
HIPAA-Compliance Glossary

HIPAA compliance has its own vocabulary of acronyms and terms that are not well known outside the people who work at the intersection of healthcare marketing and technology. Below are terms you may not know but need to understand to make sure your website is compliant.

HIPAA Terms to Know in the Digital Marketing Space

Access Controls: Measures/rules implemented to restrict access to electronic PHI to only authorized users, including unique user identification, emergency access procedures, automatic logoff, and encryption/decryption.

Administrative Safeguards: Administrative actions, policies, and procedures designed to manage the implementation, selection, and maintenance of security measures to protect PHI.

Audit Controls: Hardware, software, and procedural mechanisms that record and examine activity in information systems containing PHI.

Authenticated Pages: Pages that require login credentials to access, such as patient portals. Authenticated pages may safely contain PHI if the Security Rule safeguards (access controls, audit controls, encryption) are in place. Note that any tracking technology loaded on an authenticated page can see the PHI on it, so third-party trackers on such pages need a BAA or must be removed.

BAA (Business Associate Agreement): A legal contract required by HIPAA between a covered entity and a business associate (see Business Associate below). It obligates the business associate to appropriately safeguard the PHI it receives or creates on behalf of the covered entity, and to report security incidents and breaches back to it.

Business Associate: A person or organization that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity.

Breach Notification Rule: HIPAA provision requiring covered entities to notify affected individuals, HHS, and in some cases the media, of a breach of unsecured PHI.

Compliance Officer: Person designated by an organization to oversee HIPAA compliance efforts.

CMS (Content Management System): A software application or platform that allows users to create, manage, and modify digital content on a website without requiring specialized technical knowledge. In the context of HIPAA compliance, a CMS must incorporate security measures to protect any PHI that might be stored within the system or entered through forms. Healthcare organizations using a CMS must ensure it meets HIPAA requirements for access controls, encryption, audit trails, and secure data storage, and have a BAA in place with the CMS vendor if the system may contain PHI. Common examples of CMS platforms include WordPress, Drupal, Joomla, and healthcare-specific CMS solutions designed with HIPAA compliance in mind.

Cookies: Small text files stored on users’ devices that remember preferences, login status, and browsing activity.

Covered Entity: Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically for HIPAA-covered transactions.

De-identification: The process of removing identifying information from health data so that the remaining information does not identify an individual and there is no reasonable basis to believe it could be used to identify an individual. The Privacy Rule recognizes two methods: Safe Harbor (removal of 18 specified identifiers) and Expert Determination (a qualified expert documents that the re-identification risk is very small). Properly de-identified information is no longer PHI and is not subject to HIPAA.

Disclosure: The release, transfer, provision of access to, or divulging of PHI outside the entity holding the information.

Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.

Encryption: The process of transforming readable data into ciphertext that can only be read by someone holding the decryption key, applied both to data in transit (for example, HTTPS/TLS between a browser and a website) and to data at rest (stored files and databases). Under HHS guidance, PHI encrypted in this way is considered "secured," so the loss of an encrypted device or file does not by itself trigger the Breach Notification Rule.

Fingerprinting: A tracking technique that collects information about a user’s device configuration (such as browser type, installed plugins, screen resolution, system fonts, and other settings) to create a unique “fingerprint” that can identify and track users across websites.

First-Party Cookies: Cookies (see above) that are set by the site being visited.

Google Analytics 4 (GA4): A popular, free web analytics service from Google that tracks and reports website traffic and user behavior. In the HIPAA context it is a third-party tracking technology: Google does not offer a BAA for Google Analytics, so if GA4 runs on a page where PHI is disclosed, that disclosure to Google is not permitted.

HHS (Health and Human Services): The U.S. federal agency responsible for protecting the health of Americans and providing essential human services. It is the primary federal agency responsible for enforcing HIPAA regulations: HHS issues guidance on HIPAA implementation and can impose civil monetary penalties for HIPAA violations.

HIPAA (Health Insurance Portability and Accountability Act): A federal law passed in 1996 that establishes standards for protecting sensitive patient health information. Its implementing regulations include the Privacy Rule, the Security Rule, and the Breach Notification Rule.

HITECH Act: The Health Information Technology for Economic and Clinical Health Act of 2009, which expanded HIPAA requirements (including extending direct liability to business associates and adding breach notification), and increased penalties for violations.

JavaScript Trackers: Code snippets, written in JavaScript, that record user interactions like clicks, scrolling, and form inputs.

Local Storage Technologies: Browser mechanisms other than cookies for storing data on a user's device, such as localStorage, sessionStorage, and IndexedDB. Trackers can use them to keep identifiers that survive cookie deletion, so they fall under the same HIPAA analysis as cookies.

Minimum Necessary Standard: The requirement that covered entities make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

Mobile Device Identifiers: Unique IDs used to track users across mobile apps, such as the IDFA on iOS or the Advertising ID (AAID) on Android.

Notice of Privacy Practices (NPP): Document that explains how a covered entity may use and disclose PHI and the individual’s rights with respect to their PHI.

OCR (Office for Civil Rights): The office within HHS responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules.

Persistent Cookies: Cookies (see definition above) that stay on the device until a defined expiration date.

Physical Safeguards: Physical measures, policies, and procedures to protect electronic information systems and buildings/rooms/computers housing them from natural and environmental hazards and unauthorized intrusion.

Pixels: Tiny transparent images embedded in web pages or emails that track when content is viewed and actions taken.

PII (Personally Identifiable Information): Information that can be used to identify, contact, or locate an individual. This includes names, addresses, Social Security numbers, phone numbers, email addresses, and other identifiers. PII is not a healthcare-specific term; it is used in a wide variety of contexts.

PHI (Protected Health Information): Any individually identifiable health information that is created, received, maintained, or transmitted by HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. PHI is information about health status, the provision of healthcare, or payment for healthcare, combined with identifiers that could reveal the individual's identity (name, address, birthdate, SSN, IP address, etc.). Put another way, PHI = Health Information + PII.

Privacy Officer: Individual responsible for developing and implementing privacy policies and procedures for an organization.

Privacy Rule: HIPAA rule establishing national standards to protect individuals’ medical records and other personal health information.

Risk Analysis: Systematic examination of potential risks and vulnerabilities to ePHI confidentiality, integrity, and availability.

Security Incident: Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.

Security Rule: HIPAA rule establishing national standards to protect individuals’ electronic personal health information.

Session Cookies: Cookies (see definition above) that have no expiration date and are deleted when the browser session ends.

Session Recording Tools: Software that captures user screen activity, including mouse movements, clicks, and keystrokes, usually to improve the user's experience (UX) and conversion rates. Because they replay what a visitor typed, they can capture PHI entered into appointment or contact forms unless those fields are masked or the tool is removed.

Technical Safeguards: Technology and policies/procedures that protect ePHI and control access to it.

Third-Party Cookies: Cookies (see definition above) that are set by websites other than the site being visited.

Tracking Technologies: Digital tools or mechanisms that gather and monitor user activities, behaviors, preferences, and identifying information across online platforms. These technologies record, analyze, and store data about how individuals use websites, applications, and other digital services.
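As an added illustration (not code from the original glossary), the following Python script inventories the tracking technologies defined above (JavaScript Trackers, Pixels, Session Recording Tools, and anything third party) in a saved HTML page, using only the standard library so it runs offline. The first-party hostnames, the vendor host list, and the sample appointment page are assumptions constructed for the demo; the vendor list is illustrative, not exhaustive.

```python
"""Offline inventory of tracking technologies in an HTML page.

Added example for this glossary, not code from the original page. The host
lists and the sample page are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the clinic's own hostnames. Anything else is treated as third party.
FIRST_PARTY_HOSTS = {"www.example-clinic.test", "example-clinic.test"}

# Illustrative vendor hostnames mapped to the glossary term they correspond to.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics 4 / Tag Manager (JavaScript tracker)",
    "www.google-analytics.com": "Google Analytics (JavaScript tracker / pixel)",
    "static.hotjar.com": "Hotjar (session recording tool)",
}

# Inline-script markers showing a tracker is being configured in the page itself.
INLINE_MARKERS = ("gtag(", "dataLayer", "fbq(", "hj(")


class TrackerInventory(HTMLParser):
    """Collects script/img/iframe loads and inline tracker snippets."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party_hosts = first_party_hosts
        self.findings = []
        self._in_script = False
        self._inline_flagged = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._inline_flagged = False
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._record(tag, a)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline JavaScript that calls a tracker API counts even without a src;
        # flag each inline <script> element at most once.
        if self._in_script and not self._inline_flagged \
                and any(m in data for m in INLINE_MARKERS):
            self._inline_flagged = True
            self.findings.append({"kind": "inline-script", "src": None, "host": "",
                                  "vendor": "inline tracker configuration",
                                  "third_party": True})

    def _record(self, tag, a):
        src = a["src"]
        # Protocol-relative URLs ("//host/path") still load from another host.
        host = urlparse("https:" + src if src.startswith("//") else src).hostname or ""
        # A tracking pixel is an image whose only job is to fire a request:
        # typically 1x1 and hidden.
        is_pixel = tag == "img" and (
            (a.get("width") == "1" and a.get("height") == "1")
            or "display:none" in (a.get("style") or "").replace(" ", "")
        )
        # Relative URLs have no host and load from the page's own origin.
        third_party = bool(host) and host not in self.first_party_hosts
        vendor = KNOWN_TRACKER_HOSTS.get(host)
        if vendor is None:
            vendor = "unknown third party" if third_party else "first party"
        self.findings.append({"kind": "pixel" if is_pixel else tag, "src": src,
                              "host": host, "vendor": vendor, "third_party": third_party})


def audit_page(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return every external load and inline tracker found in the page, in document order."""
    parser = TrackerInventory(first_party_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def needs_review(findings):
    """Third-party loads that need a BAA or removal before the page may carry PHI."""
    return [f for f in findings if f["third_party"]]


# Constructed sample: an appointment-request page with one first-party script,
# a GA4 tag, an inline gtag config, a session-recording script, and a hidden pixel.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<script src="https://static.hotjar.com/c/hotjar-0000000.js?sv=6"></script>
</head><body>
<h1>Request an appointment</h1>
<form action="/appointments" method="post">
  <input name="condition" placeholder="Reason for visit">
</form>
<img src="//pixel.example-adnetwork.test/track.gif?page=appointments" width="1" height="1" style="display:none">
<img src="/static/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for f in needs_review(audit_page(SAMPLE_PAGE)):
        print(f"{f['kind']:14} {f['vendor']:55} {f['src'] or '(inline)'}")
```

Run against a page saved from the browser (View Source) rather than a live fetch: tag managers inject further scripts at runtime, so a crawl of the rendered DOM, or the browser's network panel, is the final check. Every item reported by needs_review is a disclosure to a third party and needs either a BAA with that vendor or removal from any page where PHI may be present.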

Treatment, Payment, and Healthcare Operations (TPO): Categories of use and disclosure of PHI that don’t require patient authorization.

Two-Factor Authentication (2FA): Security process requiring users to provide two different authentication factors to verify their identity, enhancing access security.

Unauthenticated Pages: Unauthenticated pages are open to anyone to visit—they do not require a login to see them.

Workforce Member: Employees, volunteers, trainees, and other persons under the direct control of a covered entity or business associate.
