HIPAA Definitions

hipaa definitions

This list of HIPAA definitions will help get you started understanding HIPAA compliance so you can protect your business.

Be sure to bookmark or favorite this HIPAA definitions page so you can access these definitions whenever you have a question or concern. Let’s get started with each HIPAA definition below:


The Health Insurance Portability and Accountability Act of 1996. HIPAA regulation is composed of a series of national standards outlining the privacy and security of protected health information. HIPAA has undergone significant additions and revisions in the 20+ years since it was first enacted. These changes have been made to account for new technologies and changes to the way that the federal government has enforced compliance.

HIPAA guidance and regulation is overseen by the Department of Health and Human Services (HHS). HIPAA enforcement is overseen by the Office for Civil Rights (OCR).

Since first enacted, there have been millions of dollars in fines levied for HIPAA violations stemming from non-compliance. Read more about HIPAA fines here!

Protected Health Information (PHI):

Any personally identifiable demographic information that can be used to identify a patient. HIPAA sets national standards for the privacy and security of PHI. HIPAA identifies 18 markers of PHI, which include:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

Covered Entity (CE):

A covered entity is any health care provider, health insurance plan, or health care clearinghouse. Covered entities must comply with the HIPAA Rules and all necessary standards.

Business Associate (BA):

A business associate is any organization hired to handle PHI on behalf of a CE or other BA. The job they’ve been hired to perform must necessarily entail access, transmission, or handling of PHI in any way. Common examples of BAs include: practice management firms, data storage, physical storage, IT service providers, and managed service providers, to name a few.

HIPAA Security Rule:

The HIPAA Security Rule sets national standards for administrative, technical, and physical safeguards necessary to ensure the security of PHI.

HIPAA Privacy Rule:

The HIPAA Privacy Rule sets national standards for access, use, and disclosures of PHI by covered entities.

HIPAA Breach Notification Rule:

The HIPAA Breach Notification Rule outlines processes that must be followed in the event of a data breach. It sets standards for how and when to notify individuals affected by the breach, HHS, news media, and law enforcement.

HIPAA Omnibus Rule:

The HIPAA Omnibus Rule made several key changes to HIPAA regulation. Among those changes are revisions to the execution of and compliance with business associate agreements (defined below). Additionally, the Omnibus Rule mandates BA compliance with HIPAA. The Omnibus rule also sets looser guidelines for the issuing of HIPAA fines.

Business Associate Agreement (BAA):

Business associate agreements are contracts that must be legally executed between two HIPAA-beholden entities before any PHI can be shared. BAAs are mandated by the HIPAA Rules to mitigate liability in the event of a data breach, and give both parties the necessary assurances that PHI will be kept safe. Read more about Business Associate Agreements here!

HIPAA Risk Assessment:

Risk assessments are an important part of HIPAA compliance. The HIPAA Security Rule sets safeguards for PHI. These safeguards fall under the categories of administrative, technical, and physical. One of the technical safeguards outlined in HIPAA regulation mandates that security risk assessments must be executed. When organizations execute a security risk assessment, they identify potential risk areas. These risk areas must then be fixed with documented remediation plans. Read more about HIPAA Risk Assessments here!

Notice of Privacy Practices:

A notice of privacy practices is mandated by the HIPAA Privacy Rule. This is a notification that must be made visible and available to patients when they enter and begin treatment with a health care provider. Notices of privacy practices must be prominently displayed in office waiting areas, available on company websites, and must be reproducible for patients upon request.

See How It Works