Compliance Glossary

Business Associate Agreement (BAA)

An agreement that explicitly documents a vendor's willingness to take all necessary measures to comply with the HIPAA privacy rules.

Business Associate

Any company or business associate of a company that during the course of conducting business with a covered entity will be exposed to or be in possession of PHI is classified as a Business Associate. Some examples of Business Associates include companies that provide electronic data storage services, paper document storage, legal services, IT services, accounting services, consulting services, and any company that transmits, maintains, or manages PHI on behalf of the covered entity.

Cardholder Data

Personal data associated with credit or debit cards. It includes the Primary Account Number (PAN), cardholder name, expiration date, and the three- or four-digit service code that appears on the card.

Covered Entity

There are three main classes of covered entities.

  1. Health care providers: Doctors, dentists, medical clinics, psychologists, chiropractors, nursing homes, pharmacies.
  2. Health plans: Health insurance companies, company health plans, Medicare, Medicaid, veterans health care programs, and HMOs.
  3. Health care clearinghouses: Organizations that convert non-electronic medical information into electronic records.

Compliance Audit

A comprehensive review of the regulatory guidelines that apply to your company and an assessment of whether you are adhering to them. These audits are typically performed by an outside IT consulting firm or an independent accounting firm. The auditors will review security policies, user access controls, and risk management procedures.

Chief Privacy Officer

A chief privacy officer (CPO) is a "C"-level executive who is responsible for developing and implementing policies designed to protect customer and employee data from unauthorized access.

Chief Risk Officer

A chief risk officer (CRO) is a "C"-level executive who is responsible for identifying, assessing, and mitigating the risks that corporations face from competitors, non-compliance with industry or government regulations, insiders, privileged users, former employees, and illegal hacking.

Controlled Unclassified Information

Any information that a law, regulation, or government policy requires to be safeguarded but that is not classified as Confidential, Secret, or Top Secret under Executive Order 13526 or the Atomic Energy Act of 1954.

Corporate Governance

Corporate governance is the set of rules, processes, or laws by which businesses are operated, regulated, and controlled. The term can refer to self-imposed guidelines defined by the executive team, the board of directors, or stockholders. External forces such as consumer groups, activists, large clients, unions, or government regulations can also influence the rules or processes that must be followed.

Dodd-Frank Act

The Dodd-Frank Act is also known as the Dodd-Frank Wall Street Reform and Consumer Protection Act. This law places regulation of the financial industry in the hands of the government. The legislation is designed to prevent another significant financial crisis by creating regulatory processes that focus on transparency of financial information and on making executives accountable for irregularities.

Data Breach

An incident in which sensitive data, regulated information, trade secrets, or intellectual property has been exposed to people who are not authorized to see it. This may be due to illegal activity or to the accidental or inadvertent release of sensitive data outside the control of the organization.

Education Record

Records containing student information that are maintained or stored by an educational institution, or by a third party acting on behalf of an educational institution or agency.

HIPAA Identifiers

When any of the HIPAA identifiers are combined with an individual’s physical or mental health or condition, health care, or a payment for that health care, it becomes Protected Health Information (PHI).

HITECH Act

The Health Information Technology for Economic and Clinical Health Act is the legislation that was created to encourage the adoption of electronic health records (EHR) in the United States. HITECH is a component of the American Recovery and Reinvestment Act of 2009 (ARRA).

Identifiable Natural Person (GDPR)

A person whose identity can be determined, either directly or indirectly, from data such as a name, an ID number, location data, an online identifier, or other factors related to that person's identity.

IT Audit

An IT audit is an evaluation of an organization's information technology and IT policies. The audit reviews all aspects of information technology, including hardware, operating system software, application software, storage, backup, disaster recovery preparedness, and security.

Minimum Necessary

When working with another covered entity or business associate, you must limit the personal health information you disclose to what is absolutely necessary.

PCI Compliance (payment card industry compliance)

Payment card industry (PCI) compliance is a set of guidelines established by the major credit card brands. All businesses that accept credit cards, or that store or transmit credit card data, are required to follow the guidelines to prevent theft of credit card data.

Personal Data (GDPR)

Information that clearly relates to a specific person.

Personally Identifiable Information (PII)

Information including name, address, DOB, Social Security #, or other data that could be used to identify a student.

Protected Health Information (PHI)

PHI (Protected Health Information) is the combination of information about a person's health with other information that would identify who the person is. Examples of PHI include patient names, phone numbers, Social Security numbers, and even photographs of the patient. This type of information can show up in a variety of ways, including medical bills, emails, appointment scheduling, medical test results, and voice mail. It's important to remember that PHI includes all such information that comes into or leaves a covered entity. PHI covers not only electronic records but also verbal and written information, information visible on computer screens, and even conversations that may be overheard.

Privacy Rule

The Privacy Rule gives individuals certain rights concerning their health information, including the right to inspect their records and to request corrections to their medical records. The Privacy Rule requires covered entities to notify individuals of their right to privacy and to explain how their PHI will be used and whether it will be shared with anyone.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act is legislation designed to protect shareholders in public companies and the general public from fraudulent practices and accounting errors. Its goal is to improve the accuracy of corporate disclosures.

Security Rule

The HIPAA Security Rule establishes the national IT standards for protected health information. The rule outlines information technology standards and best practices for protecting data that is stored or transmitted electronically.

Security Breach Notification

Many government agencies enforce legislation that requires private or governmental entities to notify individuals, or another governing body, of security breaches. There are many different security breach notification laws, and which ones apply depends on the jurisdiction in which the breach occurs and on exactly what the breach entailed.
