The following terms are commonly used in HIPAA Compliance. The inclusion of any term, however, does not constitute an endorsement or recommendation by DoctorsManagement or any of its subsidiaries or employees.
Administrative Safeguards: Policies and procedures to maintain security of ePHI (electronic protected health information).
Amendment: Information added to a record in order to correct an omission or error.
ARRA: American Recovery and Reinvestment Act, a.k.a. “Stimulus package.” Includes HITECH.
Authentication: Means of establishing or verifying the identity of an individual
Authorization: Special permission to use protected health information for other than treatment, payment or health operations. It must include certain elements as required by HIPAA.
Bio-identifiers: Biological features or data used to establish or verify the identity of an individual, including fingerprints, full face photos, and iris patterns.
Breach: Impermissible and accidental access, acquisition, use, or disclosure of unsecured ePHI that poses a significant risk of financial, reputational, or other harm to the individual who is the subject of the information. Excludes internal incidents, de-identified information, and information that has been made impossible for the unintended individual to maintain or interpret it.
Breach Notification: Process of informing affected individuals, the Secretary of HHS (Health and Human Services), and the media (if applicable) of unauthorized use or disclosure of unsecured PHI.
Business Associate: Entity or individual that is not a part of the workforce and is not a covered entity, but creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples: billing company, EHR and PMS vendors, ePrescribing gateways, health care clearing houses, IT support.
Business Associate Agreement: Document initiated by covered entities to ensure that business associates maintain required safeguards to protect health information as required by HIPAA.
Confidentiality: Property of not allowing unauthorized persons to have access to information.
Covered Entity: Health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form.
Court Order: An official proclamation by a judge (or panel of judges) that defines the legal relationships between the parties to a hearing, a trial, an appeal or other court proceedings. Such ruling requires or authorizes the carrying out of certain steps by one or more parties to a case. A court order must be signed by a judge. Some jurisdiction may require it to be notarized. The content and provisions of a court order depend on the type of proceeding, the phase of the proceedings in which they are issued, and the procedural and evidentiary rules that govern the proceedings.
Designated Record Set: A group of records maintained by or for a covered entity, including medical and billing records, used by the covered entity to make decisions about the individual who is the subject of the records.
Direct Treatment Relationship: Relationship between a patient and a healthcare provider that is not an indirect relationship.
Encryption: Use of an algorithmic process to transform data into a form that makes it almost impossible to translate into meaningful data (“de-encryption”) without the use of a confidential process or key.
ePHI: Protected Health Information maintained or transmitted in an electronic format.
FACTA: Fair and Accurate Credit Transactions Act. Includes but is not limited to the Red Flag Rules.
FTC: Federal Trade Commission, agency responsible for enforcing FACTA.
GINA: Genetic Information Nondiscrimination Act. Prohibits employers and health plans from discriminating against individuals based solely on genetic information.
Health Care Operations: Business operations of covered entities, including QA/QI, competency assessments, business planning and management, training new healthcare workers, auditing, and evaluating managed care contracts.
HHS: Department of Health and Human Services
HIO: Health Information Organization. A group of organizations that share health-related information according to established protocols to maintain privacy and security. They are not usually covered entities, but may perform some functions as business associates.
HIPAA: Health Insurance Portability and Accountability Act of 1996. Includes Transactions and Code Sets. National Identifiers, Privacy Rule and Security Rule.
HITECH: Health Information Technology for Economic and Clinical Health Act.
Implementation Specification: A detailed description of the method or approach covered entities can use to meet a particular standard.
Identifiers: Data or other types of information used to establish or verify who an individual is.
Indirect Treatment Relationship: A relationship between a patient and a health care provider in which the health care provider delivers the care based on orders from another provider. The second provider provides products or services or reports the diagnosis to the referring provider, who in turn provides the service, product, or report to the patient. Examples: reference laboratory, imaging center, pathologist, radiologist.
Integrity: The property of information or data that means it has not been altered or destroyed.
Law Enforcement Official: Officer or employee of an agency of the United States, a political division, or an Indian tribe with the authority to conduct an investigation or inquiry into a potential law violation. Does not include school attendance personnel.
Limited Data Set: Information with all direct identifiers (name, address, phone number, Social Security number, etc.) removed and allowed by HIPAA to be used in research, public health activities, and health operations. May have some “indirect” identifiers, such as date of birth, service dates, and zip code. The partially de-identified information may be disclosed only if there is a “data use agreement” in place, much like a Business Associate Agreement.
Marketing: Communication about a product or service to encourage the recipient of the communication to use the product or service. Excludes communications about products or services provided by the covered entity or health plan, products or services that are specific for the individual’s care or payment, or services performed by a healthcare provider or plan to an individual as a part of that individual’s care. Also excludes oral or written communication when the covered entity does not receive remuneration from a third party for making the communication.
Minimum Necessary: Least amount of information to the fewest people required to deliver healthcare and receive reimbursement for the care.
NEI: National Employer Identifier; tax ID number established by the Internal Revenue Service.
NPI: National Provider Identifier.
NPPES: National Plan and Provider Enumeration Service; agency responsible for establishing and maintaining national plan and provider numbers.
NPP: Notice of Privacy Practices; the document used to explain to your patients how you may use their protected health information and what their rights concerning their PHI are.
OCR: Office for Civil Rights; agency responsible for enforcing the Privacy and Security Rules.
Omnibus Rule or Omnibus Final Rule: HIPAA regulation changes enacted in 2013 to incorporate many of the changes required by the HITECH requirements into the HIPAA regulations.
Personal Representative: Individual with authority to make decisions on behalf of the patient. May be the patient himself or herself, a parent or a guardian.
PHI: Protected Health Information; individually identifiable health information maintained or transmitted by a covered entity in any form or medium. Personnel or employment records are excluded.
Physical Safeguards: Physical measures to protect the electronic information system and the related buildings and equipment from natural and environmental hazards and from unauthorized intrusion.
Privacy: Confidentiality; right of patients to expect information to be protected from unauthorized access, use, or disclosure.
Privacy Officer: Individual within the practice assigned the responsibility of ensuring compliance with the Privacy Rule. May be the same person as the Security Officer.
Psychiatric Information: Data in the medical record pertaining to a patient’s psychiatric diagnosis, treatment, etc. Does not include psychotherapy notes.
Psychotherapy Notes: Notes recorded in any media by a mental health professional concerning conversations during counseling session and separated from other medical records. Excludes prescriptions, times, type and frequency of treatments, results of clinical tests, diagnosis, functional status, treatment plan, symptoms, prognosis, and progress.
Qualified Protective Order: An order of the court or administrative tribunal or stipulation in litigation or administrative proceedings that prohibits parties from using or disclosing PHI for any purpose other than the litigation or proceeding for which the PHI was requested and requires the destruction or return of the PHI to the practice where it originated, including any copies made, at the end of the proceeding or litigation.
Red Flag Rules: Regulations issued by the FTC (Federal Trade Commission), federal bank regulatory agencies, and the National Credit Union Association, requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
RHIO: Regional Health Information Organization; a group of organizations within a specific geographical area that share healthcare-related information electronically according to national standards. A RHIO typically oversees the means of information exchange and develops healthcare information technology (HIT) standards.
Security: Administrative, physical, and technical safeguards to protect information.
Security Rule: Part of HIPAA that requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.
Security Officer: Individual within the practice assigned the responsibility of ensuring compliance with the Security Rule. May be the same person as the Privacy Officer.
Subcontractor: A person or entity to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
Subpoena: A writ by a government agency, most often a court, that has authority to compel testimony by a witness or production of evidence under a penalty for failure. There are two common types of subpoena:
- Subpoena ad testificandum orders a person to testify before the ordering authority or face punishment.
- Subpoena duces tecum orders a person to bring physical evidence before the ordering authority or face punishment.
TPO: Treatment, payment, and health care operations.
Technical Safeguards: The use of technology, policies, and procedures to protect ePHI and controls access to it.
Unsecured PHI: Protected health information in an electronic format that lacks security safeguards such as encryption.
Workforce: All individuals who work in the practice—employees, employers, students, volunteers.