HIPAA Acronyms Explained: A Complete Guide to PHI, BAAs, and Compliance Rules
Confused by HIPAA acronyms? This guide breaks down PHI, ePHI, BAA, OCR, CE, and every abbreviation you need to know for compliance.

Every HIPAA acronym your practice needs to know
HIPAA compliance has a language problem. Regulations, enforcement guidance, and vendor marketing are saturated with acronyms that can make even experienced practitioners feel lost. The result: practices nod along during compliance training without fully understanding what is being discussed — and miss critical requirements because the terminology obscured the obligation.
This guide cuts through the noise. Every acronym is defined in plain language with a practical explanation of why it matters to your practice and what you need to do about it.
The regulatory framework
| Rule | What It Covers |
|---|---|
| Privacy Rule | Who can access PHI and under what conditions |
| Security Rule | How to protect ePHI using technical, administrative, and physical safeguards |
| Breach Notification Rule | What you must do if patient data is exposed |
| Enforcement Rule | Defines penalties for violations |
| Omnibus Rule | Extends HIPAA obligations to vendors (Business Associates) |
HIPAA — Health Insurance Portability and Accountability Act
The federal law enacted in 1996 that established national standards for protecting health information. HIPAA has two components most people reference: the Privacy Rule (who can access health information and how) and the Security Rule (how electronic health information must be protected technically).
Why it matters: HIPAA is not a suggestion. It is federal law with civil and criminal enforcement. Every healthcare practice that transmits health information electronically — which is all of them in 2025 — is subject to HIPAA.
HITECH — Health Information Technology for Economic and Clinical Health Act
Enacted in 2009, HITECH expanded HIPAA's scope and teeth. It extended HIPAA requirements directly to business associates (not just covered entities), increased penalty amounts, required breach notification, and created the HHS breach portal that publicly lists breaches affecting 500+ individuals.
Why it matters: HITECH is why breaches have consequences. Before HITECH, enforcement was sporadic. After HITECH, there is a public Wall of Shame, mandatory notification, and penalties that can reach millions.
HHS — Department of Health and Human Services
The federal department responsible for HIPAA oversight. HHS delegates enforcement to its Office for Civil Rights (OCR).
OCR — Office for Civil Rights
The enforcement arm of HHS for HIPAA. OCR investigates complaints, conducts audits, issues guidance, and levies penalties for violations. When a practice receives a letter from OCR, it is not a drill.
Why it matters: OCR is who shows up when things go wrong. Understanding their enforcement priorities — which are published annually — tells you where to focus your compliance efforts. The HIPAA compliance checklist is aligned with current OCR enforcement priorities.
Data classifications
PHI — Protected Health Information
Any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. PHI includes clinical records, billing information, insurance details, appointment schedules, and any of the 18 HIPAA identifiers when connected to health data.
Why it matters: PHI is what HIPAA protects. If your practice handles it — and it does — every HIPAA requirement applies. PHI is broader than most practices realize; it includes appointment metadata, voicemails, and even the fact that someone is a patient at your practice.
ePHI — Electronic Protected Health Information
PHI in electronic form. This includes data in your EHR, email, text messages, digital images, electronic billing records, and any file on a computer, server, phone, or cloud service that contains identifiable patient information.
Why it matters: The Security Rule applies specifically to ePHI. Every technical safeguard — encryption, access controls, audit logging, transmission security — is required for ePHI. Use the ePHI data flow mapper to identify where ePHI exists in your practice environment.
PII — Personally Identifiable Information
A broader category than PHI, used across industries (not specific to HIPAA). PII includes any information that can identify an individual: name, address, Social Security number, email address. When PII is combined with health information and held by a covered entity, it becomes PHI.
Why it matters: State privacy laws often reference PII rather than PHI. Your practice may have obligations under both HIPAA (for PHI) and state law (for PII) simultaneously.
Entities and relationships
CE — Covered Entity
An organization directly subject to HIPAA: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. If your practice submits electronic claims — and it does — you are a covered entity.
Why it matters: Being a CE means HIPAA applies to you in full. There is no partial coverage and no small-practice exemption.
BA — Business Associate
Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes your EHR vendor, cloud storage provider, billing service, IT support company, email provider, answering service, shredding company, and any other vendor that touches patient data.
Why it matters: Every BA needs a BAA. Most practices have more business associates than they realize — often 15 to 30 or more. Each one without a BAA is a compliance gap and a liability.
BAA — Business Associate Agreement
A written contract between a covered entity and a business associate (or between two business associates) that establishes the permitted uses and disclosures of PHI, requires appropriate safeguards, and defines breach notification obligations.
Why it matters: No BAA means no legal protection if your vendor causes a breach. OCR enforcement actions routinely cite missing BAAs as violations — even when no breach has occurred. A BAA is not optional for any vendor that can access PHI.
Security and technical standards
SRA — Security Risk Assessment
The foundational requirement of the HIPAA Security Rule. An SRA identifies threats to ePHI, evaluates vulnerabilities, assesses the likelihood and impact of those threats, and determines appropriate safeguards. It must be conducted regularly, not just once.
Why it matters: The SRA is the single most-cited deficiency in OCR enforcement actions. If you do not have a current, thorough SRA, you are out of compliance regardless of everything else you have done. The free risk assessment provides an immediate baseline. For a deeper analysis, read our take on why the HHS SRA tool is not enough.
MFA — Multi-Factor Authentication
An access control that requires users to verify their identity with two or more independent factors: something they know (password), something they have (phone or hardware key), or something they are (biometric). The 2025 HIPAA Security Rule amendments are moving MFA from "addressable" toward required status for all systems containing ePHI.
Why it matters: Credential theft is the most common initial access vector in healthcare breaches. MFA stops it. If your EHR, email, cloud storage, or any system with patient data does not require MFA, you have a critical gap.
TLS — Transport Layer Security
A cryptographic protocol that encrypts data in transit between two systems. TLS is the successor to SSL and is the standard for securing email, web traffic, and API communications. HIPAA-compliant implementations require TLS 1.2 or higher.
Why it matters: TLS protects ePHI while it moves between systems — from your practice to your EHR cloud, from your email server to the recipient's server, from your web browser to a patient portal. Without TLS, data travels in plaintext and can be intercepted.
AES — Advanced Encryption Standard
The encryption algorithm standard for protecting data at rest. AES-128 and AES-256 are the NIST-approved standards referenced in the HIPAA encryption safe harbor. Patient Protect uses AES-256-GCM — a highly secure, NIST-approved encryption standard.
Why it matters: AES encryption at rest means that even if a device or server is stolen or compromised, the data is unreadable without the encryption key. Encrypted data qualifies for the breach notification safe harbor — no notification required if the key is not compromised.
Compliance documents and processes
NPP — Notice of Privacy Practices
A document that covered entities must provide to patients describing how PHI may be used and disclosed, the patient's rights regarding their information, and the entity's legal duties. It must be provided at first service and made available on request.
Why it matters: Missing or outdated NPPs are a common compliance finding. Your NPP must reflect current practices — including any electronic communication channels, patient portal usage, and telehealth services added since the last update.
TPO — Treatment, Payment, and Healthcare Operations
The three categories of PHI use and disclosure that do not require individual patient authorization under the Privacy Rule. Treatment (providing care), Payment (billing and claims), and Operations (quality assessment, training, business management).
Why it matters: TPO is the legal basis for most routine PHI use in your practice. Understanding what falls within TPO — and what requires separate patient authorization — prevents unauthorized disclosures.
NIST — National Institute of Standards and Technology
A federal agency that publishes cybersecurity frameworks and standards referenced throughout HIPAA guidance. NIST SP 800-66 provides specific implementation guidance for the HIPAA Security Rule. NIST SP 800-88 covers media sanitization. NIST encryption standards define the safe harbor qualifications.
Why it matters: When OCR says "reasonable and appropriate safeguards," they are measuring against NIST standards. Aligning your security controls to NIST frameworks gives you a defensible position in any audit or investigation.
HIPAA penalty tiers
| Tier | Penalty Range | Description |
|---|---|---|
| Tier 1 | $100–$50,000 | You didn't know and couldn't have known |
| Tier 2 | $1,000–$50,000 | Reasonable cause but not willful neglect |
| Tier 3 | $10,000–$50,000 | Willful neglect, corrected within 30 days |
| Tier 4 | $50,000+ | Willful neglect, not corrected |
Putting the acronyms into practice
Knowing what these terms mean is the starting point. Applying them is the requirement. Here is how the acronyms connect to your daily operations:
- Your practice is a CE subject to HIPAA and HITECH
- You handle PHI and ePHI across clinical, administrative, and financial systems
- Every vendor that touches that data is a BA and needs a BAA
- Your security program starts with an SRA and implements controls like MFA, TLS, and AES
- OCR under HHS enforces all of it — and publishes findings publicly
- Your patients receive an NPP and their data is used under TPO rules
If any link in that chain is missing, you have a compliance gap. The free risk assessment evaluates your practice against every one of these requirements in under five minutes. The HIPAA roadmap then maps out the specific steps to close any gaps.
No more guessing what the acronyms mean. Now it is about making sure your practice lives up to each one.
