Sometimes I wish I could ban acronyms from the planet. HIPAA includes many such acronyms, mostly security-related. You may come across them in actual HIPAA text, online during security research, or when talking to a healthcare compliance consultant.
For a more comprehensive reference to cybersecurity terms, visit our glossary here.
See also: HIPAA FAQ
Here are the ones you should understand to fully grasp most HIPAA security requirements.
AES (Advanced Encryption Standard): government encryption standard to secure sensitive electronic information.
APT (Advanced Persistent Threat): network attack in which an attacker breaks into a network undetected and harvests information over a long period of time. These groups are highly skilled and very patient. If you don’t have the right tooling to detect them, such as IDS/IPS and FIM, you will likely never know they were there.
BCP (Business Continuity Plan): a plan that identifies an organization’s exposure to internal and external threats and how it will keep operating through them.
BA (Business Associate): a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services, laboratories).
BAA (Business Associate Agreement): a contract between a covered entity and business associate to safeguard PHI and comply with HIPAA.
CERT (Computer Emergency Response Team): designated group to handle computer security incidents.
CISO (Chief Information Security Officer): similar to a CSO, but with responsibility for IT rather than entity-wide security.
CISSP (Certified Information Systems Security Professional): a globally recognized certification that confirms an individual’s knowledge about information security.
Covered Entity (CE): a health plan, health care clearinghouse, or health care provider that electronically transmits health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans).
CPOE (Computerized Provider Order Entry): management software that allows physicians to provide electronic instructions to staff (vs. handwritten) on a patient’s treatment and care.
CSO (Chief Security Officer): company position with responsibility towards HIPAA compliance, PCI compliance, physical security, network security, and other security protocols.
DLP (Data Loss Prevention): a piece of software or strategy to ensure users don’t send sensitive information (such as PHI) outside the network.
EHR (Electronic Health Record): digital chart that contains a patient’s comprehensive medical history from multiple healthcare providers.
eMAR (Electronic Medication Administration Record): a way to track medication administration using electronic tracking sensors.
EMR (Electronic Medical Record): digital chart that contains a patient’s medical history from a single practice used for diagnosis and treatment.
ePHI (Electronic Protected Health Information): health information sent or stored electronically, protected by the HIPAA Security Rule.
FIM (File Integrity Monitoring): a way of checking that files belonging to the operating system, systems, and applications have not changed unexpectedly, in order to warn of potential malicious activity.
FW (Firewall): system designed to screen incoming and outgoing network traffic.
GPG (GNU Privacy Guard): a free, open-source implementation of the OpenPGP standard, compatible with PGP.
HIPAA (Health Insurance Portability and Accountability Act): a federal mandate that, among other things, requires organizations to keep patient data secure through a myriad of privacy and security procedures, policies, and actions.
HIT (Health Information Technology): the management of ePHI and its secure exchange between covered entities, business associates, and patients.
HHS (United States Department of Health and Human Services): the federal organization that created HIPAA.
IDS/IPS (Intrusion Detection System/Intrusion Prevention System): systems that monitor network traffic or hosts for malicious activity and report it (IDS) or block it (IPS).
IIHI (Individually Identifiable Health Information): (see PHI)
IRP (Incident Response Plan): policies and procedures to effectively limit the effects of a security breach.
IT (Information Technology): anything relating to networks, computers, and programming, and the people that work with those technologies.
MU (Meaningful Use): a requirement that states providers sharing patient data with other healthcare professionals must do so in a way that can be measured.
NPP or NoPP (Notice of Privacy Practices): the required document or notice that provides a clear explanation of patient rights and covered entity practices concerning a patient’s PHI.
OCR (Office for Civil Rights): the federal organization responsible for enforcing HIPAA compliance.
ONC (Office of the National Coordinator for Health Information Technology): the federal organization charged with coordination of nationwide efforts to implement and use advanced health information technology.
PGP (Pretty Good Privacy): data encryption computer program that provides privacy for encrypting emails, files, directories, and disks.
PHI (Protected Health Information): information that can be linked to a particular person (i.e., past, present, or future health condition or healthcare provision) such as patient name, social security number, and medical history.
P&P (Policies and Procedures): in HIPAA compliance, guidelines and principles adopted by an entity with respect to the security of PHI.
P2PE (Point-To-Point Encryption): credit/debit card data encryption from the point of interaction to a merchant solution provider.
RA (Risk Analysis): an assessment of the potential vulnerabilities, threats, and possible risk to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.
RBAC (Role-Based Access Control): a model for restricting users’ access to systems based on their role within the organization.
RMP (Risk Management Plan): the strategy to implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.
SSL (Secure Sockets Layer): Internet security standard for encrypting the link between a website and a browser to enable the transmission of sensitive information (predecessor to TLS).
TFA (Two-Factor Authentication): two out of three independent methods of authentication are required to verify a computer or network user. The three possible factors are something you know (e.g., a password), something you have (e.g., a token or phone), and something you are (e.g., a fingerprint).
TLS (Transport Layer Security): (See SSL)
VPN (Virtual Private Network): technical strategy for creating secure tunnels over the Internet.
WEP (Wired Equivalent Privacy): an outdated and weak security algorithm for wireless networks.
WPA (Wi-Fi Protected Access): security protocol designed to secure wireless computer networks.
WPA2 (Wi-Fi Protected Access II): (see WPA)
3DES (Triple Data Encryption Standard): an older encryption standard that applies the DES cipher three times to each block of data; now considered legacy and superseded by AES.