- Access Controls- An essential function of data security by which certain measures are implemented to limit who is able to view or handle confidential information. Examples may include multi-factor authentication, decryption keys, and user login credentials.
- Administrative Safeguards- A subsection in HIPAA law that outlines the policies and procedures a Covered Entity (CE) must implement to safeguard Protected Health Information (PHI). Examples may include employee training for HIPAA awareness, thorough onboarding policies for new employees, and auditing procedures to monitor log-in attempts.
- Business Associate- A third-party entity that handles PHI on behalf of a CE. Even though this company is not a CE directly, they are still required to comply with HIPAA regulations because they come into contact with PHI. A data storage company, electronic portal, and call tracking service are all examples.
- Business Associate Agreement- A legally binding contract between a CE and a Business Associate (BA) that outlines each party’s responsibility regarding HIPAA compliance. Before a CE completes a business transaction with a BA, they must obtain this legal documentation to protect confidential information.
- Breach Notification Rule- One of the three main rules outlined in HIPAA law, The Breach Notification Rule requires that HIPAA covered entities and their BAs properly notify relevant personnel in the event of a data breach. These entities are only required to report the data breach if PHI that has not been properly secured is compromised. All affected individuals and the Secretary of State must be notified. Additionally, if more than 500 individuals are affected, the CE or BA must also alert the media of the data breach.
- Covered Entity- A healthcare provider, organization, insurance plan, or clearinghouse that handles PHI in any form. As such, they are required to abide by the regulations outlined under HIPAA. Physicians, pharmacies, company health plans, HMOs, and specialty care facilities all meet the requirements to be considered a CE. HIPAA regulations only apply to CEs and BAs.
- Data Breach- A security violation that occurs when unauthorized personnel gain access to PHI.
- Data Encryption- A complex security tactic by which confidential information is stripped of all identifiable factors and made to look like nonsense. This is the most effective method to implement when safeguarding PHI because it anonymizes the confidential data, thus depleting its value in the event of a data breach.
- ePHI- Stands for Electronic Protected Health Information and is classified as any kind of PHI in electronic form. Examples of ePHI may include emailed test results, an online appointment calendar, and digital photographs of a patient.
- Electronic Medical Record- A computerized database that stores valuable medical information, such as a patient’s demographic, medical history, and employment information.
- HIPAA- Stands for the Health Insurance Portability and Accountability Act. Originally enacted in 1996, this piece of legislation regulates how a patient’s Protected Health Information (PHI) is used and disclosed.
- Identifiable Factors- A broad range of characteristics that make PHI traceable to a specific patient. This can include a patient’s full name, DOB, SSN, physical address, medical history, phone number, email address, and much more.
- Office for Civil Rights- A branch of the Department of Health and Human Services (HHS). They, along with the state attorneys general, are responsible for enforcing HIPAA regulations.
- Physical Safeguards- A subsection of HIPAA law outlining tangible security measures that must be implemented to safeguard PHI. Unlike procedures that are required to protect online databases, physical safeguards protect a CE’s or BA’s buildings and equipment from unauthorized access. Access controls, facility control, and record maintenance are all methods of physical safeguards.
- Privacy Rule- One of three main rules outlined under HIPAA, The Privacy Rule gives a patient positive control over their medical information. It defines what kind of information is protected, who can access it, and how it can be used. In addition to optimizing the flow of health information, The Privacy Rule also sets the “standards for privacy of individually identifiable health information”.
- PHI- Stands for Protected Health Information. It is individually identifiable medical information obtained, stored, transmitted, or maintained by a HIPAA covered entity. HIPAA laws were enacted to protect and advocate for a patient’s right to oversee the use and disclosure of this information.
- Risk Assessment- A set of policies and procedures HIPAA covered entities need to follow after a data breach. As part of the Administrative Safeguards under The Privacy Rule, a risk assessment determines if there is a significant threat of harm to an individual whose PHI was compromised.
- Security Rule- One of the three main rules outlined under HIPAA, The Security Rule outlines a set of security standards HIPAA covered entities need to implement to properly safeguard confidential medical information, especially ePHI. While The Privacy Rule outlines what information is protected, The Security Rule outlines how that information is protected. End-to-end data encryption, for example, is a security method required under The Security Rule for data in transit.
- Technical Safeguards- Technological tools CEs use to safeguard ePHI. While technical safeguards are not specifically defined under The HIPAA Security Rule, CEs are required to implement reasonable and appropriate safeguards to protect sensitive information. Access controls, data encryption, and multi-factor authentication are all technical safeguards that can be used to protect confidential data.
- Telecommunications- Long-distance methods of communication via electronic transmission. Modalities through which this can be executed may include telephone, internet, radio, or television. Data can be transmitted with a wired connection, such as the internet or a landline; a wireless connection, such as a radio tower; or a satellite connection.