AMC/HIPAA Workgroup
Definitions of Terms Used in this Guideline
Term
Definitions
Access control
The prevention of unauthorized use of a resource. [ISO 7498-2]
Information-use policy to determine who can have access to what data/
information (both within and external to the organization adopting the access
control policy); policies and procedures preventing access by those who are not
authorized to have it. [Institute of Medicine, 1994].
Accountability
The property that ensures that the actions of an entity can be traced. [ISO 7498-2]
The concept that individual persons or entities can be held responsible for
specified actions, such as obtaining informed consent or breaching confidentiality.
[National Research Council, 1997]
Accreditation
The official management authorization for operation of an MIS. It provides a
formal declaration by an Accrediting Authority that a computer system is approved
to operate in a particular security mode using a prescribed set of safeguards.
Accreditation is based on the certification process as well as other management
considerations. An accreditation statement affixes security responsibility with the
Accrediting Authority and shows that proper care has been taken for security.
Anonymized data
Identifiers removed and NO means exists for re-identifying patients/subjects.
Anonymous data
Never labeled with patient/subject identifiers
Audit
To record independently and later examine system activity (e.g., logins and
logouts, file accesses, security violations). See security audit. [O'Reilly, 1992]
Authentication
The corroboration that an entity is the one claimed. [ISO 7498 - 2].
The process of proving that a subject (e.g., a user or a system) is who or what the
subject claims to be. Authentication is a measure used to verify the eligibility of a
subject to access certain information. It protects against the fraudulent use of a
system or the fraudulent transmission of information. There are three classic
ways to authenticate yourself: something you know, something you have, or
something you are. [O'Reilly, 1992]
Providing assurance regarding the identity of a subject (author) or object
(information). [ASTM E1762] Authentication of data origin is corroboration that the
source of data received is as claimed. [ASTM E1762] Authentication of user is
the provision of assurance of the claimed identity of an individual or entity. [ASTM
E1762]
Authorization
The granting of rights, which includes the granting of access based on access
rights. [ISO 7498 - 2]
The mechanism for obtaining consent for the use and disclosure of health
information. The American Health Information Management Association has
recommended requirements for valid authorization. Within the context of a
computer-based patient record system, these requirements would include that the
authorization be documented (electronically), be addressed to a specific health
care provider, specifically identify the patient, identify the individual or entity
authorized to receive the information, identify the information that is to be
released, specify the purpose for the disclosure, specify under what conditions the
authorization will expire unless revoked earlier, indicate that the authorization is
subject to revocation, be (electronically) signed by the patient or patient's legal
representative, and be dated sometime after the information has been collected.
[AHIMA, 1994a]
Biometrics
In computer security, the use of unique, quantifiable physiological, behavioral, and
morphological characteristics to provide positive personal identification.
Examples of such characteristics are fingerprints, retina patterns, and signatures.
[O'Reilly]
A biometric identification system identifies a human from a measurement of a
physical feature or repeatable action of the individual (e.g., hand geometry, retinal
scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence
characteristics, voice prints, and hand written signature). [ASTM E1762]
Business Associate
A person (who) performs functions or activities on behalf of, or provides the
specified services to or for, an organized health care arrangement in
which the covered entity participates. A business associate may be a covered
entity. The definition of business associate excludes a person who is part of the
covered entity's workforce. [45 CFR 160]
Business Partner
A person to whom the covered entity discloses protected health information so
that the person can carry out, assist with the performance of, or perform a function
or activity for the covered entity. [45 CFR 160]
Cache
A block of memory that holds frequently used data or data that is waiting for
another process to use it.
Certification
The technical evaluation performed as part of, and in support of, the accreditation
process that establishes the extent to which a particular computer system or
network design and implementation meet a pre-specified set of security
requirements. [O'Reilly, 1992]
The administrative act of approving a system for use in a particular application.
[National Research Council, 1991]
Chain of trust (partner) agreement
Contract entered into by two business partners in which it is agreed to exchange
data and that the first party will transmit information to the second party, where the
data transmitted is agreed to be protected between the partners. The sender and
receiver depend upon each other to maintain the integrity and confidentiality of the
transmitted information. Multiple such two-party contracts may be involved in
moving information from the originator to the ultimate recipient, for example, a
provider may contract with a clearing house to transmit claims to the clearing
house; the clearing house, in turn, may contract with another clearing house or
with a payer for the further transmittal of those same claims. [45 CFR 142]
Check sum
Numbers summed according to a particular set of rules and used to verify that
transmitted data has not been modified during transmission. [O'Reilly, 1992]
Digits or bits summed according to arbitrary rules and used to verify the integrity
of data. [National Research Council, 1991]
Confidentiality
A condition in which information is shared or released in a controlled manner.
[National Research Council, 1997].
The property that information is not made available or disclosed to unauthorized
individuals, entities or processes. [ISO 7498 - 2].
A security principle that keeps information from being disclosed to anyone not
authorized to access it. [O'Reilly]
The act of limiting disclosure of private matters; maintaining the trust that an
individual has placed in one which has been entrusted with private matters.
[CPRI, 1995b]
The status accorded to data or information indicating that it is sensitive for some
reason, and that therefore it needs to be protected against theft or improper use
and must be disseminated only to individuals or organizations authorized to have
it. [Ball and Collen, 1992; OTA, 1993]
Consent
A consent under this section must be in plain language and:
(1) Inform the individual that protected health information may be used and
disclosed to carry out treatment, payment, or health care operations;
(2) Refer the individual to the notice required by § 164.520 for a more complete
description of such uses and disclosures and state that the individual has the right
to review the notice prior to signing the consent;
(3) If the covered entity has reserved the right to change its privacy practices that
are described in the notice in accordance with § 164.520(b)(1)(v)(C), state that the
terms of its notice may change and describe how the individual may obtain a
revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity restrict how
protected health information is used or disclosed to carry out treatment, payment,
or health care operations;
(ii) The covered entity is not required to agree to requested restrictions; and
(iii) If the covered entity agrees to a requested restriction, the restriction is binding
on the covered entity;
(5) State that the individual has the right to revoke the consent in writing, except to
the extent that the covered entity has taken action in reliance thereon; and
(6) Be signed by the individual and dated. [45 CFR 160]
Context based access
An access control based on the context of a transaction (as opposed to being
based on attributes of the initiator or target). The "external factors" might include
time of day, location of the user, strength of user authentication, etc. [45 CFR
142]
Contingency Plan
A plan for responding to a system emergency. The plan includes performing
backups, preparing critical facilities that can be used to facilitate continuity of
operations in the event of an emergency, and recovering from a disaster.
Synonymous with disaster recovery plan. [O'Reilly, 1992]
Data Authentication
The corroboration that data has not been altered or destroyed in an unauthorized
manner. Examples of how data corroboration may be assured include the use of
a check sum, double keying, a message authentication code, or digital signature.
[45 CFR 142]
Data backup
A retrievable, exact copy of information. [45 CFR 142]
Data Set
A semantically meaningful unit of information exchanged between two parties to a
transaction. [45 CFR 162.103]
De-identified data
A record in which identifying information has been removed to render the
information de-identified and thus not subject to the rule. [45 CFR 150].
Digital signatures
Data appended to, or a cryptographic transformation of, a data unit that allows a
recipient of the data unit to prove the source and integrity of the unit and protect
against forgery, e.g., by the recipient. [ISO 7498 - 2].
An authentication mechanism which enables the creator of a message to attach a
code that acts as a signature. The signature guarantees the source and integrity
of the message. [Stallings]
An authentication tool that verifies the origin of a message and the identity of the
sender and receiver. Can be used to resolve any authentication issues between
the sender and receiver. A digital signature is unique for every transaction.
[O'Reilly, 1992]
A means to guarantee the authenticity of a set of input data the same way a
written signature verifies the authenticity of a paper document. A cryptographic
transformation of data that allows a recipient of the data to prove the source and
integrity of the data and protect against forgery. Specifically, an asymmetric
cryptographic technique in which each user is associated with a public key
distributed to potential verifiers of the user's digital signature used to encrypt
messages destined for other users, and a private key known only to the user and
is used to decrypt incoming messages. To sign a document, the document and
private key are input to a cryptographic process which outputs a bit string (the
signature). To verify a signature, the signature, document, and user's public key
are input to a cryptographic process, which returns an indication of success or
failure. Any modification to the document after it is signed will cause the signature
verification to fail (integrity). If the signature was computed using a private key
other than the one corresponding to the public key used for verification, the
verification will fail (authentication). [ASTM E1762]
Disclosure
The release, transfer, provision of access to, or divulging in any other manner of
information outside the entity holding the information. [45 CFR 160]
Firewall
A dedicated computer equipped with safeguards that acts as a single, more easily
defined, Internet connection [Cheswick and Bellovin, 1994]
Hybrid entity
A single legal entity that is a covered entity and whose covered functions are not
its primary functions. [45 CFR 160]
Integrity
The property that data has not been altered or destroyed in an unauthorized
manner. [ISO 7498 - 2].
A security principle that keeps information from being modified or otherwise
corrupted either maliciously or accidentally. Integrity protects against forgery or
tampering. [O'Reilly]

The property that an object (health data or information) is modified only in a
specified and authorized manner. [Ball and Collen, 1992]
Data integrity (the accuracy and completeness of the data), program integrity,
system integrity, and network integrity are all relevant to consideration of
computer and system security. [National Research Council, 1991]
Internal Audit
The in-house review of the records of system activity (for example, logins, file
accesses, security incidents) maintained by an organization. [45 CFR 142]
Kerberos
The name given to Project Athena's code authentication service. [Stallings, 1995]
Message authentication codes
A code calculated during encryption and appended to a message. If the message
authentication code calculated during decryption matches the appended code, the
message was not altered during transmission. [O'Reilly, 1992] Sometimes the
acronym "MAC" is used for message authentication code.
Minimum Necessary
The "minimum necessary" policy in the final rule has essentially three
components: first, it does not pertain to certain uses and disclosures including
treatment-related exchange of information among health care providers; second,
for disclosures that are made on a routine and recurring basis, such as insurance
claims, a covered entity is required to have policies and procedures for governing
such exchanges (but the rule does not require a case-by-case determination); and
third, providers must have a process for reviewing non-routine requests on a
case-by-case basis to assure that only the minimum necessary information is
disclosed. [45 CFR 160]
Need to Know Principle
A security principle stating that a user should have access only to the data he or
she needs to perform a particular function. (O'Reilly, 1992, as cited in the HISB
draft Glossary of Terms)
Penetration testing
Penetration testing is a controlled simulation of a "real-world scenario" executed
as a comparative assessment to test the protective capability of a system and its
resources. As such, penetration testing must have clearly defined strategic and
tactical objectives.
Strategic Objective: Strategically, the objective of penetration testing is to identify
and deploy an ongoing service that provides an informed view, backed up with
evidence, that represents the actual state of security of computational facilities,
network services, and levels of employee security awareness.
Tactical Objective: Tactically, the objective is the identification of infiltration
vulnerabilities and the reduction of the associative risk(s) that a penetration team
is capable of exploiting.
Personal identification number
A number or code of some kind that is unique to an individual and can be used to
provide identity. Often used with automatic teller machines and access devices.
[O'Reilly, 1992]
Typically used in connection with automated teller machines to authenticate a
user. [National Research Council, 1991]
Physical security
Protection of physical computer systems and related buildings and equipment
from fire and other natural and environmental hazards, as well as from intrusion.
Also covers the use of locks, keys, and administrative measures used to control
access to computer systems and facilities. [O'Reilly, 1992]
The measures used to provide physical protection of resources against deliberate
and accidental threats. [CORBA Security Services, 1997]
Privacy
"The right to be let alone." See L. Brandeis, S. Warren, "The Right To Privacy,"
"The claim of individuals, groups, or institutions to determine for themselves when,
how, and to what extent information about them is communicated." See A.
Cavoukian, D. Tapscott, "Who Knows: Safeguarding Your Privacy in a Networked
World," Random House (1995).
Research
A systematic investigation, including research development, testing, and
evaluation, designed to develop or contribute to generalizable knowledge. [45
CFR 160]
Risk
The aggregate effect of the likelihood of occurrence of a particular threat with the
degree of vulnerability to that threat and the potential consequences of the impact
to the organization if the threat did occur. [Stallings, 1995]
Risk management
Risk is the possibility of something adverse happening. Risk management is the
process of assessing risk, taking steps to reduce risk to an acceptable level and
maintaining that level of risk.
(NIST Pub. 800-14)
Role
A privilege attribute representing the position or function a user represents in
seeking security authentication. A given human being may play multiple roles and
therefore require multiple role privilege attributes. [CORBA Security Services,
1997]
Role based access
Role-based access control (RBAC) is an alternative to traditional access control
models (e.g., discretionary or non-discretionary access control policies) that
permits the specification and enforcement of enterprise-specific security policies
in a way that maps more naturally to an organization's structure and business
activities. With RBAC, rather than attempting to map an organization's security
policy to a relatively low-level set of technical controls (typically, access control
lists), each user is assigned to one or more predefined roles, each of which has
been assigned the various privileges needed to perform that role. [45 CFR 142]
Safeguards
The protective measures and controls that are prescribed to meet the security
requirements specified for a system. Those safeguards may include, but are not
necessarily limited to: hardware and software security features; operating
procedures; accountability procedures; access and distribution controls;
management constraints; personnel security; and physical structures, areas, and
devices. Also called security controls.
Sanction policy
Organizations must have policies and procedures regarding disciplinary actions
which are communicated to all employees, agents, and contractors, for example,
verbal warning, notice of disciplinary action placed in personnel files, removal of
system privileges, termination of employment, and contract penalties. (ASTM E1869)
In addition to enterprise sanctions, employees, agents, and contractors must be
advised of civil or criminal penalties for misuse or misappropriation of health
information. Employees, agents, and contractors must be made aware that
violations may result in notification to law enforcement officials and regulatory,
accreditation, and licensure organizations. (ASTM)
Security Policy
The framework within which an organization establishes needed levels of
information security to achieve the desired confidentiality goals. A policy is a
statement of information values, protection responsibilities, and organization
commitment for a system. [OTA, 1993]
The American Health Information Management Association recommends that
security policies apply to all employees, medical staff members, volunteers,
students, faculty, independent contractors, and agents. [AHIMA, 1996c] (as cited
in HISB, Draft Glossary of Terms Related to Information Security in Health Care
Information Systems)
Security testing
A process used to determine that the security features of a system are
implemented as designed and that they are adequate for a proposed applications
environment. This process includes hands-on functional testing, penetration
testing, and verification. [Glossary of INFOSEC and INFOSEC Related Terms--
Idaho State University]
Technical security mechanism
The processes that are put in place to guard against unauthorized access to data
that is transmitted over a communications network. [45 CFR 142]
Technical security services
The processes that are put in place (1) to protect information and (2) to control
and monitor individual access to information. [45 CFR 142]
Threat
An action or event that might prejudice security. [ITSEC]
A possible danger to a computer system. See also active threat and passive
threat. [O'Reilly, 1992]
The potential for exploitation of a vulnerability. [National Research Council, 1991]
Tokens
When used in the context of authentication, a physical device necessary for user
identification. [National Research Council, 1991]
A physical item that is used to provide identity. Typically an electronic device that
can be inserted in a door or a computer system to gain access. [O'Reilly, 1992]
Virus
A computer program, typically hidden, that attaches itself to other programs and
has the ability to replicate. In personal computers, "viruses" are generally Trojan
horse programs that are replicated by inadvertent human action and which, when
executed, result in undesired side effects generally unanticipated by the user.
A type of programmed threat. A code fragment (not an independent program) that
reproduces by attaching to another program. It may damage data directly, or it
may degrade system performance by taking over system resources which are
then not available to authorized users. [O'Reilly, 1992]
Code embedded within a program that causes a copy of itself to be inserted in
one or more other programs. In addition to propagation, the virus usually
performs some unwanted function. [Stallings, 1995]
Vulnerability
A security weakness due to failures in analysis, design, implementation, or
operation. [ITSEC]
A weakness in a system that can be exploited to violate the system's intended
behavior. There may be security, integrity, availability, and other vulnerabilities.
The act of exploiting vulnerability represents a threat, which has an associated
risk of being exploited. [National Research Council, 1991]
Workforce
Employees, volunteers, trainees, and other persons under the direct control of a
covered entity, whether or not they are paid by the covered entity. [45 CFR
160.103]
Any person engaged in providing services, administrative support or direction to
those providing services to clients of an Academic Medical Center. This includes
employees of the AMC, professional providers who are given professional
privileges to practice in the AMC, volunteers, students and professionals engaged
in training and supervised under a sanctioned program recognized by the AMC,
the Board of Governors and Directors (or analogous body) and executives
managing the affairs of the AMC.
Workforce Member
A person belonging to the workforce. Clarified by "If there is no business
associate contract, we assume the person is a member of the covered entity's
workforce. We note that independent contractors may or may not be workforce
members. However, for compliance purposes we will assume that such
personnel are members of the workforce if no business associate contract exists."
[45 CFR 160]
See Workforce.