HIPAA Glossary

Business Associate (BA)

A third party that creates, receives, maintains or transmits PHI while performing a function or service on behalf of a covered entity, but is not part of the covered entity’s workforce. A business associate can also be a covered entity in its own right. Business associates must comply with HIPAA’s Rules and have adequate safeguards in place to protect patient data.

Business Associate Agreement

The contract between a covered entity and a business associate that defines each party’s roles and responsibilities. The BAA gives the CE written assurance that the BA will implement the administrative, physical and technical safeguards needed to protect PHI.

Code Set

Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This definition includes both the codes and their descriptions.

Covered Entity (CE)

CEs are organisations that are required to comply with HIPAA’s Rules. These include healthcare providers, health plans, and clearinghouses. Healthcare providers include doctors, hospitals, caregivers, dentists, and other associated organisations.

Data Breach

An impermissible acquisition, access, use or disclosure of PHI under the Privacy Rule that compromises the security or privacy of the PHI.

Disclosure

The release, transfer, provision of access to, or divulging in any other manner of protected health information outside of the entity holding the information.

Electronic Data Interchange (EDI)

Computer-to-computer data exchanges of documents in an electronic format.

Electronic Medical Record (EMR)

A computer-based medical record of a patient. Also called an electronic health record or electronic patient record.

Electronic Protected Health Information (ePHI)

PHI that is created, received, maintained or transmitted in electronic form.

Healthcare Clearinghouse

An organisation that converts health information between nonstandard and standard formats. One example is a billing company that processes claim data from its original format into a standardised billing transaction format.

Health Information

Any information, oral or recorded, created or received by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other CE that relates to an individual’s physical or mental health, the provision of health care, or payment for health care.

Health Insurance Portability and Accountability Act (HIPAA)

Signed into law by President Bill Clinton in 1996, HIPAA was initially created to protect health insurance coverage for workers who change or lose their jobs. Its Administrative Simplification provisions later introduced standards for electronic transactions, code sets and identifiers, and HIPAA’s Privacy and Security Rules set standards for the protection of healthcare data.

Health Information Technology for Economic and Clinical Health (HITECH)

Enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). The act offered incentives to physicians in private practice, as well as institutional providers, to adopt electronic medical records.

HITECH also increased the penalties for HIPAA violations and made business associates directly liable for the same HIPAA compliance requirements as the covered entities they serve.

Individually Identifiable Health Information

A subset of health information, including demographic information, that relates to an individual’s physical or mental health, the care they receive or payment for that care, and that identifies the individual or could reasonably be used to identify them. Names, addresses, dates of birth, details of physical or mental conditions, payment information and other identifiers fall into this category of data.

Minimum Necessary

The Privacy Rule requirement that organisations limit their uses, disclosures and requests of PHI to the minimum necessary to accomplish the intended purpose.

National Drug Code (NDC)

A medical code set that identifies prescription drugs and some over-the-counter products. These codes must be used in HIPAA transactions.

Office for Civil Rights (OCR)

The office within the Department of Health and Human Services (HHS) that is responsible for federal enforcement of the HIPAA Privacy, Security and Breach Notification Rules.

Protected Health Information (PHI)

PHI is individually identifiable health information held or transmitted by a covered entity or business associate in any form or medium. The Privacy Rule lists eighteen identifiers which, when combined with health data, can connect an individual to a particular healthcare record. These are:

  • Names or part of names
  • Geographical identifiers
  • Phone numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Web URLs
  • Biometric identifiers, including fingerprints, retinal and voice prints
  • Full face or any comparable photographic images
  • IP addresses
  • Device identifiers and serial numbers
  • Certificate or license numbers
  • Health insurance beneficiary numbers
  • Social Security numbers
  • Fax numbers
  • Dates (other than year) directly related to an individual
  • Any other unique identifying number, characteristic or code
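As an added example (not part of this glossary), the following Python scanner flags and redacts those identifier types from the list above that have a recognisable textual shape, so a record can be routed for PHI handling before it is logged or exported. The patterns, the `Finding` type, the function names and the sample note are assumptions of the example; names, geographical identifiers and "any other unique characteristic" have no fixed shape and are deliberately left out.

```python
import re
from dataclasses import dataclass

# Patterns for the identifier types from the list above that have a
# recognisable textual shape. Ordering matters: earlier entries win when two
# patterns claim overlapping text (e.g. a 10-digit MRN that also looks like a
# phone number). Names, geographic identifiers and "any other unique
# characteristic" have no fixed shape and need dictionaries or NLP instead.
PATTERNS = [
    ("mrn",   re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE)),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    # Lazy match with a lookahead so trailing sentence punctuation is excluded.
    ("url",   re.compile(r"https?://\S+?(?=[.,;:)]*(?:\s|$))")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    # Digit lookarounds instead of \b because the number may start with "(".
    ("phone", re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def scan(text: str) -> list:
    """Return non-overlapping identifier findings in order of appearance."""
    found = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            # A span already claimed by a higher-priority pattern is skipped.
            if any(f.start < m.end() and m.start() < f.end for f in found):
                continue
            found.append(Finding(kind, m.group(0), m.start(), m.end()))
    return sorted(found, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with a [KIND] placeholder, working right to left
    so that the offsets of earlier findings remain valid."""
    out = text
    for f in reversed(scan(text)):
        out = out[:f.start] + "[" + f.kind.upper() + "]" + out[f.end:]
    return out


def contains_phi(text: str) -> bool:
    """True if any listed identifier is present; the record must then be
    handled as PHI (access control, audit logging, encryption at rest)."""
    return bool(scan(text))


# Constructed sample note: not real data; uses reserved example domains,
# a TEST-NET address and a 555 phone number.
SAMPLE_NOTE = (
    "Patient seen 03/14/2021, MRN 4471902. Contact: jane.doe@example.com, "
    "(555) 123-4567. SSN 123-45-6789. Portal login from 203.0.113.42 "
    "via https://portal.example.org/visit/88."
)

if __name__ == "__main__":
    for f in scan(SAMPLE_NOTE):
        print(f"{f.kind:6} {f.value}")
    print(redact(SAMPLE_NOTE))
```

The scanner is a first-pass filter, not a de-identification guarantee: regex catches the structured identifiers, but the IPv4 pattern will also match version strings, and free-text names or small-town addresses need a dictionary or NLP step. The overlap rule is what keeps a 10-digit MRN from being reported as a phone number.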

Trading Partner Agreement (TPA)

An agreement related to the exchange of information in electronic transactions between each party to the agreement.