
1.1.3 Important HIPAA Terminology

We will go through some basic definitions to help you understand important HIPAA terminology.

  • HIPAA Authorization – It is a particular kind of consent obtained from the person to use and/or disclose their protected health information. The HIPAA regulations outline what constitutes a valid authorization.
  • Business Associate – It is an organization or individual that works on behalf of a covered entity to carry out a task involving the use or disclosure of protected health information (PHI). In other words, a third-party organization is a business associate if it has the potential to access PHI while performing the tasks allocated to it.

When cooperating with covered entities, the following companies would be regarded as business associates:

  • Software providers with PHI access
  • Businesses that process or collect claims
  • Independent administrators
  • Call services
  • Pharmacists
  • Groups for patient safety or accreditation
  • Healthcare transcription businesses
  • Cloud service providers

  • Covered Entity – It is an entity subject to HIPAA, such as health plan providers, healthcare providers, and healthcare clearinghouses. Health plan providers include health insurance companies, health maintenance organizations, government programs that pay for healthcare, and military and veterans’ health programs.
  • HITECH – It stands for Health Information Technology for Economic and Clinical Health Act of 2009. The HITECH Act pushed healthcare organizations to use electronic health records and enhance security and privacy safeguards for patient information. This was accomplished through monetary rewards for using electronic health records (EHRs) and stiffer penalties for breaking the HIPAA Privacy and Security Rules.
  • PHI – It is protected health information, and it deals with patients’ personal information.
  • Individual – It is the subject of PHI.
  • ePHI – It is electronic protected health information, i.e. PHI held or transmitted in electronic form, such as faxes, emails, data backups, etc.
  • Risk Analysis – It is a set of government-mandated questions that help identify gaps in risk for your business and the covered entity. A risk analysis details what requires protection, what it should be protected from, and how to protect it.

Business Associate Agreement (BAA)

A HIPAA business associate agreement is an agreement between a covered entity and a company or individual that works for or offers services to the covered entity and has access to protected health information (PHI) as part of that function, operation, or service.

In a BAA contract, a business associate guarantees they will secure the PHI of the company’s patients. They must follow specific procedures and limit how they can use or disclose PHI.

A BAA’s goal is to specify your business associate’s obligations regarding the confidentiality and security of your patients’ PHI.
