HIPAA glossary

Every term you'll encounter in HIPAA compliance — defined in plain English.

A

Access controls

Technical and administrative rules that limit who can see or change patient information — unique logins, passwords, and permission levels are common examples.

Example

A receptionist can schedule appointments but cannot open clinical notes outside their department.

45 CFR §164.312(a)(1)

Authorization

A signed permission form from a patient that allows you to share their health information in specific ways that would not otherwise be permitted.

Example

A patient signing a form to allow their records to be sent to a specialist, an attorney, or a family member.

45 CFR §164.508

B

BAA — Business Associate Agreement

A required contract between a healthcare organization and any vendor that handles patient information on their behalf. It specifies how the vendor must protect the data.

Example

Before your practice can use a cloud storage service to store patient records, you must have a signed BAA with that company.

45 CFR §164.504(e)

Breach

An incident where patient information was accessed, used, or disclosed in a way that wasn't allowed by HIPAA and that poses a risk to the patient.

Example

A stolen laptop containing unencrypted patient records, a fax sent to the wrong number, or an employee accessing records they had no reason to view.

45 CFR §164.402

Breach notification

When a reportable breach occurs, HIPAA requires notifying affected individuals, HHS, and sometimes the media within set time frames.

Example

A lost laptop with unencrypted patient data may require letters to patients and a filing on the HHS portal.

45 CFR §164.400–414

Business associate

A vendor or service provider that handles patient information on behalf of a covered entity. It is also bound by HIPAA through a signed agreement.

Example

Your medical billing company, your EHR software provider, your cloud storage vendor, or your IT support company.

45 CFR §160.103

C

Civil monetary penalty

Fines OCR can impose after an investigation. Amounts depend on factors like negligence, harm, and how long a problem went unfixed.

Example

A small practice fined after a patient complaint revealed years of missing risk assessments.

45 CFR §160.404

Covered entity

An organization that HIPAA directly applies to. This includes healthcare providers, health insurance plans, and healthcare clearinghouses.

Example

Your doctor's office, a hospital, a dental practice, a health insurance company, or a pharmacy.

45 CFR §160.103

D

De-identification

The process of removing all information that could identify a patient from their health records. De-identified data is no longer covered by HIPAA.

Example

Removing a patient's name, address, date of birth, and other identifiers from their records so they cannot be linked back to them.

45 CFR §164.514

E

Encryption

A way of scrambling electronic data so that only authorized people with a special key can read it. If encrypted patient data is stolen and the decryption key was not also exposed, the loss is generally not a reportable HIPAA breach.

Example

Encrypting the hard drive of a laptop that contains patient records means that if the laptop is stolen, the thief cannot read the data.

45 CFR §164.312(a)(2)(iv)

ePHI — Electronic Protected Health Information

PHI that is stored or sent in electronic form — including in computer systems, emails, text messages, and cloud storage.

Example

Patient records in your EHR system, an email about a patient's test results, or a scanned document uploaded to a server.

45 CFR §160.103

M

Minimum necessary

The HIPAA principle that staff should only access or share the minimum amount of patient information needed to do their job — nothing more.

Example

A billing clerk needs a patient's insurance information but doesn't need their full medical history.

45 CFR §164.502(b)

N

Notice of Privacy Practices (NPP)

A document given to patients that explains how your practice uses and protects their health information. It must be posted in your office and given to new patients.

Example

The form patients sign at a doctor's office that says "I have received the Notice of Privacy Practices."

45 CFR §164.520

O

OCR — Office for Civil Rights

The part of the U.S. Department of Health and Human Services that enforces HIPAA. It investigates complaints, conducts audits, and issues fines.

Example

When a patient files a HIPAA complaint against a doctor's office, OCR investigates it.

45 CFR §160.300

P

Patient rights

Under HIPAA, patients have rights to access their records, request corrections in some cases, receive a notice of privacy practices, and ask for an accounting of certain disclosures.

Example

A patient asking for a copy of their chart is exercising their right of access.

45 CFR §164.520–524

PHI — Protected Health Information

Any information about a patient's health, treatment, or payment for care that could identify them. This includes names, addresses, dates, phone numbers, and anything connected to their medical care.

Example

A patient's name combined with their diagnosis, their appointment date, or their insurance information is PHI in each case.

45 CFR §160.103

Policies and procedures

Written instructions your organization follows for privacy, security, and breach response. They do not need to be long — they need to match what you actually do.

Example

A one-page policy on how workstations must lock after 15 minutes, signed by staff annually.

45 CFR §164.316

Privacy officer

The person at your organization responsible for developing and overseeing HIPAA privacy policies. Every covered entity must designate one.

Example

At a small practice this is often the practice manager. At a hospital it may be a full-time compliance professional.

45 CFR §164.530(a)

W

Workforce training

HIPAA requires organizations to train everyone who works with patient information on policies and procedures — when hired and when things change.

Example

Annual 30-minute online module plus a sign-in sheet for new hires during orientation.

45 CFR §164.530(b)