Vocabulary flashcards covering key terms, definitions, and concepts from the Privacy and Security lecture notes (HIPAA, privacy, security, de-identification, and related laws).
Privacy
The right to control personal information and keep it to yourself.
Confidentiality
The right to share personal information only with those you designate.
Security
Mechanisms to protect your personal information from unauthorized access or exposure.
Individually Identifiable Health Information (IIHI)
Data that can be correlated with an individual.
Protected Health Information (PHI)
IIHI as defined by the HIPAA Privacy Rule.
Consent (in privacy context)
Written or verbal permission to allow use of your IIHI.
De-identified data
PHI data that has had identifying information removed or cannot reasonably identify individuals.
De-identification methods – Expert determination
A qualified expert assesses and certifies that re-identification risk is very small.
De-identification methods – Safe Harbor
Removal of specified PHI identifiers to render data de-identified.
Re-identification
Process of linking de-identified data back to individuals.
Small cell counts (re-identification risk)
Low cell counts can increase the risk of identifying individuals in a dataset.
Wall of Shame
HHS list of breaches of unsecured PHI affecting more than 500 individuals.
Breaches
Acquisition, access, use, or disclosure of PHI in a way not permitted.
Ransomware
Malware that encrypts data, potentially blocking access and demanding payment.
Medical identity theft
Using IIHI to obtain property or services fraudulently.
Health Information Exchange (HIE)
Systems and networks that move health data across organizations.
Cloud computing
Delivery of computing services over the internet; changes the data protection perimeter.
Individually Identifiable Health Information (IIHI) vs PHI
IIHI is the broader term; PHI is IIHI as defined under HIPAA rules.
Accountable care organizations (ACOs)
New care models requiring broader team access to information.
Bring Your Own Device (BYOD)
Clinicians using personal devices to access health information.
De-identification – OCR guidance
Official guidance on de-identification methods provided by HHS/OCR.
Governor Weld re-identification (historical example)
Illustrates how individual identity can be inferred from data (e.g., linking registries to health data).
Genomic data and re-identification
Genomics can aid re-identification in research data.
Re-identification risk in practice
Even de-identified data can potentially be re-identified under certain conditions.
Temporal information in de-identified data
Removing timing data can reduce usefulness for longitudinal analysis.
De-identified data not a panacea
Ethical concerns and potential loss of analytical value if over-scrubbed.
Concerns about security
Security threats and leakages across multiple points, including paper records.
Paper records insecurity
Fax, copying, and lack of auditable trails create privacy risks.
Consequences of poor security
Patient avoidance, misreporting, delayed care, and worse outcomes.
IOM For the Record (1997)
Early government report informing HIPAA-style privacy practices.
Threats to security – Insider
Disclosures or access caused by insiders (accidental, curious, etc.).
Threats to security – Outside
External breaches or attacks on a health organization.
Deterrents to security
Alerts and audit trails that discourage improper access or disclosure.
System management precautions
Software management and vulnerability assessments to reduce risk.
Authentication
Verifying the identity of a user or system before granting access.
Authorization
Granting permissions to access PHI based on roles and need-to-know.
Integrity management
Ensuring data has not been altered in an unauthorized way.
Digital signatures
Cryptographic method to verify the source and integrity of data.
Encryption
Scrambling data so it is unreadable without a key; essential for public networks.
Symmetric vs. Asymmetric encryption
Symmetric uses one key; asymmetric uses a public/private key pair.
NIST / ISO 27000 / OAuth2 / OpenID
Standards and frameworks guiding information security and authentication.
SMART on FHIR
API approach using standards for secure healthcare app integrations.
Best practices for secure APIs
Guidelines to securely expose and consume health IT APIs.
Authentication challenges
Problems with passwords, aging policies, and usability vs security.
Two-factor authentication (2FA)
Combining something you know with something you have (e.g., device, biometrics).
Password challenges
Reuse, memorability vs complexity, key-logging, and policy burden.
NIST 800-63 evolution
Shift from strict complexity to usable, long passwords and risk-based changes.
New password recommendations
Allow long passwords (e.g., up to 64 chars); meaningful feedback; avoid arbitrary rules.
Security culture – user behavior
'Good users' can still do bad things; data hygiene and cautious behavior are essential.
HIPAA Privacy Rule
Regulates how PHI may be used/disclosed by covered entities and business associates.
HIPAA Security Rule
Sets security requirements for protecting electronic PHI (ePHI) across covered entities (CEs) and business associates (BAs).
Covered Entities (CEs)
Entities that handle PHI and bill electronically (providers, plans, clearinghouses).
Business Associates (BAs)
Entities or individuals performing work on behalf of CEs with PHI access.
Business Associate Agreement (BAA)
Contract ensuring PHI privacy protections between CE and BA.
Minimum Necessary
Standard to limit PHI disclosures to the minimum amount needed.
Notice of Privacy Practices (NPP)
Plain-language notice of how PHI is used/disclosed and individual rights.
Authorization (non-TPO disclosures)
Permission required to disclose PHI for purposes other than treatment, payment, or operations.
Treatment, Payment, and Health Care Operations (TPO)
Disclosures allowed without authorization when for patient care and related activities.
Public health disclosures
Permitted disclosures to public health authorities for health surveillance and safety.
Research disclosures (non-TPO)
Disclosures allowed under IRB/OHRP oversight; may use existing data with exemptions.
De-identified data disclosures
Disclosures allowed when data are de-identified under expert determination or safe harbor.
Marketing and fundraising
PHI use for marketing requires authorization; fundraising may be permitted with opt-out.
Notice of privacy practices – plain language
NPP must be understandable and include complaint process and privacy officer.
Training and privacy program
Organizations must train staff and designate a privacy officer with sanctions for violations.
Breaches and penalties (OCR)
Breach notification timelines; penalties tiered by severity and neglect.
HIPAA Security Rule core requirements
Access control, emergency access, automatic log-off, audit trails, data integrity, authentication.
Access control
Unique user identities and restricted PHI access based on role.
Audit trail
Records of PHI access/transactions to monitor and investigate activity.
Data integrity
Ensuring PHI is not altered or corrupted; use checksums/digital verification.
Cloud computing and HIPAA
Cloud use allowed with proper safeguards and BAAs; risk assessments advised.
TEFCA (Trusted Exchange Framework and Common Agreement)
Proposed framework to enable nationwide health information exchange.
Common Rule / 45 CFR 46
Federal rules governing rights of human subjects in research.
FERPA
Family Educational Rights and Privacy Act protecting student records.
GINA
Genetic Information Nondiscrimination Act protecting genetic information in health and employment.
GDPR
European data protection law governing personal data and privacy rights.
CCPA
California consumer privacy law granting rights over personal data.
HIPAA pre-emption
HIPAA generally supersedes state privacy laws unless the state law is more protective.
IIHI custodians and processors (proposed evolution)
Concepts for redefining entities responsible for handling IIHI under HIPAA.
Access rights under HIPAA
Individuals have rights to access, amend, and obtain copies of PHI.