Access Control

Access Control (AC) policies are high-level requirements that specify how access is managed and who, under what circumstances, may access what information. While AC policies can be application-specific and thus taken into consideration by the application vendor, policies are just as likely to pertain to user actions within the context of an organizational unit or across organizational boundaries. For instance, policies may pertain to resource usage within or across organizational units or may be based on need-to-know, competence, authority, obligation, or conflict-of-interest factors. Such policies may span multiple computing platforms and applications.[NIST-IR-7316]


An evaluative process in which a organization undergoes an examination of its policies, procedures, and performance by an external organization ("accrediting body") to ensure that it is meeting predetermined criteria. It usually involves both on- and off-site surveys.

Being accredited means that a facility or organization has met certain quality standards. These standards are set by private, nationally recognized groups that check on the quality of care at health care facilities and organizations.

 Organizations that accredit Medicare Managed Care Plans include the National Committee for Quality Assurance, the Joint Commission on Accreditation of Healthcare Organizations, and the American Accreditation Health Care Commission/URAC.

Actuarially Sound

The federal statutory standard to which capitation payments made by state Medicaid programs under risk contracts to managed care organizations (MCOs) are held. See Capitation Payment, MCO, Risk Contract.

Adequate Security

Security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls. (NIST 800-37)


An asset is something that has value to a business. An asset extends beyond physical items to include people, information, reputation, intellectual property (IP), and software.

Asset Management

Obtaining and updating an accurate inventory of all IT assets, including the discovery of security gaps related to the asset operations and configuration. Asset management also involves enforcing security requirements to address identified security gaps.

A“Tier” Drugs

A specific list of prescription drugs that are part of a health plan formulary. Patient copayments may be linked to tier in what is called tier pricing.


The end result of the SOC 2 audit. The SOC 2 report is an attestation report (not a certification). For example, the SOC 2 auditor will attest those controls have been appropriately designed.

Breach Notification Rule

The HIPAA Breach Notification Rule requires companies to notify patients when their PHI is impermissibly used or disclosed (or “breached”).

Business Associates

Business Associates under HIPAA are any individual, organization, or agency that performs certain functions that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity (ex: SaaS platforms, IT contractors, cloud storage, CPA firms).


An Entity that is certified to be contracted to and OSC to provide consultative advice OR certified assessments.  (CMMC-AB)


The end result of a process and granted by one of a handful of certifying organizations.


A specific procedure or protocol that is in place to address a risk. Controls have an owner, an action and can have a time frame.  We wrote a great blog about controls, check it out!

Control Inheritance

A situation in which a system or application receives protection from controls (or portions of controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides.

Control Mapping

The activity of applying your relevant controls to a framework such as SOC 2, ISO 27001, HIPAA, NIST, or even regulations such as CCPA and GDPR.

Corrective Action

The activities that are undertaken by the organization to get a nonconformity back into conformance.


An attack is an attempt by malicious criminals to compromise an asset by destroying, altering, or gaining unauthorized access. A cyber attack will trigger the Incident Response Policy of your organization.


The nuts-and-bolts practices that protect networks from threats that come over the internet. A subset of IT Security.

Electronic Protected Health Information (ePHI)

Defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. ePHI includes any of the 18 distinct demographics that can be used to identify a patient.  ePHI is also a subset of data that is part of the MARSe CMS Framework.


The set of objectives, principles, and requirements that comprise a certification or attestation requirement.


Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Reinforcement of compliance for business associates of covered entities to HIPAA.


Health Insurance Portability and Accountability Act of 1996(HIPAA). A Federal law to enforce privacy and security of electronic patient health information (ePHI) for covered entities and their business associates from being disclosed without the patient's consent or knowledge.

Information Asset

Information or data that is of value to an organization. Examples include patient records, employees’ information, intellectual property, and company data.

Information Security

Measures, procedures, processes, and technologies that businesses deploy to ensure the confidentiality, integrity, and availability of information.

Information Security Incident

A suspected, attempted, successful, or imminent threat of unauthorized access, modification, use, disclosure, or destruction of information assets. Information security incident also refers to interference with information technology operation or violation of acceptable use policy. An Incident Response policy and plan are required as part of the NIST 800-53Framework.

Information Security Management System (ISMS)

A formal security program that is continuously improved upon, refined, and monitored.  

ISO (International Standards Organization)

An international body that creates, maintains, and publishes frameworks that include everything from quality assurance to data privacy.

ISO IEC 27001:2013

This is the official name of the current ISO 27001framework. The framework provides guidance and controls to establish and maintain an information security management system.

IT Security

IT security refers to the practices that an organization puts in place to secure data. The goal is to ensure the confidentiality ,availability and integrity of company information. Often seen interchangeably with Information Security.

Privacy Rule

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.


A scenario that leads to an unexpected outcome. Often composed of threats or vulnerabilities to assets or a ‘what could go wrong’ statement

Security Rule

The foundation to ensure integrity, confidentiality, and security of ePHI.


System Organization Controls. A set of reports where CPAs form an opinion (or attest) on controls.

 SOC 1 - For services that impact financial reporting

 SOC 2 - For IT systems that process data

 SOC 3 - A public facing SOC 2 report.

 Test Exception

An anomaly in the design or operation of a control found bythe auditor. Something to avoid, but often unavoidable.


A potential cause of an incident that may result in a breachof information security or compromise of operations.