Compliance Glossary

Business Associate Agreement (BAA).

An agreement that explicitly documents a vendors willingness to take all necessary measures to comply with HIPAA privacy rules.  Sample BAA

Business Associate

Any company or business associate of a company that during the course of conducting business with a covered entity will be exposed to or be in possession of PHI is classified as a Business Associate. Some examples of Business Associates include companies that provide electronic data storage services, paper document storage, legal services, IT services, accounting services, consulting services, and any company that transmits, maintains, or manages PHI on behalf of the covered entity.

Covered Entity

There are three main classes of covered entities.

  1. Health care providers: Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies.
  2. Health plans: Health insurance companies, HMOs, company health plans, Medicare, Medicaid, veterans health care programs.
  3. Health care clearinghouses: Organizations that convert non-electronic medical information to electronic records.

Compliance Audit

A comprehensive review of the regulatory guidelines that apply to your company and an assessment of whether you are adhering to them.  These audits are typically performed by and outside IT consulting or and independent accounting firm. The auditors will review security policies, user access controls, and risk management procedures.

Chief Privacy Officer

A chief privacy officer (CPO) is a “C” level executive that is responsible for developing and implementing policies designed to protect customer and employee data from unauthorized access.

Chief Risk Officer

A chief risk officer (CRO) is a “C” level executive that is responsible for identifying, assessing, and mitigating risks that corporations face from competitors, non-compliance related to industry or government regulations, insiders, privileged users, former employees, and illegal hacking.

Corporate Governance

Corporate governance is the rules, processes or laws by which businesses are operated, regulated and controlled. The term can refer to self-imposed guidelines that are defined by the executive team, the board of directors, or stockholders.  External forces such as consumer groups, activists, large clients, unions, or government regulations can also influence rules or processes that must be followed.

Dodd-Frank Act

The Dodd-Frank Act is also known as the Dodd-Frank Wall Street Reform and Consumer Protection Act. This law places regulation of the financial industry in the hands of the government. The legislation is designed to prevent another significant financial crisis by creating regulatory processes that focus on transparency of financial information and making executive accountable for irregularities.

Data Breach

An incident in which sensitive data, regulated information, trade secrets, or intellectual property has been exposed to people that are not authorized to see it.  This may be due to illegal activity or accidental or inadvertent release of sensitive data outside of the control of the organization.

Education Record

Records that contain student information that is maintained or stored by an educational institution or a third party acting on behalf of an educational institution or agency.

HITECH Act

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is the legislation that was created to encourage the adoption of electronic health records (EHR) in the United States. HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

IT Audit

An IT audit is an evaluation of an organization’s information technology and IT policies. The audit will review all aspects of information technology including, hardware, operating system software, application software, storage, backup, disaster recovery preparedness, and security.

PCI Compliance (payment card industry compliance)

Payment card industry (PCI) compliance is a set of guidelines established by the major credit card brands. All businesses that accept credit cards, store or transmit credit card data are required to follow the guidelines in an effort to prevent theft of credit card data.   

Personally Identifiable Information (PII)

Any information such as name, address, Social Security number,  date of birth, or other information that could be used alone to identify a student.

Protected Health Information (PHI)

PHI (Protected Health Information) is the combination of information about a person’s health with other information that would identify who the person is. Examples of PHI include patient names, phone numbers, social security numbers, and even photographs of the patient. This type of information can show up in a variety of ways including medical bills, emails, appointment scheduling, medical test results, and voice mail. It’s important to remember that PHI includes all information that comes into or leaves a covered entity. PHI not only covers electronic records it includes verbal, written, information visible on computer screens, and even conversations that may be overheard.

Privacy Rule

The privacy rule gives individuals certain rights with respect to their health information. Their rights include but are not limited to the right to inspect any of their records and request corrections or amendments to their medical records. The Privacy Rule requires covered entities to notify individuals of their right to privacy and to explain how their PHI will be used and if it will be shared with anyone.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act is legislation designed to protect shareholders in public companies and the general public from fraudulent practices, and accounting errors. The goal is to improve the accuracy of corporate disclosures.

Security Rule

The HIPAA Security Rule establishes the national IT standards for protected healthcare information. The rules outline information technology standards and best practices on how to protect data that is stored or transmitted electronically.

Security Breach Notification

Many government agencies enforce legislation that requires private or governmental entities to notify individuals or another governing body of security breaches. There are many different security breach notification laws that depend on what jurisdiction the breach occurs in and exactly what the breach entailed.