Glossary

Recording who accessed PHI and when, as required by the HIPAA Security Rule.

A control that ends an idle session to prevent unauthorized access to PHI.

The HIPAA rule requiring notice when unsecured PHI is exposed.

A vendor that handles PHI on behalf of a covered entity and is directly liable under HIPAA.

A written contract requiring a vendor that handles PHI to protect it under HIPAA.

A narrow HIPAA exception for services that only transmit PHI without storing it.

A healthcare provider, health plan, or clearinghouse directly regulated by HIPAA.

PHI that is created, stored, or transmitted in electronic form.

Scrambling PHI so it is unreadable without a key, both while stored and while transmitted.

The HIPAA rule governing how PHI may be used and disclosed.

The HIPAA rule that sets administrative, physical, and technical safeguards for ePHI.

Individually identifiable health information held by a covered entity or business associate.