HIPAA Glossary
Plain-language HIPAA and PHI definitions.
Short definitions for the compliance terms small clinic teams encounter most. Each entry links to the full explainer where the concept matters operationally.
- 18 HIPAA identifiers
- The 18 HIPAA identifiers are the practical screening list teams use when deciding whether a workflow contains identifiable patient data. If one or more identifiers appear with health context, treat the workflow carefully.
- Business Associate Agreement
- A business associate agreement is the legal contract HIPAA requires between a covered entity and any vendor who handles PHI on its behalf. Without an executed BAA, both parties face OCR enforcement exposure. This article explains what a BAA is, what it must contain, and how to track executed agreements.
- Covered entity vs business associate
- A healthcare provider is usually the covered entity. A vendor becomes a business associate when it creates, receives, maintains, or transmits PHI on the provider's behalf. That determines whether a BAA and a fuller vendor review are required.
- De-identified data vs PHI
- De-identified data is data that no longer identifies the individual under HIPAA's standards. Removing one obvious field is not enough if the remaining data can still point back to a person.
- Designated record set
- A designated record set is the group of records used to make decisions about individuals or otherwise maintained as required under HIPAA. Not every operational tool or note automatically becomes part of it.
- Electronic protected health information
- ePHI is PHI that is created, received, maintained, or transmitted in electronic form. If patient-linked information moves through software, cloud storage, spreadsheets, email, or messaging tools, it is usually ePHI.
- HIPAA
- HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law signed in 1996 that sets the national standard for protecting patient health information. It began as a health insurance portability law and later grew, through the Privacy Rule, Security Rule, HITECH, and the Omnibus Rule, into the patient-data framework clinics operate under now. It has five titles, but small clinics primarily operate under the Privacy Rule, Security Rule, and Breach Notification Rule.
- HIPAA audit trail
- An audit trail under HIPAA refers to two distinct things: system-level logs of who accessed PHI and when, and the operational compliance documentation record showing the clinic ran a functional program. Both are reviewed in OCR investigations.
- HIPAA Authorization
- The HIPAA Authorization form is required for uses and disclosures outside treatment, payment, and healthcare operations. Treatment consent is a separate document under state law and medical ethics. A clinic that conflates them — or uses one where the other is needed — creates both legal exposure and documentation gaps.
- HIPAA subcontractor
- Since 2013, subcontractors who handle PHI on behalf of a business associate are directly subject to HIPAA. Clinics don't need direct BAAs with subcontractors, but must ensure their vendors are managing subprocessors under HIPAA — especially for AI tools and cloud services.
- Incidental disclosure
- An incidental disclosure is a secondary exposure that may occur as part of an otherwise permitted disclosure when reasonable safeguards are in place. It is not a blanket excuse for careless workflow design.
- Limited data set
- A limited data set is not fully de-identified data. It excludes certain direct identifiers but can still be regulated and still requires controls and an appropriate agreement for the permitted use.
- Minimum necessary standard
- The minimum necessary standard means healthcare teams should limit PHI use, access, and disclosure to what is reasonably needed for the task. In practice that affects permissions, notifications, exports, and how much patient detail staff place in collaboration tools.
- Patient name plus appointment date as PHI
- Patient name combined with an appointment date at a medical clinic constitutes PHI under HIPAA. This has practical implications for scheduling software, appointment reminders, front desk operations, and any vendor that processes appointment data.
- PHI
- PHI stands for Protected Health Information. Under HIPAA, it is any information that identifies an individual and relates to their health, treatment, or payment for care. PHI is regulated by the HIPAA Privacy Rule and Security Rule, and mishandling it can trigger federal enforcement action.
- PHI vs PII
- PII is a broader privacy concept about information that identifies a person. PHI is narrower and healthcare-specific: identifiable information tied to health, care, or payment context.
- PII
- PII stands for Personally Identifiable Information — any data that can identify a specific individual. In healthcare, PII and PHI overlap significantly, but PHI is the stricter category governed by HIPAA. Understanding both terms helps clinic staff correctly classify data and apply the right protections.
- Protected health information
- PHI is identifiable information tied to a person's health, care, or payment for care. In practice it shows up far beyond the chart, including in tasks, messages, spreadsheets, forms, and operational notes.
- Protected Health Information (PHI)
- PHI stands for Protected Health Information. HIPAA defines it as individually identifiable health information held or transmitted by a covered entity or business associate. The definition lives in 45 CFR 160.103 and shapes almost every compliance decision a clinic makes.
Operational assurance
Compliance programs need more than definitions.
PHIGuard turns HIPAA requirements into daily tasks with audit trails. BAA included at every plan.