCR.
- FTPS / SFTP
- Encrypted file-transfer protocols used to move files containing ePHI securely.
- HHS (Department of Health and Human Services)
- The federal department that issues and enforces HIPAA; enforcement is carried out by its Office for Civil Rights.
- HIPAA (Health Insurance Portability and Accountability Act)
- The 1996 U.S. law whose Privacy, Security, Breach Notification, and Enforcement Rules govern the protection of health information.
- Integrity
- The security goal that PHI is not improperly altered or destroyed; verified with mechanisms such as hashing.
- IRT (Incident Response Team)
- The named group responsible for detecting, triaging, and responding to security incidents.
- Least Privilege
- Granting each user or process only the minimum access needed to do the job, the core principle behind access control and Minimum Necessary.
- MDM (Mobile Device Management)
- Software that enforces security policy (encryption, remote wipe, screen lock) on laptops and mobile devices that may touch ePHI.
- MFA (Multi-Factor Authentication)
- Requiring two or more independent factors (password plus a phone prompt, token, etc.) to sign in. A baseline safeguard for accounts with ePHI access.
- Minimum Necessary
- The Privacy Rule principle that uses, disclosures, and requests of PHI be limited to the least amount needed to accomplish the purpose (with defined exceptions such as treatment).
- NIST (National Institute of Standards and Technology)
- The U.S. standards body whose frameworks (e.g. SP 800-30 for risk assessment, SP 800-66 for HIPAA) are commonly used to structure a compliant program.
- NPP (Notice of Privacy Practices)
- The notice a covered entity must give individuals describing how it uses and discloses PHI and the individual's rights.
- OCR (Office for Civil Rights)
- The HHS office that enforces the HIPAA Privacy, Security, and Breach Notification Rules and investigates complaints.
- PHI (Protected Health Information)
- Individually identifiable health information held or transmitted by a covered entity or business associate, in any form. ePHI is its electronic subset.
- PII (Personally Identifiable Information)
- Information that identifies an individual. Overlaps with PHI when tied to health information, but PII is a broader, non-HIPAA-specific term.
- Physical Safeguards
- Controls over physical access to facilities and devices: facility access, workstation use and security, and device and media controls (45 CFR §164.310).
- Privacy Rule
- The HIPAA rule (45 CFR §164.500+) governing the use and disclosure of PHI and individual rights, regardless of medium.
- Required (implementation specification)
- A Security Rule requirement that must be implemented as written (contrast with Addressable).
- RBAC (Role-Based Access Control)
- Granting access by job role rather than per individual, so permissions are consistent and easy to review.
- Risk Analysis
- The Security Rule's foundational requirement: a thorough, documented assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Risk Management
- The ongoing process of reducing identified risks to a reasonable and appropriate level, tracked in a risk register with owners and dates.
- RPO (Recovery Point Objective)
- The maximum acceptable amount of data loss, measured in time (e.g. "no more than 24 hours"), that a backup strategy must meet.
- RTO (Recovery Time Objective)
- The maximum acceptable time to restore a system or process after a disruption.
- Sanction
- A disciplinary consequence applied to a workforce member who violates security or privacy policy. HIPAA requires a sanction policy and applied enforcement records.
- Security Incident
- An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations. Not every incident is a breach.
- Security Rule
- The HIPAA rule (45 CFR §164.302+) requiring administrative, physical, and technical safeguards for ePHI.
- SHA (Secure Hash Algorithm)
- A family of cryptographic hash functions (e.g. SHA-256) used to verify data integrity.
- SOC 2
- An independent audit report (from the AICPA framework) on a service provider's security controls; often requested from business associates as third-party assurance. Related to, but not the same as, HIPAA.
- SOP (Standard Operating Procedure)
- A documented, repeatable procedure that implements a policy in practice.
- SSO (Single Sign-On)
- Centralized authentication that lets users sign in once to reach multiple systems, easing MFA and de-provisioning.
- Standard (implementation)
- In the Security Rule, the umbrella requirement under which specific Required or Addressable implementation specifications sit.
- Subcontractor
- A business associate of a business associate: anyone downstream who handles PHI on a BA's behalf. Requires its own BAA.
- Technical Safeguards
- The technology controls protecting ePHI: access control, audit controls, integrity, authentication, and transmission security (45 CFR §164.312).
- TLS (Transport Layer Security)
- The standard protocol that encrypts data in transit (e.g. HTTPS, secure email), protecting ePHI moving across networks.
- TPO (Treatment, Payment, and Operations)
- The core purposes for which the Privacy Rule permits PHI use and disclosure without individual authorization.
- Transmission Security
- Technical safeguards (encryption, integrity controls) protecting ePHI as it moves across a network.
- Use
- Sharing, applying, examining, or analyzing PHI within the entity that holds it (contrast with "disclosure," which is external).
- VPN (Virtual Private Network)
- An encrypted network tunnel used to reach internal systems or protect traffic on untrusted networks.
- Workforce
- Employees, volunteers, trainees, contractors, and others whose conduct is under the direct control of the entity, whether or not paid, all subject to its HIPAA policies.
- Workstation
- Any device (laptop, desktop, tablet) that can access ePHI. Subject to workstation-use and workstation-security requirements.
Put the vocabulary to work
The free template library maps these terms to ready-to-adopt policies and procedures, and the two-minute check shows where your compliance posture stands.