
HIPAA Glossary

Twenty-seven terms every independent healthcare practice needs to know — defined in plain language, linked to the resources that matter. No legalese, no filler.

45 CFR Parts 160 & 164 · Updated for 2026 Security Rule

A – Z

Every term, defined for practitioners.

These definitions are written for practice managers, office administrators, and clinicians — not compliance attorneys. Each term links to the relevant Patient Protect resource where applicable.

42 CFR Part 2

Federal regulations that provide additional privacy protections for substance use disorder treatment records beyond standard HIPAA. Part 2 requires specific patient consent for most disclosures and restricts re-disclosure of treatment information — even to other healthcare providers.

Therapist compliance guide

Authorization

A detailed, patient-signed document that permits a covered entity to use or disclose PHI for purposes not otherwise allowed by HIPAA — such as marketing, sale of PHI, or psychotherapy notes. Authorizations must include specific elements: a description of the information, who may disclose it, who may receive it, an expiration date, and the patient's right to revoke.

BAA (Business Associate Agreement)

A legally binding contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI by the business associate. A BAA must require the associate to safeguard the data, report breaches, and ensure its subcontractors do the same. No BAA, no compliant relationship.

Features — BAA tracking

Breach Notification Rule

The HIPAA rule (45 CFR §§ 164.400–414) requiring covered entities and business associates to notify affected individuals, HHS, and — for large breaches — the media when unsecured PHI is accessed, used, or disclosed in a way not permitted by the Privacy Rule. Notification must occur within 60 days of discovery.

Breach response guide

Business Associate

Any person or organization — other than a member of the covered entity's workforce — that creates, receives, maintains, or transmits PHI on behalf of a covered entity. EHR vendors, billing companies, IT support, cloud storage providers, and shredding services are all common business associates.

Vendor breach guide

Civil Money Penalty (CMP)

Financial penalties imposed by HHS OCR for HIPAA violations. Penalties are tiered by the level of culpability: unknowing violations start at $100 per violation, while willful neglect not corrected within 30 days can reach $50,000 per violation with an annual cap of $1.5 million per violation category.

Violation penalties

Corrective Action Plan (CAP)

A formal agreement between a covered entity or business associate and HHS OCR that outlines specific steps the organization must take to come into HIPAA compliance following a violation. CAPs typically include implementation timelines, monitoring requirements, and reporting obligations that can last several years.

Covered Entity

An organization directly subject to HIPAA: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. Every independent medical practice, dental office, therapy clinic, and optometry practice that bills insurance electronically is a covered entity.

Why independent practices are targets

De-identification

The process of removing identifying information from health data so it is no longer considered PHI under HIPAA. De-identified data can be used and disclosed freely without HIPAA restrictions. HIPAA recognizes two methods: Expert Determination and Safe Harbor.

Designated Record Set

The group of records maintained by or for a covered entity that is used to make decisions about individuals. Includes medical records, billing records, enrollment records, and any other records used for coverage or payment decisions. Patients have the right to access and request amendments to their designated record set.

Disclosure

The release, transfer, access to, or sharing of PHI outside the entity holding the information. HIPAA distinguishes between permitted disclosures (treatment, payment, operations, public health) and disclosures requiring patient authorization. Every disclosure must follow the minimum necessary standard.

ePHI (Electronic Protected Health Information)

PHI that is created, stored, transmitted, or received in electronic form. ePHI is subject to the HIPAA Security Rule, which requires administrative, physical, and technical safeguards. This includes data in EHRs, email, digital imaging, cloud storage, and any electronic system touching patient information.

ePHI data flow mapper

HHS (Department of Health and Human Services)

The federal agency responsible for administering HIPAA through its Office for Civil Rights (OCR). HHS publishes HIPAA rules, issues guidance, conducts audits, investigates complaints, and enforces penalties. All breach reports and compliance complaints are filed with HHS.

HITECH Act

The Health Information Technology for Economic and Clinical Health Act (2009) that expanded HIPAA's scope by extending breach notification requirements to business associates, increasing penalties for violations, and strengthening enforcement. HITECH made business associates directly liable under HIPAA — not just contractually through BAAs.

Hybrid Entity

An organization that performs both covered and non-covered functions under HIPAA. A university that operates a medical school and a business school, for example, can designate itself as a hybrid entity — applying HIPAA requirements only to its healthcare components while exempting non-healthcare operations.

Minimum Necessary

The HIPAA principle requiring covered entities to limit the use, disclosure, and request of PHI to the minimum amount needed to accomplish the intended purpose. Staff should not access entire patient records when only a specific data point is needed. Exceptions apply to treatment, patient requests, and legally required disclosures.

Privacy Rule guide

NPP (Notice of Privacy Practices)

A document that covered entities must provide to patients describing how their PHI may be used and disclosed, their rights regarding their information, and the entity's legal duties. The NPP must be provided at the first service encounter and posted prominently in the facility and on the website.

OCR (Office for Civil Rights)

The enforcement arm of HHS responsible for HIPAA compliance and enforcement. OCR investigates complaints, conducts audits, issues penalties, and publishes guidance. When a breach is reported or a complaint is filed, OCR is the agency that investigates and determines penalties.

OCR audit preparation

Omnibus Rule

The 2013 HIPAA rule that implemented many HITECH Act provisions — making business associates directly liable for HIPAA violations, strengthening breach notification requirements, expanding patient rights, and increasing penalty amounts. The Omnibus Rule fundamentally changed who is responsible under HIPAA.

PHI (Protected Health Information)

Any individually identifiable health information held or transmitted by a covered entity or its business associate. PHI includes 18 specific identifiers — name, date of birth, Social Security number, medical record numbers, and more — when connected to health data. PHI exists in any form: electronic, paper, or oral.

Risk assessment

Privacy Rule

The HIPAA regulation (45 CFR §§ 164.500–534) establishing national standards for how covered entities use and disclose PHI. The Privacy Rule gives patients rights over their health information — including the right to access, request corrections, and receive an accounting of disclosures.

Privacy Rule guide

Safe Harbor Method

One of two HIPAA-approved methods for de-identifying PHI. The Safe Harbor method requires removing 18 specific identifiers — name, geographic data smaller than a state, dates (except year), phone numbers, email addresses, SSN, medical record numbers, and others — with no actual knowledge that the remaining data could identify an individual.

Security Rule

The HIPAA regulation (45 CFR §§ 164.302–318) requiring covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI. The Security Rule mandates risk assessments, access controls, audit logging, encryption, and incident response procedures.

2026 Security Rule update

SRA (Security Risk Assessment)

A systematic evaluation of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a covered entity. The SRA is the single most important HIPAA requirement — it is required annually, and its absence is the most common finding in OCR audits and the most frequent basis for enforcement actions.

Free risk assessment

TPO (Treatment, Payment, and Healthcare Operations)

The three categories of activities for which covered entities may use and disclose PHI without patient authorization. Treatment includes care coordination and referrals. Payment includes billing and claims processing. Operations includes quality assessment, training, and business planning.

Willful Neglect

Conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA. Willful neglect carries the highest penalty tier — $50,000 per violation. If not corrected within 30 days, penalties are mandatory. Most large enforcement actions involve findings of willful neglect.

Violation penalties

Workforce Member

Any person whose conduct is under the direct control of a covered entity — including employees, volunteers, trainees, and independent contractors working on-site. Workforce members are not business associates. The covered entity is directly responsible for their HIPAA compliance through training, policies, and access controls.

Knowing the terms is step one

See where your practice actually stands.

Understanding HIPAA terminology matters — but knowing your compliance gaps matters more. Run a free risk assessment and get actionable results in ten minutes.

14-day free trial · No charge until trial ends