The purpose of this glossary is to provide definitions of key terms that are frequently used when discussing the HIPAA rule, regulations, policies, and procedures. It is designed to help explain the terms used on this site, but is not intended to be a legal document.
Administrative Simplification:
Title II, Subtitle F, of HIPAA gives the U.S. Department of Health and Human Services the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.
BA:
See Business Associate
Biometric Identifier:
An identifier based on some physical characteristic, such as a fingerprint.
Business Associate:
A person who performs functions or activities on behalf of, or certain services for, a covered entity (but is not a part of the covered entity's workforce) that involve the use or disclosure of protected health information. Examples of business associate activities and functions include, but are not limited to, (a) claims processing or administration, (b) data analysis processing or administration, (c) utilization review, (d) quality assurance, (e) billing, (f) benefits management, (g) practice management, (h) re-pricing, (i) information technology, and patient safety activities. The business associate may also receive or create protected health information in the course of providing the following types of services to the covered entity: (a) legal, (b) actuarial, (c) accounting, (d) consulting, (e) data aggregation, (f) management, (g) administrative, (h) accreditation or (i) financial.
Business Associates also include:
- (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.
- "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate."
CDC:
Centers for Disease Control and Prevention
Components (ACC College HIPAA):
- Covered Entities
- Dental Hygiene and Massage Therapy
- Business Associates
- Health Sciences programs
- Health Professions Institute Programs
- Human Services Programs
- Non-Business Associates
- Non-Business Associate Educational Departments
- Other ACC Departments
Covered Entity:
Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a HIPAA transaction.
De-identification:
Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. The Privacy Rule provides two methods by which health information can be designated as de-identified.
"Expert Determination" method:
- Apply statistical or scientific principles
- Very small risk that the anticipated recipient could identify the individual
"Safe Harbor" method:
(i) The following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(E) Fax numbers
(F) Email addresses
(G) Social security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) addresses
(P) Biometric identifiers, including finger and voice prints
(Q) Full-face photographs and any comparable images
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
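The mechanical parts of the Safe Harbor method above (the ZIP three-digit rule, year-only dates, and the "90 or older" age category), worked through on a constructed patient record. This is an added example, not code from the ACC site; the population table and the field names are assumptions for illustration.

```python
# Added example: Safe Harbor de-identification of a constructed record.
# ZIP3_POPULATION is a constructed stand-in for the Census data the rule refers to.
import re
from datetime import date

ZIP3_POPULATION = {"787": 1_500_000, "036": 15_000}  # constructed values

# Names and the direct identifiers (phone, fax, email, SSN, MRN, IP, URL) are dropped outright.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "ip", "url"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def safe_harbor_zip(zip_code, population=ZIP3_POPULATION):
    """(B): keep the 3-digit prefix only if its area holds more than 20,000 people."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) != 3:
        return None
    return prefix if population.get(prefix, 0) > 20000 else "000"


def age_on(birth, as_of):
    """Completed years between two dates."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record, as_of):
    """Return a new dict containing only what Safe Harbor allows to remain."""
    out = {}
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if birth else None
    over_89 = age is not None and age > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            # (C): only the year survives; for ages over 89 the birth year is itself
            # indicative of that age, so it is suppressed too.
            if not (over_89 and field == "birth_date"):
                out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value
    if age is not None:
        out["age"] = "90 or older" if over_89 else age
    return out


SAMPLE = {  # constructed record
    "name": "Example Patient", "ssn": "000-00-0000", "zip": "03601",
    "birth_date": date(1930, 5, 2), "admission_date": date(2023, 8, 14),
    "diagnosis": "hypertension",
}
```

Running `deidentify(SAMPLE, date(2024, 1, 1))` leaves only the "000" ZIP prefix, the admission year, the diagnosis, and the age category "90 or older".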
DHHS:
The United States Department of Health and Human Services
Designated Record Set:
A group of records that:
- Includes medical records and billing records about individuals maintained by or for the health care provider; or
- Is used, in whole or in part, by or for the covered entity to make decisions about individuals.
Direct Treatment Relationship:
A treatment relationship between an individual and a health care provider who delivers care directly to the individual.
Disclosure:
The release of information by an entity to persons or organizations outside of that entity.
Education conducted through training programs in which students, trainees, or practitioners in the health care field learn under supervision to practice or improve their skills as health care providers and/or training of non-health care professionals.
Electronic Media:
(1) Electronic storage material including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet, using internet technology to link a business with information accessible only to collaborating parties, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission.
Electronic Protected Health Information (ePHI):
Individually identifiable health information that is: (1) transmitted by electronic media; or (2) maintained in electronic media.
FERPA:
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Group Health Plan:
Under HIPAA this is an employee welfare benefit plan that provides medical care and that:
- Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
- Is administered by an entity other than the employer that established and maintains the plan.
Health Care:
Care, services, or supplies related to the health of an individual. Health care includes but is not limited to the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care. It also includes assessments or procedures with respect to the physical or mental condition, or functional status, of an individual. Sale or dispensing of a drug or device in accordance with a prescription is also considered health care.
Health Care Clearinghouse:
Under HIPAA, this is an entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
Health Care Components: Those parts of a hybrid entity that:
- Perform covered functions under the HIPAA Privacy Rule (that is, health care provider, health plan, or health care clearinghouse functions), or
- Receive, use, or disclose protected health information in the course of performing support functions for those components performing covered functions (e.g., legal, accounting, internal audit, information technology).
Health Care Operations:
A broad range of business and administrative activities of a covered entity, including but not limited to the following:
- Quality assessment and improvement activities;
- Education and training of students and other trainees;
- Reviewing the competence or qualifications of health care professionals, evaluating provider performance, health plan performance, and training, accreditation, certification, licensing, or credentialing activities;
- Conducting or contracting for health care, legal, or audit services; and
- Business planning, business management, and general administrative activities.
Health Care Provider:
A provider of medical or health services and any other person or organization who furnishes, bills for, or is paid for health care in the normal course of business.
HHS:
Department of Health and Human Services
Health Information:
Any information, whether oral or recorded in any form of medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
HIPAA:
The Health Insurance Portability and Accountability Act of 1996
Hybrid Entity:
A covered entity whose functions covered by HIPAA are not its primary functions. A hybrid entity performs both health-related functions and functions not related to health, and has segregated its various functions into health care components and non-health care components for purposes of compliance with the HIPAA Privacy Rule. Austin Community College is a hybrid entity.
Indirect Treatment Relationship:
A relationship between an individual and a health care provider in which:
- The health care provider delivers health care to the individual based on the orders of another health care provider; and
- The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who then provides the services or products or reports to the individual.
Individual:
The subject of protected health information.
Limited Data Set:
Protected health information that excludes the following identifiers of the individual or of the individual's relatives, employers, or household members:
- Addresses, other than town or city, state, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers (including license plate numbers);
- Device identifiers and serial numbers;
- Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger- and voiceprints; and
- Full-face photographic images and any comparable images.
PHI:
Protected health information (see definition below)
Payment:
Compensation or reimbursement for the provision of health care services.
Personal Representative:
Any person authorized under applicable law to act on behalf of the individual with respect to the individual's health care. For example, a personal representative may include the parent or guardian of a minor patient (unless the minor has the authority under Texas law to act on his or her own behalf), the guardian or conservator of an adult patient, or the representative of a deceased patient.
Privacy Rule:
A regulation established under HIPAA which sets national standards for protecting the privacy of certain health information. The Privacy Rule became effective on April 14, 2003, and applies to health plans, health care clearinghouses and health care providers who conduct certain health care transactions electronically.
Protected Health Information (PHI):
Individually identifiable health information, maintained in any form or medium, that is created or received by a health care provider, health plan, or health care clearinghouse and that relates to:
- The past, present or future mental or physical health of the individual;
- Provision of health care to the individual; or,
- Payment for the provision of health care to the individual.
Protected health information does not include education records covered by the Family Educational Rights and Privacy Act (FERPA) or employment records held by a covered entity in its role as employer. The following are some examples of identifiers whose presence causes health information to be protected health information:
- Date of birth
- Telephone number
- Fax number
- E-mail address
- Social Security number
- Medical record number
- Account number
- Driver's license number
- Credit card number
- Names of relatives
- Name of employer
- Health plan beneficiary number
- Vehicle or other device serial number
- Universal Resource Locator (URL)
- Internet Protocol (IP) address numbers
- Finger- or voiceprints
- Photographic or digital images
- Type of injury, disease or condition
- Type of treatment
- Date and time of treatment
Protected health information does not include information related to blood banking activities, including procurement, testing, and other procedures.
The Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years.
Reasonable Cause:
"an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect."
Research:
A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Secretary:
The Secretary of the United States Department of Health and Human Services.
SSN:
Social Security number
TPO:
Treatment, payment, and health care operations.
Transaction:
The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
- Health care claims or equivalent encounter information;
- Health care payment and remittance advice;
- Coordination of benefits;
- Health care claim status;
- Enrollment and disenrollment from a health plan;
- Eligibility for a health plan;
- Health plan premium payments;
- Referral certification and authorization;
- First report of injury;
- Health claims attachments; and
- Other transactions that the Secretary may prescribe by regulation.
Treatment:
The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers (relating to a patient); or the referral of a patient for health care (from one health care provider to another).
Use:
With respect to protected health information, the sharing, employment, application, utilization, examination, or analysis of such information within the Austin Community College Covered Entity.
Workforce:
A covered entity's employees, faculty, staff, volunteers, trainees, and other persons whose conduct, in the course of work for the covered entity, is under the covered entity's direct control, whether or not they are paid by the covered entity.