access  (1) The ability of a person, or user, to interact with information or a technology asset such as a computer network by entering the appropriate credentials; (2) a principle within privacy and security frameworks that grants data subjects rights to review, challenge, and keep copies of information that is collected about them. The term “access” is often confused with “authorization” and “authentication” because of their interrelated relationship within identity and privilege management. Each concept does have distinctions to differentiate them.

access control  A type of control used to ensure that access to assets is authorized and restricted based on business and security requirements [ISO/IEC 27000]. It affects the ability for a user or other entity to do something with a computer resource, and usually refers to a technical capability such as reading, creating, modifying, or deleting a file; executing a program; or using an external connection.

access limitation  A standard that requires that access to sensitive information be limited to the minimum amount necessary and only to those with a need to know based on their role in the organization and reason for the information request.

accountability

The property that ensures that the actions of an entity may be traced uniquely to the entity [ISO 7498-2].

Accountable Care Organization (ACO)  A formal organizational care delivery and resourcing model that is currently applicable to Medicare patients only. Physicians, hospitals, and other relevant health service professionals are testing ACO models that merge their organizations contractually to provide a broader set of healthcare services.

accounting of disclosures  A right assigned in HIPAA in which healthcare organizations must keep and be able to provide to patients and regulators a record of all information disclosed, by whom, and to whom outside of the healthcare organization.

Accreditation Association for Ambulatory Health Care (AAAHC)  An organization that develops accreditation standards for patient safety, quality, value, and measurement of performance for healthcare organizations. Because its focus is in ambulatory health care, AAAHC surveys can be more efficient and meaningful with better-equipped, peer-based accreditation processes.

Accreditation Canada  Formerly known as Canadian Council on Health Services Accreditation (CCHSA), this organization provides accreditation for more than 1000 client organizations, ranging from regional health authorities, to hospitals and community-based programs and services. Like the Joint Commission and the AAAHC in the United States, the Canadian surveyors and auditors are not government employees, and they do not take direction from the government.

accuracy  The quality or state of information precision that is vital to the health of the patient. Accuracy must be the rule with regard to the entire scope of a patient’s medical entry and overall healthcare record. A patient—or, for that matter anyone, including care providers—who determines information within the record is in error has the right to request an amendment or change to the record or entry.

administration  The various people who manage or provide support for the provision of healthcare. At every level of the healthcare organization, from the chief executive officer to the ward clerk, administrative individuals provide appropriate levels of management and leadership. At the most senior level, administration refers to the management of internal and external forces to achieve specific goals.

American College of Radiology (ACR)  An organization founded in 1923 that is at the forefront of radiology evolution, representing nearly 40,000 radiologists, radiation oncologists, nuclear medicine physicians, and medical physicists. Its core purpose is to serve patients and society by empowering members to advance the practice, science, and professions of radiological care [https://www.acr.org].

American National Standards Institute (ANSI) Accredited Standards Committee (ASC) X12  An ANSI committee that develops protocols for HIPAA transactions as part of a larger body of work for all electronic transactions. There are more than 315 X12-based standards and a growing collection of X12 XML schemas for healthcare, insurance, government, transportation, finance, and many other industries. X12N is used for healthcare claims.

annualized loss expectancy (ALE)  A calculation of the single loss expectancy multiplied by the annual rate of occurrence, or how much an organization could estimate to lose from an asset based on the risks, threats, and vulnerabilities.

annualized rate of occurrence (ARO)  An estimate based on data showing how often a threat would be successful in exploiting a vulnerability.

anonymization  A process that removes the association between the identifying data set and the data subject [ISO/TS 25237]. Protected health information (PHI) in anonymization includes elements eliminated or manipulated with the purpose of hindering the possibility of returning to the original data set.

architecture  A general term that describes a focus on principles for information asset design and interconnectivity based on models and conceptual diagrams. It is often described as both art and science.

assessment  A process conducted by information privacy and security professional to determine levels of risk an organization may face by implementing a system, contracting with a third-party supplier, or publishing a new web site, as examples. Assessments are based on established standards or objectives to permit comparison and evaluation.

audit  An inspection and/or appraisal conducted against a “standard” with an explanation of how the activity should be performed (normally a process or procedure). The auditor works to determine whether the described process conforms to the standard and whether the operators are following the appropriate processes.

authorization  Granting of access rights and user privileges to operate information technology assets.

availability  Ensuring timely and reliable access to and use of information [NIST SP 800-53].

awareness  Possession of an informed perspective that all employees or certain groups of employees should have with regard to information privacy and security controls, responsibilities, and risks. It is achieved through initial, annual, and periodic training and communication about information protection.

bachelor of science in nursing (BSN)  A four-year academic degree in the science and principles of nursing granted by a tertiary education university or similarly accredited school. Can be combined with an RN (registered nurse) license, but BSN is not synonymous with an RN designation, which can be attained with a two-year academic degree.

biomedical technician  Personnel who maintain medical devices and are responsible for many information privacy and security controls.

body area network (BAN)  A sensor or multiple sensors located on a person’s body that act as endpoint computing devices on a network. These sensors send and receive signals wirelessly to other medical devices and LANs.

breach  The compromise of information. In healthcare, a breach is usually specific to the unauthorized disclosure or loss of medical information as it is shared electronically.

breach notification  Following a breach of protected health information, healthcare organizations must inform several entities about the breach and the actions the organization is taking in response. Entities to be contacted are affected individuals, the government, and, in some cases, the media. In addition, third parties who handle PHI must notify the healthcare organization they support if a breach occurs at or by the third party.

bundled payment  A more predetermined payment model than fee-for-service, bundled healthcare delivers compensation to a healthcare provider based on expected costs for each acute care episode, not necessarily on the actual costs.

business associate (BA)  In the United States, a person or organization that performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information [US HHS].

business associate agreement (BAA)  A special type of contract, mandated by HIPAA in the United States, between a covered entity (CE) and a business associate (BA). The BAA should explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate’s subcontractors. In addition, HIPAA BAAs should require a BA to demonstrate how it will respond to an Office of Civil Rights (OCR) investigation.

business continuity  The actions an organization must be able to perform in an effort to continue its mission should an unforeseen event occur. Not all continuity operations are specific to information technology and systems.

business partner  A particular subcategory of vendor for healthcare organizations, business partners provide a product or service for the healthcare organization, but not within a transactional type of relationship. They are characterized as having a longer or recurring relationship with the healthcare organization, commonly described in a contract or formal, written obligation.

business process reengineering  Involves the radical redesign of core business processes to achieve dramatic improvements in productivity, cycle times, and quality. These improvements typically come from automation of manual processes or the implementation of a new technology.

capitation  A strict predetermined compensation model that provides a payment arrangement of a set amount for each person covered by a third-party payer. Providers agree in advance to accept a fixed amount for each person, known as a covered life, based on a specified time period, typically a year, whether or not that person seeks care.

Centers for Medicare and Medicaid Services (CMS)  An operating division of the US Department of Health and Human Services (HHS) that combines the oversight of the Medicare program, the federal portion of the Medicaid program, State Children’s Health Insurance Program, Health Insurance Marketplace, and related quality assurance activities.

certified registered nurse anesthetist (CRNA)  In the United States, an advanced practice registered nurse who has acquired graduate-level education and board certification in anesthesia.

choice  A concept that covers the right a person has to withdraw earlier authorizations whenever he or she wants. The person must make the request in writing, and it goes into effect once the healthcare organization receives it. This privacy principle upholds the right of individuals to opt in or opt out of information collection and use related to them.

clearinghouse  (1) An intermediary between the healthcare provider and payer; (2) a covered entity subject to HIPAA. The clearinghouse function is not limited to changing paper-based information to digital. It also serves to streamline the claims processing and revenue collection of the provider.

clinical workflow  A general term for depicting the different procedures and examples of activities clinicians use to provide patient care. Concerning electronic data and electronic health records (EHRs), clinical workflows depict how information travels through the data framework—by whom, to whom, when, and how frequently.

cloud computing  A collection of software, platforms, and infrastructure provided as a service to consumers via the Internet from remote locations external to the consumer’s organization.

coding  Translation of provider notes, exam information, and data that results from patient care and clinical operations from unstructured human language to alphanumeric data sets that are used for documenting and transacting disease description, injuries, symptoms, and conditions for additional clinical workflow and payment.

Common Criteria for Information Technology Security Evaluation  Criteria used by independent licensed testing and evaluation laboratories to assess the effectiveness of various hardware and software tools. The output or list of evaluated products can be used by healthcare information privacy and security personnel to select, purchase, and implement approved products [ISO/IEC 15408]. Usually referred to as Common Criteria.

compensating controls  The security controls employed in lieu of the recommended controls in the security control baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253 that provide equivalent or comparable protection for an information system or organization. Can be used when legitimate technical or business restrictions are known and adequate risk mitigation through other security controls is in place to reach acceptable risk tolerance levels.

completeness  A part of data integrity that requires personal data to contain all relevant elements, such as a medical record that includes all visits for an individual patient. Missing records do not satisfy a completeness requirement.

confidentiality  The process of protecting information so that it is not made available or disclosed to unauthorized individuals, entities, or processes [ISO 7498-2].

configuration control board (CCB)  A formal organizational committee that makes decisions regarding whether or not proposed changes to the enterprise network should be implemented. Includes hardware, software, business and clinical systems, applications, and network architecture changes.

consent  Agreement, approval, or permission granted voluntarily by a competent person [ISO/TS 17975]. In healthcare, a patient’s data should not be disclosed without the data subject’s consent. HIPAA permits but does not require a covered entity to obtain consent for use or disclosure of PHI for treatment, payment, or healthcare operations.

context-based access control  A control that is not set at the user level but is based on settings within the firewall that control traffic flow based on application layer protocol session information.

continuity of operations  Similar to business continuity, the planned and actual ability to continue performance of essential functions under a broad range of circumstances.

continuous monitoring  Process used constantly to detect compliance and risk issues associated with an organization’s operational environment.

control  A management, operational, or technical limitation, safeguard, or countermeasure to mitigate risk or ensure compliance with a standard. Under some standards, a control may be categorized as administrative, physical, or technical. Controls may also be classified as preventative, detective, or correction as time-based safeguards.

control variance  A range of acceptable values within any risk framework.

corrective action plan  A detailed plan of each area, such as a single Administrative Safeguard from the HIPAA Security Rule, and the actions necessary to meet compliance requirements for that one safeguard. Using the NIST Risk Management Framework language, you may want to develop a Plan of Action and Milestones as part of your corrective action plan.

covered entity  An entity subject to HIPAA and defined in the law as a health plan (insurer), health care clearinghouse, or healthcare provider (hospital).

create  The initial phase of the data lifecycle that includes the collection and intake of information. Information sources could be the patient, a provider, or any number of different medical devices and diagnostic tools.

data analytics  Employing information gained from processes that normalize, standardize, model, and turn data into usable formats to support decision-making and clinical practices.

data authority  An independent body as established by the in the General Data Protection Regulation (GDPR) in the European Union that monitors the data protection level in a member state, gives advice to the government about administrative measures and regulations, and starts legal proceedings when a data protection regulation has been violated. Also called the data protection authority and the supervisory authority in relevant guidance.

data breach  A security incident involving unauthorized access to information or data loss of personally identifiable information (PII) or PHI. See also breach.

data classification  A value relative to the sensitivity and criticality of information as defined by the organization. The classification level will determine what level of information protection controls will be applied to information collected, maintained, retained, used, and disposed of when no longer needed.

data controller  An entity or entities in the European Union that determine the purposes for why and how any personal data is, or is to be, processed. This entity can be a person, an organization, or a group of people who are not collectively an organization. The data controllers must ensure that information use complies with the EU Data Protection Directive (DPD).

data destruction  Various processes and methods used to permit the destruction of data and media in forms of IT storage, including shredding, degaussing, and sanitizing, based on data retention requirements. An important factor in deciding which method is appropriate is the organization’s risk and mitigation policies. The overall goal is to prevent unauthorized access to sensitive information in the last stage of the data lifecycle.

data encryption  Secure coding or cryptographic translation of data into a form that is unintelligible without a deciphering mechanism [NIST SP 800-47]. Data is rendered unreadable or unusable for recipients that do not possess a decryption key to change the data into clear text.

data processor  In the European Union, those who process the data on behalf of the data controller but are not employees of the controller. By comparison, a business associate is an example of a data processor in the United States specific to the healthcare industry.

Data Protection Directive (DPD)  Officially Directive 95/46/EC, it covers the protection of individuals in the European Union with regard to the processing of personal data and on the free movement of such data. Replaced by the General Data Protection Regulation (GDPR), effective 2018.

data retention  The legal or policy-related requirements that state how long an organization must store or retain records.

data sharing agreement  Often referred to as a data use agreement (DUA), an obligating document used to describe the access to and expectations for a third party’s use of a healthcare organization’s patient information. It will clearly indicate and limit the period of time the data sharing will occur, the systems the third party will access, and how the data will be used (and disposed of). Data sharing agreements can cover additional parameters.

data subject  In the European Union, the person to whom the data refers or pertains [ISO/TS 14265].

data taxonomy  The organization of elements of information into categories and classifications that are standardized to allow for common definitions and terminology and that facilitate data analytics and information exchange.

defense-in-depth  Consists of coordinating various defensive controls for your systems or applications to protect the overall integrity of organizational assets. In the IT world, examples of defense-in-depth include the use of antivirus and antimalware software, firewalls, encryption, intrusion detection and prevention, and biometric authentication.

degaussing  Erasing or eliminating the unwanted magnetic field on storage media such as a hard drive disk. In layman terms, degaussing erases the 0’s and 1’s. Because of magnetic hysteresis, it is generally not possible to reduce a magnetic field completely to 0, so degaussing typically leaves a remnant, an effect known as bias.

de-identification  Removal of identifying data elements from information so that the rest of the data cannot be used to identify someone. It reduces the privacy risk associated with collecting, processing, archiving, distributing, or publishing PII and PHI [NIST SP 800-188]. Under the HIPAA Privacy Rule, de-identification occurs when data has been stripped of common identifiers by either of two methods: by the removal of 18 specific identifiers (Safe Harbor Method), or by the formal determination of an experienced statistical expert that the statistical risk of re-identification is very small.

designation of privacy officer  The designation or assignment in writing from management of a person who oversees the development, implementation, maintenance of, and adherence to privacy policies and procedures. Required by most privacy regulatory requirements around the world. Privacy officers often must have specific experience or training.

diagnosis-related groups (DRGs)  Foundational classifications and codes used for quality of care and reimbursement matters. The basis of the US healthcare system reimbursement, DRGs consist of codes for severity of illness, prognosis, treatment difficulty, need for intervention, and resource intensity.

digital forensics  The investigation, collection, and preservation of potential digital evidence used to determine relevant circumstances after a cyberattack or data breach.

Digital Imaging and Communications in Medicine (DICOM)  A standard method for transferring images and information between medical devices such as digital diagnostic imaging devices, called modalities (X-ray, ultrasound, computed tomography, and so on), to facilitate use in various vendors’ electronic health records (EHRs).

disaster recovery  (1) The planning and policy development that is required to respond to a natural or manmade disaster; (2) an organization’s ability to resume operations after a natural or manmade disruption to information technology assets and business operations.

disclosure  As a principle within privacy frameworks, data collectors should inform data subjects about who is collection and using their data.

disclosure limitation  A control by which disclosure of healthcare information is limited to treatment, payment, and operations. Leading privacy frameworks generally limit disclosure but also provide specific exceptions where public safety and health considerations outweigh the need for individual privacy.

disposal  The final stage of the data lifecycle. There are three common disposal options for sensitive information: overwriting, degaussing electronic media, and physical destruction as the process applies to both paper records and electronic hardware containing digital information. All options must render sensitive information useless or unreadable.

doctor of osteopathic medicine (DO)  A medical professional with a doctorate degree conferred through a US medical school who focuses on osteopathic medicine. These physicians have the same credentials and privileges as physicians and surgeons with a Doctor of Medicine (MD) academic degree.

due care  The amount of attention that an ordinary and reasonable person or organization would be expected to provide to avoid negative consequences.

due diligence  A threshold or standard that is reached after what is considered reasonable and comprehensive review and mitigation of risk.

e-iatrogenesis  (1) A phenomenon related to the concept of illness or injury actually introduced in the delivery of healthcare, such as a patient suffering a bacterial infection after being admitted to the hospital. (2) In security and privacy terms, e-iatrogenesis is the unintended consequences that result from health information technology and security interventions, such as a computer system becoming inoperable after security software updates are installed.

electronic health record (EHR)  An electronic version of a patient’s medical history that is maintained by the provider over time and may include all of the key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports [Centers for Medicare and Medicaid Services (CMS)].

emergency medical technician (EMT)  A medical professional who has undergone special training to provide first response to emergency situations and to handle traumatic injuries and medical care at accident scenes.

employer-based insurance  Insurance coverage offered as an employment benefit, in addition to salary and other enticements. The insurance company collects employee premiums from the employer.

environmental services  The department and staff responsible for housekeeping, janitorial, laundry operations, and linen distribution in the healthcare organization.

eradication  The removal of any malicious activity or artifacts left by an intrusion. The activity falls within the containment, eradication, and recovery phase of data incident response.

European Union (EU)  An economic and political union of 27 member states that are located primarily in Europe. The European Union is an integrated governance of independent member states operating as one entity for cooperative and intergovernmental negotiated decisions by the member states.

event (information)  Any observable occurrence in a system or network. Events can be authorized actions, such as a user sending e-mail or a server receiving a request for a web page. If the event has a negative effect, it is called an adverse event [NIST SP 800-53].

evidence  Information collected in an investigation that may prove cause and extent of activity relating to an incident. Because it is used in legal proceedings, evidence must be collected and handled in a specific, controlled manner to prevent tampering or degradation.

exception handling  The process of responding to the occurrences of exceptions, which involve noncompliance with computing policies and standards. Where policy requirements are clearly articulated but cannot be met, a request must be made to explain reasons for noncompliance and any mitigations that can be made instead, including compensating controls.

exposure  The estimation of the level to which a weakness could have financial, reputational, operational, or clinical consequence in the event of an adverse event.

Federal Information Security Management Act (FISMA)  A US law enacted in 2002 as Title III of the E-Government Act of 2002 (Public Law 107–347, 116 Stat. 2899). The act supported improvements and investments in information systems security as a significant component of national security in the United States as well as economic interests.

fee-for-service  A payment model in which treatment is paid for based on each exam, consultation, intervention, and so on. It offers the greatest freedom of choice for patients in selecting providers and healthcare options.

gap analysis  A step in the risk assessment process that identifies the steps specific to the organization, and in some cases the functional unit, department, system, or application necessary to resolve the risks and weaknesses identified during assessments, audits, or other forms of analysis.

General Data Protection Regulation (GDPR)  The law governing information privacy and security throughout the European Union. It replaced EU DPD in 2018.

Generally Accepted Privacy Principles (GAPP) framework  Principles designed by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to assist organizations in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities. Important components within these privacy principles are drawn from relevant local, national, and international privacy laws, regulations, guidelines, and leading business practices.

Good Clinical Research Practice (GCP)  A set of guidelines that provides public assurance that the rights, safety, and well-being of research subjects are protected and respected. The requirements also ensure the integrity of clinical research data.

governance (information)  A strategic approach to managing the information assets of an organization that involves oversight and the authority to examine risks versus benefit and value for the use of information. Governance establishes and monitors relevant information use policies and procedures.

governance structure  A body, such as a board of directors, that requires support from the highest levels of an organization and that must be supported by a well-defined framework for program sponsorship at all organization levels, including executive levels in the owner and program management organizations. Governance structures must provide for clear leadership and establish the requisite ethical, safety, and other cultural foundations that successful programs require.

Health and Human Services (HHS)  A cabinet-level department of the US government with the goal of protecting the health of all Americans and providing essential human services. HHS oversees regulatory aspects for healthcare delivery and payment, including compliance with HIPAA [www.hhs.gov].

Health Information and Management Systems Society (HIMSS)  A not-for-profit organization dedicated to improving healthcare quality, safety, cost-effectiveness, and access, through the best use of information technology and management systems [https://www.himss.org].

health information exchange (HIE)  An organization that exists to facilitate the electronic sharing of healthcare information across multiple healthcare organizations. Typically, HIE organizations are not affiliated or under the same corporate structure, but they may be. In any case, the HIE supports information transfer within a region and community.

Health Insurance Portability and Accountability Act (HIPAA)  Federal legislation passed by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy–Kassebaum Act after two of its leading sponsors, then Senators Ted Kennedy and Nancy Kassebaum. It was initiated to help make healthcare operate more effectively and efficiently through administrative simplification and health insurance improvement and consists of several amendments: the Privacy Rule, the Security Rule, HITECH Act, and the Omnibus Final Rule [Public Law 104–191, 110 Stat. 1936, enacted August 21, 1996].

Health Level 7 (HL7)  (1) A protocol developed to enable different information systems to exchange health data between applications using a standard; (2) the organization that builds this standard.

health maintenance organization (HMO)  A healthcare organization that enrolls patients who pay a fixed amount to receive healthcare services. Patients are then eligible to receive care at lower cost from providers who have agreed to prenegotiated fees from the HMO.

health records management (HRM)  An organization that handles the designated record set for a healthcare provider. An HRM organization may be engaged, for example, because the provider does not have adequate space or expertise, or it may not be able to invest in the hardware or software (data center) to manage the information.

high-deductible health plan with savings option (HDHP/SO)  A high-deductible health insurance plan that enables enrollees to use tax-preferred funds (a health savings account, or HSA) to pay plan cost sharing and other out-of-pocket medical expenses. For a relatively low premium, an enrollee gets catastrophic insurance coverage. For all healthcare received up to catastrophic care, the enrollee must pay a high deductible.

impact  The extent of damages expected or experienced by a threat event happening.

incident (information)  An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies [NIST SP 800-128].

incident response team  A designated group of personnel responsible for reacting to information security incidences or any emergency incident, such as a natural disaster or an interruption of business operations.

indemnity insurance  The model for insurance payment that is based on fee-for-service. A patient receives healthcare services, pays for it at the point of care, and then submits a claim to the insurance company for reimbursement.

information asset identification  The process used to identify any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware, software, and data type information.

information asset validation  A method for determining the worth of an asset based on factors such as historical records, documented returns on investment, or replacement costs.

information lifecycle management (ILM)  A comprehensive approach to managing the flow of information from creation and initial storage to the time when it becomes obsolete and is deleted.

institutional review board (IRB)  A formal organizational committee that has been designated to approve, monitor, and review biomedical and behavioral research involving humans.

Integrating the Healthcare Enterprise (IHE)  An initiative by healthcare professionals and the healthcare industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as Digital Imaging and Communications in Medicine (DICOM) and HL7 to address specific clinical needs in support of optimal patient care [https://www.ihe.net].

integrity  The security and privacy concern that information and programs are changed only in a specific and authorized manner.

International Classification of Diseases (ICD)  The foremost and most widely known hierarchal medical classification system, designed to categorize diseases so that morbidity and mortality rates can be tracked and reported. The use of ICD codes—14,000 in total—are significant in the digitization of healthcare records and electronic record systems.

International Organization for Standardization (ISO)  The world’s largest developer of voluntary international standards, which provides state-of-the-art specifications for products, services, and good practice and helps to make businesses more efficient and effective.

Internet of Medical Things (IoMT)  A category of medical devices and applications that are healthcare information technology (HIT) systems or that connect to HIT systems through Wi-Fi, online computer networks, and cloud platforms. IoMT leverages machine-to-machine communication to collect, store, analyze, and transfer personal health data at an unprecedented scale and depth.

interoperability  The availability of data with regard to its ability to be transferred between connected systems and applications.

Joint Commission  An independent, not-for-profit organization headquartered in the United States, with a few offices worldwide, that conducts assessments of healthcare organizations. Joint Commission accreditation is considered important to demonstrate a healthcare organization’s commitment to quality and compliance with performance standards. In fact, in the United States, some reimbursement conditions are contingent on the organization having a current Joint Commission certification. Formerly known as the Joint Commission on Accreditation of Healthcare Organizations and Joint Commission on Accreditation of Hospitals.

least privilege  The concept that users of information should be granted access only to the information they need to perform their duties. Also known as the need-to-know principle. Least privilege does not mean that all users will have extremely limited functional access; some employees will have significant access if that is required for their position.

legal contracts  A legally binding agreement between entitles that generally includes four main elements: must be between two or more parties, all parties must be competent to consent, the agreement must be something of value, and the agreement must be lawful.

legal medical record  A portion of the entire medical record that should (at least) contain patient care decisions, document the care provided for purposes of reimbursement, and serve as evidence in legal proceedings about such care.

legitimate purpose  An important concept of the HIPAA Privacy Rule, which recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission. Under HIPAA, this concept is referred to as the “legitimate business purpose,” in that an organization requires the information to perform its mission. Under the EU DPA, personal data can be processed only for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.

licensed practical nurse (LPN)  A nurse who completes a year-long (typically) certified educational program. Often these programs are affiliated with a teaching hospital that provides some hands-on experience for the students. After nurses complete the program, they must pass an additional licensing exam. In some states, they may be called licensed vocational nurses.

likelihood  A function of risk that is the chance an occurrence will happen to exploit vulnerability and result in some impact.

limited collection/limited data set  Under HIPAA, a set of data in which most of the PHI has been removed.

lines of defense model  A risk-management framework used to outline and clarify roles and responsibilities in three major categories, or lines of defense. When used for information privacy governance, the model guides oversight of the functions from the board of directors and reduces gaps in roles and responsibilities through layers of oversight, which is required for effective information privacy governance.

local area network (LAN)  A computer network that interconnects computers within a limited area such as a home, school, computer laboratory, or office building using network media.

logging  (1) The action of recording actions taken by a user or users of a system; (2) the recording system itself; (3) actions of system transactions (may be remote system actions).

logical access  A system that prescribes not only who or what (for example, in the case of a process) is to have access to a specific system resource but also the type of access permitted.

Logical Observation Identifiers Names and Codes (LOINC)  A widely accepted code system specially formulated for identifying laboratory and clinical observations. To be able to exchange observations and measurements electronically across multiple independent lab systems, LOINC uses a universal code system with a maximum field size of 7.

malpractice  An instance of negligence or incompetence on the part of a medical professional.

managed care  A mechanism to control cost, improve quality, and increase access that has evolved over the last 50 years. The key feature of managed care is in the integration of healthcare delivery and payment within one organization.

Manufacturer Disclosure Statement for Medical Device Security (MDS2)  A method for information gathering related to the risks associated with medical devices that are capable of being connected to an organization’s networks, normally completed by the manufacturer.

master of science in nursing (MSN)  An advanced-level postgraduate degree for registered nurses in medical practices and other healthcare delivery settings. For educators and management positions, this can be an entry-level requirement. Nurses with this level of academic training often seek positions as health administrators, in health public policy, and in clinical executive positions.

Medicaid  In the United States, a joint federal and state program that provides healthcare coverage to more than 72 million Americans, including low-income families, parents, children, seniors, and individuals with disabilities. It is the single largest source of health coverage in the United States.

medical billing  (1) The transaction between provider and payer to receive reimbursement for services rendered; (2) the process of submitting and following up on claims in the US healthcare system.

medical device  A device or technology used to diagnose, prevent, monitor, or treat a disease, injury, or physiological process. It can be networked or stand-alone hardware, software, or applications. Health information and medical technology devices are regulated by the US Food and Drug Administration (FDA).

medical doctor (MD)  A medical practitioner, either a physician or surgeon with an advanced academic degree in medicine. After an internship and a residency assignment, in the United States, an MD must be tested and licensed by a certification board.

medical technician  A general category of healthcare employee who has received specialized training in administration and operation of various medical technologies such as medical devices and clinical systems. A medical technician has information protection responsibilities based on the particular equipment he or she uses and the PII and PHI collected, transferred, and stored.

Medicare  A program funded and administered by the federal government that provides health insurance coverage for individuals age 65 and over, or for citizens younger than 65 who are affected by long-term disabilities.

mitigation action  An action that involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process [NIST SP 800-30, ISO/IEC 27005].

monitoring  A component of detection security controls, an automated process for reviewing logs or actions, as well as monitoring the health and status of the system and its operations.

National Electrical Manufacturers Association (NEMA)  An association of nearly 325 electrical equipment and medical imaging manufacturers in the United States. Member companies manufacture safe, reliable, and efficient products used in the generation, transmission, distribution, control, and end use of electricity [https://www.nema.org].

National Health Service (NHS)  A government agency in the United Kingdom (UK) that is organized and resourced to provide universal health coverage. NHS is publicly funded via tax collection and is founded on the belief that all citizens have an entitlement to healthcare.

National Institutes of Standards and Technology (NIST)  A standard-setting agency that does not regulate industry but promotes innovation through measurement standards. The organization plays a critical role in helping industry and science create and implement these standards.

National Provider Identifier (NPI)  An identification standard for healthcare providers established by the US Health Insurance Portability and Accountability Act (HIPAA). The NPI is a unique identification number for healthcare organizations subject to HIPAA and used for administrative and financial transactions. It is permanently assigned to the provider regardless of location or job changes. The NPI is a 10-position, intelligence-free numeric identifier (a 10-digit number).

Nationwide Health Information Network (NHIN)  Within the United States, a proposed combination and interconnection of HIEs into an integrated network of national, state, regional, and local health information organizations.

notice of privacy practices  A HIPAA requirement that patients be informed of a covered entity’s practices and procedures regarding use and disclosure of PHI. This is achieved by giving the patient, conspicuously posting, and making available the procedures the healthcare organization has in place to collect and use PHI. Under the EU DPA, data subjects should be given notice when their PHI is being collected.

notification  A regulated process for healthcare organizations and their third-party suppliers to announce adverse information incidents to help individuals manage potential unauthorized access and use of their PII and PHI. See breach notification.

nurse  The largest category of the healthcare workforce. The training and approach to patient care for nurses is comprehensive across many environments, specialties, and scopes of practice.

nurse practitioner  An advanced-level registered nurse who has completed additional academic training at a master’s or doctoral degree level with advanced clinical training beyond that required of the generalist registered nurse (RN) role. Nurse practitioners have greater responsibilities than RNs and provide medical services similar to an MD.

nurses’ aide  Assistants who work under a licensed nurse’s supervision to provide basic patient care in a variety of healthcare settings, from a physician’s office, to a hospital, to long-term care environments. A related occupation to hospital orderlies and attendants, nurses’ aides perform services that include moving, repositioning, and lifting patients. Sometimes known as nursing assistant.

openness  Enables any member of the public who has legitimate interest to be provided information about the processing of healthcare data. Although this does not supply access to the data itself, it does mean that the organization should disclose how the data it maintains on behalf of others is kept secure, processed, or shared.

Organisation for Economic Co-operation and Development (OECD) principles  These categorize fair information practices for collecting, storing, and using PII. The organization aims to help individuals participate in the use of their own information. The principles assign responsibility for protecting information to the entities that collect and maintain it. The framework consists of the following principles: Collection limitation, Data quality, Purpose specification, Use limitation, Security safeguards, Openness, Individual participation, and Accountability.

overwriting  The process of replacing old data with new data. Data that has been overwritten is generally considered to be unrecoverable.

patient  A person who seeks assistance with matters of health (physical and mental), improvement of health status, or treatment of illness.

patient authorization  A detailed privacy-related document that gives covered entities permission to use PHI for specified purposes, which are generally purposes other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

payer  Someone other than the patient who finances or reimburses the cost of healthcare. Commonly described as third-party payers or health insurers.

peer review  An assessment of processes, research, clinical records, and other medical work by qualified personnel with similar competency. This quality control method is a self-regulatory approach to maintaining standards and credibility within healthcare practices.

personal area network (PAN)  A small network consisting of a communications area near the individual, which may include a body area network (BAN), in which numerous devices are attached to convey information primarily over wireless channels. A PAN is sell-administered within a segment provided to it on the LAN of an organization or within an individual’s home.

Personal Health Information Protection Act (PHIPA)  Ontario, Canada, legislation that is a component of the Health Information Protection Act that intends to protect the healthcare information of patients by healthcare organizations, called healthcare custodians in the regulation.

personal health record (PHR)  A record of personal health that is maintained by the patient as opposed to the provider organization. It is sometimes confused with an EHR or misidentified as part of a longitudinal EHR.

Personal Information Protection and Electronic Documents Act (PIPEDA)  A Canadian law relating to data privacy that applies to private sector organizations and regulates how they collect, use, and disclose personal information to conduct required business operations. PIPEDA includes provisions for paper as well as digital information protection.

personally identifiable information (PII)  Any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information [GAO Report 08-536].

pharmacist  A healthcare professional responsible for the proper and safe use and distribution of medications and who has advanced academic credentials with authorization to prepare and dispense medications prescribed by a qualified medical professional. Pharmacists are an integral part of the healthcare team in that they often provide meaningful education and counseling for patients who are receiving medication.

physical destruction  Options, such as shredding or incineration, of paper or digital data to destroy the physical characteristics of data storage.

physician  A healthcare professional whose role is to diagnose and treat injuries and illnesses for his or her patients. Surgeons are a specialized type of physician who performs operations.

physician assistant (PA)  Another general category of healthcare professional who has a license to practice medicine under the guidance of a physician.

point-of-service (POS) plan  A managed care plan that combines the most attractive elements of both HMOs and preferred provider organizations (PPOs). In exchange for a deductible and higher coinsurance payment on a one-time basis, an HMO enrollee can choose to use a service that falls outside of the HMO plan.

preferred provider organization (PPO)  A fee-for-service health plan with a number of providers who have aligned with the PPO. If the patient chooses a participating provider, the cost of medical care is discounted to the enrollee. If not, the service is covered at a lesser rate. A PPO offers more choice to the patient than other models, particularly an HMO. However, the out-of-pocket costs like deductibles and coinsurance payments to the patient are increased, generally. The costs are more when the patient exercises their prerogative and chooses a provider or service not included in the PPO plan.

privacy  Freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual [ISO/IEC 2382-8].

privacy shield  With the advent of GDPR, the replacement of Safe Harbor provisions. The European Union and the US Department of Commerce developed a way for US organizations to demonstrate adequate privacy protections to satisfy GDPR concerns and permit transnational PII and PHI data exchange.

processing authorization  Under the EU DPD, because of the vast levels of information use and sharing in healthcare, this authorization requires regulatory control and approval for transfer based on the nature of the information collection and transfer as well as prescribing appropriate safeguards.

proportionality  Addresses assurances that personal data that is collected and shared is limited only to that which is necessary and used for the intended and described purpose.

protected health information (PHI)  A subset of individually identifiable health information that includes demographic information collected from an individual by a health care provider, health plan, employer, or healthcare clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual [45 CFR § 160.103 – Definitions].

provider  Any person or organization that is involved in or associated with the delivery of healthcare to a client, or is caring for a client’s wellbeing [ISO/TS 27527].

pseudonymization  A particular type of anonymization that both removes the association with a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms [ISO/TS 25237].

psychiatrist  An MD who focuses on examining and treating mental illnesses and behavioral health issues with legal privileges to prescribe medication.

psychologist  A PhD or PsyD who provides patient care with respect to behavior and mental processes. A psychologist provides counselling services and may conduct research within academic settings.

purpose  A privacy principle included in most leading frameworks that asserts that data collected will be used for a specific reason and will be used only for reasons disclosed to the data subject or permissible under applicable law.

purpose specification (or limitation)  A specification that is intended to protect data subjects by setting limits with regard to the collection and further processing of their data. It sets limits on how organizations are able to use PII or PHI data, while also offering some degree of flexibility for clinical and business requirements.

qualitative risk assessment  An assessment process by which the components of the risk equations are valued at levels such as high, medium, and low. Subjective factors are used to measure and evaluate risk. Particularly useful when the assessment must be made in a short period of time or the assessors are familiar with the subjects of the assessment (such as systems, processes, vendors, or applications).

quantitative risk assessment  An assessment process that includes the use of objective data such as financial impacts, revenue losses, historical frequency and probabilities, and risk scores associated with vulnerability management. Data can be difficult to obtain, so this approach is sometimes used in conjunction with qualitative methods.

quality  A state of data that matches ideally to the concept of integrity as is applies to principles of security. Data should be relevant to the purpose for which it was collected, should be maintained to be accurate and complete, and should be updated to remain so.

registered nurse (RN)  A nurse who has graduated from a nursing program at a college or university and has passed a licensing exam to obtain a nursing license.

reimbursement  Repayment for expense incurred, the final step of the revenue cycle. As claims are processed and bills are submitted (and resubmitted), the desired outcome from the provider’s perspective is to receive reimbursement for the cost of the provided healthcare.

remediation  The method by which the organization responds to identified risks or weaknesses in controls. The process includes implementing changes to meet or exceed the requirements of a control or use of compensating controls to minimize risk.

residual risk  A portion of the risk that remains after a risk assessment has been conducted and mitigation is implemented to the best extent possible. Note that some residual risk may be accepted, while other risks may be transferred or avoided.

retention  The storage and maintenance of data by an organization. Policies are required to establish the length of time the records are useful; after this time, they are discarded. Regulatory requirements and the value of the information will determine how long an organization will keep the information.

risk  The level of impact on the organization and information assets resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring [NIST SP 800-47].

risk acceptance  A conscious acceptance that a certain act may result in a negative consequence based on informed assessment and decision based on a process to identify the risk, best practices to address, and possible mitigation strategies implemented.

risk analysis  The process of identification, recording, and determining action plans with regard to risk, both system and organizational in nature. It is a scientific approach to examining risks with probability and impact measures.

risk avoidance  The decision not to perform an activity that potentially involves risk. An example would be not entering into a contract with a third party because of its previous history of data breaches.

risk communication  A continuous process intended to improve collective and individual decision-making that includes providing awareness of the risk management process and the roles of each functional area, stating outcomes of risk assessments, and reporting on corrective action plans.

risk management lifecycle  Applied to the healthcare organization and oversight of third-party relationships, includes activities identifying, assessing, and mitigating information risks.

risk planning  A method of managing risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.

risk reduction  Actions taken to lessen the severity of impacts or the likelihood of an incident from occurring. See also mitigation action.

risk transfer  The process of shifting exposure to the organization by using other options to offset potential loss, such as purchasing cybersecurity insurance.

risk treatment  Actions to be taken to address identified risks. Once risks have been identified and assessed, the organization must determine these actions, which are identified as risk treatments and include techniques to manage the risk. Techniques fall into one or more of four major categories: avoidance, transfer, mitigation, and acceptance.

role-based access  A process implemented to match access to data or systems with the functional or structural role an individual provides within the organization. So, for example, a doctor who works in the emergency department will have the same access to data as another doctor in the emergency department, but the ER doc’s access would not be the same as that of a doctor who works in the ophthalmology department.

rule-based access  A discretionary access approach that allows or restricts access based on parameters and properties not related to identity or function. For example, access could be based on IP address, geographic location, or time of day.

Safe Harbor  A provision within the HITECH Act that exempts HIPAA-covered entities and business associates from reporting and notifying external agencies and affected individuals when they have implemented specified technologies and methodologies so that the protected health information is not “unsecured.” Encryption and de-identification are examples of specified technologies and methodologies that satisfy safe harbor exemption.

Safe Harbor Privacy Framework  A framework to provide an efficient and effective process for US organizations to demonstrate adherence to EU DPD privacy approaches. The US Department of Commerce in consultation with the European Commission developed this framework to accommodate the privacy programs of US firms and permit data transfer from EU organizations.

sanction policy  A human resources policy to apply disciplinary actions against members of the workforce who do not correctly handle protected health information.

sanitizing  Data and media disposal techniques that completely erase or securely cleanse all information from devices and storage platforms.

secure shredding  A physical data-destruction technique that destroys media such as a disc, tape, or hard drive by crushing, pulverizing, or processing through a shearer.

security  A process of assuring confidentiality, integrity, and availability of data, both in paper form and digital, via administrative, technical, and administrative controls.

security categorization  Means of determining the level of security required for a system based on the information (or data) type the system uses or maintains.

security controls  Measures that provide the capability to identify, protect, detect, respond, and recover from threats and attacks. These defenses or countermeasures are used to protect information, prevent physical asset destruction, and minimize risk.

segregation of duties  A sort of checks and balances system implemented to reduce the risk of accidental or deliberate misuse of information. It involves processes and controls that help create and maintain a separation of security roles and responsibilities within an organization to ensure that the integrity of security processes is not jeopardized, and to ensure that no single person has the ability to disrupt a critical computing process or security function.

service level agreement (SLA)  An obligating document that outlines the support or products the third party promises to provide and relevant measures against which the healthcare organization can assess fulfillment. One such support item and its measurement would be continuous network uptime.

single loss expectancy (SLE)  The value of the asset multiplied by the impact measurement as a one-time occurrence or single loss expectancy: (SLE) = asset value (AV) × exposure factor (EF).

social worker  A professional who concentrates on patients’ quality of life and subjective well-being. Social workers administer to individuals, groups, and communities. Areas of practice include research, counseling, crisis intervention, and teaching.

staff augmentation  An outsourcing or contracting strategy that is used to increase a department staff temporarily. Additional personnel are integrated into a current workforce with similar day-to-day management and oversight.

stewardship  The responsibility for ownership and accountability in the managing or organizational data to ensure quality, accuracy, and availability.

supervisory authority  An independent body in each EU member state that oversees the data protection processes in its state. The position is an advisor to government and may take enforcement actions when there are infractions against privacy and data protection directives.

system recovery  Planning and processes that help ensure information systems are available in times of crisis and business disruption. Depends on adequate data backup processes to restore information assets as quickly as possible. See also disaster recovery.

Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT)  A detailed terminology framework of concepts, descriptions, and relationships that works for developing inputs into healthcare systems and that resemble data flow diagrams or flowcharts. Used to describe extensive clinical terminology that is meant more as machine language to construct the EHR.

third party  A business external to the healthcare organization that provides supplies, services, and products. Third parties may also manage, maintain, or have access to sensitive information. In the United States, these entities are called business associates.

threat  A possible danger, an action, or a condition that presents a source of concern for the security of an organization, such as a phishing attack. A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, and other organizations [NIST SP 800-12].

tort law  A civil action, as opposed to a criminal action, that establishes legal liability when injury or harm is caused by someone or an organization against another person or entity. Several categories of criminal acts can be affected by tort law: intentional, negligent, failure to fulfil a duty to act, and legal violation of law.

training  Part of security awareness as a security control, an approach to teach employees about proper information protection techniques, including incident reporting and password management.

trans-border concerns  Jurisdictional considerations that affect data transferred and shared across national or state boundaries. Some regulatory guidance restricts or prohibits transfer of PII and PHI outside of the host country. Organizations that enter into third-party agreements with firms located in different regulatory jurisdictions will need to be aware of trans-border implications.

transparency  When an individual’s data is maintained by an organization, this process ensures that the individual is aware of how their data is maintained, processed, or shared.

unauthorized disclosure  An impermissible use or prohibited access of PHI where the security or privacy of the information is potentially compromised.

use  A general term for all actions that constitute handling information—collection, transfer, storage, analysis, and disposal are examples.

use limitation  When disclosing PHI, the amount or content of data provided must be limited to what is required to satisfy the request and nothing more.

user-based access  Access rights that are established based on an individual’s attributes, specific to the person.

value stream mapping (VSM)  A method, rooted in lean-management techniques made popular by Toyota decades ago, for analyzing the current state, reducing wastes, and designing an improved future state. The purpose of VSM is to increase efficiency by eliminating waste.

vendor  An entity that sells, supplies, or provides a service or product. In healthcare, vendors do business with a provider organization. They may have many different customers, including those that are not healthcare organizations. Their service or product may or may not be healthcare related.

vulnerability  A weakness in a computing environment based on ineffective security controls or a condition that puts an organization in danger of exploit by an information threat or natural disaster.

wide area network (WAN)  An expansive, interconnected computer network that spans multiple cities and geographic areas across a telecommunication construction over public and private digital pathways.

wireless network  Also called Wi-Fi, a generic term that refers to a wireless LAN that observes the IEEE 802.11 protocol to connect network nodes [NISTIR 7250].