Glossary of Terminology
A list of terminology that may be referenced throughout our software, documentation site, and communications. Listed in alphabetical order.
Glossary
Accountable:
A healthcare compliance software platform designed to help organizations manage HIPAA compliance, offering an all-in-one solution for privacy, security, and risk management.
Administrative Simplification Provisions:
Sections of HIPAA (261-264) that required HHS to adopt national standards for electronic healthcare transactions, unique health identifiers, and security, as well as federal privacy protections for individually identifiable health information.
Audit Protection Guarantee:
A promise from Accountable that its experts and platform will support clients if a HIPAA audit occurs.
Automated Data Breach Detection & Risk Scoring:
Accountable's system for real-time detection of third-party breaches, assessment of risk levels, and automated notification of impacted employees.
BAA Management System (Business Associate Agreement Management System):
A feature that centralizes the creation, tracking, and management of Business Associate Agreements (BAAs) to ensure HIPAA compliance with vendors.
Breach:
Generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. It is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised.
Breach Notification Rule (45 CFR §§ 164.400-414):
A HIPAA rule that requires covered entities and their business associates to provide notification following a breach of unsecured Protected Health Information (PHI).
Breached Password Detection:
A feature that identifies when an organization's email addresses or passwords appear in publicly available data breach dumps on the dark web.
Business Associate (BA):
A person or entity (other than a member of a covered entity's workforce) that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of Protected Health Information (PHI). This also includes subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.
Business Associate Agreement (BAA):
A legally required contract under HIPAA between covered entities and their business associates (and between business associates and their subcontractors) to ensure the appropriate safeguarding of Protected Health Information (PHI). It outlines permitted and required uses/disclosures, safeguards, and reporting obligations.
CCPA (California Consumer Privacy Act):
A state statute intended to enhance privacy rights and consumer protection for residents of California.
Civil Money Penalties (CMPs):
Financial penalties imposed by the Office for Civil Rights (OCR) for noncompliance with HIPAA Rules. The amount varies based on factors like knowledge of the violation and willful neglect, with calendar year caps.
Confidentiality (Security Rule):
Means that data or information is not made available or disclosed to unauthorized persons or processes.
Covered Entity (CE):
Under HIPAA, this refers to health plans, healthcare clearinghouses, and healthcare providers who transmit health information in electronic form in connection with transactions for which HHS has adopted a standard.
Custom Company Training (BYO – Bring Your Own Training):
A feature allowing organizations to upload and manage their own specific training modules tailored to company policies and compliance goals.
Data Breach Monitoring:
Accountable's solution to identify, assess, and respond to security incidents and cyber threats that could impact employees and sensitive data.
Data Inventory Management:
A feature that provides a centralized hub to track and monitor every location where Electronic Protected Health Information (ePHI) and Protected Health Information (PHI) are stored within an organization.
Data Protection Impact Assessment (DPIA):
A process to identify and minimize the data protection risks of a project. Often associated with GDPR.
Data Use Agreement (DUA):
An agreement used for sharing limited data sets for specific purposes like research or public health, distinct from a BAA.
De-identified Health Information:
Health information that neither identifies nor provides a reasonable basis to identify an individual. There are two methods for de-identification: formal determination by a qualified statistician or the removal of specific identifiers. No restrictions apply to the use or disclosure of de-identified health information.
DSAR (Data Subject Access Request):
A request made by an individual to an organization asking for access to the personal data that organization holds about them. Relevant under laws like GDPR and CCPA.
Electronic Protected Health Information (ePHI):
Protected Health Information (PHI) that is maintained in or transmitted by electronic media. The Security Rule specifically protects ePHI.
Employee Learning Management System (LMS):
A comprehensive system within Accountable's Employee Portal for managing and delivering various training programs, including HIPAA, Security Awareness, and Sexual Harassment Prevention.
Encryption (for PHI):
An algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key. Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, and for data in motion, they comply with NIST Special Publications 800-52, 800-77, or 800-113, or are FIPS 140-2 validated.
Enforcement Rule (45 CFR Part 160, Subparts C, D, and E):
Provides standards for compliance, investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
e-Signature (HIPAA-Compliant Electronic Signature Service):
A secure digital signature service that meets HIPAA requirements for legally binding signatures on sensitive documents, such as BAAs and policy acknowledgments.
ESIGN Act:
The Electronic Signatures in Global and National Commerce Act, a U.S. federal law that facilitates the use of electronic records and signatures in interstate and foreign commerce.
FERPA (Family Educational Rights and Privacy Act):
A U.S. federal law that protects the privacy of student education records.
Full Service Plan:
Accountable's highest-tier pricing plan, offering white-glove onboarding, dedicated support, data migration assistance, and Privacy Officer as a Service.
GAP Analysis:
The process of comparing actual performance or practices with desired performance or standards (e.g., HIPAA requirements) to identify discrepancies. Accountable uses AI for this.
GDPR (General Data Protection Regulation):
A comprehensive data protection law in the European Union and European Economic Area.
HIPAA (Health Insurance Portability and Accountability Act):
A U.S. federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
HIPAA Breach Notification Rule:
A HIPAA rule that requires Covered Entities and Business Associates to notify affected individuals, HHS, and sometimes the media when a breach of unsecured PHI occurs.
HIPAA Privacy Rule:
A part of HIPAA that establishes national standards to protect individuals' medical records and other personal health information.
HIPAA Seal of Compliance:
A third-party verification badge from Accountable that organizations can earn and display to demonstrate their commitment to safeguarding patient data and completing key HIPAA compliance components through the platform.
HIPAA Security Rule:
A part of HIPAA that sets national standards for the security of electronic protected health information (ePHI).
HIPAA Training:
Accountable's program designed to educate employees on essential HIPAA privacy and security regulations for handling sensitive patient data.
HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009):
Enacted as part of ARRA, it strengthened HIPAA's privacy and security protections, extended direct liability for Security Rule violations to business associates, and mandated periodic audits.
Incident Management Software:
Accountable's structured, HIPAA-compliant approach to reporting, tracking, and resolving security and privacy incidents to minimize risk.
Individually Identifiable Health Information (IIHI):
Information, including demographic data, that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care, or payment for health care, and that identifies or could reasonably be used to identify the individual.
Integrity (Security Rule):
Means that data or information has not been altered or destroyed in an unauthorized manner.
Minimum Necessary Rule:
A principle of the Privacy Rule requiring covered entities to make reasonable efforts to use, disclose, and request only the minimum amount of Protected Health Information (PHI) needed to accomplish the intended purpose.
Multiple Location Management:
A feature allowing franchises and multi-site businesses to centralize control of HIPAA compliance while enabling location-specific management.
National Institute of Standards and Technology (NIST):
A federal agency that sets computer security standards and publishes reports relevant to IT security, with several special publications referenced for HIPAA compliance, especially regarding encryption and media sanitization.
Notice of Privacy Practices (NPP):
A document that covered entities must provide to individuals, describing how their Protected Health Information (PHI) may be used and disclosed, the entity's duties, and individuals' rights.
NPI Number (National Provider Identifier):
A unique identification number for healthcare providers in the United States, mandated by HIPAA.
Office for Civil Rights (OCR):
The HHS office responsible for implementing and enforcing the HIPAA Privacy, Security, and Breach Notification Rules through investigations, compliance reviews, education, and outreach.
Patient Safety Work Product (PSWP):
Information collected and created during the reporting and analysis of patient safety events, protected by federal privilege and confidentiality protections under the Patient Safety and Quality Improvement Act of 2005 (PSQIA).
Phishing Attacks:
A type of social engineering attack where an attacker attempts to trick individuals into revealing sensitive information, often through deceptive emails or websites.
Policy Management Software:
Accountable's solution for creating, managing, and sharing internal policies and procedures using pre-built templates and tracking employee acknowledgments.
Privacy Center:
A customizable, centralized, and automated portal provided by Accountable where users can manage their data privacy requests (e.g., access, update, deletion) in compliance with laws like GDPR and CCPA.
Privacy Compliance Software:
Accountable's automated solution to help organizations meet regulatory requirements for various privacy laws, including HIPAA, GDPR, and CCPA.
Privacy Officer as a Service:
A service offered in the Full Service Plan where a dedicated privacy professional acts as an organization's privacy officer.
Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164):
Establishes national standards to protect individuals' medical records and other individually identifiable health information (PHI) and applies to health plans, healthcare clearinghouses, and certain healthcare providers.
Protected Health Information (PHI):
All "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media (electronic, paper, or oral).
Public Health Authority:
An agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.
Resolution Agreement:
A settlement agreement between HHS (OCR) and a covered entity or business associate where the entity agrees to specific obligations and reporting, often including a monetary payment, to resolve noncompliance issues.
Risk Analysis:
An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, required by the Security Rule.
Security Awareness Training:
Accountable's program that equips employees with knowledge to identify threats, prevent breaches, and safeguard company data, covering topics like phishing and password safety.
Security Risk Assessment (SRA):
A core HIPAA requirement and a structured process offered by Accountable to identify, assess, and mitigate security risks and vulnerabilities related to Protected Health Information (PHI).
Security Rule (45 CFR Part 160 and Subparts A and C of Part 164):
Establishes a national set of security standards to protect certain health information that is maintained or transmitted in electronic form (ePHI). It sets forth administrative, physical, and technical safeguards.
Sexual Harassment Prevention Training:
Accountable's training program designed to educate employees on recognizing, preventing, and reporting sexual harassment to foster a safe workplace.
Third-Party Security Monitoring Software:
A feature that helps organizations track and manage the compliance status and security risks of vendors, partners, and service providers who handle sensitive data.
Unsecured Protected Health Information:
Protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through technologies or methodologies specified by the Secretary in guidance (i.e., encryption or destruction).
Vendor Compliance Management Software:
Software that helps organizations assess, track, and manage vendor risk to ensure third parties comply with security and privacy regulations like HIPAA.
Vendor Management System (VMS):
Accountable's centralized solution to track, assess, and monitor vendor risk and compliance.
