Glossary
Plain-English definitions of HIPAA, hosting, and compliance terms.
A
-
Access Control
Technical measures that restrict ePHI to authorized users and processes only.
-
Access Log Review
Periodically examining access logs to detect inappropriate activity on ePHI.
-
Administrative Safeguards
HIPAA Security Rule policies and procedures that manage the protection of ePHI.
-
Audit Controls
HIPAA-required mechanisms that record and examine activity in systems holding ePHI.
-
Audit Logging
Recording who accessed PHI and when, as required by the HIPAA Security Rule.
-
Automatic Logoff
A control that ends an idle session to prevent unauthorized access to PHI.
B
-
Backup and Disaster Recovery (BDR)
Practices for backing up data and restoring systems after a disruptive event.
-
Breach (HIPAA)
An impermissible use or disclosure of unsecured PHI that compromises its security or privacy.
-
Breach Notification Rule
The HIPAA rule requiring notice when unsecured PHI is exposed.
-
Business Associate
A vendor that handles PHI on behalf of a covered entity and is directly liable under HIPAA.
-
Business Associate Agreement (BAA)
A written contract requiring a vendor that handles PHI to protect it under HIPAA.
-
Business Continuity Plan
A plan to keep essential business functions running through and after a disruption.
C
-
Conduit Exception
A narrow HIPAA exception for services that only transmit PHI without storing it.
-
Contingency Plan
A HIPAA-required plan for responding to emergencies that damage systems containing ePHI.
-
Corrective Action Plan (CAP)
A remediation plan an organization agrees to after an OCR HIPAA enforcement action.
-
Covered Entity
A healthcare provider, health plan, or clearinghouse directly regulated by HIPAA.
D
-
Data Backup Plan
A HIPAA-required plan to create and maintain retrievable copies of ePHI.
-
Data Center
A secured facility housing servers and infrastructure, subject to HIPAA physical safeguards.
-
Data Use Agreement (DUA)
A contract governing how a limited data set may be used and disclosed.
-
DDoS Protection
Measures that keep services available during distributed denial-of-service attacks.
-
De-identification
Removing identifiers from health data so it is no longer PHI under HIPAA.
-
Dedicated Server
A physical server used by a single tenant, offering isolation useful for PHI workloads.
-
Designated Record Set
The records a covered entity uses to make decisions about individuals, subject to patient access rights.
-
Disaster Recovery Plan
The documented process for restoring systems and data after a major disruption.
E
-
Electronic Protected Health Information (ePHI)
PHI that is created, stored, or transmitted in electronic form.
-
Emergency Access Procedure
A documented way to reach ePHI during an emergency without weakening normal controls.
-
Emergency Mode Operation Plan
Procedures to keep critical ePHI processes running during an emergency.
-
Encryption (at rest and in transit)
Scrambling PHI so it is unreadable without a key, both while stored and while transmitted.
-
Expert Determination Method
A HIPAA de-identification method where a qualified expert certifies re-identification risk is very small.
F
H
-
High Availability (HA)
Designing systems to minimize downtime through redundancy and failover.
-
HIPAA (Health Insurance Portability and Accountability Act)
The 1996 U.S. law that sets national standards for protecting sensitive patient health information.
-
HIPAA Authorization
A patient's written permission to use or disclose PHI beyond treatment, payment, or operations.
-
HIPAA Enforcement Rule
The rule setting out how HIPAA violations are investigated and penalized.
-
HIPAA Omnibus Rule
The 2013 rule that finalized HITECH changes and made business associates directly liable under HIPAA.
-
HIPAA Privacy Rule
The HIPAA rule governing how PHI may be used and disclosed.
-
HIPAA Security Rule
The HIPAA rule that sets administrative, physical, and technical safeguards for ePHI.
-
HIPAA-Compliant Hosting
Hosting configured with the safeguards and a signed BAA needed to store or transmit PHI.
-
HIPAA-Eligible Services
The specific cloud services a provider agrees to cover under its BAA; PHI may only live inside them.
-
HITECH Act
A 2009 law that strengthened HIPAA enforcement, penalties, and breach notification requirements.
-
HITRUST CSF
A certifiable security framework that maps HIPAA and other standards into one control set.
I
-
Incident Response Plan
A documented plan for detecting, responding to, and recovering from security incidents.
-
Individually Identifiable Health Information
Health information that identifies, or could identify, a specific person: the basis of PHI.
-
Integrity Controls
Measures ensuring ePHI is not improperly altered or destroyed.
-
Intrusion Detection and Prevention System (IDS/IPS)
Systems that monitor network or host activity to detect and block malicious behavior.
-
ISO 27001
An international standard for information security management systems (ISMS).
K
L
-
Least Privilege
Granting each user or process only the minimum access needed to do its job.
-
Limited Data Set
PHI with direct identifiers removed, usable for research or operations under a data use agreement.
-
Load Balancing
Distributing traffic across multiple servers to improve performance and availability.
M
-
Managed Hosting
Hosting where the provider operates and secures the servers, including patching and monitoring.
-
Minimum Necessary Standard
A HIPAA principle requiring access to only the minimum PHI needed to accomplish a task.
-
Multi-Factor Authentication (MFA)
Requiring two or more independent factors to verify a user's identity.
N
O
P
-
Penetration Testing
An authorized simulated attack to find exploitable security weaknesses.
-
Person or Entity Authentication
Verifying that a user or system seeking ePHI is who it claims to be.
-
Physical Safeguards
HIPAA Security Rule controls protecting the physical facilities and hardware that hold ePHI.
-
Private Cloud
Cloud infrastructure dedicated to a single organization rather than shared publicly.
-
Protected Health Information (PHI)
Individually identifiable health information held by a covered entity or business associate.
-
Public Cloud
Shared, multi-tenant cloud infrastructure; can host PHI under a BAA with proper configuration.
R
-
Recovery Point Objective (RPO)
The maximum amount of data, measured in time, an organization can afford to lose in an outage.
-
Recovery Time Objective (RTO)
The maximum acceptable time to restore a system after an outage.
-
Redundancy
Duplicating critical components so a failure doesn't cause an outage or data loss.
-
Right of Access
A patient's HIPAA right to inspect and obtain a copy of their own health information.
-
Risk Analysis
A HIPAA-required assessment of threats and vulnerabilities to ePHI.
-
Role-Based Access Control (RBAC)
Granting access to ePHI based on a user's job role rather than individually.
S
-
Safe Harbor Method
A HIPAA de-identification method that removes 18 specified identifiers from health data.
-
Sanction Policy
A HIPAA-required policy for disciplining workforce members who violate security policies.
-
Security Incident
An attempted or successful unauthorized access, use, or interference with ePHI systems.
-
Service Level Agreement (SLA)
A contract defining guaranteed service levels such as uptime and support response times.
-
Shared Responsibility Model
The split of security duties between a cloud provider and its customer; the cloud secures the infrastructure, the customer secures what runs on it.
-
Single-Tenant Hosting
A hosting model where one customer's environment runs on infrastructure shared with no other tenant, simplifying isolation and risk analysis.
-
SOC 2
An audit report on a service provider's controls for security, availability, and confidentiality.
-
SOC 2 Type II
A SOC 2 report testing that controls operated effectively over a period of time.
-
SSL/TLS Certificate
A digital certificate that enables encrypted HTTPS connections to a website or service.
-
Subcontractor (HIPAA)
A vendor a business associate hires to handle PHI, who must also sign a BAA.
T
-
Technical Safeguards
HIPAA Security Rule technology controls such as access control, encryption, and audit logging.
-
Transmission Security
HIPAA safeguard protecting ePHI as it moves across networks.
-
Treatment, Payment, and Health Care Operations (TPO)
The core purposes for which PHI can be used without separate patient authorization.
U
V
W
-
Web Application Firewall (WAF)
A firewall that filters HTTP traffic to protect web applications from attacks.
-
Willful Neglect
Conscious failure to comply with HIPAA, carrying the highest penalty tier.
-
Workforce Security Training
HIPAA-required security awareness training for all members of the workforce.