HIPAA Glossary

Plain-English definitions for every HIPAA and compliance term you'll encounter — from Access Control to Zero Trust.

A

Access Control

Technical policies and procedures that restrict access to electronic protected health information (ePHI) to only authorized users and systems. Under the HIPAA Security Rule, covered entities must implement technical access controls including unique user identification, automatic logoff, and encryption where appropriate.

Accounting of Disclosures

An individual's right under HIPAA to receive a record of certain disclosures of their PHI made by a covered entity during the six years prior to the request. Disclosures for treatment, payment, and operations (TPO) are generally excluded from this accounting requirement.

Addressable (Implementation Specification)

A designation under the HIPAA Security Rule indicating that a covered entity must assess whether a particular implementation specification is reasonable and appropriate for its environment. If not, the entity must document its reasoning and implement an equivalent alternative measure.

Administrative Safeguards

One of three categories of HIPAA Security Rule safeguards, consisting of administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures. Examples include risk analysis, workforce training, and contingency planning.

Audit Controls

Hardware, software, and procedural mechanisms required under the HIPAA Security Rule that record and examine activity in systems containing ePHI. Audit logs provide a traceable record of who accessed, modified, or transmitted PHI and when.

Audit Trail

A chronological record of system activities that enables the reconstruction and examination of events surrounding or leading to an operation, procedure, or event. Audit trails are essential for detecting unauthorized access and demonstrating HIPAA compliance.

Authorization

A written permission from an individual allowing a covered entity to use or disclose their PHI for purposes beyond treatment, payment, and operations. A valid authorization must include specific core elements such as a description of the PHI, the purpose of the disclosure, and an expiration date.

Availability

One of the three core principles of the HIPAA Security Rule (alongside confidentiality and integrity), defined as the property that ePHI is accessible and usable upon demand by authorized persons. Covered entities must protect against reasonably anticipated threats that could disrupt access to ePHI.

B

BAA (Business Associate Agreement)

A legally required contract between a covered entity and a business associate that specifies each party's responsibilities for protecting PHI. The BAA must include provisions for safeguarding PHI, reporting breaches, and ensuring subcontractors also comply with HIPAA requirements.

Breach

An impermissible use or disclosure of PHI that compromises the security or privacy of the information. Under the HIPAA Breach Notification Rule, a breach is presumed unless the covered entity can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.

Breach Notification Rule

The HIPAA rule requiring covered entities to notify affected individuals, the HHS Secretary, and in some cases the media, following a breach of unsecured PHI. Individual notifications must be provided within 60 days of discovering the breach; breaches affecting 500 or more individuals also require media notification.

Business Associate

A person or organization that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. Common examples include cloud service providers, billing companies, EHR vendors, and legal firms that handle patient records.

Business Continuity Plan

A documented strategy for maintaining or restoring critical business operations—including access to ePHI—during and after a disaster or disruptive event. The HIPAA Security Rule requires covered entities to have contingency plans that include data backup, disaster recovery, and emergency mode operation procedures.

C

CFR (Code of Federal Regulations)

The codification of the general and permanent rules and regulations published in the Federal Register by the executive departments and agencies of the U.S. federal government. HIPAA regulations are found primarily in 45 CFR Parts 160, 162, and 164.

Civil Money Penalty

A financial sanction imposed by the HHS Office for Civil Rights (OCR) for violations of HIPAA rules. Penalties are tiered based on the level of culpability, ranging from $137 to $2,067,813 per violation category per year, with higher penalties for willful neglect.

Clearinghouse

See Health Care Clearinghouse. A public or private entity that processes nonstandard health information it receives from another entity into a standard format, or vice versa, making it a covered entity under HIPAA.

Complaint

A formal written grievance filed with HHS OCR alleging that a covered entity or business associate has violated HIPAA Privacy or Security Rule requirements. Individuals have 180 days from when they knew or should have known of the alleged violation to file a complaint.

Compliance Officer

An individual designated by a covered entity or business associate to be responsible for overseeing and implementing the organization's HIPAA compliance program. This role is sometimes titled Privacy Officer or Security Officer, or is combined into a single Chief Compliance Officer position.

Confidentiality

One of the three core principles of the HIPAA Security Rule, defined as the property that ePHI is not available or disclosed to unauthorized persons. Covered entities must implement safeguards to protect the confidentiality of ePHI in storage, transit, and during processing.

Contingency Plan

A required HIPAA Security Rule administrative safeguard consisting of policies and procedures for responding to emergencies or disasters that damage systems containing ePHI. A complete contingency plan includes data backup, disaster recovery, emergency mode operations, testing, and application and data criticality analysis.

Covered Entity

An organization directly regulated by HIPAA, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with HIPAA-covered transactions. If you bill insurance electronically, you are almost certainly a covered entity.

Covered Functions

Those functions of a covered entity that cause it to meet the definition of a covered entity under HIPAA—specifically, the activities of a health plan, health care provider, or health care clearinghouse. Employees performing covered functions are subject to HIPAA's workforce requirements.

D

Data Backup Plan

A required component of HIPAA's contingency plan standard, consisting of documented procedures to create and maintain retrievable exact copies of ePHI. Backups must be tested periodically to ensure they can actually be restored in the event of a system failure or disaster.

De-identification

The process of removing or obscuring from health information all 18 categories of direct and indirect identifiers specified by HIPAA so that the remaining information cannot reasonably be used to identify an individual. De-identified health information is not PHI and is not subject to HIPAA's restrictions on use and disclosure.

Designated Record Set

A group of records maintained by or for a covered entity that includes medical and billing records used to make decisions about individuals. Patients generally have the right to access and request amendment of PHI contained in their designated record set.

Direct Treatment Relationship

A treatment relationship in which a health care provider delivers health care directly to an individual, such as a physician treating a patient. This is distinguished from an indirect treatment relationship where the provider delivers services based on orders from another provider.

Disaster Recovery Plan

A documented and tested set of procedures for restoring critical systems and data access following a disaster. Under HIPAA, the disaster recovery plan is a required component of the contingency plan and must address restoration of lost data and resumption of operations at the original or alternate location.

Disclosure

The release, transfer, provision of access to, or divulging of PHI in any manner to a party outside the entity holding the information. HIPAA's Privacy Rule regulates which disclosures of PHI are permitted and under what circumstances, distinguishing between required, permitted, and prohibited disclosures.

E

Encryption

The conversion of data into a form that cannot be read without a decryption key, used to protect ePHI from unauthorized access during storage and transmission. HIPAA lists encryption as an addressable implementation specification under the Security Rule; when implemented, encrypted data is considered 'secured' and a breach of such data does not trigger notification requirements.

Enforcement Rule

The HIPAA rule codified at 45 CFR Part 160 that establishes the procedures and penalties for HIPAA noncompliance, including the framework for investigations, hearings, and the imposition of civil money penalties by HHS OCR.

Entity Authentication

An addressable implementation specification under the HIPAA Security Rule requiring covered entities to implement procedures to verify that a person or entity seeking access to ePHI is who or what they claim to be. Methods include passwords, PINs, biometrics, and smart cards.

ePHI (Electronic Protected Health Information)

Protected health information that is created, received, maintained, or transmitted in electronic form. ePHI includes health data stored in computers, servers, portable devices, or transmitted over networks, and is specifically regulated by the HIPAA Security Rule in addition to the Privacy Rule.

Expert Determination

One of two methods approved by HIPAA for de-identifying PHI, in which a person with appropriate statistical or scientific knowledge applies generally accepted principles and methods to determine that the risk of identifying an individual is very small, and documents the methods and results.

F

Facility Access Controls

Physical safeguards required by the HIPAA Security Rule to limit physical access to electronic information systems and the facilities in which they are housed to authorized users only. Implementation specifications include contingency operations, facility security plans, access control and validation procedures, and maintenance records.

FERPA

The Family Educational Rights and Privacy Act, a federal law that protects the privacy of student education records. When FERPA applies to a student's health records held by a school, those records are generally exempt from HIPAA, though there is a limited exception for health records maintained by a covered health care provider at a school.

Firewall

A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls are a common technical safeguard used to protect systems containing ePHI from unauthorized external access, though HIPAA does not mandate firewalls specifically.

G

Gap Analysis

An assessment that compares an organization's current security and privacy practices against the requirements of HIPAA and identifies areas where controls are missing, insufficient, or ineffective. A gap analysis is often the first step in building or improving a HIPAA compliance program.

Governance

The system of policies, processes, and structures by which an organization directs and controls its HIPAA compliance activities. Effective governance includes clear accountability, defined roles and responsibilities, regular reporting to leadership, and documented decision-making processes for privacy and security matters.

H

Health Care Clearinghouse

A public or private entity—including a billing service, repricing company, or community health management information system—that processes nonstandard health information received from another entity into a standard format or standard data content, or vice versa. Clearinghouses are covered entities under HIPAA.

Health Care Provider

A provider of medical or health services and any other person or organization who furnishes, bills for, or is paid for health care in the normal course of business. Health care providers are covered entities under HIPAA only if they transmit health information electronically in connection with a covered transaction.

Health Information Exchange

The electronic movement of health-related information among organizations according to nationally recognized standards. HIEs enable health care providers, patients, and others to appropriately access and securely share vital medical information, and participating entities must have BAAs in place to govern PHI sharing.

Health Plan

An individual or group plan that provides or pays the cost of medical care, including health insurance issuers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans. Health plans are covered entities under HIPAA and must comply with both the Privacy and Security Rules.

HHS (Department of Health and Human Services)

The United States federal department responsible for protecting the health of Americans and providing essential human services. HHS, through its Office for Civil Rights (OCR), is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA (Health Insurance Portability and Accountability Act)

A landmark federal law enacted in 1996 that established national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA's key components include the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.

HITECH Act

The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH significantly strengthened HIPAA by expanding the Security Rule to business associates, increasing civil money penalties, creating the Breach Notification Rule, and enhancing individual rights.

Hybrid Entity

A single legal entity that is a covered entity but whose covered functions constitute only part of its overall business operations. A hybrid entity must designate its covered health care components and ensure those components comply with HIPAA, while non-covered components are not directly regulated.

I

Implementation Specification

Specific requirements or guidance under the HIPAA Security Rule for implementing a particular standard. Implementation specifications are classified as either 'required' (must be implemented as stated) or 'addressable' (must be assessed and implemented if reasonable and appropriate, or replaced with an equivalent measure).

Incident

Under the HIPAA Security Rule, a security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. Covered entities must have documented procedures for identifying, responding to, and documenting security incidents.

Individual Rights

The rights granted to patients and individuals under the HIPAA Privacy Rule with respect to their PHI, including the right to access, receive a copy of, amend, receive an accounting of disclosures of, and request restrictions on the use and disclosure of their health information.

Information System

An interconnected set of information resources under the same direct management control that shares common functionality. HIPAA requires covered entities to protect all information systems that create, receive, maintain, or transmit ePHI, including networks, servers, workstations, and mobile devices.

Integrity

One of the three core principles of the HIPAA Security Rule, defined as the property that ePHI has not been altered or destroyed in an unauthorized manner. Covered entities must implement policies and procedures to protect ePHI from improper alteration or destruction.

Integrity Controls

Technical mechanisms used to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Examples include checksums, hash functions, digital signatures, and version control systems that can detect unauthorized changes to health data.

J

Joint Commission

An independent, not-for-profit organization that accredits and certifies health care organizations and programs in the United States. Joint Commission standards often complement HIPAA requirements, particularly around privacy, security, and information management, though accreditation does not substitute for HIPAA compliance.

K

Key Management

The administration of cryptographic keys in a cryptosystem, including generation, distribution, storage, rotation, revocation, and destruction of encryption keys. Proper key management is essential for maintaining the effectiveness of encryption as a safeguard for ePHI.

L

Limited Data Set

PHI from which certain direct identifiers have been removed but which may still include indirect identifiers such as geographic data (city, state, zip code) and dates. A limited data set may be used or disclosed for research, public health, or health care operations purposes under a data use agreement, without individual authorization.

Log Analysis

The process of reviewing and interpreting audit logs from information systems to identify security events, anomalies, or unauthorized access to ePHI. Regular log analysis is a key component of the HIPAA Security Rule's audit controls requirement and supports ongoing monitoring of system activity.

M

Malware

Malicious software, including viruses, ransomware, spyware, and trojans, that can compromise the security and integrity of systems containing ePHI. The HIPAA Security Rule requires covered entities to implement protection from malicious software as a required implementation specification under workstation and device security.

Media Controls

Technical and physical policies and procedures required by the HIPAA Security Rule governing the receipt and removal of hardware and electronic media that contains ePHI into and out of a facility, including procedures for final disposal, media re-use, and accountability.

Minimum Necessary Standard

A HIPAA Privacy Rule requirement that covered entities make reasonable efforts to limit the use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose. The standard applies to most uses and disclosures of PHI but does not apply to disclosures for treatment purposes.

Mitigation

A requirement under the HIPAA Privacy Rule that covered entities mitigate, to the extent practicable, any harmful effects known to have occurred from a use or disclosure of PHI in violation of the entity's policies and procedures. Mitigation efforts are also a key component of breach response.

Multi-Factor Authentication

An authentication method requiring users to provide two or more verification factors—such as a password plus a one-time code from a mobile device—before gaining access to a system or application containing ePHI. MFA is a widely recommended security control for protecting ePHI against unauthorized access.

N

NIST (National Institute of Standards and Technology)

A federal agency within the U.S. Department of Commerce that develops and promotes measurement standards, including cybersecurity frameworks. NIST's Special Publication 800-66 provides guidance specifically for implementing the HIPAA Security Rule, and NIST's Cybersecurity Framework is widely used by covered entities.

NOD (Notice of Determination)

A formal written communication from HHS OCR informing a covered entity or business associate of OCR's determination regarding a HIPAA complaint investigation or compliance review, including any findings of violation and the opportunity to resolve the matter through informal resolution or formal enforcement action.

Non-Repudiation

A security property ensuring that a party in a communication cannot deny the authenticity of their actions—such as sending a message or accessing a record. In the context of ePHI, non-repudiation mechanisms like digital signatures and audit logs ensure accountability and deter unauthorized access.

Notice of Privacy Practices (NPP)

A document required by the HIPAA Privacy Rule that describes how a covered entity may use and disclose a patient's PHI and informs individuals of their rights with respect to their health information. Covered health care providers must provide the NPP to patients on their first date of service and make it available on request.

O

OCR (Office for Civil Rights)

The division of the U.S. Department of Health and Human Services that enforces federal civil rights laws and the HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints, conducts compliance reviews, and imposes civil money penalties for HIPAA violations.

Omnibus Rule

The 2013 final rule that significantly modified HIPAA by implementing most of the HITECH Act's requirements. The Omnibus Rule extended HIPAA's Security Rule directly to business associates, strengthened breach notification requirements, expanded individual rights, and increased civil money penalties.

Oral Communication

Verbal discussions of PHI, which are covered by the HIPAA Privacy Rule. Covered entities must implement reasonable safeguards to protect PHI in oral form—such as lowering voices in public spaces, using private rooms for sensitive discussions, and training staff not to discuss PHI where unauthorized persons could overhear.

Organized Health Care Arrangement

A clinically integrated care setting where individuals typically receive health care from more than one provider, such as a hospital and its affiliated physicians, or a group practice. Participating covered entities may share PHI for joint health care operations without individual authorization.

P

PHI (Protected Health Information)

Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media—electronic, paper, or oral. PHI includes any information that relates to an individual's health condition, provision of health care, or payment for health care, along with 18 categories of identifiers that could identify the individual.

Physical Safeguards

One of three categories of HIPAA Security Rule safeguards, consisting of physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Requirements include facility access controls, workstation use policies, and device and media controls.

Plan Sponsor

An employer or employee organization that establishes or maintains a group health plan. Plan sponsors may receive PHI from the group health plan only under specific conditions and must implement appropriate safeguards to protect that information.

Preemption

The principle that federal HIPAA standards generally preempt contrary state laws. However, HIPAA does not preempt state laws that are more protective of individual privacy—meaning states may impose stricter requirements, and covered entities operating in those states must comply with whichever standard is more stringent.

Privacy Impact Assessment

A structured process for evaluating the potential privacy risks of a new project, system, or process that involves PHI, and identifying measures to mitigate those risks. While not explicitly required by HIPAA by name, PIAs are a best practice for demonstrating compliance and proactively managing privacy risk.

Privacy Officer

An individual required to be designated by every covered entity under the HIPAA Privacy Rule, who is responsible for developing and implementing the entity's privacy policies and procedures and serving as a point of contact for complaints and questions about PHI privacy.

Privacy Rule

The HIPAA regulation at 45 CFR Part 164 Subparts A and E that establishes national standards for the protection of individuals' medical records and other PHI. The Privacy Rule sets conditions on the use and disclosure of PHI, gives patients rights over their health information, and requires covered entities to adopt privacy policies and procedures.

Psychotherapy Notes

Notes recorded by a mental health professional documenting or analyzing the contents of a counseling session, kept separate from the rest of the patient's medical record. Psychotherapy notes receive heightened protection under HIPAA—they generally cannot be used or disclosed without a patient's specific authorization, even for treatment, payment, or operations.

Q

Qualified Protective Order

A court order or stipulation agreed upon by the parties to litigation that prohibits the parties from using or disclosing PHI produced during the litigation for any purpose other than the litigation and requires return or destruction of the PHI at the end of the litigation. A covered entity may disclose PHI in response to a subpoena if a qualified protective order is in place.

Quality Assurance

Activities undertaken to evaluate and improve the quality of health care services. Quality assurance functions are considered health care operations under HIPAA, meaning covered entities may use and disclose PHI for quality assurance purposes without patient authorization, subject to the minimum necessary standard.

R

Remediation Plan

A documented corrective action plan created by a covered entity or business associate to address identified HIPAA compliance deficiencies. OCR often accepts and monitors remediation plans as part of corrective action plans (CAPs) following enforcement actions, requiring the entity to fix gaps within specified timeframes.

Required (Implementation Specification)

A designation under the HIPAA Security Rule indicating that a covered entity must implement the specification as described—there is no flexibility to substitute an alternative measure. Required specifications include unique user identification, emergency access procedures, audit controls, and transmission security.

Right of Access

An individual's right under the HIPAA Privacy Rule to inspect and obtain a copy of their PHI in a designated record set. Covered entities must provide access within 30 days of a request (extendable by 30 days with notice) and cannot charge more than a reasonable cost-based fee for copies.

Risk Analysis

A required HIPAA Security Rule administrative safeguard in which a covered entity conducts an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits. Risk analysis is the foundation of an effective HIPAA security program.

Risk Assessment

Often used interchangeably with risk analysis, a risk assessment is the process of identifying threats and vulnerabilities to ePHI, assessing the likelihood and impact of those threats, and determining the current level of risk. Under HIPAA, a formal risk assessment must be conducted at least periodically and whenever significant changes occur.

Risk Management

A required HIPAA Security Rule administrative safeguard in which a covered entity implements security measures sufficient to reduce risks and vulnerabilities identified in its risk analysis to a reasonable and appropriate level. Risk management is an ongoing process, not a one-time activity.

Role-Based Access Control

A method of regulating access to ePHI based on the roles of individual users within an organization, ensuring that employees can only access the PHI they need to perform their job functions. RBAC supports HIPAA's minimum necessary standard and is a recommended practice for implementing access controls.

S

Safe Harbor

One of two methods approved by HIPAA for de-identifying PHI. Under the Safe Harbor method, all 18 categories of identifiers specified by HHS must be removed or masked from the health information, and the covered entity must have no actual knowledge that the remaining information could identify an individual.

Safeguards

Administrative, physical, and technical measures required by HIPAA to protect PHI from unauthorized access, alteration, or destruction. The Privacy Rule requires 'appropriate' safeguards, while the Security Rule specifies detailed requirements organized into three categories: administrative, physical, and technical safeguards.

Sanction Policy

A required HIPAA Privacy and Security Rule administrative safeguard consisting of documented consequences for workforce members who fail to comply with the organization's privacy and security policies and procedures. Sanction policies must apply to all members of the covered entity's workforce, including management.

Security Incident

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Under the HIPAA Security Rule, covered entities must implement procedures to identify, respond to, mitigate, and document the effects of security incidents.

Security Officer

An individual required to be designated by every covered entity under the HIPAA Security Rule, who is responsible for developing and implementing the entity's security policies and procedures for protecting ePHI. The Security Officer role may be combined with the Privacy Officer role in smaller organizations.

Security Rule

The HIPAA regulation at 45 CFR Part 164 Subpart C that establishes national standards for protecting ePHI. The Security Rule requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Subcontractor

A person or entity who acts as a business associate on behalf of another business associate—that is, a downstream vendor who handles PHI. Under the HITECH Act and Omnibus Rule, subcontractors are directly subject to HIPAA and must sign BAAs with the business associates that engage them.

Substance Use Disorder Records (42 CFR Part 2)

Records of the identity, diagnosis, prognosis, or treatment of any patient maintained in connection with a federally assisted substance use disorder treatment program, protected under regulations separate from and generally more restrictive than HIPAA. These records typically require patient consent for most disclosures, with limited exceptions.

T

Technical Safeguards

One of three categories of HIPAA Security Rule safeguards, consisting of the technology and the related policies and procedures that protect ePHI and control access to it. Required technical safeguards include access controls, audit controls, integrity controls, and transmission security.

Termination Procedures

An addressable HIPAA Security Rule implementation specification requiring covered entities to have documented procedures for revoking workforce members' access to ePHI upon termination of employment or a change in role. Effective termination procedures include disabling accounts, recovering devices, and revoking physical access.

Training

A required HIPAA Security Rule administrative safeguard mandating that covered entities implement a security awareness and training program for all members of the workforce, including management. Training must address topics such as malware protection, log-in monitoring, and password management.

Transaction

The transmission of information between two parties to carry out financial or administrative activities related to health care, such as claims, eligibility inquiries, or remittance advice. HIPAA's Transactions and Code Sets Rule standardizes the electronic formats used for these exchanges.

Transmission Security

An addressable HIPAA Security Rule implementation specification requiring covered entities to implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Encryption of ePHI in transit is the most common way to satisfy this requirement.

Treatment, Payment, Operations (TPO)

The three categories of health care activities for which a covered entity may use or disclose PHI without obtaining individual authorization. Treatment includes care coordination; payment includes billing and claims; operations include quality improvement, training, and business management activities.

Two-Factor Authentication

A subset of multi-factor authentication (MFA) that requires users to provide exactly two verification factors before gaining access to a system. In a health care context, 2FA is commonly implemented as a password combined with a one-time code sent to a registered mobile device or generated by an authenticator app.

U

Unique User Identification

A required HIPAA Security Rule implementation specification mandating that covered entities assign a unique name or number to identify and track each user's activity in systems containing ePHI. Shared login accounts are not permitted, as unique IDs ensure that audit logs can be tied to specific individuals.

Unsecured PHI

PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction methods specified in HHS guidance. Only a breach of unsecured PHI triggers HIPAA's Breach Notification Rule; encrypted PHI that is lost or stolen generally does not require notification.

Use (of PHI)

The sharing, employment, application, utilization, examination, or analysis of PHI within the entity that holds it, as distinguished from a 'disclosure', which involves releasing it to an external party. HIPAA regulates both the use and disclosure of PHI and generally requires that use be limited to the minimum necessary.

V

Vendor Management

The processes and controls used to manage a covered entity's relationships with business associates and other third-party vendors who handle PHI. Effective vendor management includes due diligence before contracting, executing BAAs, ongoing monitoring, and periodic reassessment of vendor security practices.

Verification

Under the HIPAA Privacy Rule, the process by which a covered entity confirms the identity and authority of individuals or entities requesting PHI before making a disclosure. Covered entities must verify requesters' identities when disclosing PHI for law enforcement, judicial, and certain other purposes.

Vulnerability

A flaw or weakness in an information system's design, implementation, operation, or management that could be exploited to violate the system's security policy and compromise the confidentiality, integrity, or availability of ePHI. Vulnerabilities must be identified through risk analysis and addressed through risk management.

Vulnerability Assessment

A systematic examination of information systems to identify security weaknesses that could be exploited to gain unauthorized access to ePHI. Vulnerability assessments—including network scans, penetration tests, and configuration reviews—are a critical input to a covered entity's risk analysis and ongoing security monitoring.

W

Workforce

Under HIPAA, employees, volunteers, trainees, and other persons whose conduct in the performance of work for a covered entity is under the direct control of that entity, whether or not they are paid. All workforce members are subject to HIPAA's workforce training, sanction, and access control requirements.

Workforce Clearance

An addressable HIPAA Security Rule implementation specification requiring covered entities to implement procedures to determine that the access of a workforce member to ePHI is appropriate. This typically involves background checks, role-based access reviews, and confirmation that access levels match job responsibilities.

Workstation Security

Physical safeguards required by the HIPAA Security Rule specifying physical attributes of a workstation's surroundings that minimize the possibility of unauthorized access to the workstation. Measures include screen positioning, privacy screens, locked workstations when unattended, and clean-desk policies.

Workstation Use

A required HIPAA Security Rule physical safeguard specifying the proper functions to be performed on a workstation, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a workstation. Organizations must define acceptable use policies for all devices that access ePHI.

Z

Zero Trust

A modern security framework based on the principle of 'never trust, always verify,' in which no user, device, or network segment is trusted by default—even if inside the organization's perimeter. Zero Trust architectures align strongly with HIPAA's access control, unique user identification, and audit control requirements for protecting ePHI.

Zone of Privacy

An informal concept in HIPAA compliance referring to the physical and logical boundaries within which PHI can be used and disclosed appropriately. Establishing zones of privacy—such as designated areas for clinical conversations, restricted server rooms, and access-controlled EHR environments—is a practical approach to implementing HIPAA's safeguard requirements.
