Anonymized Data
Identifiers removed and no means exists for re-identifying patients/subjects.

Anonymous Data
Never labeled with patient/subject identifiers (see also De-identified Data).

Authorization
Under HIPAA, the granting of rights to access PHI. Required by HIPAA for disclosures or uses other than for treatment, payment or operations (which are covered in the Notice of Privacy Practices). Treatment cannot be conditioned on the granting of an authorization. An authorization is a specific, detailed document as to the PHI covered and its use, and includes an expiration date.

The mechanism for obtaining approval for the use and disclosure of health information. The American Health Information Management Association has recommended requirements for a valid authorization. Within the context of a computer-based patient record system, these requirements would include that the authorization be documented (electronically), be addressed to a specific health care provider, specifically identify the patient, identify the individual or entity authorized to receive the information, identify the information that is to be released, specify the purpose for the disclosure, specify under what conditions the authorization will expire unless revoked earlier, indicate that the authorization is subject to revocation, be (electronically) signed by the patient or the patient's legal representative, and be dated.

Authentication
The process by which a user is verified to be what the subject claims to be. Authentication is a measure used to verify the eligibility of a subject and that subject's eligibility to access certain information. It protects against the fraudulent use of a system or the fraudulent transmission of information.

Business Associate
An entity outside of the organization to or from which PHI will be disclosed and which performs a business function for a covered entity. HIPAA requires that a Business Associate Agreement be in place: a contract entered into by two business partners in which they agree to exchange data and agree that the data transmitted is to be protected. The sender and receiver depend upon each other to maintain the integrity and confidentiality of the transmitted information. Multiple such two-party contracts may be involved in moving information from the originator to the ultimate recipient. For example, a provider may contract with a clearinghouse to transmit claims to the clearinghouse; the clearinghouse, in turn, may contract with another clearinghouse or with a payer for the further transmittal of these same claims.

Common Rule
The federal regulations covering protection of human subjects involved in research, adopted uniformly by all agencies, including NIH, FDA, OSHA, etc.

Confidentiality
A condition in which information is shared or released in a controlled manner. The property that information is not made available or disclosed to unauthorized individuals, entities or processes.

The status accorded to data or information indicating that it is sensitive for some reason, and that therefore it needs to be protected against theft or improper use and must be disseminated only to individuals or organizations authorized to have it. That authorization can be granted by the individual whose information is to be disclosed. Protection of confidentiality is an ethical standard of the health professions.

Consent
The voluntary agreement of an individual (informed and competent) to an action such as release of information. HIPAA permits but does not require a covered entity to obtain consent for use or disclosure of PHI for treatment, payment, or healthcare operations (in contrast to the authorization needed for other uses or disclosures).

Covered Entity
HIPAA regulations cover all health care providers, health plans and clearinghouses, and any entities that include components engaged in these activities, that transmit PHI electronically.

Data Use Agreement
An agreement between the investigator (recipient) and the covered entity that the investigator will protect the protected health information in a Limited Data Set and use it only for the agreed-upon purposes.

De-identified Data
A record from which identifying information has been removed to render the information not subject to the HIPAA rules. Means exist to re-identify the patient if needed. See the list of 18 identifiers recognized under HIPAA.

Designated Record Set
Any item, collection, or grouping of information that is used to make decisions about the individual's medical care and the bills generated to collect for that care, and is maintained, collected, used, or disseminated by or for a covered entity. The designated record set does not include information used solely in health care operations, information in draft form, schedules or appointment records, or working notes.

Disclosure
The release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information. Requires a specific authorization under HIPAA unless the disclosure is related to the provision of health care, payment or operations of the entity responsible for the PHI, or falls under a limited set of other circumstances, such as public health purposes.

Health Care
Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Care Component
(1) Components of a covered entity that perform covered functions are part of the health care component. Covered functions include the delivery of health care, obtaining payment for same, health care operations and other activities involving the use or disclosure of individually identifiable health information.
(2) Another component of the covered entity is part of the entity's health care component to the extent that:
    (i) it performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and
    (ii) the activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions.

Health Care Operations
Any activity of a covered entity protected by the HIPAA Regulations, including peer review, quality assessment, case management, training, legal and auditing services, fraud investigations, business planning, fund raising, etc. The uses of PHI in operations are covered by the Notice of Privacy Practices and generally do not require patient authorization.

Health Care Provider
A provider of medical or health services, and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Health Information
Any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Plan
Any individual or group plan (such as insurance, Medicare or other federal health care program, managed care, employer or union coverage) which provides or pays for health care.

HIPAA
The Health Insurance Portability and Accountability Act of 1996.

Hybrid Entity
A single legal covered entity with health care and non-health care functions, where the former are covered functions but are not its primary functions.

Individual
The person who is the subject of Protected Health Information.

Individually Identifiable Health Information
Any information, including demographic information, collected from an individual that is created or received by a provider, plan or clearinghouse, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care, or the past, present or future payment for same, and that identifies the individual or could reasonably be used to do so.

IRB
An Institutional Review Board chartered under the Common Rule to protect human research subjects. In UC these IRBs serve the Privacy Board function and can grant waivers from the requirement to obtain patient authorization to use or disclose PHI in research.

Limited Data Set
A set of data in which most of the Protected Health Information has been removed. The following identifiers of the Individual or of the Individual's relatives, employers or household members must be removed:
1. Names;
2. Addresses, other than town or city, state, and zip code;
3. Telephone numbers;
4. Fax numbers;
5. Electronic mail addresses;
6. Social security numbers;
7. Medical record numbers;
8. Health plan beneficiary numbers;
9. Account numbers;
10. Certificate / license numbers;
11. Vehicle identifiers and serial numbers (including license plate numbers);
12. Device identifiers and serial numbers;
13. Web Universal Resource Locators (URLs);
14. Internet Protocol (IP) address numbers;
15. Biometric identifiers, including finger and voice prints; and
16. Full face photographic images and any comparable images.

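As an added example, not part of this glossary, the Limited Data Set rule above expressed as a small Python filter: it drops the 16 identifier categories from a record, keeps the permitted town/city, state and zip fields, and flags identifier patterns (e-mail addresses, URLs, IP addresses, SSNs, phone numbers) that survive in free-text fields, since a record that still carries one cannot be released as an LDS. The field names and the sample record are constructed assumptions, not a real schema.

```python
import re

# Hypothetical field names standing in for the 16 identifier categories that a
# Limited Data Set must not contain (list above); a real schema will differ.
LDS_REMOVE_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "face_photo",
}

# Identifier categories from the list that commonly leak into free text.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def to_limited_data_set(record):
    """Drop the direct-identifier fields and return (lds_record, findings).

    findings lists (field, category) pairs for identifier-like strings that
    remain in other fields; such a record is not yet a valid Limited Data Set
    and needs those values removed before release.
    """
    lds = {k: v for k, v in record.items() if k not in LDS_REMOVE_FIELDS}
    findings = []
    for field, value in lds.items():
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, category))
    return lds, findings


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Sample St",
    "city": "Springfield", "state": "CA", "zip": "90210",  # may stay (item 2)
    "mrn": "MRN-000123",
    "date_of_service": "2021-03-04",  # dates are not on the list above
    "diagnosis": "Essential hypertension",
    "clinical_note": "Follow up by portal; contact jane@example.org or 555-123-4567.",
}

if __name__ == "__main__":
    lds, findings = to_limited_data_set(SAMPLE_RECORD)
    print(sorted(lds))   # identifier fields gone, geography and date kept
    print(findings)      # [('clinical_note', 'email'), ('clinical_note', 'phone')]
```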
Need to Know Principle
A security principle stating that a user should have access only to the data needed to perform a particular function.

Notice of Privacy Practices
HIPAA requires that patients be informed of a covered entity's practices and procedures regarding use and disclosure of PHI. This is achieved by giving the patient, posting, and making available a "Notice of Privacy Practices."

Privacy Rule
The HIPAA regulations that protect the privacy of health information.

Protected Health Information (PHI)
Any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communication with a staff member. Employment records and records covered by FERPA are excluded.

Provider
Any person or entity supplying medical services who bills for or is paid for medical services "in the normal course of business."

Personal Representative
Any person authorized under applicable law to act on behalf of the Individual with respect to the Individual's health care. For example, a personal representative may include the parent or guardian of a minor patient (unless the minor has the authority under California law to act on his or her own behalf), the guardian or conservator of an adult patient, or the representative of a deceased patient.

Research
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

Single Health Care Component (SHCC)
HIPAA permits a complex organization to define itself as a single entity under HIPAA, thus providing a single set of policies, procedures and standards, permitting use of uniform forms and allowing movement of PHI within this single entity under the Notice of Privacy Practices.

Treatment
The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Treatment, Payment & Healthcare Operations (TPO)
The uses of PHI covered by the Notice of Privacy Practices and not requiring a specific authorization.

Use
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. The utilization of PHI to carry out the business of a health care provider, plan or clearinghouse.

Work Force
Employees, volunteers and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.