Definitions
Accounting of Disclosures: Unless an exception applies, individuals have the right to receive an accounting of disclosures of their protected health information made by a covered entity during the six years prior to the date on which the accounting is requested.
Amendment: Individuals have the right to request that a covered entity amend protected health information
Authorization: A valid authorization is a document that gives a covered entity permission to use a patient's protected health information for specific purposes that are generally different than the usual course of treatment, payment or health care operations.
Breach: The unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Business Associate: A person or entity that performs a function or activity on behalf of a covered entity but that is not a member of the covered entity's workforce.
CLIA: Clinical Laboratory Improvements Amendments of 1988
Compliance Officer: The corporate officer who is generally responsible for the Corporate Compliance Program.
Compound Authorization: Under certain circumstances an authorization for use or disclosure of protected health information may be combined with another document to create a compound authorization.
Confidential Communications: Covered health care providers and health plans must generally accommodate reasonable requests by individuals to receive communications of their protected health information by alternative means or in alternative locations in order to maintain confidentiality of the patient's information.
Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction.
De-identified Health Information: De- identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: 1) a formal determination by a qualified statistician; or 2) the removal of specified identifiers of the individual and of the individual’s relatives, household members and employers is required and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
Department of Health and Human Services: (HHS) The federal government department that has oversight for implementing HIPAA.
Designated Record Set That group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment claims adjudication and case or medical management record systems.
Direct Treatment Relationship The relationship between a provider and a patient where the provider is directly treating the patient as opposed to under the direction of another provider.
Disclosure: The release, transfer, provision of, access to or divulging in any other manner of information outside the entity holding the information.
Health Care Clearinghouse: An entity that processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data into standard data elements or a standard transaction. Such entities also may receive standard transactions from another entity and process or facilitate the processing of health information into nonstandard format or nonstandard data for the receiving entity.
Health Care Operations: Include, among other activities: conducting quality assessment and improvement activities; reviewing the competency or qualifications of health care providers; underwriting, premium rating, and other activities relating to a contract of health insurance or health benefits; conducting or arranging for medical review, legal service, and auditing functions; business planning and development, and; business management and general administrative activities of a covered entity.
Health Care Provider: A provider of services, a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health Information: Any information, whether oral or recorded in any form or medium, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Health Plan: Generally includes group health plans, health insurance issuers, HMOs, federal health care programs or other government health care programs, employee welfare benefit plans, and other mechanisms established to provide health insurance coverage.
HIPAA: The Health Insurance Portability and Accountability Act of 1996. A federal law that allows people to qualify for comparable health insurance coverage when they change employment. Title II, Subtitle F, of HIPAA mandates the use of standards for the electronic exchange of health care information; specifies what code sets are to be used within the standards; requires the use of national identifiers for patients, providers, payers and employers; specifies standards to protect the security and privacy of individually identifiable health care information.
HITECH: The Health Information Technology for Economic and Clinical Health Act was enacted February 17, 2009. HITECH provides additional privacy and security rules for covered entities, business associates, vendors of personal health records and other similar entities.
Indirect Treatment Relationship: Where a provider delivers health care to an individual based on the orders of another provider. A provider with an indirect treatment relationship typically provides services or products, or reports the diagnosis or results associated with a patient's health care, directly to another provider, who then provides the services or products or reports to the patient.
Individually Identifiable Health Information: Individually identifiable health information is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual, and which identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
Limited Data Set: A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members and employers have been removed. A limited data set may be used and disclosed for research, health care operations and public heal purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
Medical Record: “Record” means any written, printed or electronically recorded material maintained by a provider in the course of providing to a patient concerning the patient and the services provided, along with the substance of any communication made by a patient to a provider in confidence in connection with the provision of or information otherwise acquired by the provider about a patient in confidence and in connection with the provision of to the patient. The medical records of EVMS Health Services patients are the property of EVMS Health Services. The patient’s right of privacy in the content of the patient’s medical record is recognized. The information in the medical record shall be protected as required by applicable Federal and state laws.
Minimum Necessary: Generally, providers and health plans must limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use or disclosure. This does not apply to providers who are using or disclosing the information for treatment purposes or if the information is disclosed to the individual who is the subject of the information.
Notice of Privacy Practices: Unless an exception applies, HIPAA requires that covered entities give an individual a notice describing how the entity may use or disclose his or her protected health information and the individual's rights with respect to that information.
OCR: Office of Civil Rights, the DHHS agency designated to enforcement and support the Privacy Standards of HIPAA.
Payment Activities: undertaken by a covered entity that relate to providing insurance benefits or reimbursement for providing health services. The HIPAA Privacy Rule describes what activities specifically pertain to payment.
Personal Health Record: An electronic record of personally identifiable heath information on an individual that can be drawn from multiple sources and that is managed, shared and by or primarily for the individual.
Personal Representative: A person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate.
Privacy: Privacy or health information refers to how the information is used or disclosed once it has been appropriately accessed.
Privacy Rule: HIPAA regulations also entitled Standards for Privacy of Individually Identifiable Health Information promulgated by the Department of Health and Human Services. The first comprehensive federal protection for the privacy of health information.
Privacy Officer: Covered entities must designate a person who is responsible for the development and implementation of the entity's policies and procedures related to privacy. Covered entities must also designate a person to handle complaints regarding privacy.
Protected Health Information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium.
Re-Identification: A covered entity may assign a number for re-identification; however, the creation of the numbering system should not be based on the information and the covered entity is forbidden from disclosing the reidentification scheme.
Security: All the administrative, physical and technical safeguards in an information system. An information system is an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications and people.
Treatment: The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.