What do all those acronyms stand for anyway?

Tod Ferran, CISSP, QSA
By: Tod Ferran
Sometimes I wish I could ban acronyms from the planet. HIPAA includes many such acronyms, mostly security-related. You may come across them in actual HIPAA text, online during security research, or when talking to a healthcare compliance consultant.
CISSP? BA? IRP? What does it all mean!?
SEE ALSO: HIPAA FAQ

Here are the ones you should understand to fully grasp most HIPAA security requirements.

AES (Advanced Encryption Standard): government encryption standard to secure sensitive electronic information.

APT (Advanced Persistent Threat): network attack in which a hacker breaks into a network undetected and harvests information over a long period of time. These guys are really good and very patient. If you don’t have the right software to detect them, such as IDS/IPS and FIM you will likely never know they were there.

BCP (Business Continuity Plan): identifies an organization’s exposure to internal and external threats.

BA (Business Associate): a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services, laboratories.)

BAA (Business Associate Agreement): a contract between a covered entity and business associate to safeguard PHI and comply with HIPAA.

CERT (Computer Emergency Response Team): designated group to handle computer security incidents.

CISO (Chief Information Security Officer): similar to a CSO, but with responsibility for IT rather than entity-wide security.

CISSP (Certified Information Systems Security Professional): a globally recognized certification that confirms an individual’s knowledge about information security.

Covered Entity (CE): a health plan, health care clearinghouse or health care provider that electronically transmits health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans.)

CPOE (Computerized Provider Order Entry): management software that allows physicians to provide electronic instructions to staff (vs. handwritten) on a patient’s treatment and care.

CSO (Chief Security Officer): company position with responsibility towards HIPAA compliance, PCI compliance, physical security, network security, and other security protocols.

DLP (Data Loss Prevention): a piece of software or strategy to ensure users don’t send sensitive information (such as PHI) outside the network.

EHR (Electronic Health Record): digital chart that contains a patient’s comprehensive medical history from multiple healthcare providers.

eMAR (Electronic Medication Administration Record): a way to track medication administration using electronic tracking sensors.

EMR (Electronic Medical Record): digital chart that contains a patient’s medical history from a single practice used for diagnosis and treatment.

ePHI (Electronic Protected Health Information): health information sent or stored electronically protected by the HIPAA Security Rule.

FIM (File Integrity Monitoring): a way of checking software, systems, and applications in order to warn of potential malicious activity.

FW (Firewall): system designed to screen incoming and outgoing network traffic.

GPG (GNU Privacy Guard): the free version of PGP.

HIPAA (Health Insurance Portability and Accountability Act): a federal mandate that, among other things, requires organizations to keep patient data secure through a myriad of privacy and security procedures, policies, and actions.


HIT (Health Information Technology): the management of ePHI and its secure exchange between covered entities, business associates, and patients.

HHS (United States Department of Health and Human Services): the federal organization that created HIPAA.

IDS/IPS (Intrusion Detection System/Intrusion Prevention System): a monitoring system to monitor network security appliances and report malicious activity.

IIHI (Individually Identifiable Health Information): (see PHI)

IRP (Incident Response Plan): policies and procedures to effectively limit the effects of security breach.

IT (Information Technology): anything relating to networks, computers, and programming, and the people that work with those technologies.

MU (Meaningful Use): a requirement that states providers sharing patient data with other healthcare professionals must do so in a way that can be measured.

NPP or NoPP (Notice of Privacy Practices): The required document or notice that provides a clear explanation of patient rights and covered entity practices concerning a patient’s PHI.

OCR (Office for Civil Rights): the federal organization responsible for enforcing HIPAA compliance.

ONC (Office of the National Coordinator for Health Information Technology): The federal organization charged with coordination of nationwide efforts to implement and use advanced health information technology.

PGP (Pretty Good Privacy): data encryption computer program that provides privacy for encrypting emails, files, directories, and disks.

PHI (Protected Health Information): information that can be linked to a particular person (i.e., past, present, or future health condition or healthcare provision) such as patient name, social security number, and medical history.

P&P (Policies and Procedures): In HIPAA compliance, guidelines and principles adopted by an entity with respect to the security of PHI.

P2PE (Point-To-Point Encryption): credit/debit card data encryption from the point of interaction to a merchant solution provider.

RA (Risk Analysis): an assessment of the potential vulnerabilities, threats, and possible risk to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.

RBAC (Role-Based Access Control): the act of restricting users’ access to systems based on their role within the organization..

RMP (Risk Management Plan): the strategy to implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.

SSL (Secure Socket Layer): Internet security standard for encrypting the link between a website and a browser to enable the transmission of sensitive information (predecessor to TLS).

TFA (Two-Factor Authentication): two out of three independent methods of authentication are required to verify a computer or network user. The three possible factors are:
  • Something you know (such as a username and password)
  • Something you have (such as an RSA token or cell phone which gives you a new code for each login)
  • Something you are (such as fingerprint or iris scan)
TLS (Transport Layer Security): (See SSL)

VPN (Virtual Private Network): technical strategy for creating secure tunnels over the Internet.

WEP (Wired Equivalent Privacy): an outdated and weak security algorithm for wireless networks.

WPA (Wi-Fi Protected Access): security protocol designed to secure wireless computer networks.

WPA2 (Wi-Fi Protected Access II): (see WPA)

3DES (Triple Data Encryption Standard): a secure encryption standard that encrypts data three times.

What did you think about this post? Tell me @todferran.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.