HIPAA Glossary: Important Definitions of HIPAA Terms

HIPAA Glossary

While reading through the HIPAA regulations you will most likely come across several terms that you think you understand, but mean something different in HIPAA terms. Rather than you having to research each term individually, we have put together a list of important HIPAA terms.

Our HIPAA glossary is a comprehensive list of common terms you will come across while trying to understand the regulation. This HIPAA glossary is meant to clarify regulatory terms with simplified definitions that you don’t need to be a lawyer to understand.

HIPAA Glossary of Terms


Access: (This definition applies to “access” as used in the Privacy and Breach Notification Rules). The means used to retrieve, view, hear, read, write, modify, or communicate information. This information can include records, data, or other system information. 

Access: (This definition applies to “access” as used in the Security Rule). The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.  

Accounting of Disclosures of PHI: A report, which an individual has the right to request, that lists a covered entity's disclosures (including those made by its business associates) of the individual's PHI during a given period, other than disclosures for treatment, payment, and health care operations, disclosures made with the individual's written authorization, and certain other excepted disclosures.

Administrative Safeguards: Administrative actions, and the policies and procedures, that manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information, and that manage the conduct of the workforce in relation to the protection of that information.

Administrative Tribunal: An officially appointed or elected individual, judge, or group of those individuals or judges, including those appointed by administrative agencies who conduct hearings and exercise judgment over specific issues.

Agent: Whether a person or entity is an agent of the Organization is determined in accordance with the federal common law of agency. The Organization is liable for the acts of its agents. An agency relationship exists if the Organization has the right or authority to control the agent's conduct in the course of performing a service on behalf of the Organization (e.g., by giving interim instructions or directing how the service is performed).

Alternative Communications: Information or communications delivered to patients in a manner different than the Organization’s normal practice. For example, patients may ask for delivery at an alternative address, phone number, or post office box.

Amend/Amendment: The correction of PHI or the addition of PHI to an existing designated record set.

Authentication: The verification of a user, process, or device, to allow access to resources in an electronic information system.

Authorization: An individual’s written statement of agreement to the use or disclosure of protected health information.

Availability: The property that data or information is accessible and useable upon demand by an authorized person. 


Breach: The acquisition, access, use, or disclosure of protected health information in a manner not permitted that compromises the security or privacy of the PHI.

Business Associate: A person or entity who, 1) is not a member of the Organization’s workforce and, 2) provides a service, performs a function, or performs an activity on behalf of a covered entity that involves the creation, receipt, maintenance, or transmission of protected health information. 

Business Associate Agreement: Under the HIPAA Privacy and Security Rules, a business associate agreement (“BAA”) is a legally binding contract entered into between a covered entity and a business associate. The agreement must contain satisfactory assurances by the business associate that the business associate will appropriately safeguard protected health information.


Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes. 

Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a HIPAA standard (for example, claims or eligibility inquiries).


Data Aggregation: The act of a business associate combining protected health information from multiple covered entities in order “to permit data analyses that relate to the health care operations of the respective covered entities.”

De-Identified Health Information: Health information that does not identify an individual and for which there is no reasonable basis to believe it can be used to identify an individual. De-identified information is not PHI, so the Privacy Rule's use and disclosure restrictions do not apply to it. The Privacy Rule recognizes two ways to de-identify data: a documented expert determination that the re-identification risk is very small, or the Safe Harbor method, which removes a specified list of identifiers of the individual and of the individual's relatives, employers, and household members.

Designated Record Set: A group of records maintained by or for a covered entity that is: a) the medical and billing records about individuals maintained by or for a covered health care provider; b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or c) records used, in whole or in part, by or for the covered entity to make decisions about individuals.

Disclosure: The release, transfer, provision of access to, or divulging in any manner PHI to outside the entity holding the information.


Electronic Protected Health Information (ePHI):  Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

Encryption: The use of an algorithmic process to transform data into a form in which it is unreadable without a confidential process or key. 


Facility: The physical premises and the interior and exterior of a building(s). 

Facility Directory: A directory of the individuals (patients) currently in a covered health care facility, used to answer inquiries from visitors and callers who ask for a patient by name. The information may include the patient's name, location in the facility (room/bed number), a condition described in general terms (e.g., "stable," "resting comfortably"), and religious affiliation. Religious affiliation may be disclosed to clergy members only. The patient must be informed of the directory and given the opportunity to object to being listed.

Fundraising: An organized campaign designed to reach out to certain segments of the population to raise monies.


Health Care Operations: Any of the following activities of a covered entity:

  1. Quality assessment and improvement activities (including outcome evaluation and clinical guideline development, provided that obtaining generalizable knowledge is not the primary purpose); patient safety activities; population-based activities related to improving health or reducing health care costs; protocol development, case management, and care coordination; and contacting health care providers and patients with information about treatment alternatives;
  2. Reviewing the competence, qualifications, or performance of health care professionals; evaluating health plan performance; conducting training programs in which students, trainees, or practitioners in health care learn under supervision to practice or improve their skills; training of non-health care professionals; and accreditation, certification, licensing, or credentialing activities;
  3. Underwriting (excluding any use of genetic information), enrollment, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of health care claim risks;
  4. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
  5. Business planning and development, including formulary development and administration and the development or improvement of payment or coverage policies; and
  6. Business management and general administrative activities of the entity, including but not limited to:
  • Management activities relating to implementation of and compliance with the Privacy Rule;
  • Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
  • Resolution of internal grievances;
  • The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or with an entity that will become a covered entity following such activity, and due diligence related to such activity; and
  • Consistent with the applicable requirements of the Privacy Rule, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

HHS: The U.S. Department of Health and Human Services. HHS issues and enforces the HIPAA Privacy, Security, and Breach Notification Rules; day-to-day enforcement is delegated to its Office for Civil Rights.

Health Insurance Portability and Accountability Act (HIPAA): Federal legislation passed in 1996 whose administrative simplification provisions, and the rules HHS issued under them, regulate the privacy and security of individually identifiable health information.

HIPAA Breach Notification Rule: Requires covered entities (and business associates, who must report to the covered entity) to notify affected individuals and HHS of breaches of unsecured PHI. Individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. A breach affecting 500 or more individuals must be reported to HHS within the same 60-day window and, if it affects 500 or more residents of a state or jurisdiction, to prominent media outlets serving that area; smaller breaches are logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered.

HIPAA Compliance: Organizations working in healthcare, covered entities and business associates, are required to be HIPAA compliant. To be HIPAA compliant, organizations must implement a total HIPAA compliance program including risk assessments, gap identification and remediation, written policies and procedures, employee training, business associate agreements, and incident management.

HIPAA Privacy Rule: Regulates the use and disclosure of protected health information. The Privacy Rule gives individuals the right to access their protected health information, the right to request that it be amended, and the right to an accounting of how it has been disclosed. It prescribes measures that must be taken to protect PHI from unauthorized access, and it requires covered entities to develop and use a Notice of Privacy Practices explaining how they will use or disclose an individual's PHI. It also specifies when an individual's written authorization is required before PHI is used or disclosed and when it is not, and which circumstances require PHI to be disclosed and which prohibit its disclosure.

HIPAA Security Rule: Regulates and safeguards a subset of protected health information, known as electronic protected health information. The Rule requires that organizations ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against impermissible uses or disclosures of ePHI that are reasonably anticipated; and ensure compliance by their workforce.

HIPAA Training: The Privacy Rule requires covered entities to train all workforce members on the policies and procedures that apply to their jobs, both when they join the workforce and whenever those policies change materially, and the Security Rule requires a security awareness and training program for the entire workforce. The rules do not set a fixed interval; annual refresher training is a widely adopted practice rather than a stated requirement. Training typically covers HIPAA basics, the organization's own HIPAA policies and procedures, and security practices such as malware protection, log-in monitoring, and password management.

HIPAA Violation: When an organization fails to comply with HIPAA requirements, they are in violation of HIPAA laws. Some common HIPAA violations include failure to conduct an accurate and thorough risk assessment, failure to comply with the right of access standard, and failure to have signed BAAs with business associate vendors.


Individual: The person who is the subject of PHI.

Individually Identifiable Health Information: A subset of health information, including demographic information that:

  1. Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to the individual; or the payment for the provision of health care for the individual; and
  3. Identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

Information System: An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. 

Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner. 

Institutional Review Board (IRB): In reference to a research project, a board designated to review and approve proposed research and the process by which the investigator intends to obtain the informed consent of research subjects. Under the Privacy Rule, an IRB or a privacy board may also approve a waiver or alteration of the HIPAA authorization that would otherwise be required to use PHI for the research.


Limited Data Set: A set of health information from which HIPAA's specified direct identifiers of the individual, and of the individual's relatives, employers, and household members, have been removed (for example, names, street addresses, phone numbers, e-mail addresses, Social Security numbers, medical record numbers, and account numbers), but which may still contain dates, town or city, state, and ZIP code. The Privacy Rule permits a covered entity to use or disclose a limited data set for research, public health, or health care operations without the individual's authorization, provided the recipient signs a data use agreement that limits how the data may be used and redisclosed. Because it still contains dates and location data, a limited data set is PHI and is not de-identified.
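The difference between a limited data set and Safe Harbor de-identified data is easiest to see on a record. The Python below is an added example written for this glossary, not code from any regulation, agency, or product; it removes the direct identifiers for a limited data set, then applies the Safe Harbor reductions (drop city, keep a three-digit ZIP prefix, reduce dates to years, cap ages at 90+) and finally scans what is left for identifiers that survived in free text. The field names, the sample record, and the SPARSE_ZIP3 set are assumptions constructed for the example; the real list of sparsely populated ZIP prefixes comes from Census data.

```python
"""Illustrative HIPAA de-identification: limited data set vs. Safe Harbor.

Added example for this glossary. Encodes the Privacy Rule's Safe Harbor
method (45 CFR 164.514(b)(2)) and limited data set (45 CFR 164.514(e));
field names, SAMPLE, AS_OF and SPARSE_ZIP3 are constructed assumptions.
"""
import re
from datetime import date

# Direct identifiers removed from both a limited data set and Safe Harbor
# output (field names are this example's own, not a regulatory schema).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})

# Date fields Safe Harbor reduces to a year (date of birth becomes an age).
DATE_FIELDS = ("dob", "admission_date", "discharge_date")

# ZIP3 prefixes assumed to cover 20,000 people or fewer; Safe Harbor
# requires these to be replaced with "000". Assumed set for the example.
SPARSE_ZIP3 = frozenset({"036", "059", "102", "203"})

# Values that should never survive de-identification; used as a final check.
_LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def limited_data_set(record: dict) -> dict:
    """Drop the direct identifiers; keep dates, city, state and ZIP."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def _age_bucket(dob: date, as_of: date) -> str:
    """Age in whole years, aggregated to '90+' as Safe Harbor requires."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor reductions on top of the limited data set."""
    out = limited_data_set(record)
    # Geographic units smaller than a state: drop city, truncate ZIP to
    # three digits, and zero out sparsely populated prefixes.
    out.pop("city", None)
    if "zip" in out:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    # Dates directly related to the individual: keep only the year,
    # and turn date of birth into an age.
    for field in [f for f in DATE_FIELDS if f in out]:
        d = out.pop(field)
        if field == "dob":
            out["age"] = _age_bucket(d, as_of)
        else:
            out[field[:-5] + "_year"] = d.year  # admission_date -> admission_year
    return out


def identifier_leaks(record: dict) -> list[str]:
    """Field:kind pairs whose value still looks like an SSN, phone or e-mail.

    Structured stripping never touches free text, which is where
    identifiers usually survive, so any hit should fail the release.
    """
    leaks = []
    for field, value in record.items():
        for kind, pattern in _LEAK_PATTERNS.items():
            if pattern.search(str(value)):
                leaks.append(f"{field}:{kind}")
    return leaks


# Constructed sample record (not real data) and reference date.
SAMPLE = {
    "name": "Jane Q. Sample", "street_address": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704", "phone": "217-555-0142",
    "email": "jane@example.org", "ssn": "123-45-6789", "mrn": "MRN-000417",
    "dob": date(1931, 6, 15), "admission_date": date(2023, 3, 2),
    "discharge_date": date(2023, 3, 9), "diagnosis": "I10",
    "notes": "Patient asked that results be sent to 217-555-0142.",
}
AS_OF = date(2023, 3, 9)

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE))
    deid = safe_harbor(SAMPLE, AS_OF)
    print("safe harbor:", deid)
    print("leaks:", identifier_leaks(deid))  # the notes field still carries a phone number
```

Running the module shows the point in both directions: the limited data set still holds the full date of birth and city, so it remains PHI and needs a data use agreement, while the Safe Harbor output reduces them to an age of "90+", state and ZIP3 "627". The leak check fails on the free-text notes field in both outputs, which is why structured field stripping alone is not enough before a release.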


Malicious Software: Software designed to damage or disrupt a system – for example, a virus.

Marketing: The provision of information about a product or service that encourages recipients of the communication to purchase or use the product or service. 

Medical Record: Documents, notes, forms, and test results that collectively document health and healthcare services for an individual including but not limited to medical history, care or treatments received, medications prescribed or taken, test results, diagnosis and prognosis. Psychotherapy notes are excluded from the definition of medical record as are peer review documents when they are covered by a legal privilege.

Minimum Necessary Standard: Use of reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.  


Notice of Privacy Practices: A document required by the HIPAA Privacy Rule. The Notice of Privacy Practices must provide individuals with information on how an organization will use or disclose their PHI, what the organization’s responsibilities are and what individuals’ rights are with respect to that PHI.


Office for Civil Rights (OCR): The branch within the Department of Health and Human Services that enforces HIPAA.

Opt-out: To make a choice to be excluded from communications or practices.


Password: Confidential authentication information composed of a string of characters. 

Payment: Activities undertaken by a health care provider or health plan to obtain or provide reimbursement for the provision of health care, and activities undertaken by a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and the provision of benefits under the plan. Payment activities include determining eligibility or coverage, billing, claims management, collection activities, medical necessity determinations, risk adjustment, utilization review (including precertification, preauthorization, and concurrent and retrospective review of services), and specified disclosures to consumer reporting agencies.

Personal Representative: One who, under law, has the authority to act on behalf of an individual in making decisions related to health care or in exercising the individual’s rights related to their protected health information. Personal representatives’ rights are limited in certain circumstances. 

Physical Safeguards: Physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. 

Privacy Breach: Any unauthorized or unpermitted access, use, disclosure, modification, or destruction of unsecured PHI in any form.

Privacy Incident: Any attempted or successful unpermitted or unauthorized access, use, disclosure, modification, interference, or destruction of unsecured PHI in any form.

Privacy Leadership: The person or persons designated by the Organization to lead its efforts to meet the obligations that apply to it under the Privacy Rule or the HITECH Act, whether those obligations arise directly from the laws and regulations or from contracts, including business associate agreements, that the Organization has entered into.

Protected Health Information (PHI): PHI is individually identifiable health information that is created, received, transmitted, or maintained by a covered entity or business associate in any form or medium. PHI excludes information regarding persons deceased for more than 50 years, information in education records (which are protected by other laws), and information in employment records held by a covered entity in its role as an employer. It includes genetic and demographic information. 

Provider: A provider of medical or health services, and any other person or entity who furnishes, bills for, or is paid for health care in the normal course of business. Providers at the organization are those contracted, subcontracted, or employed who provide medical or health services on behalf of the organization.

Psychotherapy Notes: Notes recorded in any medium by a mental health professional documenting or analyzing the contents of a conversation during a counseling session that are separated from the rest of the medical record. Psychotherapy notes do not include medication prescription and monitoring, session start and stop times, modalities and frequency of treatment, clinical test results, or summary information on diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.


Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.


Security or Security Measures: All of the administrative, physical, and technical safeguards in an information system. 

Security Incident: Under the Security Rule, the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. The attempt does not have to succeed to count as an incident, so failed intrusions and blocked malware are security incidents that must be identified, responded to, and documented.

Security Risk Assessment: Identifies potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that an organization creates, receives, maintains, or transmits. The Security Rule calls this a risk analysis; a security risk assessment (SRA) includes six elements:

  1. Collecting data on where ePHI is created, received, maintained, and transmitted;
  2. Identifying and documenting potential threats and vulnerabilities;
  3. Assessing current security measures;
  4. Determining the likelihood of each threat occurring;
  5. Determining the potential impact if it does; and
  6. Determining the resulting level of risk.

The analysis must be documented and repeated when the environment changes, and the risks it identifies must be addressed through a risk management plan.


Technical Safeguards: The technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 

Treatment: The provision, coordination, or management of health care and related services, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.


Use: To share, employ, apply, utilize, examine, or analyze individually identifiable health information.

User: A person or entity with authorized access. 

Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 (the HITECH Act). That guidance recognizes two methods: encryption consistent with NIST guidance, with the decryption key kept separate from the data, and destruction of the media or data. Only breaches of unsecured PHI trigger the Breach Notification Rule, so the loss of a properly encrypted device whose key was not also compromised is not a reportable breach.


Whistleblower: An individual who reveals wrongdoing within an organization to the public, government agencies, or to those in positions of authority.

Workforce Members: Employees, volunteers, trainees, consultants, providers, professionals, managers, staff, and other persons whose conduct, in the performance of work for the Organization, is under the direct control of the Organization, regardless of whether the Organization pays them.

Workstation: An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
