Glossary

What does that mean?

Definitions for frequently used terms & acronyms.

Business Associate (BA)

The businesses that provide services to Covered Entities and need some level of access to PHI to do so (they create, receive, maintain or transmit it). They may have access because they do the insurance billing or because they shred paper reports containing PHI. Many companies offer these kinds of services: transcription, claim processing, statement printing, shredding, legal, accounting and more. Under the HITECH changes, BAs are separately and directly liable for compliance with the Security Rule and the applicable portions of the Privacy Rule.

Business Associate Agreement (BAA)

The legal contract required under the Privacy Rule between a CE and each of its BAs, and between a BA and any subcontractor it uses. Under the HITECH Final Rule an organization is a BA because of the work it does, not because an agreement is in place. An agreement must be in place, but the lack of one does not remove the compliance obligations.

Breach

An impermissible use or disclosure of PHI as defined in the Privacy Rule. If PHI is seen, used or accessed in a manner the Privacy Rule does not permit, it is considered a breach.

Breach Notification Rule

Defines the specific actions a CE must take in the event of a breach. Notification must be made to the affected patients and to HHS and, in cases involving more than 500 patients, to the media. The required content of the notices and the timelines are defined in the rule. Effective since September 23, 2009. Beginning with the Final Rule, an impermissible use or disclosure is presumed to be a breach requiring notification unless a documented risk assessment shows a low probability that the PHI has been compromised; the earlier "no significant harm to the patient" test no longer applies.

Civil Money Penalties (CMP)

Under the original HIPAA rules, non-compliance fines were capped at $25,000 per calendar year for identical violations. HITECH raised the cap to $1.5 million per calendar year per identical provision and introduced tiered minimum fines that reach $50,000 per violation in the most serious tier. These amounts are adjusted for inflation each year; the current figures are published in the Federal Register.

CISA

The Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security. CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience.

CMS

Centers for Medicare and Medicaid Services is the division of HHS that manages all Medicare and Medicaid activities plus the Children’s Health Insurance Program.

Covered Entity (CE)

The healthcare industry entities that are required to follow the HIPAA and HITECH regulations: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. In practice this includes doctors, hospitals, nursing homes, insurance companies, imaging centers and more.

CPGs

CISA Cross-Sector Cybersecurity Performance Goals: A common set of protections that all critical infrastructure entities – from large to small – should implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.

Criminal Penalties

Since June 2005, CEs as well as BAs and their directors, employees or officers may also be criminally liable. Criminal cases are prosecuted by the U.S. Department of Justice. A federal criminal case can be brought when PHI is knowingly obtained or disclosed in violation of HIPAA; "knowingly" means knowing the facts of what you did, not knowing that it was illegal. Simple cases carry up to one year of imprisonment and fines up to $50,000. If the offense is committed under false pretenses, the penalties rise to $100,000 and up to 5 years. The penalties are $250,000 and up to 10 years in cases involving intent to sell, transfer or use the PHI for commercial advantage, personal gain or malicious harm.

EHR

Electronic Health Records – patient medical charts in electronic form. The clinical information your healthcare providers once kept on paper is now maintained in computer systems called EHRs.

Enforcement Rule

The original HIPAA rules included very little enforcement. HITECH strengthened the Enforcement Rule with tiered civil penalties and made criminal liability explicit for non-compliance. It also requires OCR to conduct periodic audits of CEs and BAs. OCR's Phase 2 HIPAA Audit Program began in 2016; these were primarily desk audits that reviewed the policies and procedures CEs and BAs use to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules.

HITECH Privacy, Security and Breach Notification Final Rule

The final regulation (often called the Omnibus Rule) that implements the HITECH Act's changes to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. Published in the Federal Register on January 25, 2013. Effective March 26, 2013, with a compliance grace period that ended September 23, 2013.

HHS

U.S. Department of Health & Human Services is the principal agency for protecting the health of Americans and providing essential human services to our citizens. There are many divisions and offices within HHS including Centers for Disease Control and Prevention, National Institutes of Health and the Food and Drug Administration. Also HHS is responsible for helping the Healthcare and Public Health (HPH) critical infrastructure sector prepare for and respond to cyber threats, adapt to the evolving threat landscape, and build a more resilient sector. 

HICP

Health Industry Cybersecurity Practices are healthcare-specific recommended cybersecurity practices developed under the Section 405(d) Task Group created by the Cybersecurity Act of 2015. Donna Grindle is an active member of the 405(d) Task Group, both in the development of new products and updates to the guides and on the 405(d) Brand Ambassador team, which helps spread the word about the tools and information available.

HIPAA

Health Insurance Portability and Accountability Act of 1996 which included several sections. The primary discussions on Small Provider HIPAA relate to the Privacy Rule and Security Rule.

HITECH

Health Information Technology for Economic and Clinical Health enacted as part of the American Recovery and Reinvestment Act of 2009.  This act made changes to the original HIPAA provisions in the Privacy Rule plus added Enforcement requirements and a Breach Notification Rule that were never in place before 2009.  The act includes many more provisions but our discussions here address only these areas.

HPH CPGs

The voluntary, healthcare-specific Cybersecurity Performance Goals (CPGs) for the Healthcare and Public Health (HPH) critical infrastructure sector. These CPGs are a subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety. They were built on the chassis of CISA's CPGs and informed by common industry cybersecurity frameworks, guidelines, best practices, and the strategies defined in the 405(d) HICP recommendations.

Minimum Necessary

Refers to the rule that states when someone working on behalf of a covered entity (CE) or business associate (BA) is using or disclosing protected health information (PHI), they must make reasonable efforts to limit the PHI to the minimum amount necessary to accomplish the task.

Notice of Privacy Practices (NPP)

A document required by HIPAA that provides the person served with information about their rights under the Privacy Rule and how a CE generally uses their Protected Health Information.

OCR

Office for Civil Rights is the entity within HHS that is responsible for enforcing HIPAA among other activities including offering guidance on the rules and performing audits and investigations.

PHI

Protected Health Information – individually identifiable health information, including the medical records, insurance records and billing records relating to a patient's care. Referred to as ePHI when speaking specifically about the electronic form of this information. This is the information all of these rules exist to protect, so that only those who need it are allowed to access it.

Privacy Rule

The portion of HIPAA that defines who may use or access the PHI collected and maintained by healthcare organizations, for what purposes, and under what conditions. This section is the source of the HIPAA form most people recognize from signing it when they visit their healthcare providers (the Notice of Privacy Practices acknowledgment). Effective since April 14, 2003.

Recognized Security Practices

A new amendment to the HITECH act added in Jan 2021. The details about Recognized Security Practices and their potential impact on HIPAA compliance programs can be found on our special page dedicated to explaining the amendment.

Risk Analysis Content

A complete and thorough Risk Analysis requires a good bit of thought and documentation. The exercise is designed to make sure you think through every place ePHI lives and every way it could be exposed.

With that in mind, your process and documentation should include the following elements:

  1. The scope of the analysis must take into account all ePHI, regardless of its source or location or the way it is created, received, maintained or transmitted. No matter where or how it exists, it must be included in the analysis and documented as such.
  2. The locations where ePHI is created, received, maintained or transmitted must be identified and documented.
  3. Identify and document the reasonably anticipated threats to ePHI, and the vulnerabilities that, if triggered or exploited by any of those threats, would create a risk of inappropriate access to or disclosure of ePHI.
  4. Assess and document the security measures currently in place to safeguard ePHI, noting whether the measures the Security Rule requires are already implemented, and confirm they are configured, monitored and used properly.
  5. Document every threat and vulnerability combination, with the likelihood that it will affect the confidentiality, integrity or availability of ePHI.
  6. Document the potential impact of each defined vulnerability being exploited.
  7. Assign a risk level or rating to every threat and vulnerability combination.
  8. Document the corrective actions to be performed to mitigate each risk, by risk level.
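The eight elements above map naturally onto a small risk register that can be checked for completeness. The following Python is an added illustration, not part of this glossary or of any HHS/OCR guidance; the 3x3 likelihood/impact matrix, the field names, and the sample ePHI inventory and register entries are constructed assumptions (the rule prescribes no particular scale). It goes slightly beyond the list by adding the two checks a reviewer would run first: every inventoried ePHI location appears in the analysis, and every non-low risk has a documented corrective action.

```python
"""Minimal ePHI risk register with completeness checks (constructed example)."""
from dataclasses import dataclass, field

# Assumption: ordinal 3-point scales for likelihood and impact.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_rating(likelihood: str, impact: str) -> str:
    """Element 7: rate one threat/vulnerability pair (score = likelihood x impact, 1..9)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    location: str                 # element 2: where the ePHI lives or flows
    threat: str                   # element 3
    vulnerability: str            # element 3
    likelihood: str               # element 5
    impact: str                   # element 6
    affects: tuple                # which of confidentiality / integrity / availability
    controls: list = field(default_factory=list)  # element 4: safeguards already in place
    corrective_action: str = ""   # element 8

    @property
    def rating(self) -> str:
        return risk_rating(self.likelihood, self.impact)


def review_register(ephi_locations: list, register: list) -> dict:
    """Check the documented analysis against elements 1-8 and return the gaps."""
    rank = {"high": 3, "medium": 2, "low": 1}
    covered = {item.location for item in register}
    return {
        # elements 1-2: every inventoried ePHI location must appear in at least one risk item
        "unanalyzed_locations": sorted(set(ephi_locations) - covered),
        # element 8: every medium/high risk needs a documented corrective action
        "missing_corrective_action": [
            f"{i.location}: {i.threat} / {i.vulnerability}"
            for i in register
            if i.rating != "low" and not i.corrective_action
        ],
        # elements 5-7: the rated register, highest risk first
        "prioritized": sorted(
            ((i.rating, i.location, i.threat) for i in register),
            key=lambda r: (-rank[r[0]], r[1]),
        ),
    }


# Constructed sample inventory and register; "fax line" is deliberately left unanalyzed
# and the laptop item deliberately lacks a corrective action so the checks have something to find.
EPHI_LOCATIONS = ["EHR server", "billing laptop", "cloud backup", "fax line"]

REGISTER = [
    RiskItem("EHR server", "ransomware", "unpatched OS, no offline backup", "high", "high",
             ("confidentiality", "availability"), ["antivirus"],
             "monthly patch cycle; tested offline backups"),
    RiskItem("billing laptop", "theft", "disk not encrypted", "medium", "high",
             ("confidentiality",), [], ""),
    RiskItem("cloud backup", "misconfiguration", "bucket world-readable", "low", "high",
             ("confidentiality",), ["access logging"],
             "restrict bucket ACL; alert on public access"),
]

if __name__ == "__main__":
    for key, value in review_register(EPHI_LOCATIONS, REGISTER).items():
        print(key, value)
```

The output is a prioritized list plus two gap lists; the register is only as good as the inventory in element 1, which is why the location check runs against a separately maintained list rather than against the register itself.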

Risk Analysis Terms

Risk Mitigation and Management

The process of fixing (mitigation) the problems (risks) found in the Risk Analysis and making sure the fixes remain in place and working (management).  It is your on-going compliance improvement and monitoring plan.

The information and documentation of your Risk Mitigation and Management plan should include the following:

Start working the plan and document everything that is done along the way; that record is your on-going compliance program. Document regularly, so the record shows you are actually paying attention to the safeguards and verifying that they keep working.

Security Rule

The portion of HIPAA that defines the administrative, physical and technical safeguards that must be in place to protect ePHI. The rules cover the physical buildings and offices, the networks and computer systems, and the training and rules for staff members. Effective since April 20, 2005.

Willful Neglect

A category HHS/OCR assigns when it finds compliance problems within an organization. Willful Neglect means a company clearly ignored its obligation to comply with HIPAA. The designation has two levels: one where the problems were corrected within 30 days of being discovered, and one where they were not corrected. Neither is desirable, since they set the minimum fines required by law at $10,000 and $50,000 per violation, respectively (before inflation adjustment).