HITCM-PP Study Guide
Glossary of Terms & Acronyms
This page correlates with the HITCM-PP Study Guide, formally titled: Fundamentals of Health Information Technology Management for Physician Practices and Ambulatory Health Service Organizations, 6th Edition (Released August 1, 2024)
Learn more about the HITCM-PP credential and exam qualifications at https://my.pahcom.com/hit
Thank you for continuing your education and for staying on top of your profession!
Access Control
AC
Procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices, or physical access to a controlled space.
Accountable Care Organization
ACA
The comprehensive health care reform law enacted in March 2010 (sometimes known as ACA, PPACA, or “Obamacare”).
The law has 3 primary goals:
Make affordable health insurance available to more people. The law provides consumers with subsidies (premium tax credits) that lower costs for households with incomes between 100% and 400% of the federal poverty level (FPL). Note: If your income is above 400% FPL, you may still qualify for the premium tax credit in 2021.
Expand the Medicaid program to cover all adults with income below 138% of the FPL. (Not all states have expanded their Medicaid programs.)
Support innovative medical care delivery methods designed to lower the costs of health care generally.
Advanced Alternative Payment Models
APMs
Alternative Payment Models, such as those tested by the CMS Innovation Center, reward health care providers for delivering high-quality and coordinated care. APMs can apply to a specific health condition (like end-stage renal disease), care episode (like joint replacement), provider type (like primary care providers), community (like rural areas), or innovation within Medicare Advantage, Medicare Part D, or Medicaid.
Agency for Healthcare Research and Quality
AHRQ
The Agency for Healthcare Research and Quality's (AHRQ) mission is to produce evidence to make health care safer, higher quality, more accessible, equitable, and affordable, and to work within the U.S. Department of Health and Human Services and with other partners to make sure that the evidence is understood and used. We accomplish our mission by focusing on our three core competencies.
Alternative Payment Model Performance Pathway
APP
The APM Performance Pathway (APP) is an optional MIPS reporting and scoring pathway for MIPS eligible clinicians who are also participants in MIPS APMs. Performance is measured across 3 areas - quality, improvement activities, and Promoting Interoperability.
American Academy of Family Physicians
AAFP
A physician organization whose mission is to strengthen family physicians and the communities they care for. Built on decades of proven representation, leadership, and advocacy, we support our members and the specialty with high standards and dynamic opportunities.
American Health Information Management Association
AHIMA
AHIMA educates health information professionals to ensure the patient stays connected to their data throughout the healthcare process.
American National Standards Institute
ANSI
ANSI's mission is to enhance both the global competitiveness of U.S. business and the U.S. quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems and safeguarding their integrity.
American Public Health Association
APHA
APHA champions the health of all people and all communities. We are the only organization that combines a 150-year perspective, a broad-based member community and the ability to influence policy to improve the public's health.
American Recovery and Reinvestment Act of 2009
ARRA
The American Recovery and Reinvestment Act of 2009 was signed into law by President Obama on February 17th, 2009. It is an unprecedented effort to jumpstart our economy, create or save millions of jobs, and put a down payment on addressing long-neglected challenges so our country can thrive in the 21st century. The Act is an extraordinary response to a crisis unlike any since the Great Depression, and includes measures to modernize our nation's infrastructure, enhance energy independence, expand educational opportunities, preserve and improve affordable health care, provide tax relief, and protect those in greatest need.
Application
App
An application program (application or app for short) is a computer program designed to carry out a specific task other than one relating to the operation of the computer itself, typically to be used by end-users.
Application Program Interface
API
An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. An API is often made up of different parts which act as tools or services that are available to the programmer.
Application Service Provider
ASP
An application service provider (ASP) is a business providing computer-based services to customers over a network, such as access to a particular software application (such as customer relationship management) using a standard protocol (such as HTTP).
Armed Forces Health Longitudinal Technology Application
AHLTA
U.S. military electronic health record (EHR) system
Artificial Intelligence
AI
Artificial intelligence (AI) is intelligence demonstrated by machines, as opposed to natural intelligence displayed by animals including humans. As machines become increasingly capable, tasks considered to require "intelligence" are often removed from the definition of AI, a phenomenon known as the AI effect.
Assistant Secretary for Preparedness and Response
ASPR
ASPR lies within the U.S. Department of Health and Human Services (HHS) and leads the Administration for Strategic Preparedness and Response and serves as the Secretary’s principal advisor on public health emergencies. This organization leads the nation in preventing, responding to, and recovering from the adverse health effects of man-made and naturally occurring disasters.
Assistant Secretary for Technology Policy
ASTP
As the nation’s health IT coordinator, the Office of the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health IT (hereafter referred to as ASTP) has a duty to ensure standards are in place that support federal policy goals and enable developers to create interoperable health IT products. Our commitment to the development and adoption of health care standards includes a series of cooperative agreements between ASTP and Health Level Seven International® (HL7®) that began in 2015. This collaboration has supported the development and growth of crucial health IT standards incorporated by ASTP regulations and the ONC Health IT Certification Program (Certification Program), as well as tooling and resources for HL7’s standards development community.
Association of State and Territorial Health Officials
ASTHO
ASTHO is the national nonprofit organization representing public health agencies in the United States, the U.S. Territories, and the District of Columbia, and over 100,000 public health professionals these agencies employ. ASTHO members, the chief health officials of these jurisdictions, formulate and influence sound public health policy and ensure excellence in state-based public health practice. ASTHO's primary function is to track, evaluate, and advise members on the impact and formation of public or private health policy which may affect them and to provide them with guidance and technical assistance on improving the nation's health.
Audit and Accountability
AU
Provides procedures for Audit and Accountability, as per the NIST Special Publication 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.
Bi-directional Health Information Exchange
BHIE
BHIE is a joint information technology data exchange initiative between the DoD and VA, allowing clinicians from both agencies to view electronic health care data from each other’s systems, VA’s Computerized Patient Record System and DoD’s Composite Health Care System.
Biosurveillance
BSV
Biosurveillance primarily focuses on developing effective surveillance, prevention, and operational capabilities for detecting and countering biological threats. S&T takes a system-level approach to integrating information into surveillance architectures, developing and testing advanced detection systems, and implementing a cross-domain focus on biological, chemical, and agricultural threats.
Body Area Networks
BANs
BAN is a technology that allows communication between ultra-small and ultra-low-power intelligent sensors/devices that are located on the body surface or implanted inside the body.
Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Business Associate Agreement
BAA
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Process Model
BPM
A business process model is a graphical representation of a business process or workflow and its related sub-processes. Process modeling generates comprehensive, quantitative activity diagrams and flowcharts containing critical insights into the functioning of a given process.
Calendar Year
CY
A period of a year beginning and ending with the dates that are conventionally accepted as marking the beginning and end of a numbered year.
Centers for Disease Control
CDC
The Centers for Disease Control and Prevention is the national public health agency of the United States. It is a United States federal agency, under the Department of Health and Human Services, and is headquartered in Atlanta, Georgia.
Centers for Medicare and Medicaid Services
CMS
The Centers for Medicare & Medicaid Services (CMS) is a federal agency within the United States Department of Health and Human Services (HHS) that administers the Medicare program and works in partnership with state governments to administer Medicaid, the Children's Health Insurance Program (CHIP), and health insurance portability standards. In addition to these programs, CMS has other responsibilities, including the administrative simplification standards from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), quality standards in long-term care facilities (more commonly referred to as nursing homes) through its survey and certification process, clinical laboratory quality standards under the Clinical Laboratory Improvement Amendments, and oversight of HealthCare.gov. CMS was previously known as the Health Care Financing Administration (HCFA) until 2001.
Certification Commission for Healthcare Information Technology
CCHIT
The Certification Commission for Health Information Technology (CCHIT) is an independent, not-for-profit group focused on advancing health information technology. Its goal is to create credible, efficient, and sustainable certification programs for electronic health records (EHRs) and the networks they use.
Certified Electronic Health Record Technology
CEHRT
To efficiently capture and share patient data, health care providers need certified electronic health record (EHR) technology (CEHRT) that stores data in a structured format.
Certified Information Security Systems Professional
CISSP
CISSP is an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)². As of January 2022 there are 152,632 (ISC)² members holding the CISSP certification worldwide.
Certified Health IT Product List
CHPL
CHPL is a comprehensive and authoritative listing of all certified health information technology that has been successfully tested and certified by the ONC Health IT Certification Program.
Certified Medical Manager
CMM
The CMM Credential validates knowledge of the Nine Domains of Medical Practice Administration and recognizes the knowledge, skills, and abilities required to manage physician practices and ambulatory service centers in increasingly complex environments. CMMs work as critical links between providers, patients, staff, and payers.
Clinician & Group Consumer Assessment of Health care Providers Survey
CG-CAHPS
CG-CAHPS asks patients to report on their experiences with providers and staff in primary care and specialty care settings. Survey results can be used to:
Determine the need for improvement activities and evaluate the impact of those efforts.
Monitor the performance of physician practices and groups and reward them for high-quality care.
Equip consumers with information they can use to choose physicians and other healthcare providers, physician practices, or medical groups.
Chief Information Officer
CIO
The CIO’s role at their agency is to enable the organization’s mission through the effective use of information resources and information technology. As technology has become increasingly entwined with the daily functions of the Federal Government, the CIO’s role has been expanded.
Chief Information Security Officer
CISO
The agency CISO plays a key role in working with the agency CIO to ensure information security requirements are properly implemented. In most cases, the agency’s internal policies delegate management of the agency’s information to the CIO, who has the authority under FISMA to delegate tasks related to information security to the agency CISO. FISMA does not instruct agencies on how to develop or maintain their information security programs; it simply lists agencies’ information security responsibilities. As a result, no two CISO roles are the same. Some CISOs are responsible for all information security tasks at their agency, while others work with separate operations centers or take on tasks outside of information security to help with organizational priorities. Although FISMA allows for these nuances, CIOs and CISOs are ultimately statutorily responsible for information security, so they must be aware of the range of information security responsibilities assigned to agencies.
Children’s Health Insurance Program
CHIP
Insurance program that provides low-cost health coverage to children in families that earn too much money to qualify for Medicaid but not enough to buy private insurance. In some states, CHIP covers pregnant women.
Each state offers CHIP coverage and works closely with its state Medicaid program. You can apply any time. If you qualify, your coverage can begin immediately, any time of year.
Chronic Care
CC
Chronic care refers to medical care which addresses pre-existing or long-term illness, as opposed to acute care which is concerned with short term or severe illness of brief duration.
Chronic Care Management
CCM
CCM is care coordination services performed outside of the regular office visit for patients with two or more chronic conditions expected to last at least 12 months or until the death of the patient, and that place the patient at significant risk of death, acute exacerbation/decompensation, or functional decline. These services allow eligible practitioners to bill for at least 20 minutes or more of care coordination services per month.
Chronic Disease Management
CDM
CDM is an integrated care approach to managing illness which includes screenings, check-ups, monitoring and coordinating treatment, and patient education. It can improve patients' quality of life while reducing their health care costs by preventing or minimizing the effects of a disease.
Clinical Data Interchange Standards Consortium
CDISC
We develop and advance data standards of the highest quality to transform incompatible formats, inconsistent methodologies, and diverse perspectives into a powerful framework for generating clinical research data that is as accessible as it is illuminating.
Clinical Decision Support
CDS
Clinical decision support (CDS) provides clinicians, staff, patients or other individuals with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and health care. CDS encompasses a variety of tools to enhance decision-making in the clinical workflow. These tools include computerized alerts and reminders to care providers and patients; clinical guidelines; condition-specific order sets; focused patient data reports and summaries; documentation templates; diagnostic support, and contextually relevant reference information, among other tools.
Clinical Document Architecture
CDA
The HL7 Clinical Document Architecture (CDA) is an XML-based markup standard intended to specify the encoding, structure, and semantics of clinical documents for exchange. In November 2000, HL7 published Release 1.0. The organization published Release 2.0 with its "2005 Normative Edition."
Clinical Integration Networks
CIN
A CIN is a collaboration among multiple physicians and other health care providers. It typically covers a wide range of specialties and is designed to enhance the quality and efficiency of care delivery.
Clinical Quality Measures
CQMs
CQMs are tools that help measure or quantify healthcare processes, outcomes, patient perceptions, and organizational structure and/or systems that are associated with the ability to provide high-quality health care.
College of Healthcare Information Management Executives
CHIME
The College of Healthcare Information Management Executives (CHIME) is the professional organization for Chief Information Officers and other senior healthcare IT leaders. CHIME enables its members and business partners to collaborate, exchange ideas, develop professionally and advocate the effective use of information management to improve the health and care throughout the communities they serve.
Commercial Off-the-Shelf
COTS
Software and hardware that already exists and is available from commercial sources. It is also referred to as off-the-shelf.
Community Health Center
CHC
The community health center (CHC) in the United States is the dominant model for providing integrated primary care and public health services for the low-income and uninsured, and represents one use of federal grant funding as part of the country's health care safety net.
Competitive Risk
Competitive risk is the risk arising from the fact that there are often competing companies in a market, each of which seeks to obtain the highest market position and consumer ratings in order to gain maximum benefit for itself.
Compliance Risk
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture, and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Compliance risk is also known as integrity risk.
Computerized Physician Order Entry
CPOE
Computerized provider order entry (CPOE) refers to the process of providers entering and sending treatment instructions – including medication, laboratory, and radiology orders – via a computer application rather than paper, fax, or telephone.
Concept of Operations
CONOPS
A concept of operations (CONOPS) is a document describing the characteristics of a proposed system from the viewpoint of an individual who will use that system.
CONNECT
CONNECT
CONNECT is a software solution that facilitates the exchange of healthcare information at both the local and national level. CONNECT leverages eHealth Exchange standards and governance and Direct Project specifications to help drive interoperability across health information exchanges throughout the country. Initially developed by federal agencies to support specific healthcare-related missions, CONNECT is now available to all organizations as downloadable open-source software.
Consolidated Clinical Document Architecture
C-CDA
A base standard which provides a common architecture, coding, semantic framework, and markup language for the creation of electronic clinical documents. CDA defines building blocks which can be used to contain healthcare data elements that can be captured, stored, accessed, displayed, and transmitted electronically for use and reuse in many formats. CDA DOES NOT specify how documents are transported, simply how critical data elements should be encoded for exchange and interoperability. To help simplify implementations, commonly used templates were harmonized from existing CDA implementation guides and “consolidated” into a single implementation guide – the C-CDA Implementation Guide (IG).
Consolidated Clinical Document Architecture Implementation Guide
C-CDA-IG
The Consolidated CDA (C-CDA) implementation guide contains a library of CDA templates, incorporating and harmonizing previous efforts from Health Level Seven (HL7), Integrating the Healthcare Enterprise (IHE), and Health Information Technology Standards Panel (HITSP). It represents harmonization of the HL7 Health Story guides, HITSP C32, related components of IHE Patient Care Coordination (IHE PCC), and Continuity of Care (CCD).
Consolidated Health Informatics (CHI) Initiative
CHI
One of the 24 Presidential eGovernment initiatives with the goal of adopting vocabulary and messaging standards to facilitate communication of clinical information across the federal health enterprise. CHI now falls under FHA.
Continuity of Care Document
CCD
The Continuity of Care Document (CCD) is a joint effort of HL7 International and ASTM. CCD fosters interoperability of clinical data by allowing physicians to send electronic medical information to other providers without loss of meaning and enabling improvement of patient care. CCD is an implementation guide for sharing Continuity of Care Record (CCR) patient summary data using the HL7 Version 3 Clinical Document Architecture (CDA), Release 2. CCD establishes a rich set of templates representing the typical sections of a summary record and expresses these templates as constraints on CDA. These same templates for vital signs, family history, plan of care, and so on can then be reused in other CDA document types, establishing interoperability across a wide range of clinical use cases.
Continuity of Care Record
CCR
Organized and transportable core data set of most relevant and timely facts about a patient’s health information and healthcare. Designed for all clinical care referrals/transfers. Technology neutral and vendor neutral. Offered on XML platform to allow variety of presentations. Exchanges most relevant and timely clinical information about a patient among providers, institutions, or others.
Council of State and Territorial Epidemiologists
CSTE
CSTE works to advance public health policy and increase epidemiologic capacity. We also provide information, education, training, and developmental support of practicing epidemiologists in a range of areas, as well as expertise for program and surveillance efforts.
Covered Entities
CE
Covered entities (CE) are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Critical Access Hospital
CAH
A CAH is a designation given to eligible rural hospitals by the Centers for Medicare & Medicaid Services, designed to reduce the financial vulnerability of rural hospitals and improve access to healthcare. Eligible hospitals must have 25 or fewer acute care inpatient beds, be located more than 35 miles from another hospital, maintain an average length of stay of 96 hours or less for acute care patients, and provide 24/7 emergency care services.
Current Assessment, Exposure Rating
A calculation of the probability of risk exposure based on the likelihood estimate and the determined benefits or consequences of the risk. Throughout this report, the combination of impact and likelihood is referred to as exposure. Other common frameworks use different terms for this combination, such as level of risk (e.g., ISO 31000, NIST SP 800-30 Rev. 1). On the first iteration of the risk cycle, this may also be considered the initial assessment.
Current Assessment, Impact
Analysis of the potential benefits or consequences that might result from this scenario if no additional response is provided. On the first iteration of the risk cycle, this may also be considered the initial assessment.
Current Assessment, Likelihood
An estimation of the probability, before any risk response, that this scenario will occur. On the first iteration of the risk cycle, this may also be considered the initial assessment.
Current Procedural Terminology
CPT®
Current procedural terminology (CPT) is a set of codes, descriptions, and guidelines intended to describe procedures and services performed by physicians and other health care providers. Each procedure or service is identified with a five-digit code.
Customer Relationship Management
CRM
Customer relationship management (CRM) solutions tailored for patient relationship management provide CRM for health care. These systems tailored for healthcare are sometimes called “patient relationship management” (PRM) platforms. These solutions, used by health systems, Accountable Care Organizations (ACOs), and care management organizations, enable providers, care managers, and other stakeholders to securely communicate with each other and provide access to shared patient health information.
Cybersecurity
Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.
Cybersecurity Act of 2015
CSA
On December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015. The Act, arguably the most significant piece of federal cyber-related legislation enacted to date, establishes a mechanism for cybersecurity information sharing among private-sector and federal government entities.
Cybersecurity Act of 2015 Section 405(d)
405(d)
The 405(d) Program and Task Group is a collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector.
Cybersecurity and Infrastructure Security Agency
CISA
The Cybersecurity and Infrastructure Security Agency (CISA) works with partners to defend against today’s threats and collaborates with industry to build more secure and resilient infrastructure for the future. CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure.
Cybersecurity Framework
CSF
The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
Cybersecurity Practices
CSPs
10 practices listed in the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition) to address the five threats that are identified in this government document.
Data Breach
A data breach is an occurrence or disclosure of confidential information, access to confidential information, destruction of data assets, or abusive use of a private IT environment.
Data Loss Prevention
DLP
Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. The terms "data loss" and "data leak" are related and are often used interchangeably.
Data use and reciprocal support agreement
DURSA
The DURSA is a comprehensive, multi-party trust agreement that is entered into voluntarily by public and private organizations (eHealth Exchange participants) that desire to engage in electronic health information exchange with each other as part of eHealth Exchange.
Decision Support System
DSS
A decision support system (DSS) is an information system that supports business or organizational decision-making activities. DSSs serve the management, operations, and planning levels of an organization (usually mid and higher management) and help people make decisions about problems that may be rapidly changing and not easily specified in advance—i.e., unstructured and semi-structured decision problems.
Department of Defense
DoD
The Department of Defense provides the military forces needed to deter war and ensure our nation's security.
Department of Health and Human Services
HHS
DHHS
The U.S. Department of Health and Human Services is a cabinet-level executive branch department of the U.S. federal government created to protect the health of all Americans and provide essential human services. Its motto is "Improving the health, safety, and well-being of America". The mission of the U.S. Department of Health and Human Services (HHS) is to enhance the health and well-being of all Americans, by providing for effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health, and social services.
Department of Homeland Security
DHS
The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. This requires the dedication of more than 240,000 employees in jobs that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. Our duties are wide-ranging, and our goal is clear - keeping America safe.
Digital Footprint
Footprint of digital information left behind by a user’s online activity.
Digital Imaging and Communications in Medicine
DICOM
DICOM® — Digital Imaging and Communications in Medicine — is the international standard for medical images and related information. It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use.
Digital Subscriber Lines
DSL
DSL is a networking technology that provides broadband (high-speed) Internet connections over conventional telephone lines.
Disease Management
DM
Disease management is defined as a system of coordinated healthcare interventions and communications for populations with conditions in which patient self-care efforts are significant.
Distributed Denial of Service
DDoS
DDoS is an attack which attempts to block access to and use of a resource. It is a violation of availability. DDoS is a variation of the DoS attack and can include flooding attacks, connection exhaustion, and resource demand.
Domain Name System
DNS
The Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks.
E-Government
E-GOV
The Office of E-Government and Information Technology (E-Gov), headed by the Federal Government’s Chief Information Officer (CIO), develops and provides direction in the use of Internet-based technologies to make it easier for citizens and businesses to interact with the Federal Government, save taxpayer dollars, and streamline citizen participation.
Electromagnetic Interference
EMI
EMI is unwanted electromagnetic energy, radiated or conducted, that disturbs the operation of electronic equipment or corrupts the signals on cables. EMI shielding refers to the reflection and/or absorption of electromagnetic radiation by a material, which thereby acts as a shield against the penetration of the radiation.
Electronic Clinical Quality Improvement
eCQI
Electronic clinical quality improvement (eCQI) is the use of health information technology, that is, the functionality and data in an electronic health record and/or other health IT, along with clinical best practices, to support, leverage, and advance quality improvement initiatives.
Electronic Clinical Quality Measures
eCQM
Electronic clinical quality measures (eCQMs) are tools that help measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider's electronic health record (EHR). Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care.
Electronic Health Record
EHR
An Electronic Health Record (EHR) is an electronic version of a patient’s medical history, that is maintained by the provider over time, and may include all the key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates access to information and has the potential to streamline the clinician's workflow. The EHR also could support other care-related activities directly or indirectly through various interfaces, including evidence-based decision support, quality management, and outcomes reporting.
Electronic Lab Reporting
ELR
Electronic Laboratory Reporting (ELR) for public health is the transmission of digital laboratory reports, often from laboratories to state and local public health departments, healthcare systems, and CDC.
Electronic Prescribing
eRX
E-prescribing is a prescriber's ability to electronically send an accurate, error-free, and understandable prescription directly to a pharmacy from the point of care, and is an important element in improving the quality of patient care. The inclusion of electronic prescribing in the Medicare Modernization Act (MMA) of 2003 gave momentum to the movement, and the July 2006 Institute of Medicine report on the role of e-prescribing in reducing medication errors received widespread publicity, helping to build awareness of e-prescribing's role in enhancing patient safety. Adopting the standards that facilitate e-prescribing is one of the key action items in the government's plan to expedite the adoption of electronic medical records and build a national electronic health information infrastructure in the United States.
Eligible Professionals
EPs
A Medicare EP is a doctor of medicine or osteopathy, a doctor of dental surgery or dental medicine, a doctor of podiatric medicine, a doctor of optometry, or a chiropractor, who is legally authorized to practice under state law. A qualifying EP is one who successfully demonstrates meaningful use for the EHR reporting period.
Encryption
Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.
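The last sentence of that definition is the one practitioners most often overlook: a ciphertext that cannot be read can still be altered. The added example below (not from the study guide) shows this with a stream cipher built, for dependency-free illustration only, from HMAC-SHA256 in counter mode; that keystream construction is an assumption of the example, not a recommended cipher, and real systems should use a vetted authenticated cipher such as AES-GCM. The first half flips ciphertext bits without knowing the key and changes a payment amount; the second half adds an encrypt-then-MAC tag so the same interference is detected before decryption.

```python
"""Added example: encryption hides content but does not stop interference;
a MAC over the ciphertext does. Keystream construction is a toy (assumption)."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce, ct, tag(mac_key, nonce, ct)


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, t: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    if not hmac.compare_digest(tag(mac_key, nonce, ct), t):
        raise ValueError("integrity check failed: ciphertext or nonce was modified")
    return decrypt(enc_key, nonce, ct)


def tamper(ciphertext: bytes, offset: int, old: str, new: str) -> bytes:
    """Attacker step: with no key, XOR in the bits that turn `old` into `new` at `offset`."""
    ct = bytearray(ciphertext)
    ct[offset] ^= ord(old) ^ ord(new)
    return bytes(ct)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"TRANSFER AMOUNT=0100 TO=ACCT42"   # constructed message
    pos = msg.index(b"0100")
    # 1. Confidentiality only: the interceptor cannot read the message ...
    nonce = os.urandom(16)
    ct = encrypt(enc_key, nonce, msg)
    # ... but can still interfere: one XOR turns 0100 into 9100 after decryption.
    forged_plain = decrypt(enc_key, nonce, tamper(ct, pos, "0", "9"))
    # 2. Encrypt-then-MAC: the same interference is rejected before decryption.
    n2, ct2, t2 = seal(enc_key, mac_key, msg)
    try:
        open_sealed(enc_key, mac_key, n2, tamper(ct2, pos, "0", "9"), t2)
        detected = False
    except ValueError:
        detected = True
    return forged_plain, detected


if __name__ == "__main__":
    print(demo())
```

The attacker in the first half needs only to know where the amount sits in the message, which is usually easy to guess from a fixed format. This is why "encrypted" alone is not a sufficient answer when an auditor asks how ePHI in transit is protected: the transport (TLS, or an authenticated cipher mode) must also guarantee integrity.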
Endpoint Detection & Response
EDR
Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" (e.g., mobile phone, laptop, Internet-of-Things device) to mitigate malicious cyber threats.
Enterprise
An organization that coordinates the operation of one or more processing sites.
Enterprise Architecture
EA
A strategic resource that aligns business and technology, leverages shared assets, builds internal and external partnerships, and optimizes the value of information technology services.
Enterprise Risk Management
ERM
ERM includes traditional aspects of risk management including patient safety and medical liability and expands them with a “big picture” approach to risk across the organization.
Evidence-Based Medicine
EBM
Evidence-based medicine (EBM) is "the conscientious, explicit and judicious use of current best evidence in making decisions about the care of individual patients". The aim of EBM is to integrate the experience of the clinician, the values of the patient, and the best available scientific information to guide decision-making about clinical management.
Fast Healthcare Interoperability Resources
FHIR
A standard for exchanging healthcare information electronically and to support automated clinical decision support and other machine-based processing in a structured and standardized manner.
Federal Health Architecture
FHA
A collaborative body composed of several federal departments and agencies, including the Department of Health and Human Services (HHS), the Department of Homeland Security (DHS), the Department of Veterans Affairs (VA), the Environmental Protection Agency (EPA), the United States Department of Agriculture (USDA), the Department of Defense (DoD), and the Department of Energy (DOE). FHA provides a framework for linking health business processes to technology solutions and standards and for demonstrating how these solutions achieve improved health performance outcomes.
Federal Information Security Modernization Act
FISMA
The Federal Information Security Modernization Act of 2014 (FISMA), which updated the Federal Information Security Management Act of 2002, is United States legislation that defines a framework of guidelines and security standards to protect federal government information and operations. It requires federal agencies to develop, document, and implement agency-wide information security programs, following standards and guidelines issued by NIST.
Federally Qualified Health Centers
FQHC
FQHCs are safety net providers that typically deliver services from an outpatient clinic. Section 1861(aa) of the Social Security Act (SSA) allows additional FQHC Medicare payments.
FQHCs include:
- Community health centers
- Migrant health centers
- Health care for the homeless health centers
- Public housing primary care centers
- Health center program “look-alikes”
- Outpatient health programs or facilities operated by a tribe, tribal organization, or urban Indian organization
Federal Trade Commission
FTC
FTC works to prevent fraudulent, deceptive, and unfair business practices. FTC also provides information to help consumers spot, stop, and avoid scams and fraud.
Firewall
Firewall originally referred to a fireproof wall built to stop fire spreading from one room or building to the next. In computing, a firewall is a network security control (hardware, software, or both) placed between network segments, for example between a practice's internal network and the Internet, that permits or blocks traffic according to a configured policy based on attributes such as source and destination address, protocol, and port. It limits what can reach a system from outside; a basic packet-filtering firewall does not inspect files for viruses, which is the job of anti-malware and EDR tools.
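As an added example (not from the study guide), here is a minimal stateless packet filter that shows what a firewall policy actually is: an ordered list of rules matched on address, protocol and port, where the first match wins and anything unmatched is dropped. The practice network layout, addresses and rules are constructed assumptions.

```python
"""Added example: first-match packet filter with default deny. The policy and
addresses are constructed assumptions for a small practice network."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); nothing matched -> default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed policy (assumption): 10.20.0.0/16 is the practice LAN, 10.20.1.0/24 the
# IT admin subnet, 10.20.5.10 the EHR server, 10.20.0.53 the internal DNS resolver.
# Order matters: the admin RDP allow must precede the catch-all RDP deny.
POLICY = [
    Rule("allow", "tcp", "10.20.1.0/24", "10.20.5.10/32", 3389),  # admins may RDP to the EHR
    Rule("deny",  "any", "0.0.0.0/0",    "10.20.5.10/32", 3389),  # nobody else may
    Rule("allow", "tcp", "10.20.0.0/16", "10.20.5.10/32", 443),   # clinic workstations use HTTPS
    Rule("allow", "udp", "10.20.0.0/16", "10.20.0.53/32", 53),    # internal DNS
]


def check(proto: str, src: str, dst: str, dport: Optional[int]):
    """Evaluate one packet against the constructed policy."""
    return evaluate(POLICY, Packet(proto, src, dst, dport))


if __name__ == "__main__":
    print(check("tcp", "10.20.1.5", "10.20.5.10", 3389))    # admin RDP: allowed by rule 0
    print(check("tcp", "203.0.113.5", "10.20.5.10", 443))   # Internet host: no rule, default deny
```

Two points a practice manager should take from this: the policy is only as safe as its ordering (swap the first two rules and the administrators lose RDP as well), and the implicit final deny is what makes the list a whitelist rather than a blacklist.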
Food and Drug Administration
FDA
The Food and Drug Administration is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices; and by ensuring the safety of our nation's food supply, cosmetics, and products that emit radiation. FDA also plays a significant role in the Nation's counterterrorism capability. FDA fulfills this responsibility by ensuring the security of the food supply and by fostering development of medical products to respond to deliberate and naturally emerging public health threats.
Government Accountability Office
GAO
The Government Accountability Office (GAO) is known as "the investigative arm of Congress" and "the congressional watchdog." GAO supports the Congress in meeting its constitutional responsibilities and helps improve the performance and accountability of the federal government for the benefit of the American people.
Hardware
Hardware refers to the physical parts of a computer and related devices.
Health and Medicine Division of the National Academies of Sciences, Engineering, and Medicine
HMD
HMD delivers independent, objective and evidence-based advice, sparks innovation, and confronts challenging issues for the benefit of society.
Healthcare and Public Health
HPH
The HPH Sector is one of the 16 critical infrastructure sectors. It is composed of sector owners and operators, directed by Presidential Policy Directive 21 and the National Defense Authorization Act for Fiscal Year 2021 to self-organize, in partnership with the government, around the mission of protecting essential healthcare and public health assets and services from existential threats.
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
HICP
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) was developed to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the most pertinent cybersecurity threats. The HICP provides guidance on cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks.
Health Information Exchange
HIE
Health Information Exchange allows health care professionals and patients to appropriately access and securely share a patient’s medical information electronically. There are many health care delivery scenarios driving the technology behind the different forms of health information exchange available today.
Health Information Management
HIM
HIM is the practice of acquiring, analyzing, and protecting digital and traditional medical information vital to providing quality patient care. It is a combination of business, science, and information technology.
Health Information Sharing and Analysis Center
H-ISAC
Health-ISAC Inc. (H-ISAC, Health Information Sharing and Analysis Center), is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating, and sharing vital physical and cyber threat intelligence and best practices with each other.
Health Information Technology
HIT
The application of information processing involving both computer hardware and software that deals with the storage, retrieval, sharing, and use of health care information, data, and knowledge for communication and decision making.
Health Information Technology Advisory Committee
HITAC
The Health Information Technology Advisory Committee (HITAC) was established by the 21st Century Cures Act (P.L. 114-255) and is governed by the provisions of the Federal Advisory Committee Act (FACA), P.L. 92-463, as amended, 5 U.S.C. App. 2, which sets forth standards for the formation and use of federal advisory committees. The HITAC will recommend to the National Coordinator for Health Information Technology policies, standards, implementation specifications, and certification criteria relating to the implementation of a health information technology infrastructure, nationally and locally, that advances the electronic access, exchange, and use of health information. HITAC unifies the roles of, and replaces, the Health Information Technology Policy Committee and the Health Information Technology Standards Committee that were in existence before the date of the enactment of the 21st Century Cures Act.
Health Information Technology Certified Manager for Physician Practice
HITCM-PP
HITCM-PP is a PAHCOM recognized certification program that provides recognition to individual office managers having knowledge, skills, and experience necessary to successfully manage the Health Information Technology inherent in today's ever-changing medical practices.
Health Information Technology for Economic and Clinical Health Act
HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. A January 2021 amendment (P.L. 116-321) requires the US Department of Health and Human Services (HHS) to take into account whether a regulated entity had recognized security practices such as HICP in place for the previous 12 months when it determines HIPAA fines, audits, and remedies, which gives organizations an incentive to adopt those practices.
Health Insurance Portability and Accountability Act
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy and security of protected health information. The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information. HIPAA Rules have detailed requirements regarding both privacy and security. The HIPAA Privacy Rule covers protected health information (PHI) in any medium, while the HIPAA Security Rule covers electronic protected health information (ePHI). The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). HIPAA gives patients many rights with respect to their health information.
Health Level 7
HL7
Founded in 1987, Health Level Seven International (HL7) is a not-for-profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.
Health Resources and Services Administration
HRSA
HRSA programs provide equitable health care to people who are geographically isolated and economically or medically vulnerable. This includes programs that deliver health services to people with HIV, pregnant people, mothers and their families, those with low incomes, residents of rural areas, American Indians and Alaska Natives, and those otherwise unable to access high-quality health care. HRSA programs also support health infrastructure, including through training of health professionals and distributing them to areas where they are needed most, providing financial support to health care providers, and advancing telehealth. In addition, HRSA oversees programs for providing discounts on prescription drugs to safety net providers, facilitating organ, bone marrow, and cord blood transplantation, compensating individuals injured by vaccination, and maintaining data on health care malpractice payments.
Health Sector Coordinating Council
HSCC
The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of industry associations and their members. It has been a platform for collaboration among healthcare industry leaders and the government for more than a decade to address the most pressing security and resiliency challenges to the healthcare sector.
Health Sector Cybersecurity Coordination Center
HC3
The Health Sector Cybersecurity Coordination Center (HC3) is leading the charge for the U.S. Department of Health and Human Services in aiding the protection, coordination, and sharing of cybersecurity information to the Healthcare and Public Health (HPH) sector. HC3 achieves this through developing cyber-attack mitigation resources and fostering HPH sector collaboration and partnerships.
Healthcare Delivery Organization
HDO
A Health Delivery Organization (HDO) is an organization, or group of related organizations, that are involved with the delivery of healthcare services. A hospital is an example of an HDO, as are a group of physician practices acting in concert in an area.
Healthcare Effectiveness Data and Information Set
HEDIS®
The HEDIS measurement set is sponsored, supported, and maintained by the National Committee for Quality Assurance (NCQA). Measures relate to many significant public health issues such as cancer, heart disease, behavioral health, and diabetes. HEDIS performance data can be used to identify opportunities for improvement, monitor the success of quality improvement initiatives, track improvement, and provide a set of measurement standards that allow comparison with other plans. HEDIS data help identify performance gaps and establish realistic targets for improvement.
Healthcare Information and Management Systems Society
HIMSS
HIMSS is a global advisor, thought leader and member association committed to transforming the health ecosystem. As a mission-driven non-profit, HIMSS offers a unique depth and breadth of expertise in health innovation, public policy, workforce development, research, and analytics to advise leaders, stakeholders, and influencers from across the ecosystem on best practices.
HealthIT.gov
A website for ASTP and ONC designed to communicate the US government’s position and programs in the health information technology space. Includes information on the following topics and more: Certification of Health IT, Health Information Technology Advisory Committee (HITAC), Health Equity, HTI-1 Final Rule, HTI-2 Proposed Rule, Information Blocking, Interoperability, Patient Access to Health Records.
HHS Office of Inspector General
HHS-OIG
Since its establishment in 1976, the Office of Inspector General (OIG) has been at the forefront of the Nation's efforts to fight waste, fraud and abuse and to improve the efficiency of Medicare, Medicaid and more than 100 other Department of Health & Human Services (HHS) programs. The majority of the agency's resources go towards the oversight of Medicare and Medicaid.
HITECH Breach Notification Rule
Regulations that implement provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of American Recovery and Reinvestment Act of 2009 (ARRA). These regulations require entities covered by HIPAA and their business associates to provide notification following a breach of unsecured PHI.
Honeypot
A honeypot is a trap or decoy for attackers. It is a false system configured to look and function like a production system and positioned where an unauthorized entity seeking a connection or attack point would encounter it, so that attackers are diverted from the real production systems. A honeypot may contain false data to tempt attackers into spending considerable time and effort attacking and exploiting the decoy, and it may reveal new attack techniques or the identity of the attackers. Because no legitimate user has a reason to touch it, any connection to a honeypot is a high-signal alert; it must be isolated so that an attacker who compromises it cannot use it as a foothold against real systems.
ID (Risk Identifier)
ID
A sequential numeric identifier for referring to a risk in the risk register.
Incident
An incident is an occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies (NIST SP 800-114).
Indian Health Service
IHS
The Indian Health Service, an agency within the Department of Health and Human Services, is responsible for providing federal health services to American Indians and Alaska Natives. The provision of health services to members of federally recognized tribes grew out of the special government-to-government relationship between the federal government and Indian tribes. This relationship, established in 1787, is based on Article I, Section 8 of the Constitution, and has been given form and substance by numerous treaties, laws, Supreme Court decisions, and Executive Orders. The IHS is the principal federal health care provider and health advocate for Indian people, and its goal is to raise their health status to the highest possible level. The IHS provides a comprehensive health service delivery system for American Indians and Alaska Natives.
Information Security
IS
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.
Information Sharing and Analysis Organizations
ISAO
America’s cyber adversaries move with speed and stealth. To keep pace, all types of organizations, including those beyond traditional critical infrastructure sectors, need to be able to share and respond to cyber risk in as close to real-time as possible. Organizations engaged in information sharing related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. However, many companies have found it challenging to develop effective information sharing organizations—or Information Sharing and Analysis Organizations (ISAOs). In response, President Obama issued the 2015 Executive Order 13691 directing the Department of Homeland Security (DHS) to encourage the development of ISAOs.
Information Technology
IT
The art and applied sciences that deal with data and information. Examples are capture, representation, processing, security, transfer, interchange, presentation, management, organization, storage, and retrieval of data and information.
Install
Putting software on your computer to use it. You can install software from a CD or DVD, an external hard drive, from a networked computer, or download from the Internet.
Integrated Delivery Network
IDNs
A network of health organizations that offer different health services in different care settings.
Interactive Voice Response
IVR
Automated telephone technology that enables callers to receive or provide information or make voice requests without speaking to a live agent.
Integrating the Healthcare Enterprise
IHE
IHE is an initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.
International Classification of Diseases
ICD
ICD serves a broad range of uses globally and provides critical knowledge on the extent, causes and consequences of human disease and death worldwide via data that is reported and coded with the ICD. Clinical terms coded with ICD are the main basis for health recording and statistics on disease in primary, secondary and tertiary care, as well as on cause of death certificates. These data and statistics support payment systems, service planning, administration of quality and safety, and health services research. Diagnostic guidance linked to categories of ICD also standardizes data collection and enables large scale research.
International Organization for Standardization
ISO
The International Organization for Standardization (ISO) is an independent, non-governmental international body that develops and publishes standards; its information security standards are produced jointly with the International Electrotechnical Commission (IEC). ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS) and the terms and definitions commonly used in the ISMS family of standards. It is applicable to all types and sizes of organization (e.g., commercial enterprises, government agencies, not-for-profit organizations).
Internet
The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a network of networks that consists of private, public, academic, business, and government networks of local to global scope, linked by a broad array of electronic, wireless, and optical networking technologies. The Internet carries a vast range of information resources and services, such as the inter-linked hypertext documents and applications of the World Wide Web (WWW), electronic mail, telephony, and file sharing.
Internet of Things
IoT
The Internet of Things (IoT) describes physical objects (or groups of such objects) with sensors, processing ability, software, and other technologies that connect and exchange data with other devices and systems over the Internet or other communications networks. Internet of things has been considered a misnomer because devices do not need to be connected to the public internet, they only need to be connected to a network and be individually addressable.
Internet Protocol
IP
Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.
Internet Service Provider
ISP
An organization that provides its customers with access to the Internet, typically over DSL, cable, fiber, or wireless links, often together with services such as e-mail, domain registration, or web hosting. (An ISP should not be confused with a credential service provider, CSP, which is a trusted entity that issues or registers subscriber authenticators and electronic credentials.)
Joint Commission on Accreditation of Healthcare Organizations
JCAHO
The mission of The Joint Commission is to continuously improve health care for the public, in collaboration with other stakeholders, by evaluating health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value. Its vision is that all people always experience the safest, highest quality, best-value health care across all settings.
Key Performance Indicator
KPI
A measurable value demonstrating how effectively an organization achieves its key business objectives.
Key Risk Indicator
KRI
A measure used in management to indicate how risky an activity is. Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. KRI gives an early warning to identify potential events that may harm continuity of the activity/project.
Limited Data Sets
LDSs
An LDS is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
Names
Postal address information, other than town or city, State, and zip code
Telephone numbers
Fax numbers
Electronic mail addresses
Social Security numbers
Medical record numbers
Health-plan beneficiary numbers
Account numbers
Certificate and license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including fingerprints and voice prints
Full-face photographic images and any comparable image
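As an added example (not from the study guide), the function below turns a patient record into a limited data set by dropping the direct identifiers listed above, including those of relatives or household members held in nested records, while retaining the elements an LDS may keep (town or city, state, ZIP code, and dates). The field names and the sample record are constructed assumptions; a real implementation has to map the practice's own field names onto these two classes, and the function fails closed on any field that has not been mapped.

```python
"""Added example: derive a HIPAA limited data set from a record. Field names
and the sample record are constructed assumptions."""

# Fields that carry one of the 16 direct identifiers (assumed names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "fingerprint", "face_photo",
}

# Fields an LDS may retain (assumed names): geography above street level, dates, clinical data.
PERMITTED = {
    "city", "state", "zip", "birth_date", "admission_date", "discharge_date",
    "age", "diagnosis_codes", "relationship",
}


def to_limited_data_set(record: dict) -> dict:
    """Drop direct identifiers, recurse into nested records (relatives, employers,
    household members), and refuse to release any field that has not been classified."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if isinstance(value, dict):
            out[field] = to_limited_data_set(value)
        elif field in PERMITTED:
            out[field] = value
        else:
            raise ValueError(f"unclassified field {field!r}: classify it before release")
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street_address": "12 Example Street", "city": "Springfield", "state": "IL", "zip": "62701",
    "phone": "555-0100", "email": "jane@example.invalid", "ip_address": "203.0.113.5",
    "birth_date": "1970-04-02", "admission_date": "2024-05-10", "diagnosis_codes": ["E11.9"],
    "emergency_contact": {"name": "John Sample", "phone": "555-0199", "relationship": "spouse"},
}

if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE))
```

The fail-closed branch is the part worth copying: when a new field such as a patient portal username is added to the source system, the release job stops instead of silently passing an identifier through. Note also that an LDS is still PHI; it may only be shared under a data use agreement, and the retained dates and ZIP codes are exactly why it is not considered de-identified.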
Local Area Network
LAN
A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network.
Malware
Short for malicious software: any program or code designed to damage, disrupt, spy on, or take unauthorized action on a computer or network without the owner's consent. Viruses, worms, ransomware, spyware, and trojans are all forms of malware.
Master Patient Index
MPI
A unique identification number or some other unified way of identifying people and organizations across separate clinical, financial, and administrative systems.
Meaningful Use
MU
Meaningful Use (MU) was the set of staged criteria under the Medicare and Medicaid EHR Incentive Programs that providers had to meet, using certified electronic health record (EHR) technology, to earn incentive payments and avoid payment reductions. The criteria covered uses such as e-prescribing, clinical decision support, patient access to records, and electronic exchange of health information. The program has since been renamed Promoting Interoperability.
Media
Consumer electronic devices that store or play digital files such as audio, images, video, documents, etc. Media can include laptop hard drives or flash USB drives, for example.
Medically Underserved Areas
MUA
Medically Underserved Areas/Populations are areas or populations designated by HRSA as having too few primary care providers, high infant mortality, high poverty, or a high elderly population. Health Professional Shortage Areas (HPSAs) are designated by HRSA as having shortages of primary medical care, dental, or mental health providers and may be geographic (a county or service area), population-based (e.g., low income or Medicaid eligible), or facility-based (e.g., a federally qualified health center or a state or federal prison).
Medicare Access and CHIP Reauthorization Act of 2015
MACRA
The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) is bipartisan legislation signed into law on April 16, 2015. MACRA created the Quality Payment Program, which repeals the Sustainable Growth Rate formula and changes the way that Medicare rewards clinicians, paying for value over volume.
Medicare Learning Network
MLN
MLN offers free educational materials for health care professionals on CMS programs, policies, and initiatives.
Merit-based Incentive Payment System
MIPS
The Merit-based Incentive Payment System (MIPS) is a program affecting all Medicare Part B clinicians and determines payment penalties and bonuses.
MIPS Value Pathways
MVPs
A participation framework to participate in MIPS that began with the 2021 performance period.
Mobile Device
Broad term for any computer that is hand-held or otherwise small enough to be portable and used on the go. Generally running a mobile operating system vs. desktop OS (tablets, smart phones, etc.)
Mobile health
mHealth
mHealth refers to health services supported by mobile devices. It is based on the premise of ‘care anywhere’ and can include consumer health information, diagnostics, fitness support, remote patient monitoring, video services, and text messaging.
Modified Off the Shelf
MOTS
MOTS is a type of software solution that can be modified and customized after being purchased from the software vendor. MOTS is a software delivery concept that enables source code or programmatic customization of a standard prepackaged, market-available software.
Multi-Factor Authentication
MFA
Multi-factor authentication is a layered approach to securing data and applications in which a system requires a user to present two or more factors of different types to verify identity at login: something the user knows (a password or PIN), something the user has (a hardware token, authenticator app, or phone), and something the user is (a biometric such as a fingerprint). Two passwords are not two factors. MFA increases security because even if one factor is compromised, for example a password captured by phishing, the attacker cannot satisfy the second factor and will not be able to access the targeted physical space, computing device, network, or database.
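As an added example (not from the study guide), the code below implements the "something you have" factor most practices deploy, a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226), using only the standard library, and a login check that requires both the password and the code. The password-hashing parameters, the enrolment record layout and the login flow are constructed assumptions for illustration; the one-time-password arithmetic follows the RFCs and is checked against their published test vectors.

```python
"""Added example: TOTP second factor plus a two-factor login check.
Enrolment record layout and PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side (clock drift); constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def enroll(password: str, totp_secret: bytes) -> dict:
    """Store a salted password hash (factor 1) and the shared TOTP secret (factor 2)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def authenticate(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are always evaluated, never short-circuited, so a failure
    does not tell the caller which factor was wrong."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    demo_secret = secrets.token_bytes(20)          # what the QR code hands the authenticator app
    user = enroll("correct horse battery staple", demo_secret)
    print("password only:", authenticate(user, "correct horse battery staple", "000000"))
    print("both factors :", authenticate(user, "correct horse battery staple", totp(demo_secret, int(time.time()))))
```

The skew window is the usual trade-off: one step either side tolerates a phone clock that is up to 30 seconds off, while a wider window lengthens the period during which a shoulder-surfed code stays valid. A phished password alone still fails here, which is the property the definition above describes.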
National Cancer Institute
NCI
The National Cancer Institute (NCI) is the federal government's principal agency for cancer research and training. NCI drives the cancer research enterprise by supporting and convening researchers, paying for facilities and systems, coordinating the National Cancer Plan, and more.
National Committee for Quality Assurance
NCQA
NCQA is an organization that studies how well health plans and doctors provide scientifically recommended care and identifies organizations that are run in ways that make care better. They are responsible for HEDIS measures, Health Plan Accreditation, and Patient-Centered Medical Home Recognition.
National Committee on Vital and Health Statistics
NCVHS
The NCVHS serves as the statutory [42 U.S.C. 242k(k)] public advisory body to the Secretary of Health and Human Services (HHS) for health data, statistics, privacy, and national health information policy and the Health Insurance Portability and Accountability Act (HIPAA). The Committee advises the HHS Secretary, reports regularly to Congress on HIPAA implementation, and serves as a forum for interaction between HHS and interested private sector groups on a range of health data issues.
National Conference of State Legislatures
NCSL
Bipartisan organization providing states support, ideas, connections, and a voice on Capitol Hill. All state legislators and legislative staff are automatically members of NCSL.
National Consortium of Telehealth Resource Centers
NCTRC
NCTRC is dedicated to building sustainable telehealth programs and improving health outcomes for rural and underserved communities and is a collaborative of 12 regional and 2 national Telehealth Resource Centers (TRCs), committed to implementing telehealth programs for rural and underserved communities.
National Council for Prescription Drug Programs
NCPDP
NCPDP is an ANSI-accredited standards development organization and problem-solving forum for healthcare that brings diverse stakeholders together to improve the exchange of healthcare information for patients and everyone involved in delivering care. Its pharmacy and e-prescribing standards (for example the SCRIPT standard used for electronic prescriptions) have been developed over more than 40 years.
National Governors Association
NGA
Founded in 1908, the National Governors Association is the voice of the leaders of 55 states, territories, and commonwealths. Our nation’s Governors are dedicated to leading bipartisan solutions that improve citizens’ lives through state government. Through NGA, Governors identify priority issues and deal with matters of public policy and governance at the state, national and global levels.
National Institute of Standards and Technology
NIST
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time — a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials and computer chips, innumerable products and services rely in some way on technology, measurement and standards provided by the National Institute of Standards and Technology.
Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations — from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.
National Institute of Standards and Technology Interagency or Internal Report
NISTIR
NISTIRs are reports that help promote the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. NIST's information technology reports are produced by one of its six laboratories, the Information Technology Laboratory (ITL). ITL's responsibilities include developing management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of federal information systems other than those handling national security information.
National Institutes of Health
NIH
The National Institutes of Health (NIH), a part of the U.S. Department of Health and Human Services, is the nation’s medical research agency — making important discoveries that improve health and save lives. NIH is the largest biomedical research agency in the world.
National Institute of Standards and Technology
NIST
NIST was founded in 1901 and is now part of the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST's Cybersecurity Framework (CSF), currently version 2.0 (February 2024), is a widely adopted voluntary framework for organizing cybersecurity risk management; OCR has published a crosswalk that maps the HIPAA Security Rule to it.
National Library of Medicine
NLM
The Library started as a shelf of books in the Surgeon General’s office in 1836 but has grown to a collection of millions of print and electronic resources. The diverse centers, divisions, advisory bodies, and other organizational units that make up NLM contribute in myriad ways to the Library’s mission.
National Plan and Provider Enumeration System
NPPES
NPPES collects the information needed to uniquely identify individual and organization health care providers and assigns each a National Provider Identifier (NPI). NPPES also maintains and updates the information about the health care providers and disseminates it under the Privacy Act of 1974.
National Provider Identifier
NPI
The NPI is a unique identification number for covered health care providers. Covered health care providers and all health plans and health care clearinghouses must use NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-digit, intelligence-free numeric identifier: the digits carry no information about the provider, such as the state in which they practice or their medical specialty, and the tenth digit is a check digit that detects transcription errors but says nothing about whether the number was actually assigned.
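The check digit is computed with the Luhn formula (ISO/IEC 7812) over the nine leading digits prefixed with the constant 80840, which is how CMS defines the NPI check digit. The Python below is an added example, not from the study guide: it validates NPIs and scans a constructed sample line for 10-digit tokens. The sample values are constructed for illustration (1234567893 is the commonly cited example that passes the check; 1234567890 does not), and the function names are this example's own.

```python
import re

NPI_PREFIX = "80840"  # CMS prefix (card issuer identifier) prepended before the Luhn calculation


def luhn_sum(digits):
    """Luhn (ISO/IEC 7812) weighted sum of a digit string that does not yet include a check digit."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 0:          # rightmost digit is doubled, then every other one
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(first_nine):
    """Check digit for the first nine NPI digits."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected nine digits")
    return (10 - luhn_sum(NPI_PREFIX + first_nine) % 10) % 10


def npi_is_valid(npi):
    """True if the string is ten digits whose last digit matches the check digit.

    This only catches transcription errors; it cannot tell whether CMS ever assigned the number.
    """
    npi = npi.strip()
    return len(npi) == 10 and npi.isdigit() and int(npi[9]) == npi_check_digit(npi[:9])


def find_candidate_npis(text):
    """Scan free text (e.g. a claim export line) for ten-digit tokens and split them by check-digit validity."""
    valid, invalid = [], []
    for token in re.findall(r"(?<!\d)\d{10}(?!\d)", text):
        (valid if npi_is_valid(token) else invalid).append(token)
    return valid, invalid


# Constructed sample line: 1234567893 and 1245319599 pass the check digit, 1234567890 does not.
SAMPLE_LINE = "Rendering NPI 1234567893, billing NPI 1245319599, referring NPI 1234567890"

if __name__ == "__main__":
    print(find_candidate_npis(SAMPLE_LINE))
```

A failed check digit means the number was mistyped or fabricated; a passing one still has to be confirmed against the NPPES registry before it is trusted on a claim.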
National Quality Forum
NQF
NQF measures and standards serve as a critically important foundation for initiatives to enhance healthcare value, make patient care safer, and achieve better outcomes.
Nationwide Health Information Network
NHIN
The Nationwide Health Information Network (NHIN), a program under the Office of the National Coordinator for Health Information Technology (ONC), was established in 2004 to improve the quality and efficiency of healthcare by establishing a mechanism for nationwide health information exchange. The NHIN is a set of conventions that provide the foundation for the secure exchange of health information that supports meaningful use. The foundation includes technical, policy, data use and service level agreements and other requirements that enable data exchange, whether between two different organizations across the street or across the country.
Network
Two or more computers connected to each other form a network. A network lets users share files, printers, and information. An organization typically runs several logically separate networks for different purposes (e.g., production systems, demonstration systems, temporary test systems, guest networks); keeping them segmented limits what an intruder on one can reach on the others.
Network Interface Card
NIC
A NIC (also known as a network adapter, LAN adapter, and physical network interface) is a computer hardware component that connects a computer to a computer network.
Network Level Authentication
NLA
Network Level Authentication (NLA) is a feature of Remote Desktop Services (the RDP server) and Remote Desktop Connection (the RDP client) that requires the connecting user to authenticate, using CredSSP, before a full session is established with the server. Because the server does not allocate a desktop session or present a logon screen to unauthenticated clients, NLA reduces exposure to brute-force and pre-authentication attacks against RDP. It should be enabled on every RDP server, and RDP should not be exposed directly to the Internet.
NHIN Health Information Exchange
NHIE
The Nationwide Health Information Network is broadly defined as the set of standards, specifications and policies that enable the secure exchange of health information over the Internet. This program provides a foundation for the exchange of health information across diverse entities, within communities and across the country, helping to achieve the goals of the HITECH Act. The Nationwide Health Information Network Exchange is the first community that implemented these standards, specifications, and policies in production.
Office for Civil Rights
OCR
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy.
Office of Management & Budget
OMB
The Office of Management and Budget oversees the implementation of the President's vision across the Executive Branch. OMB carries out its mission through.
Office of the National Coordinator for Health Information Technology
ONC (or ONCHIT)
The Office of the National Coordinator for Health Information Technology (ONC) is at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide, standards-based health information exchange to improve health care. ONC is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS). ONC is the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004, through an Executive Order, and legislatively mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009.
Operating System
OS
An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. For hardware functions such as input and output and memory allocation, the operating system acts as an intermediary between programs and the computer hardware, although the application code is usually executed directly by the hardware and frequently makes system calls to an OS function or is interrupted by it. Operating systems are found on many devices that contain a computer – from cellular phones and video game consoles to web servers and supercomputers.
Organization
An entity of any size, complexity, or positioning within a larger organizational structure (e.g., a federal agency or company).
Patch
Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product. Software vendors may choose to release updates to fix performance bugs, as well as to provide enhanced security features.
Patient-Centered Medical Home
PCMH
A model of primary care in which a physician-led care team coordinates comprehensive, continuous, patient-centered care across providers and settings, supported by health IT for tracking, follow-up, and patient communication. NCQA operates a PCMH Recognition program for practices that meet its standards.
Per Member Per Month
PMPM
A payment model, generally under capitated reimbursement models or quality payment models, that reimburse a doctor or healthcare entity on a per member per month basis.
Personal Health Record
PHR
An electronic application through which individuals can maintain and manage their health information (and that of others for whom they are authorized) in a private, secure, and confidential environment.
Personally Identifiable Information
PII
Personally Identifiable Information (PII) is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by direct or indirect means, for example a name, Social Security number, or date of birth, or an address combined with other details. It is the responsibility of each individual user to protect PII to which they have access.
Phishing
Phishing messages are sent to individuals or businesses asking for sensitive information (credentials, payment details) or encouraging the recipient to open an attachment or visit a fraudulent website that imitates a legitimate one. Phishing emails are often untargeted mass mailings; variants aimed at a specific person or organization are called spear phishing, and the same lure delivered by text message is called smishing. Phishing is one form of social engineering, the broader category of attacks that manipulate people rather than technology.
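As an added example (not from the study guide), the following Python applies three common phishing indicators to a constructed sample message: a Reply-To domain that differs from the From domain, a link whose visible text shows one domain while the href points to another, and a plain-http link. The sample emails, domains, and function names are constructed for illustration; the registrable-domain check is a naive two-label approximation that would need a public-suffix list in production.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a credential-phishing lure aimed at a practice office manager.
PHISHING_EMAIL = b"""\
From: "Payer Portal Support" <support@examplehealthplan.com>
Reply-To: billing-desk@mail-examplehp-verify.net
To: office-manager@example-practice.org
Subject: Action required: claims portal password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your claims portal password expires today. Sign in now to keep access:</p>
<p><a href="http://examplehealthplan.com.login-verify.net/reset">https://portal.examplehealthplan.com/reset</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice from the same sender.
CLEAN_EMAIL = b"""\
From: "Payer Portal Support" <support@examplehealthplan.com>
To: office-manager@example-practice.org
Subject: Scheduled maintenance this weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The claims portal will be unavailable Saturday 02:00-04:00.</p>
<p><a href="https://portal.examplehealthplan.com/status">Maintenance status page</a></p>
</body></html>
"""

# Matches link text that looks like a URL or bare hostname (no spaces, has a dotted suffix).
DOMAINISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels (a public-suffix list is needed for co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(value):
    """Registrable domain of the first e-mail address in a header value, or None."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(value or ""))
    return registrable_domain(match.group(1)) if match else None


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    from_domain = header_domain(msg["From"])
    reply_domain = header_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")

    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"unencrypted http link: {href}")
        shown = DOMAINISH.match(text)
        if shown and target.hostname:
            if registrable_domain(shown.group(1)) != registrable_domain(target.hostname):
                findings.append(f"link text shows {shown.group(1)} but points to {target.hostname}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(PHISHING_EMAIL):
        print("-", finding)
```

None of these indicators is proof on its own (newsletters legitimately use a different Reply-To), which is why mail gateways score several signals together rather than blocking on one.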
Physician Fee Schedule
PFS
The PFS is the primary method of payment for enrolled health care providers. Medicare uses the PFS when paying:
Professional services of physicians and other health care providers in private practice
Services covered incident to physicians’ services (other than certain drugs covered as incident to services)
Diagnostic tests (other than clinical laboratory tests)
Radiology services
Physician Quality Reporting Initiative
PQRI
Physician Quality Reporting Initiative (PQRI), now known as the Physician Quality Reporting System (PQRS), is a health care quality improvement incentive program initiated by the Centers for Medicare and Medicaid Services (CMS) in the United States in 2006. It is an example of a "pay for performance" program which rewards providers financially for reporting healthcare quality data to CMS.
Physician Quality Reporting System
PQRS
The Physician Quality Reporting System (PQRS) has been using incentive payments, and began to use payment adjustments in 2015, to encourage eligible health care professionals (EPs) to report on specific quality measures. PQRS gives participating EPs the opportunity to assess the quality of care they are providing to their patients, helping to ensure that patients get the right care at the right time. By reporting PQRS quality measures, providers also can quantify how often they are meeting a particular quality metric. Using the feedback report provided by CMS, EPs can compare their performance on a given measure with their peers.
Physician Voluntary Reporting Program
PVRP
The Physician Voluntary Reporting Program (PVRP) builds on Medicare’s comprehensive efforts to substantially improve the health and function of our beneficiaries by preventing chronic disease complications, avoiding preventable hospitalizations, and improving the quality of care delivered. Under the voluntary reporting program, physicians who choose to participate will help capture data about the quality of care provided to Medicare beneficiaries, to identify the most effective ways to use the quality measures in routine practice and to support physicians in their efforts to improve quality of care.
Picture Archiving and Communication System
PACS
A PACS is a computerized means of replacing the roles of conventional radiological film: images are acquired, stored, transmitted, and displayed digitally.
Population Health ISAC
PH-ISAC
PH-ISAC is an ISAO that prioritizes the cyber-readiness needs of safety net facilities and health systems (e.g., Community Health Centers, behavioral health centers, rural hospitals, community hospitals) as these facility types increasingly are sharing data with larger entities and one another. PH-ISAC is free for health organizations to join.
Port
A port is an entry or exit point on a computer for connecting communications or peripheral devices (a physical port, such as USB or Ethernet). In TCP/IP networking the term also means a numbered logical endpoint (0 to 65535) on a host that identifies a particular service, such as port 443 for HTTPS or port 3389 for RDP; firewalls control access to services by filtering on these port numbers.
Portfolio
An enterprise comprising one or more systems, organizations, and subordinate enterprises.
Priority
A relative indicator of the criticality of this entry in the risk register, either expressed in ordinal value (e.g., 1, 2, 3) or in reference to a given scale (e.g., high, moderate, low).
Professional Association of Health Care Office Management
PAHCOM
PAHCOM is an association, founded and managed by physician practice owners and managers, for the purpose of leading and improving the level of expertise, such that there is a sure path to success. That requires a shared metric, recognizing those who truly possess the knowledge and experience necessary to lead a medical practice to increasing prosperity in today's complex and highly regulated environment.
Project Management Office
PMO
A project management office (abbreviated to PMO) is a group or department within a business, government agency, or enterprise that defines and maintains standards for project management within the organization. The PMO strives to standardize and introduce economies of repetition in the execution of projects. The PMO is the source of documentation, guidance, and metrics on the practice of project management and execution.
Promoting Interoperability Program
PIP
CMS renamed the EHR Incentive Programs to the Medicare and Medicaid PIPs in April 2018. If you see the acronym “PI,” it refers to Promoting Interoperability; it may be used in front of the word ‘measures” or some other appropriate term.
Protected Health Information
PHI
A term defined by the HIPAA Privacy Rule at 45 C.F.R. sec. 160.103: individually identifiable health information that is held or transmitted by a covered entity or its business associate, in any form or medium (electronic, paper, or oral), relating to an individual's health condition, the provision of care, or payment for care. The HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes. Electronic PHI (ePHI) is the subset protected by the HIPAA Security Rule.
Qualifying APM Participant
QP
Advanced Alternative Payment Models (APMs) are one track of the Quality Payment Program that offer incentives for meeting participation thresholds based on your levels of payments or patients through Advanced APMs. If you achieve these thresholds, you become a QP. To become a QP, clinicians must receive at least 75 percent of Medicare Part B payments or see at least 50 percent of Medicare patients through an Advanced APM Entity during the QP performance period (January 1 - August 31).
Quality Payment Program
QPP
The Quality Payment Program (QPP) was created by the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015. The QPP transforms the Medicare physician payment system from one focused on volume to one focused on value.
Quality of Service
QoS
QoS is the description or measurement of the overall performance of a service, such as a telephony or computer network, or a cloud computing service, particularly the performance seen by the users of the network.
Quality Reporting Document Architecture
QRDA
The Quality Reporting Document Architecture (QRDA) is the data submission standard used for a variety of quality measurement and reporting initiatives. It is based on the Health Level Seven International® (HL7®) Clinical Document Architecture (CDA). QRDA creates a standard method to report quality measure results in a structured, consistent format and can be used to exchange eCQM data between systems.
Regional Extension Centers
REC
Regional Extension Centers (RECs) represent a range of organizations that serve local communities throughout the country. The focus is to provide on-the-ground technical assistance for individual and small provider practices, medical practices lacking resources to implement and maintain Electronic Health Records (EHRs), and those who provide primary care services in public and critical access hospitals, community health centers, and other settings that mostly serve those who lack adequate coverage or medical care. RECs have established themselves as trusted advisors for primary care and are helping providers face challenges to achieve meaningful use and leverage those criteria to support quality improvement and transform healthcare.
Regional Health Information Network
RHIO
A Regional Health Information Organization (RHIO, pronounced rio), also called a Health Information Exchange Organization, is a multistakeholder organization created to facilitate a health information exchange (HIE) – the transfer of healthcare information electronically across organizations – among stakeholders of that region's healthcare system. The ultimate objective is to improve the safety, quality, and efficiency of healthcare as well as access to healthcare through the efficient application of health information technology. RHIOs are also intended to support secondary use of clinical data for research as well as institution/provider quality assessment and improvement. RHIO stakeholders include smaller clinics, hospitals, medical societies, major employers, and payers.
Remote patient monitoring
RPM
RPM is a type of telehealth in which healthcare providers monitor patients outside the traditional care setting using digital medical devices, such as weight scales, blood pressure monitors, pulse oximeters, and blood glucose meters. The data collected from these devices are then electronically transferred to providers for care management.
Resource and Patient Management System
RPMS
RPMS is the Indian Health Service's decentralized, integrated solution for managing both clinical and administrative information in its health care facilities. Flexible hardware configurations, over 50 software applications, and network communication components combine to create a comprehensive clinical, financial, and administrative solution that can stand alone or function in concert with other components as needed. Professionals in American Indian, Alaska Native, and private sector health facilities use RPMS every day to efficiently manage programs, maximize revenue generation, and, most important, to provide high-quality care for patients.
Responsible, Accountable, Consulted, Informed
RACI
RACI identifies the level of responsibility held by each owner in the creation, review, and approval of project products or documents during each project phase. Two versions of the RACI Matrix template are available- a standard RACI Matrix template and a mini-RACI Matrix template. The mini is designed for the smaller of the low complexity projects, pilot projects, and those who are exploring a proof of concept. The standard version is for all other projects.
Return on investment
ROI
A return on investment (ROI) analysis is a way to calculate your net financial gains (or losses), taking into account all the resources invested and all the amounts gained through increased revenue, reduced costs, or both.
Risk
The effect of uncertainty on objectives.
Risk Appetite
The types and amount of risk, on a broad level, that an organization is willing to accept in its pursuit of value.
Risk Category
An organizing construct that enables multiple risk register entries to be consolidated (e.g., using SP 800-53 Control Families: Access Control (AC), Audit and Accountability [AU]).
Risk Description
A brief explanation of the cybersecurity risk scenario (potentially) impacting the organization and enterprise. Risk descriptions are often written in a cause-and-effect format, such as “if X occurs, then Y happens”.
Risk Owner
The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements. The Risk Owner may work with a designated Risk Manager who is responsible for managing and monitoring the selected risk response.
Risk Register
A risk register is a tool in risk management and project management. It is used to identify potential risks in a project or an organization, sometimes to fulfill regulatory compliance but mostly to stay on top of potential issues that can derail intended outcomes.
Risk Response Cost
The estimated cost of applying the risk response.
Risk Response Description
A brief description of the risk response. For example, “Implement software management application XYZ to ensure that software platforms and applications are inventoried,” or “Develop and implement a process to ensure the timely receipt of threat intelligence from [name of specific information sharing forums and sources].
Risk Response Type
The risk response (sometimes referred to as the risk treatment) for handling the identified risk. The commonly used response types, as in NIST IR 8286, are accept, avoid, mitigate, and transfer (share).
Risk Tolerance
The level of risk that the organization is willing to accept in pursuit of strategic goals and objectives (NIST SP 800-53).
Rural Health Clinics
RHCs
The RHC program is intended to increase access to primary care services for patients in rural communities. RHCs can be public, nonprofit, or for-profit healthcare facilities. To receive CMS certification, they must be located in a rural area that is designated as an underserved or shortage area. RHCs are required to use a team approach to healthcare delivery, using physicians working with non-physician providers such as nurse practitioners (NPs), physician assistants (PAs), and certified nurse midwives (CNMs) to provide services. The clinic must be staffed at least 50% of the time with an NP, PA, or CNM. RHCs are required to provide outpatient primary care services, basic laboratory services, and be able to provide “first response” services to common life-threatening injuries and acute illnesses.
Safety Assurance Factors for EHR Resilience
SAFER
The SAFER guides are a suite of tools that include checklists and recommended practices designed to help health care providers and the organizations that support them assess and optimize the safety and safe use of electronic health records.
Search Engine Optimization
SEO
SEO is the process of maximizing the number of visitors to a particular website by ensuring that the site appears high on the list of results returned by a search engine.
Secure Sockets Layer
SSL
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers. SSL 3.0 was superseded by TLS 1.0 in 1999, all SSL versions have since been formally deprecated (SSL 2.0 by RFC 6176 in 2011, SSL 3.0 by RFC 7568 in 2015), and TLS 1.0 and 1.1 were deprecated by RFC 8996 in 2021; it is nevertheless still common to refer to these related technologies as "SSL" or "SSL/TLS." The most current version is TLS 1.3, defined in RFC 8446 (August 2018). Systems that handle ePHI should accept only TLS 1.2 or 1.3.
Security Content Automation Protocol
SCAP
A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Note: There are six individual specifications incorporated into SCAP: CVE (common vulnerabilities and exposures); CCE (common configuration enumeration); CPE (common platform enumeration); CVSS (common vulnerability scoring system); OVAL (open vulnerability assessment language); and XCCDF (eXtensible configuration checklist description format).
Service Level Agreement
SLA
Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.
Service Oriented Architecture
SOA
In software engineering, service-oriented architecture (SOA) is an architectural style that supports service orientation. By consequence, it is as well applied in the field of software design where services are provided to the other components by application components, through a communication protocol over a network. A service is a discrete unit of functionality that can be accessed remotely and acted upon and updated independently, such as retrieving a credit card statement online. SOA is also intended to be independent of vendors, products, and technologies.
Short Message Service
SMS
A cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset.
Single Sign On
SSO
SSO is an authentication scheme that allows a user to log in once with a single identity and then access several related but independent systems without authenticating again, typically because those systems trust a shared identity provider (for example via SAML or OpenID Connect). Because one credential unlocks every connected system, the SSO account must be protected with multi-factor authentication and its sessions monitored.
Smart phone
A smartphone is a mobile phone that does things other than making phone calls and sending text messages such as taking photos, playing videos, managing e-mail, and surfing the Web.
Software
Software is a general term that describes computer programs including applications and scripts.
Software as a Service
SaaS
SaaS is a cloud computing model where a third-party provider hosts and manages application software that is accessible to users over the Internet.
Spam
Spam refers to junk e-mail or irrelevant postings to a newsgroup or bulletin board that come to your Inbox unsolicited.
Status
A field for tracking the current condition of the risk and any next activities.
Storage Area Networks
SANs
A SAN is a dedicated, high-speed network that gives servers block-level access to consolidated storage (disk arrays, tape libraries) so that shared storage appears to each server as a locally attached drive. SANs typically use Fibre Channel or iSCSI and are kept separate from the general-purpose LAN; because every connected host can reach the storage fabric, zoning and access controls on the SAN matter as much as file permissions on the servers.
Store-And-Forward
SFT
SFT is a data communication technique in which a message transmitted from a source node is stored at an intermediary device before being forwarded to the destination node. In telehealth, store-and-forward means capturing clinical information (images, video, lab results) and sending it to a provider for review later, as opposed to a live video visit.
Substance Abuse and Mental Health Services Administration
SAMHSA
The Substance Abuse and Mental Health Services Administration (SAMHSA) is the agency within the U.S. Department of Health and Human Services that leads public health efforts to advance the behavioral health of the nation. SAMHSA's mission is to reduce the impact of substance abuse and mental illness on America's communities.
Supply Chain Risk
A supply chain risk is a function of threat, vulnerability, and consequence. A supply chain threat is specific and credible information that a component, system, or service might be targeted by adversaries. A vulnerability is a weakness which is either inherent to the component, system or service, or has been introduced by an outside agent.
Sustainable Growth Rate
SGR
Established as part of the Balanced Budget Act of 1997, the SGR was the statutory method for determining the annual updates to the Medicare physician fee schedule. It was repealed by the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015, which replaced it with the Quality Payment Program.
System
A discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Systematized Nomenclature of Medicine
SNOMED
SNOMED International determines global standards for health terms, an essential part of improving the health of humankind. We are committed to maintaining and growing our leadership as the global experts in healthcare terminology, ensuring that SNOMED CT, our world leading product, is accepted as the global common language for clinical terms.
Taxpayer Identification Number
TIN
A TIN is an identification number used by the Internal Revenue Service (IRS) in the administration of tax laws. It is issued either by the Social Security Administration (SSA) or by the IRS. A Social Security number (SSN) is issued by the SSA whereas all other TINs are issued by the IRS.
Transport Layer Security
TLS
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
The TLS protocol aims primarily to provide cryptography, including privacy (confidentiality), integrity, and authenticity through the use of certificates, between two or more communicating computer applications. It runs in the application layer and is itself composed of two layers: the TLS record and the TLS handshake protocols.
TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999, and the current version is TLS 1.3, defined in August 2018. TLS builds on the earlier SSL specifications (1994, 1995, 1996) developed by Netscape Communications for adding the HTTPS protocol to their Navigator web browser.
TLS is the successor of the now-deprecated Secure Sockets Layer (SSL).
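To make the two layers named above concrete, here is an added Python example (not from the study guide) that builds a minimal ClientHello, parses it back by walking first the record layer and then the handshake layer, and reports which protocol versions the client offered, including the deprecated ones a hardened server should refuse. The byte layouts follow RFC 5246 and RFC 8446; the function names and the constructed sample values are this example's own.

```python
import os
import struct

# Wire constants from RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3)
HANDSHAKE_RECORD = 0x16        # record-layer ContentType for handshake messages
CLIENT_HELLO = 0x01            # handshake-layer HandshakeType
EXT_SUPPORTED_VERSIONS = 43    # extension carrying the versions a TLS 1.3 client really offers
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED_VERSIONS = {0x0300, 0x0301, 0x0302}   # RFC 7568 (SSL 3.0) and RFC 8996 (TLS 1.0/1.1)


def build_client_hello(cipher_suites, supported_versions, client_random=None):
    """Assemble a minimal ClientHello handshake message and wrap it in a TLS record."""
    client_random = client_random or os.urandom(32)
    version_list = b"".join(struct.pack("!H", v) for v in supported_versions)
    ext_body = bytes([len(version_list)]) + version_list
    extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303)                    # legacy_version is frozen at 1.2
            + client_random                              # 32-byte ClientHello.random
            + b"\x00"                                    # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                # legacy_compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer header: ContentType(1) + legacy_record_version(2) + length(2)
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record layer, then the handshake layer, and return the ClientHello fields."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    fragment = record[5:5 + record_len]
    if len(fragment) != record_len or record_len < 4:
        raise ValueError("record fragment truncated")
    if fragment[0] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    body_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body truncated")

    pos = 0
    legacy_version = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    client_random = body[pos:pos + 32]
    pos += 32
    pos += 1 + body[pos]                                 # skip legacy_session_id
    suites_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    cipher_suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                                 # skip legacy_compression_methods
    supported_versions = []
    if pos < len(body):                                  # extensions block (absent in very old clients)
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_data:
                count = ext_data[0]
                supported_versions = [struct.unpack_from("!H", ext_data, 1 + i)[0]
                                      for i in range(0, count, 2)]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "client_random": client_random, "cipher_suites": cipher_suites,
            "supported_versions": supported_versions}


def offered_versions(parsed):
    """Versions the client really offers: the extension list if present, else legacy_version."""
    return parsed["supported_versions"] or [parsed["legacy_version"]]


def highest_offered_version(parsed):
    return max(offered_versions(parsed))


def offers_deprecated_version(parsed):
    """True if the client would accept SSL 3.0, TLS 1.0 or TLS 1.1; a hardened server refuses these."""
    return any(v in DEPRECATED_VERSIONS for v in offered_versions(parsed))


if __name__ == "__main__":
    # Constructed sample: a modern client offering TLS 1.3 and 1.2 with two common cipher suites.
    hello = build_client_hello([0x1301, 0xC02F], [0x0304, 0x0303])
    parsed = parse_client_hello(hello)
    print(VERSION_NAMES[highest_offered_version(parsed)], offers_deprecated_version(parsed))
```

The record layer only frames and (after the handshake) encrypts; all version and cipher negotiation happens inside the handshake message it carries, which is why a TLS 1.3 client still advertises 0x0303 in legacy_version and puts its real list in the supported_versions extension.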
Threat
Any circumstance or event with the potential to adversely affect a system or the information it holds, for example through unauthorized access, disclosure, modification, destruction, or denial of service. A threat acts by exploiting a vulnerability; risk is the combination of the two with the resulting impact.
Uninterruptible Power Supply
UPS
A device with an internal battery that allows connected devices to run for at least a short time when the primary power source is lost.
Universal Serial Bus
USB
An industry standard that establishes specifications for cables, connectors and protocols for connection, communication and power supply between computers, peripherals, and other computers.
USB Drive
A USB drive is a data storage device that includes flash memory with an integrated USB interface. It is typically removable, rewritable, and much smaller than an optical disc. Sometimes referred to as a thumb-drive.
Value-Based Payment Modifier
VPM
VPM applies to the Medicare paid amount of physician payments under the Medicare Physician Fee Schedule.
Veterans Health Administration
VHA
The Veterans Health Administration (VHA) is the largest integrated health care system in the United States, providing care at 1,293 health care facilities, including 171 VA Medical Centers and 1,112 outpatient sites of care of varying complexity (VHA outpatient clinics) to over 9 million Veterans enrolled in the VA health care program.
Veterans Health Information Systems and Technology Architecture
VistA
The U.S. Department of Veterans Affairs (VA) developed and maintains a robust EHR known as VistA - the Veterans Health Information Systems and Technology Architecture. This system was designed and developed to support a high-quality medical care environment for the military veterans in the United States. The VistA system is in production today at hundreds of VA medical centers and outpatient clinics across the country.
Virtual Private Network
VPN
A VPN is an encrypted tunnel carried over an untrusted network (typically the Internet) that connects remote users or sites to a private network as if they were attached locally. Because VPN access places the remote device inside the private network, VPN accounts should require multi-factor authentication and connected devices should meet the same patching and endpoint-protection standards as on-site systems.
Virus
A computer virus is malicious code that, like a biological virus, replicates by inserting copies of itself into other programs or files; when an infected file runs, the virus spreads and can corrupt data or prevent the system from functioning properly (sometimes permanently). Viruses are one category of malware alongside worms, trojans, and ransomware.
Vulnerability
A weakness in a system, application, procedure, or control that a threat could exploit to compromise confidentiality, integrity, or availability. Publicly known vulnerabilities are cataloged as CVE entries and scored with CVSS (see SCAP).
Wide Area Network
WAN
A wide area network is a telecommunications network that extends over a large geographic area for the primary purpose of computer networking. Wide area networks are often established with leased telecommunication circuits.
Wired Equivalent Privacy
WEP
A security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in 1997, it was intended to provide data confidentiality comparable to that of a traditional wired network. WEP is cryptographically broken: its RC4 keys can be recovered in minutes from captured traffic, and it was superseded by WPA and then WPA2 (IEEE 802.11i, 2004). Any practice network still running WEP should be migrated to WPA2 or WPA3.
Wireless Fidelity
Wi-Fi
Wi-Fi refers to wireless local area networking based on the IEEE 802.11 standards that allows computers and other devices to communicate over a radio signal. The name is a trademark of the Wi-Fi Alliance; the expansion "Wireless Fidelity" is an after-the-fact explanation rather than the name's origin. Because the signal can be received beyond the office walls, Wi-Fi links should be protected with WPA2 or WPA3 encryption.
Wireless Local Area Network
WLAN
A wireless local area network (WLAN) is a wireless distribution method for two or more devices. WLANs use high-frequency radio waves and often include an access point to the Internet. A WLAN allows users to move around the coverage area, often a home or small office, while maintaining a network connection.
Work Group
WG
A group that shares data via a local network.
240820 | Public