

Availability: Ensuring timely and reliable access to and use of information.

Breach: The unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Contingency Plan: A formal document that establishes continuity of operations processes in case of a disaster. It includes names of responsible parties to be contacted, data to be restored, and location of such data. Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.

Covered Entity: Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. IHS is a covered entity.

De-identified Protected Health Information: Any information about a patient that does not identify the patient and with respect to which there is no reasonable basis to believe that the information can be used to identify the patient.

Designated Record Set: "Designated Record Set" shall mean (1) a group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider, (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Electronic Health Record: "Electronic Health Record" shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Individual: The person who is the subject of protected health information.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Limited Data Set: Set of data that may be used for research, public health or health care operations without an authorization or waiver of authorization. The limited data set is defined as PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual: names; postal address information (other than town or city, State and zip code); telephone and FAX numbers; electronic mail addresses; SSN; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web universal resource locators (URLs); internet protocol (IP) address; biometric identifiers, including finger and voice prints; full face photos, and comparable images.

Privacy Rule: "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.

Protected Health Information: Individually identifiable health information transmitted or maintained in any form.

Required By Law: A mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law.

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.

Secretary: "Secretary" in IHS usually refers to the Secretary of the United States Department of Health and Human Services or his/her designee.

Sensitive Information: Information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under The Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA).

System Security Plan: Formal document that provides an overview of the security requirements of the information system and describes the security controls in place or planned for meeting those requirements.