Reference
Definitive one-sentence definitions of every HIPAA term — PHI, ePHI, BAA, covered entity, breach notification, Privacy Rule, Security Rule, and 60+ more — each with the primary-source citation (45 CFR, NIST, HHS) you can verify against.
203 termsEvery entry cites its primary sourceUpdated 2026
A HIPAA technical safeguard requiring covered entities to implement policies and procedures granting access to ePHI only to authorized persons or software programs.
Includes unique user identification, emergency access procedure, automatic logoff, and encryption/decryption as required implementation specifications.
A patient's right under HIPAA to receive a list of certain non-routine disclosures of their PHI made by a covered entity in the prior six years.
Excludes disclosures for treatment, payment, operations, or disclosures made with patient authorization. Must be provided within 60 days of request.
Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.
Includes security management process, assigned security responsibility, workforce security, information access management, awareness and training, security incident procedures, contingency plan, and evaluation.
A sophisticated, sustained cyberattack in which an intruder establishes long-term presence in a network to exfiltrate data or maintain access, typically attributed to nation-state actors or organized criminal groups.
Healthcare is a frequent APT target because medical records have long monetization tail and patient care systems cannot be easily taken offline. APTs typically use a kill chain: reconnaissance, initial access, persistence, privilege escalation, lateral movement, exfiltration.
Advanced Encryption Standard with a 256-bit key, the cryptographic algorithm specified by NIST and adopted as the industry standard for protecting ePHI at rest.
Use of NIST-validated encryption like AES-256 is the basis for the HIPAA encryption safe harbor — properly encrypted PHI may not require breach notification.
A group of legally separate covered entities under common ownership or control that designates itself as a single covered entity for HIPAA purposes.
Designation must be documented in writing. Used by health-system holding companies, multi-location practice groups, and integrated delivery networks to share PHI internally as one entity.
A patient's right under HIPAA to request correction of inaccurate or incomplete PHI in their designated record set.
Covered entities must act within 60 days. If denied, the patient may submit a statement of disagreement that becomes part of the record.
The irreversible removal of all identifiers from a dataset such that re-identification of any individual is computationally infeasible.
Stronger than HIPAA de-identification. True anonymization is rare in healthcare because most clinical data retains indirect identifiers (rare diagnoses, geographic clusters, temporal patterns). HIPAA uses de-identification, not anonymization, as its legal standard.
Cryptographic approach that uses a pair of mathematically linked keys — a public key for encryption and a private key for decryption — enabling secure communication between parties that have never shared a secret.
Underpins TLS, S/MIME email encryption, digital signatures, and modern PKI. RSA and elliptic-curve (ECDSA/EdDSA) are the dominant algorithms.
A HIPAA technical safeguard requiring covered entities to implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI.
A chronological record of system activities — including access events, configuration changes, and security incidents — used to satisfy HIPAA's audit controls requirement.
Audit logs are a foundational forensic artifact for breach investigation and OCR compliance review. Most enforcement actions involve gaps in audit log coverage or retention.
A chronological record of events sufficient to reconstruct who did what, when, and from where — distinct from an audit log in emphasis (audit trails focus on reconstructable narrative; audit logs focus on raw event capture).
A HIPAA technical safeguard requiring covered entities to verify that a person or entity seeking access to ePHI is the one claimed.
Authentication is distinct from authorization (what the person can do once verified). HIPAA does not mandate a specific authentication method, but MFA is the current best-practice baseline and is proposed for explicit requirement in the 2026 Security Rule amendments.
A written, signed document by the patient permitting a specific use or disclosure of their PHI for purposes other than treatment, payment, or operations.
Required for most marketing communications, sale of PHI, disclosure of psychotherapy notes, and many research uses. Must include specific elements such as the PHI involved, recipients, purpose, expiration, and right to revoke.
An impermissible use or disclosure of PHI that compromises the security or privacy of the information.
Any impermissible disclosure is presumed to be a breach unless the covered entity demonstrates through a documented risk assessment that there is low probability the PHI was actually compromised.
Requirement that affected individuals be notified of a breach without unreasonable delay and no later than 60 calendar days after discovery; HHS must be notified within 60 days for breaches of 500+ individuals.
For breaches affecting fewer than 500 individuals, HHS must be notified in an annual aggregate report by March 1 of the following year. State breach notification laws may impose stricter timelines.
A workplace policy allowing workforce members to use personal devices (phones, tablets, laptops) to access organizational systems including PHI.
Permitted under HIPAA only with documented BYOD policies, mobile device management (MDM), encryption at rest, screen lock, remote wipe, and workforce training. Many practices avoid BYOD and issue practice-owned devices to simplify compliance.
A person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity.
Common examples include EHR vendors, cloud storage providers, billing services, IT contractors, transcription services, and many SaaS platforms.
A written contract between a covered entity and a business associate specifying permitted uses of PHI, required safeguards, breach notification obligations, and what happens to PHI at contract end.
A BAA is required before any PHI is shared with a business associate. Missing BAAs have triggered standalone enforcement actions (the Raleigh Orthopaedic case set the precedent at $750,000 with no associated breach).
A documented set of procedures enabling a healthcare practice to continue operations during and after a disruptive event — natural disaster, ransomware attack, vendor outage, or pandemic.
Required as a HIPAA administrative safeguard. Should include contact trees, recovery priorities, alternate processing locations, and tested fallback procedures. Distinct from a disaster recovery plan (which focuses on IT restoration) and an incident response plan (which focuses on security events).
A social-engineering attack where the attacker impersonates an executive, vendor, or patient via email to trick staff into transferring funds, sharing PHI, or changing payment details.
FBI IC3 reports BEC as the highest-loss cybercrime category. Healthcare is a frequent target because billing departments process high-volume vendor and insurance transfers. Defenses include MFA, sender authentication (SPF/DKIM/DMARC), out-of-band verification policies, and staff training.
California state law providing additional confidentiality protections for medical information beyond HIPAA, including stricter authorization requirements and direct private right of action for patients.
Applies broadly to providers of health care, health care service plans, and contractors handling medical information in California. Penalties include statutory damages per violation and attorney's fees.
A security policy enforcement point — on-premises or cloud-hosted — that sits between users and cloud services to enforce visibility, compliance, data security, and threat protection across cloud applications.
Healthcare CASBs (Microsoft Defender for Cloud Apps, Netskope, Zscaler) commonly enforce DLP policies for PHI in cloud applications and detect shadow IT cloud usage.
The California Consumer Privacy Act (2018) and California Privacy Rights Act (2023) — state laws granting California residents rights over their personal information including healthcare-related data not already covered by HIPAA.
Most PHI handled by HIPAA-covered entities is exempt from CCPA, but data created outside the HIPAA-covered relationship (wellness apps, patient portals not under a BAA, marketing data) can fall under CCPA/CPRA. Compounds with HIPAA rather than replacing it.
A trusted third party that issues digital certificates binding public keys to verified identities, enabling TLS, S/MIME, and other PKI-based trust.
Public CAs (DigiCert, Let's Encrypt, Sectigo) issue certificates trusted by all major browsers. Private CAs are used for internal infrastructure. Certificate misconfiguration is a common cause of TLS fallback to plaintext.
The structured process of planning, reviewing, approving, implementing, and documenting changes to information systems — required as part of HIPAA's evaluation and security management process administrative safeguards.
The three core information-security objectives — Confidentiality (only authorized access), Integrity (data unaltered), Availability (accessible when needed) — explicitly mirrored in HIPAA's Security Rule definition of required protections.
A prioritized set of cybersecurity best practices from the Center for Internet Security, widely used as a tactical complement to NIST 800-53 and the NIST CSF.
Currently CIS Controls v8 (18 controls, 153 safeguards). Many healthcare practices use CIS Controls as a practical implementation guide because they are more actionable than NIST 800-53's catalog.
A monetary fine imposed by HHS for HIPAA violations, ranging from $137 to $2,067,813 per violation depending on culpability tier (2024 inflation-adjusted amounts).
Tiers: Unaware ($137 minimum), Reasonable Cause ($1,379), Willful Neglect Corrected ($13,785), Willful Neglect Not Corrected ($68,928 minimum). Annual cap of $2,067,813 per identical violation category.
An OCR-initiated investigation into a covered entity's or business associate's HIPAA compliance, often triggered by a breach, complaint, or audit selection.
Generally prohibited practice of conditioning treatment, payment, enrollment, or eligibility for benefits on the patient's authorization for a use or disclosure of PHI.
Limited exceptions exist for research-related treatment and disclosures necessary to determine plan eligibility.
A narrow exception under which entities providing mere transmission services for PHI — postal services, internet service providers, courier services — are not considered business associates and do not require a BAA.
HHS interprets the conduit exception narrowly: entities that store PHI for more than transient periods are business associates, not conduits.
A patient's right to request that covered entities communicate with them by alternative means or at alternative locations (e.g., not at home, or only by mobile phone).
The systematic process of establishing, maintaining, and auditing the security configuration of information systems handling ePHI.
HIPAA-relevant configuration management includes baseline configurations, change control, vulnerability remediation tracking, and configuration drift detection. NIST 800-53 CM family is the authoritative control reference.
A multi-year remediation program required by OCR as part of a resolution agreement, including specific actions, reporting requirements, and ongoing monitoring obligations.
CAPs commonly run 2-3 years and require revised policies, comprehensive risk analysis, workforce training, and periodic reports to OCR.
A health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form for a HIPAA-covered transaction.
Solo practitioners, single-provider practices, dental offices, behavioral health clinics, and any provider that bills electronically — directly or through a clearinghouse — are covered entities. There is no small-practice exemption.
Insurance coverage for losses related to cyber incidents, including breach notification costs, legal defense, regulatory fines (where insurable), business interruption, and ransomware response.
Many cyber policies now require minimum security controls (MFA, EDR, backup testing) as a condition of coverage. Carriers increasingly deny coverage for organizations that misrepresent control implementation in applications.
Technology that detects and prevents unauthorized transmission, sharing, or exfiltration of sensitive data — including PHI — based on content inspection and policy rules.
Healthcare DLP detects patterns like SSNs, medical record numbers, ICD codes, and named-clinical phrases in emails, file shares, and uploads. Modern DLP combines content rules with user behavior analytics. Often included in Microsoft 365 E5 / Google Workspace Enterprise / dedicated tools like Forcepoint, Symantec, and Microsoft Purview.
The documented inventory of every system, vendor, and workflow that creates, receives, maintains, or transmits PHI within a covered entity's environment.
A foundational HIPAA risk-analysis input — you cannot protect what you have not inventoried. Data mapping should identify data flows, classification, storage locations, retention, and business associates involved at each step.
The requirement that data be stored only in specified geographic regions — typically within the United States for HIPAA-covered workloads.
HIPAA itself does not mandate US-only storage, but many practices and BAAs require it to avoid foreign-government access risk and to simplify state-law compliance. AWS, Azure, and GCP all offer US-region-only data residency commitments.
A contract required when a covered entity discloses a Limited Data Set, specifying permitted uses, prohibitions on re-identification, and safeguards.
The process of removing identifiers from PHI such that the resulting information cannot reasonably identify an individual; achieved via the Safe Harbor method or Expert Determination.
Properly de-identified information is no longer PHI and falls outside HIPAA's scope.
A security architecture principle of layering multiple, independent controls so that the failure of any single control does not result in a breach.
Implemented in HIPAA-compliant healthcare environments as a stack: network segmentation + WAF + endpoint detection + encryption + access control + audit logging + workforce training. The principle aligns with NIST 800-53's structured control families.
A group of records maintained by a covered entity that is used to make decisions about individuals — including medical records, billing records, enrollment records, and case management records.
The Right of Access applies specifically to information in the designated record set.
Digital Imaging and Communications in Medicine — the international standard for medical imaging data exchange (X-rays, MRIs, CT scans, ultrasound).
DICOM files contain PHI in metadata: patient name, date of birth, accession numbers, study descriptions. DICOM servers exposed to the public internet are a documented healthcare breach vector — thousands have leaked images over the past decade.
The IT-focused process of restoring systems, applications, and data after a disruptive event — typically measured by Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Required under HIPAA's contingency plan administrative safeguard. Cloud-based practices often achieve RPO of minutes and RTO of hours; on-premises systems vary widely. DR must be tested at documented intervals.
DomainKeys Identified Mail — an email authentication method that uses public-key cryptography to verify that an email message was sent by an authorized sender and was not altered in transit.
Used together with SPF and DMARC to prevent email spoofing. Required component of modern email anti-phishing defense.
Domain-based Message Authentication, Reporting and Conformance — the email-authentication policy framework that, combined with SPF and DKIM, prevents attackers from spoofing your practice's email domain.
DMARC is a structural defense against phishing and BEC attacks impersonating your domain to patients, vendors, and staff. Set DMARC to 'reject' for production domains — 'none' provides only visibility.
A subcontractor of a business associate that itself creates, receives, maintains, or transmits PHI — also subject to HIPAA through a BAA with the upstream business associate.
The BAA chain must continue downstream for each entity touching PHI. A covered entity's BAA with its EHR vendor does not extend to the EHR vendor's database hosting provider; that relationship requires its own BAA.
Protected Health Information (PHI) that is created, received, maintained, or transmitted in electronic form.
The HIPAA Security Rule applies specifically to ePHI. The HIPAA Privacy Rule applies to all PHI regardless of form (electronic, paper, or oral).
The transformation of stored data into ciphertext such that it cannot be read without a decryption key, typically using algorithms like AES-256.
Required as an 'addressable' implementation specification under HIPAA — meaning covered entities must implement encryption or document why an alternative measure is reasonable and appropriate.
The transformation of data moving between systems into ciphertext, typically using TLS (Transport Layer Security) — TLS 1.2 or higher is the current standard.
Provision in the Breach Notification Rule whereby breaches of properly encrypted PHI may not require notification because the data is considered 'secured.'
Encryption must meet NIST-validated standards. Loss of an encrypted laptop where the key was not also compromised typically does not trigger breach notification.
Security technology installed on workstations and servers that continuously monitors for malicious activity, blocks threats in real time, and supports forensic investigation.
Modern EDR includes behavioral analytics, ransomware rollback, and integration with SIEM/SOC workflows. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Sophos are widely deployed in healthcare. The 2026 Security Rule amendments are expected to require endpoint protection.
A de-identification method certified by a qualified statistician who determines that the risk of re-identification is very small.
More flexible than Safe Harbor — allows retention of some indirect identifiers when statistical analysis demonstrates low re-identification risk. Used for research datasets and complex analytics.
Family Educational Rights and Privacy Act — federal law protecting the privacy of student education records, which generally pre-empts HIPAA for records maintained by educational institutions on enrolled students.
Important for student health clinics: when a school operates a health clinic for its enrolled students, the records are typically FERPA-covered education records rather than HIPAA-covered PHI.
The HL7 international standard for exchanging healthcare information electronically, using RESTful APIs and JSON/XML data formats. Required for several patient-access and provider-access APIs under the Cures Act.
FHIR R4 is the current US-mandated baseline. CMS rules require Medicare-participating providers to support FHIR-based Patient Access APIs. Each FHIR resource (Patient, Observation, MedicationRequest) carries PHI subject to HIPAA.
US government cryptographic module validation standard — required for encryption products handling federal data and frequently demanded in healthcare procurement as proof of validated cryptography.
FIPS 140-3 is the current revision (replacing 140-2). HHS guidance to render PHI unusable explicitly references NIST-validated encryption, and FIPS 140 is the validation standard.
A network security control that monitors and filters incoming and outgoing network traffic based on defined security rules — the foundational perimeter defense for healthcare networks.
Modern healthcare networks use next-generation firewalls (NGFW) combining packet filtering, intrusion prevention, application-aware policies, and threat intelligence. Required under HIPAA technical safeguards for transmission security.
A regulated category of communication where covered entities may use limited PHI (demographic info, dates of service, department, treating physician, outcome info, health insurance status) for fundraising without patient authorization — but only with an opt-out mechanism.
EU General Data Protection Regulation — the European Union's comprehensive data protection law, applicable to US healthcare practices that intentionally serve EU-based patients (e.g., telehealth, medical tourism, expatriate care).
GDPR is broader and stricter than HIPAA in several respects: explicit consent requirements, 72-hour breach notification, Data Protection Officer mandates, and significant fines (up to 4% of global revenue). Most US-only practices are not GDPR-subject.
Genetic Information Nondiscrimination Act (2008) — federal law prohibiting health insurers and employers from discriminating based on genetic information, with parallel privacy protections in HIPAA preventing genetic information from being used for underwriting purposes.
An employee welfare benefit plan that provides medical care to employees and their dependents — a type of HIPAA covered entity subject to special rules around sponsor disclosures and summary health information.
Health Information Sharing and Analysis Center — a non-profit member-driven organization for sharing cyber threat intelligence and best practices among healthcare organizations.
Members include hospitals, health systems, payers, pharma companies, and healthcare vendors. H-ISAC operates threat intelligence feeds, incident response coordination, and sector-wide cybersecurity exercises.
A physical computing device that safeguards and manages cryptographic keys, typically validated to FIPS 140-2 Level 3 or higher, used for encryption-at-rest key protection in regulated environments.
AWS KMS, Azure Key Vault, and Google Cloud KMS use HSMs in their backend. Self-managed HSMs (Thales Luna, AWS CloudHSM) are used by health systems with strict key-control requirements.
A one-way mathematical function that produces a fixed-size output from arbitrary input — used to verify data integrity, store password derivatives, and create digital signatures.
SHA-256 and SHA-3 are current standards; MD5 and SHA-1 are deprecated for security purposes. HIPAA-aligned password storage requires hashing with a per-user salt and a slow KDF (bcrypt, Argon2, PBKDF2).
An electronic system or organization that facilitates the sharing of health information among providers, payers, public health agencies, and patients across organizational boundaries.
State and regional HIEs (CRISP, Manifest, Healthix) operate as business associates to participating covered entities and must execute BAAs. TEFCA is the federal framework standardizing inter-HIE connectivity.
US Department of Health and Human Services, the federal agency responsible for HIPAA regulation and enforcement through its Office for Civil Rights (OCR).
Health Insurance Portability and Accountability Act of 1996, the US federal law establishing national standards for the protection of individually identifiable health information.
HIPAA is implemented through five regulatory rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Transactions and Code Sets Rule.
OCR's periodic, random selection of covered entities and business associates for HIPAA compliance audits, conducted under authority granted by the HITECH Act.
Phase 1 (2011-2012) and Phase 2 (2016-2017) covered hundreds of organizations. OCR uses audit findings to identify systemic compliance gaps and direct enforcement priorities. Audit selections trigger document production deadlines and interview scheduling.
OCR's published checklist of audit inquiries used during HIPAA compliance audits — covering Privacy Rule, Security Rule, and Breach Notification Rule provisions with specific evidence requirements for each.
The Audit Protocol was last comprehensively updated in 2016 for the Phase 2 audits. Independent practices can use the protocol as a self-assessment template — OCR auditors evaluate exactly what the protocol lists.
Federal regulation requiring covered entities and business associates to notify affected individuals, HHS, and (for large breaches) media following a breach of unsecured PHI.
Federal regulation establishing the procedures for HIPAA investigations, civil monetary penalty calculations, and procedural requirements for OCR enforcement actions.
Federal regulation establishing national standards for the protection of PHI and patient rights over their health information.
The Privacy Rule applies to all PHI regardless of form. It governs uses and disclosures, patient rights, and the requirement for a Notice of Privacy Practices.
Federal regulation establishing national standards for the security of ePHI through administrative, physical, and technical safeguards.
The Security Rule applies specifically to ePHI (the electronic subset of PHI). The proposed 2026 amendments would mandate encryption, MFA, network segmentation, and asset inventory.
Mandatory security awareness and privacy training that covered entities and business associates must provide to all workforce members as part of HIPAA's administrative safeguards.
Training must be documented and refreshed periodically. Recent OCR enforcement has emphasized the requirement for role-specific training beyond generic awareness modules.
Health Information Technology for Economic and Clinical Health Act of 2009, which extended HIPAA requirements to business associates, established the Breach Notification Rule, and increased civil monetary penalties.
Health Information Trust Alliance Common Security Framework — a certifiable framework that maps HIPAA, NIST, ISO 27001, and other standards into a single auditable control set.
HITRUST certification is not equivalent to HIPAA compliance but provides a defensible third-party attestation increasingly demanded by health-system partners.
Health Level Seven — a family of international standards for electronic health information exchange, including HL7 v2 (legacy messaging), HL7 v3, CDA (Clinical Document Architecture), and FHIR (modern API standard).
The Critical Infrastructure Partnership Advisory Council body for the healthcare and public health sector, coordinating cybersecurity, supply chain, and incident response across providers, payers, pharma, and government.
A web security policy mechanism that forces browsers to use HTTPS for all communications with a domain, preventing TLS downgrade attacks and protocol stripping.
A covered entity that performs both covered and non-covered functions and chooses to designate specific health-care components as subject to HIPAA.
Universities operating both a student health center and academic departments are common examples. The designation must be documented.
The discipline and technology layer that manages digital identities and controls user access to systems handling ePHI.
HIPAA-aligned IAM combines identity provisioning (SCIM), authentication (SSO + MFA), authorization (RBAC/ABAC), privileged access management (PAM), and lifecycle management. Mature IAM is the foundation for HIPAA access controls.
Security technology that monitors network or system activity for malicious activity. IDS alerts on detection; IPS additionally blocks or contains the threat.
Often combined with EDR for host-based protection and SIEM for cross-system correlation. Required as part of HIPAA's audit controls and security incident procedures.
A documented set of procedures defining how a covered entity identifies, contains, eradicates, and recovers from security incidents involving ePHI — including breach assessment, notification timelines, and lessons-learned review.
Required under HIPAA's security incident procedures administrative safeguard. NIST SP 800-61 Rev. 2 is the canonical reference. Practices should test the IRP at least annually with tabletop exercises.
A HIPAA administrative safeguard standard requiring covered entities to implement policies and procedures for authorizing access to ePHI, with specific implementation specifications for access authorization and access establishment/modification.
Practices by healthcare providers, HIT developers, or health information networks that are likely to interfere with the access, exchange, or use of electronic health information — prohibited by the 21st Century Cures Act.
Eight exceptions exist (e.g., preventing harm, privacy, security, content/manner). Penalties: HIT developers and HINs up to $1M per violation (HHS OIG); providers subject to disincentives under separate ONC rules.
HIPAA technical safeguard requiring covered entities to implement policies and procedures protecting ePHI from improper alteration or destruction.
Implementation typically uses cryptographic hashing, digital signatures, version control, immutable audit logs, and access controls preventing unauthorized modification.
Internet Protocol Security — a suite of protocols providing authentication, integrity, and encryption for IP packets, used to construct secure VPN tunnels and protect network-layer communications.
An access control pattern in which elevated permissions are granted only for the duration needed to complete a specific task and then automatically revoked — eliminating standing privileged access.
Direct technical implementation of HIPAA's minimum-necessary standard for privileged operations. Common in modern PAM tools and cloud-native admin workflows.
The administrative and technical processes governing the generation, distribution, storage, rotation, use, and destruction of cryptographic keys protecting ePHI.
NIST SP 800-57 is the authoritative reference. Cloud providers offer managed services (AWS KMS, Azure Key Vault, GCP Cloud KMS). Customer-managed keys (CMK) and customer-supplied keys (BYOK) provide additional control for high-sensitivity workloads.
A model describing the stages of a cyberattack from reconnaissance to action on objectives — used to identify defensive controls at each stage and disrupt attacks before completion.
Lockheed Martin's Cyber Kill Chain has 7 stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives. MITRE ATT&CK is the more granular modern reference framework.
An attacker technique of moving from an initial compromise point through a network to reach high-value systems — typically by exploiting credential reuse, network trust relationships, or unpatched services.
Healthcare networks are particularly vulnerable when clinical and administrative systems share flat network topology. Mitigated by network segmentation, microsegmentation, least-privilege access, and zero-trust architectures.
The security principle that every user, process, and system should have only the minimum permissions necessary to perform its legitimate function.
Operationalized via RBAC, just-in-time access, privileged access management (PAM), and access reviews. Direct technical implementation of HIPAA's minimum-necessary standard.
PHI from which direct identifiers (names, contact info, SSNs) have been removed but indirect identifiers (dates, geographic info above ZIP code level) remain; may be disclosed for research, public health, or healthcare operations under a Data Use Agreement.
Communications about a product or service that encourage purchase or use; generally requires patient authorization, with limited exceptions for face-to-face communications, promotional gifts of nominal value, and refill reminders.
Patient appointment reminders are typically treatment communications, not marketing. Post-visit thank-you emails with promotional content may cross into marketing.
The fraudulent use of an individual's personal or health information to obtain medical services, prescription drugs, or insurance benefits — a long-tail consequence of healthcare data breaches.
Unlike credit-card fraud, medical identity theft can persist for years and contaminate medical records with another person's clinical data. The average cost to victims exceeds $13,000 (Ponemon Institute data).
A network security technique that creates fine-grained isolation zones around individual workloads or applications, enforcing per-flow access policies to limit lateral movement.
Modern implementations use software-defined networking (SDN) and identity-based policies rather than traditional VLANs. Healthcare deployments commonly use microsegmentation to isolate clinical applications from administrative networks.
HIPAA standard requiring covered entities and business associates to limit the use, disclosure, and request of PHI to the minimum amount needed to accomplish the intended purpose.
Does not apply to disclosures for treatment, disclosures to the patient, disclosures required by law, or those authorized by the patient.
The HIPAA requirement to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI made in violation of HIPAA policies or the BAA.
Typical mitigation actions include retrieving disclosed information, retraining the workforce member involved, and revising affected policies.
Technology that enrolls, configures, secures, and monitors smartphones, tablets, and laptops accessing organizational data — required for BYOD HIPAA compliance and increasingly for managed-device deployments.
Capabilities include forced encryption, screen-lock enforcement, remote wipe, app whitelisting, and conditional access based on device compliance. Microsoft Intune, Jamf, Kandji, and VMware Workspace ONE are common platforms.
An authentication mechanism in which both the client and the server present X.509 certificates to verify each other's identity, providing strong cryptographic authentication for service-to-service communication.
Increasingly used for API authentication in healthcare integrations (FHIR APIs, EHR connections, payer integrations). Eliminates shared-secret risk and supports zero-trust architectures.
An authentication method requiring two or more independent verification factors — something you know (password), something you have (token), or something you are (biometric).
Strongly recommended for HIPAA and proposed for explicit requirement in the 2026 Security Rule amendments. NIST SP 800-63B is the authoritative guidance.
An access control principle requiring that information be disclosed only to individuals who require it to perform their authorized duties — a foundational concept underlying HIPAA's minimum-necessary standard.
The architectural practice of dividing a network into isolated zones to limit attacker movement and contain the blast radius of a breach.
Healthcare segmentation typically separates clinical, administrative, guest Wi-Fi, IoT/medical devices, and DMZ-hosted public services. The 2026 Security Rule amendments are expected to mandate network segmentation explicitly.
NIST Special Publication providing a catalog of security and privacy controls for federal information systems, widely adopted as a reference framework for HIPAA technical safeguards.
National Institute of Standards and Technology Special Publication providing guidance on implementing the HIPAA Security Rule. Currently Revision 2 (2024).
NIST 800-66 is the canonical implementation reference for HIPAA technical safeguards. HHS guidance consistently points to NIST-validated approaches as the standard for 'reasonable and appropriate' security measures.
A voluntary cybersecurity framework structured around six functions — Govern, Identify, Protect, Detect, Respond, Recover — widely used by healthcare organizations as a strategic complement to HIPAA's prescriptive controls.
CSF 2.0 (2024) added the Govern function. NIST maintains a HIPAA-to-CSF crosswalk mapping how CSF subcategories align with Security Rule requirements.
A document that covered entities must provide to patients describing how their PHI may be used and disclosed, and the patient's rights under HIPAA.
Required content and posting locations (including website) are specified in the Privacy Rule. Acknowledgment of receipt is required for direct treatment providers.
An open standard authorization framework that enables an application to obtain limited access to a user's resources on another service without exposing user credentials — the protocol underlying most modern API authorization including SMART on FHIR.
The division of HHS responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules.
OCR conducts compliance reviews, investigates complaints, issues guidance, runs the periodic HIPAA Audit Program, and imposes civil monetary penalties or resolution agreements.
The HHS division responsible for health information technology policy, certification of EHR systems, and enforcement of the Information Blocking Rule for HIT developers and health information networks.
An identity layer built on top of OAuth 2.0 that allows clients to verify the identity of an end-user and obtain basic profile information — commonly used together with OAuth for combined authentication and authorization.
A clinically or operationally integrated arrangement of legally separate covered entities that holds itself out to patients as a joint provider and may share PHI internally for joint operations.
Common examples include hospital staff physician groups, group practices in academic medical centers, and multi-entity provider networks operating shared services.
A regularly updated list of the most critical web application security risks published by the Open Worldwide Application Security Project — used as a baseline checklist for application security in healthcare technology.
Current edition (2021) includes broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, server-side request forgery.
The process of identifying, testing, and applying software patches to address security vulnerabilities and bugs — required under HIPAA's evaluation administrative safeguard and proposed for explicit requirement in the 2026 Security Rule amendments.
Unpatched systems are the most common entry vector in healthcare ransomware incidents. Patch management programs should include vulnerability scanning, prioritized patching based on severity, testing procedures, and documentation of accepted-but-not-patched residual risk.
A FHIR-based API that CMS-regulated payers and providers must offer to patients enabling them to retrieve their health information from a third-party app of their choice without barriers.
Required under CMS Interoperability and Patient Access Final Rule (CMS-9115-F). Patient apps connect via OAuth 2.0 / SMART on FHIR authorization. Not an authorization to bypass HIPAA — the patient is exercising their Right of Access.
A secure web or mobile application that allows patients to access their health records, communicate with providers, schedule appointments, and pay bills — typically maintained by or under contract with the covered entity.
Patient portals are HIPAA-relevant infrastructure: they store and transmit PHI, require BAAs with the provider if operated by a third party, and must include audit logging, MFA, and encrypted transmission.
Payment Card Industry Data Security Standard — the security framework governing the protection of cardholder data, applicable to any healthcare practice accepting payment cards.
Overlaps with HIPAA when payment data is combined with clinical information. PCI DSS v4.0 (2024) added requirements aligned with modern cloud and DevSecOps practices.
An authorized simulated cyberattack against an organization's systems, conducted by qualified security professionals, to identify exploitable vulnerabilities and validate the effectiveness of security controls.
Recommended annually for healthcare environments handling significant PHI volumes. Required by some payer contracts and proposed for explicit requirement in the 2026 Security Rule amendments. Distinct from vulnerability scanning, which is automated and broader but less deep.
An informal term sometimes used interchangeably with PHI, sometimes more loosely to include all health-related personal information regardless of whether it is held by a HIPAA-covered entity.
When precision matters, use 'PHI' (HIPAA-defined term, applies to covered entities and business associates) and 'health-related personal information' or 'health data' for the broader category.
A health record that an individual maintains for themselves — distinct from a covered entity's medical record — often using consumer-facing apps, fitness trackers, or vendor-hosted PHR services.
PHRs may or may not be HIPAA-covered. A PHR offered by a covered entity is PHI. A standalone consumer PHR (Apple Health, MyChart consumer features outside a provider relationship) is typically not HIPAA-covered.
An individual with legal authority to act on behalf of a patient — including parents of minors, guardians, healthcare powers of attorney, and executors of deceased patients' estates — and who can exercise the patient's HIPAA rights on their behalf.
A social-engineering attack in which the attacker impersonates a trusted entity in an email or message to trick the recipient into revealing credentials, downloading malware, or transferring funds.
Phishing is the #1 initial-access vector in healthcare breaches. Defenses include MFA, email authentication (SPF/DKIM/DMARC), workforce training with simulated phishing, and email filtering with content analysis.
Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Includes facility access controls, workstation use, workstation security, and device and media controls.
Information that can identify, contact, or locate a specific individual — a federal/state-law concept broader than HIPAA's PHI and often applicable to data outside the healthcare context.
Most state breach-notification laws use a PII definition. PHI is a subset of PII (PII tied to health-related information held by a covered entity or business associate).
The employer, employee organization, or other entity that establishes or maintains a group health plan — subject to special HIPAA rules limiting access to plan participants' PHI.
A social-engineering technique in which the attacker creates a fabricated scenario (the pretext) to manipulate the victim into divulging information or performing an action.
Healthcare-targeted pretexting commonly impersonates IT support, HIPAA compliance officers, executives, or insurance representatives. Defense: out-of-band verification, callback procedures, workforce training.
A framework requiring privacy and data protection to be embedded into the design and architecture of IT systems and business practices, rather than added as an afterthought.
Originated by Ann Cavoukian; codified in GDPR Article 25. Increasingly referenced in healthcare procurement and emerging US state privacy laws.
A documented analysis of how personally identifiable information is handled by a system or process, evaluating compliance with applicable privacy regulations and identifying risks.
Not strictly required by HIPAA but considered industry best practice for new systems handling PHI. Mandatory for many government healthcare systems.
A workforce member designated to develop and implement HIPAA Privacy Rule policies and procedures. Every covered entity must designate one.
In small practices the same person often serves as both Privacy Officer and Security Officer. The role is responsible for NPP maintenance, patient rights requests, complaint handling, and privacy training.
Technology and processes for securing, controlling, and monitoring elevated administrative access to systems handling ePHI — including vaulted credentials, just-in-time access grants, and session recording.
PAM is critical for HIPAA compliance because administrative access is the most common path used in insider-threat and APT attacks. CyberArk, BeyondTrust, and Delinea are common platforms.
Technology and processes for governing the lifecycle of privileged identities — discovery, classification, monitoring, just-in-time elevation, and decommissioning of accounts with administrative access.
Sister concept to PAM (Privileged Access Management) — PIM focuses on identity governance, PAM focuses on credential vaulting and session control. Critical for HIPAA-aligned administrative oversight.
Any individually identifiable health information held or transmitted by a covered entity or business associate, including names, dates, addresses, SSNs, medical record numbers, photos, biometric data, and any combination that could identify an individual in connection with their healthcare.
PHI includes any of 18 identifier categories listed in the Safe Harbor de-identification standard when associated with health information. The HIPAA Privacy Rule applies to PHI regardless of form (electronic, paper, oral).
A data-processing technique that replaces direct identifiers in PHI with reversible pseudonyms, where the linking key is held separately under stricter controls.
Useful for research, analytics, and software development on patient data while reducing exposure. Distinct from de-identification (where re-identification keys are destroyed) and anonymization (where re-identification is computationally infeasible). PHI under pseudonymization is still PHI under HIPAA.
Notes recorded by a mental health professional documenting or analyzing the contents of a private counseling session, kept separate from the rest of the medical record and afforded stronger protection than other PHI.
Disclosure of psychotherapy notes generally requires specific patient authorization, separate from any general HIPAA authorization. Excludes medication prescriptions, session start/stop times, and other clinical summary data.
Disclosures of PHI to public health authorities for purposes of preventing or controlling disease, injury, or disability — permitted without patient authorization under HIPAA.
Includes reportable disease surveillance, immunization registries, cancer registries, FDA adverse event reporting, and birth/death certificates. State public health reporting requirements are typically codified separately.
The system of roles, policies, hardware, and software for issuing, managing, distributing, and revoking digital certificates used in asymmetric cryptography.
Underpins TLS, S/MIME, mTLS, digital signatures, and many federated authentication systems. Healthcare PKI is increasingly used for clinical messaging (DirectTrust), identity assurance, and device authentication.
A network designated under TEFCA (Trusted Exchange Framework and Common Agreement) to provide cross-network exchange services among health information networks, enabling interoperability at federal scale.
QHINs operate as business associates to participating covered entities. The first QHINs were designated in 2023; the network continues to expand.
A type of malicious software that encrypts a victim's data and demands payment for the decryption key — the most disruptive cyberthreat to healthcare operations since 2018.
HHS treats ransomware on ePHI as a presumed breach unless the covered entity demonstrates through documented risk assessment that there is low probability of compromise. Healthcare ransomware payments routinely exceed $1M; recovery costs and downtime impact are much higher.
The process — or risk — of associating de-identified data back to a specific individual, either through identifiable data leaks, linkage with other datasets, or statistical inference.
HIPAA's Safe Harbor and Expert Determination de-identification methods aim to minimize re-identification risk. Disclosure of de-identified data does not require authorization; re-identification of such data without HIPAA authorization creates a violation.
A category of HIPAA violation in which the violator knew, or by exercising reasonable diligence would have known, that the action violated HIPAA but did not act with willful neglect.
Civil monetary penalty range: $1,379 to $68,928 per violation (2024 inflation-adjusted).
An adversarial security exercise in which a team of professionals emulates real-world attack tactics, techniques, and procedures against an organization to test detection and response capabilities end-to-end.
More comprehensive than penetration testing, which focuses on technical vulnerabilities. Red team engagements may include physical access, social engineering, and multi-week persistent operations.
A settlement between OCR and a covered entity or business associate that resolves alleged HIPAA violations, typically including monetary payment and a multi-year Corrective Action Plan.
A patient's right to request restrictions on the use or disclosure of their PHI; covered entities are not generally required to agree, except for self-pay disclosures to health plans (which they must honor).
A patient's right to inspect, obtain a copy of, or direct transmission of their PHI to a third party within 30 days of a request (with one 30-day extension permitted).
Covered entities may charge only reasonable, cost-based fees. Right of Access is OCR's most-enforced provision — failure-to-provide cases routinely settle in the $20,000–$200,000 range.
HIPAA-required process of conducting an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.
Missing or inadequate risk analyses are the most-cited deficiency in OCR enforcement actions. The risk analysis must be ongoing and reviewed at least annually.
A documented strategy implementing the security measures identified in the risk analysis, prioritized by risk severity and resource constraints — required as a HIPAA administrative safeguard.
Distinct from risk analysis (which identifies risks) — risk management is the plan to address them. Should include accepted risks, mitigated risks, transferred risks (insurance, contracts), and avoided risks (eliminated activities).
A method of restricting system access to authorized users based on their organizational role rather than individual identity.
RBAC is the standard implementation pattern for satisfying HIPAA's minimum necessary access requirement at the technical layer.
Recovery Point Objective: the maximum acceptable data loss measured in time. Recovery Time Objective: the maximum acceptable downtime before systems are restored. Both define disaster-recovery service levels.
Modern healthcare environments target RPO of minutes (continuous replication) and RTO of hours for critical clinical systems. HIPAA contingency plan must specify and test these values.
A de-identification method requiring removal of 18 specific identifier categories (names, dates more granular than year, addresses below state level, SSNs, full-face photos, etc.) with no actual knowledge that the remaining information could identify an individual.
Disclosures of PHI in exchange for direct or indirect remuneration; generally prohibited without specific patient authorization that explicitly mentions the remuneration.
Limited exceptions include public health, research at cost, treatment, mergers and acquisitions, and disclosures to business associates for permitted purposes.
Security Assertion Markup Language — an open XML-based standard for exchanging authentication and authorization data between identity providers and service providers, widely used for enterprise SSO.
A covered entity's written policy describing the penalties for workforce members who violate HIPAA policies and procedures. A required administrative safeguard.
A cloud-delivered architecture combining network connectivity (SD-WAN) with cloud-native security functions (CASB, ZTNA, FWaaS, SWG) into a unified service edge.
Emerging as the dominant remote-access pattern for distributed healthcare practices replacing traditional VPN + on-premises firewall stacks. Zscaler, Netskope, and Cisco Umbrella are common platforms.
An open standard for automating the exchange of user identity information between identity providers and service providers — enabling automated provisioning, deprovisioning, and group membership management.
Critical for HIPAA-compliant user lifecycle management: when a workforce member leaves, SCIM-provisioned accounts can be deactivated centrally across all integrated systems within minutes.
A workforce member designated to develop and implement HIPAA Security Rule policies and procedures. Every covered entity must designate one.
A team or facility (in-house or outsourced) responsible for continuous monitoring, detection, and response to cybersecurity incidents — operationalizing the SIEM and other detection technologies.
Many independent healthcare practices use managed SOC services (MSSP, MDR) rather than building in-house teams. The proposed 2026 Security Rule amendments are expected to require continuous monitoring capabilities.
Information technology systems, applications, and services used within an organization without explicit IT or security approval — a common source of unaccounted-for PHI flows in healthcare practices.
Examples in healthcare: staff using personal Dropbox, Slack workspaces created without IT involvement, AI tools used informally by clinicians, browser-based PDF editors handling clinical documents. CASB and DLP technologies provide visibility into shadow IT.
A technology platform that aggregates security event data from across the IT environment, correlates events to identify threats, and supports incident investigation and compliance reporting.
Healthcare SIEM commonly aggregates EHR access logs, firewall events, EDR alerts, identity events, and email security signals. Splunk, Microsoft Sentinel, Elastic, and IBM QRadar are common platforms.
An authentication scheme that allows a user to access multiple applications with one set of credentials, typically using SAML 2.0 or OpenID Connect with an identity provider.
SSO improves HIPAA compliance by centralizing authentication policy (MFA, password complexity, conditional access) and enabling rapid deprovisioning. Okta, Microsoft Entra ID, and Google Workspace are common identity providers.
A phishing attack delivered via SMS or other text messaging, often impersonating banks, healthcare providers, or shipping companies to capture credentials or distribute malware.
AICPA-defined audit reports examining a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. Type I attests to design at a point in time; Type II attests to operating effectiveness over a period.
Widely required in healthcare vendor procurement, though SOC 2 is not equivalent to HIPAA compliance — it audits the controls a vendor claims, not specific HIPAA requirements.
The use of psychological manipulation to trick people into divulging confidential information, performing unauthorized actions, or violating security policies — the most common initial-access vector in healthcare breaches.
Includes phishing, smishing, vishing, pretexting, baiting, and tailgating. Mitigated by workforce training, technical defenses (MFA, DMARC, EDR), and verification policies for sensitive transactions.
Sender Policy Framework — an email authentication method that lets domain owners specify which mail servers are authorized to send mail on behalf of their domain, helping prevent sender address forgery.
A web application vulnerability in which an attacker injects malicious SQL code into application input fields, manipulating the underlying database query and potentially extracting or modifying data.
Listed in OWASP Top 10. Healthcare-specific impact: SQL injection in EHR systems, patient portals, or billing interfaces has been responsible for multiple large breaches. Mitigated by parameterized queries, input validation, and WAF rules.
The progressive deprecation of insecure cryptographic protocols: SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are now considered insecure and should not be used to protect PHI; TLS 1.2 is the minimum, TLS 1.3 the current standard.
HIPAA does not list specific TLS versions, but NIST SP 800-52 Rev. 2 (which HHS guidance references) requires TLS 1.2 minimum and recommends TLS 1.3.
State-level statutes requiring notification to affected individuals and state authorities following a breach of personally identifiable information — many with timelines, content requirements, or definitions stricter than HIPAA's federal floor.
All 50 US states have breach notification laws. Healthcare providers must comply with both HIPAA federal requirements and applicable state laws. Notable state variations include California (CMIA), New York (SHIELD Act), Texas (HB 300), and Massachusetts (201 CMR 17).
A business associate of another business associate; subject to HIPAA requirements through a BAA chain that mirrors the upstream agreement.
When a business associate engages a subcontractor to handle PHI, the business associate must execute a BAA with the subcontractor. The chain continues for each downstream party.
Cryptographic approach using the same key for both encryption and decryption — typically used for encryption-at-rest because of its speed advantage over asymmetric encryption.
AES-256 is the dominant symmetric cipher for HIPAA-protected data at rest. The challenge with symmetric encryption is secure key distribution, which is why TLS combines asymmetric (key exchange) and symmetric (bulk encryption) cryptography.
A discussion-based simulation of a security incident or disaster scenario in which key personnel walk through their response procedures — used to test and refine incident response plans without disrupting production systems.
OCR has consistently emphasized the documentation of tested incident response procedures. Annual tabletop exercises are the practical baseline for HIPAA-aligned practices.
Technology and the policies for its use that protect ePHI and control access to it.
The four required technical safeguards are access control, audit controls, integrity controls, and transmission security. Encryption and authentication are addressable implementation specifications.
The federal framework establishing technical and policy standards for nationwide health information exchange, including the designation of QHINs and a common trust agreement among participating networks.
Operational as of 2023 with the first QHINs designated. Aims to make patient health information exchange seamless across providers, payers, and patient apps.
An individual, group, or organization that conducts cyberattacks — categorized by motivation (financial, espionage, hacktivism, insider threat) and capability level (script kiddie through nation-state).
A structured approach to identifying, communicating, and addressing potential threats to a system — used during system design to build security in proactively rather than reactively.
Common frameworks: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), PASTA, OCTAVE. Should accompany every significant system change in HIPAA-covered infrastructure.
Transport Layer Security — the cryptographic protocol used to encrypt data in transit over networks. TLS 1.2 or higher is the current standard for HIPAA-compliant transmission.
TLS 1.3 (RFC 8446) is the modern standard. TLS configurations that silently fall back to plaintext when the receiving server does not support TLS create unencrypted PHI transmission — a common email-encryption gap.
A data-protection technique that replaces sensitive values with surrogate tokens that have no exploitable meaning outside the tokenization system — common for protecting payment card data and sometimes PHI.
Distinct from encryption — tokens cannot be reversed mathematically; the mapping is held in a secure vault. Used in healthcare to share datasets while preserving referential integrity without exposing direct identifiers.
The three core healthcare activities for which PHI may be used and disclosed without patient authorization.
Treatment includes diagnosis, consultations, and care coordination. Payment includes billing and claims activities. Operations includes quality improvement, training, audits, and business management — but not marketing.
Authentication requiring exactly two factors — a subset of multi-factor authentication (MFA). Functionally equivalent to MFA in most healthcare contexts; the broader term MFA is preferred.
HIPAA Security Rule required implementation specification (45 CFR §164.312(a)(2)(i)) requiring covered entities to assign a unique name and/or number for identifying and tracking user identity.
Shared accounts violate this requirement. Audit logs must be attributable to specific individuals, which requires per-user accounts at the system access layer.
PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through methods specified by HHS — primarily encryption meeting NIST standards.
Breaches of secured (properly encrypted) PHI may not require notification under the Encryption Safe Harbor.
PHI stored in formats not enforced by structured data schemas — free-text notes, scanned documents, PDFs, voicemails, images — typically harder to inventory, search, encrypt selectively, and de-identify.
Unstructured PHI is overrepresented in HIPAA breaches because it sits in shared drives, email attachments, and legacy file servers without the protections applied to database-backed systems.
The standardized set of health data elements that certified EHR systems must be able to exchange — the minimum baseline for interoperable patient records in the United States.
Maintained by ONC, updated periodically (currently USCDI v4). Includes patient demographics, allergies, problems, medications, immunizations, lab results, and clinical notes. The foundation for FHIR-based patient access APIs.
HIPAA defines 'use' as sharing, employment, examination, or analysis of PHI within the entity holding it, and 'disclosure' as the release, transfer, access to, or sharing of PHI outside the entity holding it. Different rules apply to each.
A phishing attack delivered via voice call, often impersonating IT support, executives, or vendors to trick targets into revealing credentials or performing unauthorized actions.
Voice-cloning AI has dramatically increased vishing effectiveness — Pindrop reported a 475% YOY increase in voice-cloning attacks in 2024.
A network virtualization technique that segments a physical network into multiple logical broadcast domains — a foundational network segmentation building block.
Modern healthcare network segmentation often combines VLANs with software-defined networking and microsegmentation. VLANs alone are not sufficient for zero-trust architectures but remain a baseline control.
A network technology that creates an encrypted tunnel between a remote user or site and an organizational network, enabling secure remote access to internal systems handling ePHI.
Traditional VPNs are increasingly being replaced by Zero Trust Network Access (ZTNA) and identity-aware proxies that provide application-level rather than network-level access. HIPAA does not mandate a specific remote access technology.
A formal channel for security researchers and good-faith finders to report security vulnerabilities to an organization, with documented response timelines and safe-harbor protections for researchers acting in good faith.
Increasingly expected of healthcare technology vendors and recommended by HHS 405(d) guidance.
The continuous process of identifying, evaluating, prioritizing, and remediating security weaknesses in systems handling ePHI — including scanning, patch management, and configuration assessment.
Required under HIPAA administrative safeguards and proposed for explicit mention in the 2026 Security Rule amendments. Standard tools: Tenable Nessus, Qualys, Rapid7 InsightVM, Microsoft Defender Vulnerability Management.
A security control that monitors, filters, and blocks HTTP traffic to and from web applications, defending against attacks targeting application logic (SQL injection, XSS, CSRF, account takeover).
Healthcare WAFs protect patient portals, EHR web interfaces, public-facing APIs, and marketing sites that may capture PHI. Cloudflare, AWS WAF, F5, and Imperva are common platforms.
Public-facing list maintained by HHS OCR of breaches affecting 500 or more individuals, formally the 'Breach Portal' and colloquially the 'Wall of Shame.'
A targeted phishing attack against high-value individuals — typically executives, physicians, or finance staff — often involving extensive research to make the lure credible.
Whaling overlaps with BEC and is responsible for many high-loss healthcare incidents involving fraudulent wire transfers, vendor payment redirection, and credential theft.
A category of HIPAA violation involving conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA requirements. Carries the highest penalty tier under the Enforcement Rule.
Civil monetary penalty range for willful neglect not corrected: $68,928 to $2,067,813 per violation (2024 inflation-adjusted).
HIPAA Security Rule addressable implementation specification (45 CFR §164.308(a)(3)(ii)(B)) requiring covered entities to implement procedures to determine that access to ePHI is appropriate before granting it.
Typically implemented as background checks, license verification, role-appropriate access determination, and onboarding checklist procedures.
Any employee, volunteer, trainee, or other person whose conduct in performing work for a covered entity or business associate is under the direct control of that entity, regardless of whether they are paid.
All workforce members must be trained, sanctioned for violations, and have appropriate access controls — the term is intentionally broader than 'employee.'
A web application vulnerability in which an attacker injects malicious scripts into web pages viewed by other users, potentially capturing credentials, session tokens, or PHI displayed in the browser.
Listed in OWASP Top 10 (A03:2021 Injection). Common in legacy healthcare web applications. Mitigated by input validation, output encoding, Content Security Policy (CSP), and modern framework auto-escaping.
A security architecture model that assumes no implicit trust based on network location and requires verification of every access request regardless of source.
Zero Trust principles align with HIPAA's access control and authentication requirements and are increasingly referenced in HHS guidance as best practice. NIST SP 800-207 is the authoritative reference.
A previously-unknown software vulnerability that has not yet been patched by the vendor — exploitable by attackers before any defense is available.
Healthcare environments are particularly vulnerable to zero-days because clinical systems often run on legacy software that does not receive timely patches. Mitigated by defense-in-depth, network segmentation, and rapid threat intelligence.
A category of security products and architectures that provide secure remote access to applications based on per-request identity and context verification rather than network-perimeter trust.
Replaces traditional VPNs in modern zero-trust architectures. The user authenticates, the device state is evaluated, and the application is brokered without exposing the network. Cloudflare Access, Zscaler Private Access, and Palo Alto Prisma Access are common platforms.
Federal law (2016) that, among other reforms, established the prohibition on Information Blocking — requiring healthcare providers, HIT developers, and health information networks to share electronic health information without unreasonable interference.
The Information Blocking Rule (45 CFR Part 171) created actionable patient-access obligations enforced by ONC and OIG. Compounds with HIPAA's Right of Access — Cures Act adds penalties for technical interference with information sharing.
Section 405(d) of the Cybersecurity Act of 2015 directs HHS to develop consensus-based cybersecurity practices for the healthcare sector — published as Health Industry Cybersecurity Practices (HICP) and updated periodically.
HICP provides practical, voluntary cybersecurity guidance tailored to small, medium, and large healthcare organizations. The 2023 update aligns HICP with the NIST CSF and includes 10 specific threat-aligned practices. HHS treats 405(d)/HICP adherence as a mitigating factor in OCR enforcement decisions.
Federal regulation governing the confidentiality of substance use disorder (SUD) patient records, which imposes stricter requirements than HIPAA in many areas.
Patient consent is required for most disclosures even between treating providers, with limited exceptions for emergencies and research. The 2024 final rule aligned some provisions more closely with HIPAA while preserving heightened protections.
A breach affecting 500 or more individuals triggers immediate HHS notification (within 60 days), individual notification, and notification to prominent media outlets in the affected state.
Breaches at or above this threshold are added to the public HHS Breach Portal and typically trigger an OCR compliance review.
Definitions are the floor
Knowing what HIPAA terms mean is a prerequisite, not a compliance program. Patient Protect runs the program over your stack — risk assessment, BAA tracking, audit logging, workforce training, and real-time monitoring — between assessments, not just at the annual review.
14-day free trial · Credit card required · Cancel any time
