Privacy and Security Terminology
- Audit trail - data collected and potentially used to
facilitate a security audit, to include the who (login ID), what (read-only,
modify, delete, add, etc.), and when (date/timestamp).
- Audit controls - the mechanisms employed to record and examine
- Authorization - permission granted by the patient or the
patient's personal representative to use or disclose protected health
information for purposes other than treatment, payment, health care
operations or uses and disclosures permitted or required by the Privacy
- Access - the ability or the means necessary to read,
write, modify, or communicate data/information or otherwise make use of
any system resource.
- Access Authorization - Information-use policies/procedures that
establish the rules for granting and/or restricting access to a user,
terminal, transaction, program, or process.
- Access Control - A method of restricting access to resources,
allowing only privileged entities access. (PGP, Inc.) Types of access
control include, among others, mandatory access control, discretionary
access control, time-of-day, classification, and subject-object separation.
- Access Controls - The protection of sensitive communications
transmissions over open or private networks so that it cannot be easily
intercepted and interpreted by parties other than the intended recipient.
- Access Establishment - The security policies, and the rules
established therein, that determine an entity's initial right of access to
a terminal, transaction, program, or process. Part of information access
control on the matrix.
- Access Level - A level associated with an individual who may
be accessing information (for example, a clearance level) or with the
information that may be accessed (for example, a classification level).
- Access Modification - The security policies, and the rules
established therein, that determine
and reasons for, modification to an entity's established right of access to a
terminal, transaction, program, or process.
- Accountability - The property that ensures that the actions of
an entity can be traced uniquely to that entity. (ASTM E1762-95).
- Business associate - A person who on behalf of a covered entity (or
of an organized health care arrangement in which the covered entity
participates) performs, or assists in the performance of:
function or activity involving the use or disclosure of individually
identifiable health information,
including claims processing or administration, data analysis, processing
or administration, utilization review,
quality assurance, billing, benefit management, practice management, and
- Any other function or activity regulated by this
- A person
who provides legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial services to or for such
covered entity (or to or for an
organized health care arrangement in which the covered entity participates)
where the provision of the service involves the disclosure of individually
identifiable health information from such covered entity (or arrangement), or
from another business associate of such covered entity (or arrangement), to the
- Biometric identification - An identification system that identifies a
human from a measurement of a physical feature or repeatable action of the
individual, such as, hand geometry, retinal scan, iris scan, fingerprint
patterns, facial characteristics, DNA sequence characteristics, voice
prints, and hand written signature. (§142.308(c)(1)(v) HHS HIPAA Security
- Classification based access control - Protection of data from
unauthorized access by the designation of multiple levels of access
authorization clearances to be required for access, dependent upon the
sensitivity of the information.
- Context-based access - An access control based on the context of a
transaction (as opposed to being based on attributes of the initiator or
target). The "external" factors might include time of day,
location of the user, strength of user authentication, etc.
- Consent - Permission granted by the patient or the
patient's guardian to use or disclose protected health information for
purposes of treatment, payment or health care operations.
- Covered entities -
- A health plan (as defined in 45 C.F.R. §160.103).
- A health
- A health care provider who transmits any health
information in electronic form in
with a transaction covered by this HIPAA's Administrative Simplification provisions.
- Data authentication - The corroboration that data has not been
altered or destroyed in an unauthorized manner. Examples of how data corroboration
may be assured include the use of a check sum, double keying, a message
authentication code, or digital signature.
- Designated record set - A group of records maintained by or for a covered
entity that includes the medical records and billing records about
individuals maintained by or for a covered health care provider; the
enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or used, in whole or in
part, by or for the covered entity to make decisions about individuals.
For purposes of this definition, the term record means any item,
collection, or grouping of information that includes protected health
information and is maintained, collected, used, or disseminated by or for
a covered entity.
- De-identified information - Health information that meets the standard and
implementation specifications under 45 C.F.R. § 164.514 (a) and (b).
- Digital signature - An electronic signature based upon
cryptographic methods of originator authentication, computed by using a
set of rules and a set of parameters such that the identity of the signer
and the integrity of the data can be verified. (FDA Electronic Record;
Electronic Signatures; Final Rule)
- Disaster recovery - The process whereby an enterprise would
restore any loss of data in the
event of fire, vandalism, natural disaster, or system
failure. (CPRI, 1996c, as cited in HISB, --
GLOSSARY OF TERMS RELATED TO INFORMATION SECURITY IN HEALTH CARE INFORMATION
SYSTEMS draft Glossary of Terms Related to Information Security in Health Care
- Disclosure - The release, transfer, provision of access to,
or divulging in any other manner of protected health information outside
the entity holding the information.
- Discretionary Access Control (DAC) - is used to control access
by restricting a subject's access to an object. It is generally used to
limit a user's access to a file. In this type of access control it is the
owner of the file who controls other users' accesses to the file.
- Double keying - The act of key entering data twice to ensure
the accuracy of the data entered.
- Electronic data interchange - computer-to-computer transmission of business information in a standard
format. For EDI purists, "computer-to-computer" means direct
transmission from the originating application program to the receiving, or
processing, application program, and an EDI transmission consists only of
business data, not any accompanying verbiage or free-form messages.
Purists might also contend that a standard format is one that is approved
by a national or international standards organization, as opposed to
formats developed by industry groups or companies. (EDI Security, Control,
- Encryption - Transforming confidential plaintext into cipher
text to protect it (also called
An encryption algorithm combines plaintext with other values called keys, or ciphers,
so the data becomes unintelligible. Once encrypted, data can be stored or
transmitted over unsecured lines. (EDI Security, Control, and Audit)
- Emergency mode operation - Access controls in place that enable an
enterprise to continue to operate in the event of fire, vandalism, natural
disaster, or system failure.
- Entity authentication - 1. Processes that are put in place to guard
against unauthorized access to data that is transmitted over a
communications network (§ 142.308(d) HHS HIPAA Security NRPM). 2. A
communications/network mechanism to irrefutably identify authorized users,
programs, and processes, and to deny access to unauthorized users,
programs and processes. (§142.308(d)(2)(iii) HHS HIPAA Security NRPM)
- Equipment control (into and out of site) - Documented security
procedures for bringing hardware and software into and out of a facility
and for maintaining a record of that equipment. This includes, but is not
limited to, the marking, handling, and disposal of hardware and storage
- Facility security plan - A plan to safeguard the premises and building(s)
(exterior and interior) from unauthorized physical access, and to
safeguard the equipment therein from unauthorized physical access,
tampering, and theft.
- Fundraising - An activity of a covered entity intended to
raise funds to benefit the covered entity or an institutionally related
foundation that has as its mission to benefit the covered entity.
- Health Plan - An employee welfare
benefit plan, including insured and self-insured plans, to the extent that the
plan provides medical care, including items and services paid for as medical
care, to employees or their dependents directly or through insurance,
reimbursement, or otherwise
policy or rule intended to give practical guidance.
operations - Any of the following
activities (see 45 C.F.R. §164.501) of the covered entity to the extent that
the activities are related to covered functions, and:
- Conducting quality assessment and improvement
the competence or qualifications of health care professionals
- Conducting or arranging for medical review, legal
services, and auditing functions,
including fraud and abuse detection and compliance
programs; Business planning
- Business management and general administrative
activities of the entity
- HHS or Secretary - the Department of Health and Human Services or the
Health and Human Services.
- Health information - Any information, oral or recorded in any medium,
- Is created or received by a health care provider,
health plan, public health authority,
life insurer, school or university, or health care clearinghouse; and
to the past, present, or future physical or mental health or condition of an
individual; the provision of health care to an individual;
or the past, present, or future payment for the provision of health care to an
- Hybrid entity - Means a single legal entity that is a covered entity
and whose covered functions are not its primary functions.
Specification - Specific requirements
or instructions for implementing a standard.
- Individual - The person who is the subject of protected health
- Individually identifiable health information - Means information that is a subset of health
including demographic information collected from an individual, and: (1) Is
created or received by a health care provider, health plan, employer, or health
care clearinghouse; and (2) Relates to the past, present, or future physical or
mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health
care to an individual; and (i) That identifies the individual; or (ii) With
respect to which there is a reasonable basis to believe the information can be
used to identify the individual.
- Information access control - Formal, documented policies and procedures for
granting different levels of access to health care information.
- IRB - Institutional Review Board, established to
review research activities in accordance with federal regulations.
- Internal audit - The in-house review of the records of system activity
(for example, logins, file accesses, security incidents) maintained by an
- Limited data set - Means protected health information that excludes the following direct
of the individual or of relatives, employers, or household members of the
individual identified in 45 C.F.R. 164.514(e).
- Mandatory Access Control (MAC) - A means of restricting access to objects that is
based on fixed security attributes assigned to users and to files and
other objects. The controls are mandatory in the sense that users or their
programs cannot modify them.
- Marketing - means to make a communication about a
product or service that encourages recipients of the communication to
purchase or use the product or service, unless the communication is made:
(i) To describe a health-related product or service (or payment for such
product or service) that is provided by, or included in a plan of benefits
of, the covered entity making the communication, including communications
about: the entities participating in a health care provider network or
health plan network; replacement of, or enhancements to, a health plan;
and health-related products or services available only to a health plan
enrollee that add value to, but are not part of, a plan of benefits; or
(ii) For treatment of the individual; or (iii) For case management or care
coordination for the individual, or to direct or recommend alternative
treatments, therapies, health care providers, or settings of care to the
individual. Marketing also means an arrangement between a covered entity
and any other entity whereby the covered entity discloses protected health
information to the other entity, in exchange for direct or indirect
remuneration, for the other entity or its affiliate to make a communication
about its own product or service that encourages recipients of the
communication to purchase or use that product or service.
- Message authentication code - Data associated with an authenticated message
that allows a receiver to verify the integrity of the message. (Glossary
of INFOSEC and INFOSEC Related Terms - Idaho State University)
- Minimum necessary - When using or disclosing protected health
information or when requesting protected health information from another covered
entity, a covered entity generally must make reasonable efforts to limit
protected health information to the minimum necessary to accomplish the
intended purpose of the use, disclosure, or request.
- Need-to-know - A security principle stating that a user should
have access only to the data he or she needs to perform a particular
- Password - A confidential numeric and/or character string
used in conjunction with a User ID to verify the identity of the
individual attempting to gain access to a computer system.
- Payment - The activities undertaken by either a health plan
to obtain premiums or to determine or fulfill its responsibility for
coverage and provision of benefits under the health plan; or a covered
health care provider or health plan to obtain or provide reimbursement for
the provision of health care.
- Personal identification number (PIN) - A number or code
assigned to an individual and used to provide verification of identity.
- Plan - a detailed scheme or method for the
accomplishment of an object.
- Plan Administration Functions - An Administration function
performed by the Plan Sponsor of a Group Health Plan on behalf of the
Group Health Plan and excludes functions performed by the Plan Sponsor in
connection with any other benefit or benefit plan of the Plan Sponsor.
- Plan Sponsor - The employer in the case of an employee benefit
plan established or maintained by a single employer, the employee
organization in the case of a plan established or maintained by an
employee organization, or in the case of a plan established or maintained
by two or more employers or jointly by one or more employers and one or
more employee organizations, the association, committee, joint board of
trustees, or other similar group of representatives of the parties who
establish or maintain the plans.
- Policy - A general principle or plan that guides the
actions taken by an individual or group.
- Procedure - A way of performing or accomplishing
something; a series of steps; course of action.
- Process - A series of steps, actions or operations used
to bring about a desired result.
- Protected health information - Individually identifiable health information
that is or has been electronically maintained or electronically
transmitted by a covered entity, as well as such information when it takes
any other form that is (1) Created or received by a health care provider,
health plan, employer, or health care
and (2) Relates to the past, present, or future physical or mental health or condition
of an individual, the provision of health care to an individual, or the past,
present, or future payment for the provision of health care to an individual.
(2) Protected health information excludes individually identifiable health
information in: (i) Education records covered by the Family Educational Rights
and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20
U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered
entity in its role as employer.
- Research - Means a systematic investigation, including
research development, testing, and evaluation, designed to develop or
contribute to generalizable knowledge.
- Role-based access control - Role-based access control (RBAC) is an
alternative to traditional access control models (e.g. discretionary or
non-discretionary access control policies) that permits the specification
and enforcement of enterprise-specific security policies in a way
more naturally to an organization's structure and business activities. With
RBAC, rather than attempting to map an organization's security policy to a
relatively low-level set of technical controls (typically, access control
lists), each user is assigned to one or more predefined roles, each of which
has been assigned the various privileges needed to perform that role.
- Standard - A rule, condition, or requirement describing
the following information for products, systems, services or practices:
classification of components, specification of materials, performance, or
operations; or delineation of procedures; or with respect to the privacy
of individually identifiable health information.
- Summary Health Information - Information, that may be individually
identifiable health information, and:
- That summarizes the claims history, claims expenses,
or type of claims experienced by
for whom a Plan Sponsor has provided health benefits under a Group Health
- From which the identifiers of the individual or of
relatives, employers, or household
members of the individual specified in 45
C.F.R. §154.504(a), are removed
- Technical security mechanisms - To protect sensitive communication that is
transmitted electronically over open networks so that it cannot be easily
intercepted and interpreted by parties other than the intended recipient.
(§ 142.308(d)(2) HHS HIPAA Security NRPM)
- Time-of-day access control - Access to data is restricted to certain
periods, e.g., Monday through Friday, 8:00 a.m. to 6:00 p.m.
- Token - A physical item containing an electronic device
used to provide identity and to obtain access, typically a device that can
be inserted in a door or a computer system.
(As cited in HISB, DRAFT GLOSSARY OF TERMS RELATED TO INFORMATION SECURITY IN
HEALTH CARE INFORMATION SYSTEMS drafts Glossary of Terms Related to Information
Security in Health Care Information Systems).
- Treatment - Means the provision, coordination, or
management of health care and related services by one or more health care
providers, including the coordination or management of health care by a
health care provider with a third party; consultation between health care
providers relating to a patient; or the referral of a patient for health
care from one health care provider to another.
- Unique user identifier - A combination name/number assigned and
maintained in security procedures for identifying and tracking individual
user identity. (§ 142.308(c)(1)(v) HHS HIPAA Security NRPM)
- Use - Means, with respect to individually
identifiable health information, the sharing, employment, application,
utilization, examination, or analysis of such information within an entity
that maintains such information.
- User-based access - Refers to a security mechanism used to grant
users of a system access based upon the identity of the user.
- User ID - A unique identifier given to an individual
allowing that individual access to a computer system. A User ID is usually
accompanied by a password.
- Workforce - Employees, volunteers, trainees, and other
persons whose conduct, in the performance of work for a covered entity, is
under the direct control of such entity, whether or not they are paid by
the covered entity.