The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Implementing policies and procedures for granting an individual access to electronic PHI through multiple venues to include: access to a workstation, transaction, program, process, or other mechanism. Include clear delineation on the required authorizations and clearances needed before an account can be established.
Limiting access to information system resources only to authorized users, programs, processes, or other systems.
Access Control and Validation Procedures
Implementing procedures to control and validate identification and authentication of a person’s access to facilities based on their role or function, including visitor control and control of access to firmware, hardware, and/or software programs for testing and revision.
Access Establishment and Modification
Based upon the organization's access authorization policies, implement additional policies and procedures that establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
A level rank or category label associated with an individual who may be accessing information (for example, a clearance level) or with the information, which may be accessed (for example, a classification level).
The security policies, and the rules established therein, that determine types of, and reasons for, modification to an entity's established right of access to a terminal, transaction, program, or process.
Implementation of procedures for the authorization and supervision of workforce members that work with electronic protected health information or in locations where it is accessible.
Maintaining a record of the movements of hardware and electronic media and any person responsible therefore. Implement procedures for safely managing electronic devices and media, including records of who has the devices or media, when they had possession, and where they kept the devices or media from the time of original receipt to time of final disposal or transfer to another entity. The mechanism used for recording this documented
information may be manual or automated.
Accounting for Disclosures
Information that describes a covered entity's disclosures of PHI other than for treatment, payment, and health care operations; disclosures made with Authorization; and certain other limited disclosures. For those categories of disclosures that need to be in the accounting, the accounting must include disclosures that have occurred during the 6 years (or a shorter time period at the request of the individual) prior to the date of the request for an accounting. However, PHI disclosures made before the compliance date for a covered entity are not part of the accounting requirement.
Formal declaration by a Designated Accrediting Authority (DAA) that an information system is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
A covered entity must consider the implementation specification, and implement if appropriate. If not appropriate, document the reason why not, and what was done in its place to implement the standard.
Administrative actions, policies, and procedures that manage the selection, development, implementation, and maintenance of security measures through initial and subsequent organizational risk assessments due to changes in the organizational security posture. Administrative safeguards are measures designed to protect electronic PHI and to manage the conduct of the organization’s workforce in relation to the protection of that information.
Administrative Simplification (A/S)
Title II, Subtitle F, of HIPAA, which gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.
Application Service Provider (ASP)
ASPs offer access to various application programs over the Internet. Applications could include e-mail, storage, and other services like tax programs, etc.
Applications and Data Criticality Analysis
As part of an organization’s risk assessment, assessing the relative criticality of specific applications and data in support of other contingency plan components. Utilize the results of this analysis to assign priority to information resources and determine the best strategy to protect those resources.
Assigned Security Responsibility
(1) HIPAA Security Officer who is responsible for the development and implementation of the policies and procedures required by this Regulation. While more than one individual may be given security responsibilities, a single individual must be designated as having the overall final responsibility.
(II) The number and type of personnel required to implement an organization’s security
policies in a manner consistent with this Regulation depends on the size and structure of the organization. Document and validate the actual workforce numbers with a breakdown of responsibilities as part of the security management process.
An independent examination of records and activities to ensure compliance with established security controls, policies, and procedures. Usually an independent audit will recommend any changes in controls, policies, or procedures that may be desired or required.
Implementing hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use electronic protected health information.
A method for proving a user's identity (such as using passwords or authentication tokens).
A narrowly tailored permission to use and disclose only the specific protected health information identified for the limited purposes requested. Authorizations must have a limited duration and may only be relied upon for that period of time.
Implementing electronic procedures that terminate an electronic session after a predetermined tome of inactivity.
The property that data or information is accessible and useable upon demand by an authorized person.
Copy of files and programs made to facilitate recovery.
A measurement of the volume of information that can be transmitted over a network.
A Security science where Biometric identifiers are used for secure identification and authentication. Some of the common Biometric identifiers are fingerprints, voice patterns, face geometry, hand geometry, retinal scans, signatures, and typing patterns. Some systems use a combination of several of the above mentioned identifiers simultaneously for improved security identification.
Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for other than authorized purposes where one or more individuals will be adversely affected.
A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity. A member of a covered entity's workforce is not one of its business associates. A covered entity may be a business associate of another covered entity.
Business Associate Contracts and other Arrangements
Assurances obtained by a covered entity, in accordance with organizational requirements of HIPAA, that business associates will appropriately safeguard electronic protected health information created, received, maintained or transmitted on their behalf.
Centers for Medicare & Medicaid Services (CMS)
Formerly known as Health Care Financing Administration (HCFA), the U.S. Department of Health and Human Services (HHS) agency responsible for Medicare and parts of Medicaid. CMS has historically maintained the UB-92 institutional EMC format specifications, the professional Electronic Media Claims (EMC) National Standard Format (NSF) specifications, and specifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains the Healthcare Common Procedure Coding System (HCPCS) medical code set and the Medicare Remittance Advice Remark Codes administrative code set. CMS has responsibility for enforcing Security Rule compliance.
The technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements.
Protection of data from unauthorized access by the designation of multiple levels of access authorization clearances to be required for access, dependent upon the sensitivity of the information.
If an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.
This exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
Under HIPAA, this is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective data of the associated final rule for most entities, but 36 months after the effective data for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective data, but can be longer for small health plans and for complex changes.
Information (as property) is not made available or disclosed to unauthorized individuals, entities or processes.
Formal, documented procedures for (1) connecting and loading new equipment and programs, (2) periodic review of the maintenance occurring on that equipment and programs, and (3) periodic security testing of the security attributes of that hardware/software.
A plan maintained for emergency response, backup operations, and post-disaster recovery for an information system to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation.
Procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Focus these procedures on the functioning of the facility and its access control mechanisms (both administrative and technical) during and after an
emergency or disaster.
A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.
Those functions of a covered entity the performance of which makes the entity a health care provider, health plan, or health care clearinghouse under the HIPAA Administrative Simplification Rules.
A sequence of symbols to which meaning may be assigned.
The corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature.
A retrievable, exact copy of information.
Data Backup and Storage
Creation of a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Data Backup Plan
A formally documented plan to create and maintain, for a specific period of time, retrievable exact copies of information.
Condition existing when data is unchanged from its source and has not
been accidentally or maliciously modified, altered, or destroyed.
The retention of health care information pertaining to an individual in an electronic format.
Data Use Agreement
An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.
The process of transforming cipher text into readable text.
Designated Record Set
A group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Device and Media Controls
Implementing policies and procedures for the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a covered entity, and the movement of those items within a covered entity.
Any type of text or message encrypted with a private key, thereby identifying the source.
The process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
Disaster Recovery Plan
Part of an overall contingency plan. The plan for a process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
The release, transfer, access to, or divulging of information in any other manner outside the entity holding the information.
Under HIPAA this is a list of any entities that have received personally identifiable health care information for uses unrelated to treatment, and payment or healthcare operations.
Discretionary Access Control
Discretionary Access Control (DAC) is used to control access by restricting a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' accesses to the file.
Implementation of policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. Procedures must
include approved methods of disposal such as use of commercial or public disposal services, sale or donation of electronic devices and the process for ensuring that electronic PHI processed by or stored on the hardware and electronic media is no longer accessible.
Written security plans, rules, procedures, and instructions concerning all components of an entity's security and written records of any action, activity, or assessment required by HIPAA.
The date a final rule becomes effective, which is usually 60 days after publication in the
Electronic Data Interchange (EDI)
This usually means X12 and similar variable-length formats for the electronic exchange of structured data. It is sometimes used more broadly to mean any electronic exchange of formatted data.
Electronic File Interchange:
The ability for health care organizations, such as professional associations, to submit an electronic file with information of several health care providers to apply for the National Provider Identifier.
Electronic Media Claims (EMC)
This term usually refers to a flat file format used to transmit or transport claims, such as the 192-byte UB-92 Institutional EMC format and the 320-byte Professional EMC NSF.
Electronic Protected Health Information
Individually identifiable health information transmitted by, or maintained, in electronic media.
Electronic Storage Media
Includes memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.
A transmission using electronic media that is covered under HIPAA.
Emergency Access Procedure
Procedures for obtaining necessary electronic protected health information during an emergency.
Emergency Mode Operation
Access controls in place that enable an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
Emergency Mode Operation Plan
Part of an overall contingency plan. The plan for a process whereby an enterprise would be able to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Implementation of a mechanism to encrypt electronic protected health information whenever appropriate during transmission.
Encryption and Decryption
Under HIPAA, implementation of a mechanism to encrypt and decrypt electronic protected health information as a means of access control.
Implementing procedures to verify that persons or entities seeking access to EPHI are who or what they claim to be.
Documented security procedures for bringing hardware and software into and out of a facility and for maintaining a record of that equipment. This includes, but is not limited to, the marking, handling, and disposal of hardware and storage media.
Performing periodic technical and non-technical evaluations that determine the extent to which a covered entity's security policies and procedures meet the ongoing requirements of the Security Rule.
The physical premises and the interior and exterior of a building or buildings.
Facility Access Controls
Implementing policies and procedures to limit physical access to information systems or biomedical devices and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Facility Security Plan
A plan to safeguard the premises and building(s) (exterior and interior) from unauthorized physical access, and to safeguard the equipment therein from unauthorized physical access, tampering, and theft. Under HIPAA, the policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
FDA Protection of Human Subjects Regulations
Regulations intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction. The FDA Protection of Human Subjects Regulations can be found at Title 21 Code of Federal Regulations, Parts 50 and 56
Software/Hardware that creates a barrier between a trusted and an untrusted network, allowing or denying data to cross the barrier based on a set of rules that an administrator has configured. A firewall is usually placed between the public Internet and a private computer network to help protect against intrusion to the private network. A firewall acts as a gateway between networks, usually used between the Internet and internal networks, but sometimes used between departments and corporate entities.
Under HIPAA, all covered entity staff, including management and those who work at home, must comply with the Security Rule.
Group health plan
An employee welfare benefit plan that provides for medical care and that either has 50 or more participants or is administered by another business entity.
Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Health Care Clearinghouse
A public or private entity, including a billing service, re-pricing company, community health management information system or community health information system, and "value-added" networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
Health Care Provider
A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This Act requires, among other things, under the Administrative Simplification subtitle, the adoption of standards, including standards for protecting the privacy of individually identifiable health information.
Health Level Seven (HL7)
An ANSI-accredited group that defines standards for the cross-platform exchange of information within a health care organization. HL7 is responsible for specifying the Level Seven OSI standards for the health industry. The X12 275 transaction will probably incorporate the HL7 CRU message to transmit claim attachments as part of a future HIPAA claim attachments standard. The HL7 Attachment SIG is responsible for the HL7 portion of this standard.
For the purposes of Title II of HIPAA, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) and including entities and government programs listed in the Rule. Health plan excludes: (1) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (2) a government-funded program (unless otherwise included at section 160.103 of HIPAA) whose principal purpose is other than providing, or paying for the cost of, health care or whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons.
HHS Protection of Human Subjects Regulations
Regulations intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS. The HHS regulations include the Federal Policy for the Protection of Human Subjects, effective August 19, 1991, and provide additional protections for pregnant women, fetuses, neonates, prisoners, and children involved in research. The HHS regulations can be found at Title 45 of the Code of Federal Regulations, Part 46.
A single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be business associates of one or more of its health care components, depending on the nature of their relationship.
Under HIPAA, this is the specific instruction for implementing a standard.
Incidental Use and Disclosure
Under HIPAA, when an individual's health information is used or disclosed incidentally. Usually this occurs when it cannot reasonably be prevented by chance or without intention or calculation during an otherwise permitted or required use or disclosure.
Indirect Treatment Relationship
A relationship between an individual and a health care provider in which:
- The health care provider delivers health care to the individual based on the orders of another
health care provider; and
- The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
Individually Identifiable Health Information
Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Intrusion detection is software used to detect attempted intrusion into a computer or network. It actively runs to detect intrusions and then warns the system administrator, and can sometimes take action against the intruder, such as blocking their addresses.
Data to which meaning is assigned, according to context and assumed conventions.
Information Access Control
Formal, documented policies and procedures for granting different levels of access to health care information.
Information Access Management
Implementing policies and procedures for authorizing access to EPHI (electronic protected health information) that are consistent with the applicable requirements of the Privacy Rule and the Federal Information Security Management Act (FISMA).
A set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. Includes automated information system applications, enclaves, outsourced information technology (IT)-based processes, and platform IT interconnections.
Information System Activity Review
Procedures for regular review of records of information system activity such as audit logs, access reports, and security incident tracking reports.
Institutional Review Board (IRB)
An IRB can be used to review and approve a researcher's request to waive or alter the Privacy Rule's requirements for an Authorization. The Privacy Rule does not alter the membership, functions and operations, and review and approval procedures of an IRB regarding the protection of human subjects established by other Federal requirements.
The property that data or information have not been altered or destroyed in an unauthorized manner; implementing policies and procedures to protect EPHI electronic protected health information from improper modification or destruction.
Implementing security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Integrity Controls Mechanisms
Security mechanism employed to ensure the validity of the information being electronically transmitted or stored corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
The in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an organization.
Intrusion detection is software used to detect attempted intrusion into a computer or network. It actively runs to detect intrusions and then warns the system administrator, and can sometimes take action against the intruder, such as blocking their addresses.
Formal, documented identification of hardware and software assets.
IP (Internet Protocol)
A fundamental protocol in TCP/IP networks that addresses and delivers datagrams across the Internet.
Isolating Health Care Clearinghouse Function
Under HIPAA, when a health care clearinghouse is part of a larger organization, implementing policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
A joint Notice of Privacy Practices between covered entities that participate in an organized health care arrangement.
Limited Data Set
Refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.
Including procedures for monitoring log-in attempts and reporting discrepancies as part of security awareness training.
Implementing policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Software, for example, a virus, designed to damage or disrupt a system.
Mandatory Access Control (MAC)
A means of restricting access to objects that is based on fixed security attributes assigned to users and to files and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs.
Mechanism to Authenticate Electronic Protected Health Information
Implementing electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Implement procedures for removal of electronic PHI from electronic media before the media is made available for re-use. Methods for removing electronic PHI include reformatting and writing over existing data.
Formal, documented policies and procedures that govern the receipt and removal of hardware/software (for example, diskettes, tapes) into and out of a facility.
A digital representation of information.
The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Unless an exception applies, this standard applies to a covered entity when using or disclosing PHI or when requesting PHI from another covered entity. A covered entity that is using or disclosing PHI for research without Authorization must make reasonable efforts to limit PHI to the minimum necessary. A covered entity may rely, if reasonable under the circumstances, on documentation of IRB or Privacy Board approval or other appropriate representations and documentation under section 164.512(i) as establishing that the request for protected health information for the research meets the minimum necessary requirements.
To alleviate any harmful effects that is known to a covered entity of a use or disclosure of protected health information in violation of its policies and procedures.
A change adopted by the Secretary of HHS, through a regulation, to a standards or an implementation specification.
NIST / National Institute of Standards and Technology
NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The mission of NIST's Computer Security Division is to improve information systems security by raising awareness of IT risks, researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems.
Notice of Privacy Practices
A notice of the uses and disclosures of protected health information made by the covered entity, of the individual's rights and the covered entity's legal duties with respect to protected health information.
Notice of Proposed Rule Making
A document that describes and explains regulations that the federal government proposes to adopt at some future date, and that invites interested parties to submit comments related to them. These comments then can be used in developing a final regulation.
Covered entities must regularly train employees and revise security policies and procedures as needed.
Organized Health Care Arrangements
Organized systems of health care where more than one covered entity participates and where the participating covered entities publicly present themselves as a joint arrangement and participate in cross-organizational functions where PHI is shared. Members of organized health care arrangements may use and disclose PHI across their organizations.
confidential authentication information composed of a string of characters.
Implementing security awareness and training that covers procedures for creating, changing, and safeguarding
Periodic Security Reminders
Employees, agents and contractors should be made aware of security concerns on an ongoing basis.
Person or Entity Authentication
Implementing procedures to verify that a person or entity seeking access to electronic
PHI is the one claimed and provide the appropriate level of non-repudiation
Personnel Clearance Procedure
A protective measure applied to determine that an individual's access to sensitive unclassified automated information is admissible. The need for and extent of a screening process is normally based on an assessment of risk, cost, benefit, and feasibility as well as other protective measures in place. Effective screening processes are applied in such a way as to allow a range of implementation, from minimal procedures to more stringent procedures commensurate with the sensitivity of the data to be accessed and the magnitude of harm or loss that could be caused by the individual.
The procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances.
Personnel Security Policy/Procedure
Formal, documentation of policies and procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances.
Personally Identifiable Information
Information about an individual that identifies, links, relates, or is unique to, or describes him or her. This also includes information which can be used to distinguish or trace an individual's identity and any other personal information which is linked or linkable to a specified individual.
Physical Access Controls
Those formal, documented policies and procedures to be followed to limit physical access to an entity while ensuring that properly authorized access is allowed.
Physical safeguards are physical measures, policies, and procedures to protect an organization’s information systems and related buildings and equipment from natural hazards, environmental hazards, and unauthorized intrusion.
Policy/Guideline on Workstation Use
Documented instructions/procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings, of a specific computer terminal site or type of site, dependant upon the sensitivity of the information accessed from that site.
A board that is established to review and approve requests for waivers or alterations of Authorization in connection with a use or disclosure of PHI as an alternative to obtaining such waivers or alterations from an IRB. A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual's privacy rights and related interests. The board must include at least one member who is not affiliated with the covered entity, is not affiliated with any entity conducting or sponsoring the research, and is not related to any person who is affiliated with any such entities. A Privacy Board cannot have any member participating in a review of any project in which the member has a conflict of interest.
Protected Health Information
Information that is created or received by a covered entity and relates to the past, present, or future physical or mental health of an individual; providing payment for health care to an individual; and can be used to identify the individual. It excludes health information in employment records held by a covered entity in its role as employer.
Protection from Malicious Software
Including procedures for guarding against, detecting, and reporting malicious software as part of security awareness training.
Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Public Health Authority
An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
Covered entities must institute appropriate measures to avert all reasonably anticipated risks to their electronic PHI. They must balance their resources and business requirements against the risks to electronic PHI.
Re-identification of Protected Health Information
The process of assigning a code or other means of record identification to allow information de-identified to be re-identified by the covered entity.
Required By Law
A mandate contained in law that compels an entity to make a use or disclosure of protected
health information and that is enforceable in a court of law. Required by law includes, but
is not limited to:
- Court orders and court-ordered warrants;
- Subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information;
- A civil or an authorized investigative demand;
- Medicare conditions of participation with respect to health care providers participating in the program; and
- Statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
A systematic investigation, including research development, testing, and evaluation, designed to
develop or contribute to generalized knowledge.
Response Procedures and Reporting
The documented formal rules/instructions for actions to be taken as a result of the receipt of a
security incident report requirement to identify and respond to suspected or known security
incidents; mitigate, to the extent practicable, harmful effects of security incidents that
are known to the covered entity; and document security incidents and their outcomes.
Examination of information to identify the risk to an information system.
The process of identifying and applying countermeasures commensurate with the value of
the assets protected based on a risk assessment.
Role-Based Access Control
Role-based access control (RBAC) is an alternative to traditional access control
models (e.g., discretionary or non-discretionary access control policies) that
permits the specification and enforcement of enterprise-specific security policies in a
way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
The appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.
The appropriate sanctions against members of a covered entity's workforce who fail to comply with the privacy policies and procedures of that covered entity.
A required characteristic of the Security Rule whereby all sizes of healthcare entities must be able to comply with the Security rule.
Secure Workstation Location
Physical safeguards to eliminate or minimize the possibility of unauthorized access to information, for example, locating a terminal used to access sensitive information in a locked room and restricting access to that room to authorized personnel, not placing a terminal used to access patient information in any area of a doctor's office where the screen contents can be viewed from the reception area.
Security or Security Measures
Encompass all of the administrative, physical, and technical safeguards in an information system.
Security Awareness and Training
Awareness and training are separate activities. Security “awareness” exists to continuously heighten workforce members’ familiarity with security. Security “training” teaches security practices.
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Security Incident Procedures
Implementing formal, documented instructions for reporting security breaches policies and procedures to address security incidents.
Security Management Process
Implementing policies and procedures to prevent, detect, contain, and correct security violations.
The framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organization commitment for a system.
Security updates that serve as a security reminder to increase security awareness. Security reminders include e-mail messages, newsletters, posters, etc.
A process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed applications environment. This process includes hands-on functional testing, penetration testing, and verification.
Small health plan
A health plan with annual receipts of $5 million or less.
A standard establishes a rule, condition, or requirement that a covered entity must implement.
A constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.
Includes hardware, software, information, data, applications, communications, and people.
TCP/IP (Transmission Control Protocol/Internet Protocol)
The protocol that is the foundation of the Internet. An agreed upon set of rules and standards directing computers on how to exchange information with each other.
The technology and the policy and procedures for its use that safeguard electronic PHI and control access to it.
A required characteristic of the Security Rule, whereby the Security rule contains no specific technology recommendations (e.g., specific type of firewall, IDS, access control system). Each covered entity must choose the appropriate technology to protect its EPHI (electronic protected health information).
An arrangement where a civilian employee and/or member of the Armed Forces performs assigned official duties at an alternative worksite on a regular and recurring or on a situational basis (not including while on official travel).
Procedures for terminating access to electronic PHI when the employment of a workforce member ends, or as required by the organization’s workforce clearance and access procedures
Testing and Revision Procedures
Procedures for annual testing and revision of written contingency plans to look for any weaknesses.
Under HIPAA, this is the exchange of information between two parties to carry out financial or administrative activities related to health care.
Used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Traditional paper-to-paper facsimile is not included; however, electronic data transmitted using a computer-based facsimile program is included.
Implementing technical security mechanisms to guard against unauthorized access, use, disclosure, modification, alteration, or destruction to PHI that is being transmitted over an electronic communications network.
The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Unique User Identification
Assigning a unique name and/or number for identifying and tracking user identity. System processes will use this name and/or number to identify the user and to associate the user with tracked actions taken by or on behalf of that user.
With respect to individually identifiable health information under HIPAA, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
A person or entity with authorized access.
Self-replicating, malicious code that attaches itself to an application program or other executable system component and leaves no obvious signs of its presence.
Virtual Private Network (VPN)
A technical strategy for creating secure connections, or tunnels, over the Internet.
Formal, documented procedure governing the reception and hosting of visitors.
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.
Waiver or Alteration of Authorization
The documentation that the covered entity obtains from a researcher or an IRB or a Privacy Board that states that the IRB or Privacy Board has waived or altered the Privacy Rule's requirement that an individual must authorize a covered entity to use or disclose the individual's PHI for research purposes.
Military and civilian full-time and part-time employees, volunteers, trainees, and other persons (including students and contract personnel) whose conduct, in the performance of work for an organization, is under the direct control of such an entity, whether or not they are paid by the organization.
Workforce Clearance Procedure
Under HIPAA, a protective measure applied to determine that an individual's access to electronic protected health information is appropriate. The need for and extent of a screening process is normally based on an assessment of risk, cost, benefit, and feasibility as well as other protective measures in place. Effective screening processes are applied in such a way as to allow a range of implementation, from minimal procedures to more stringent procedures commensurate with the sensitivity of the data to be accessed and the magnitude of harm or loss that could be caused by the individual.
The policies and procedures that ensure that all members of a covered entities workforce have appropriate access to electronic protected health information, as provided under the information access management standard, and to prevent those who do not have access under that standard from obtaining access to electronic protected health information.
Workgroup for Electronic Data Interchange (WEDI)
A health care industry group that lobbied for HIPAA A/S, and that has a formal consultative role under the HIPAA legislation. WEDI also sponsors Strategic National Implementation Process (SNIP).
An electronic computing device (e.g., a laptop or a desktop computer), or any other device that performs similar functions, and electronic media stored in its immediate environment.
Implementing policies and procedures concerning workstations that specify the authorized functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or a class of workstation that can access electronic PHI.
Implementing physical safeguards for all workstations that access electronic PHI. Ensure that workstation access is only granted to authorized users and prevent workstation
access to unauthorized users.
Written Contract or Other Arrangement
Under HIPAA, documentation of the satisfactory assurances required by the business associates standard through a written contract or other arrangement that meets all applicable requirements specified in the Security Rule.