Glossary of HIPAA Terms
Activities Preparatory to Research: activities performed in anticipation of research or to establish the feasibility of research where access to information may be granted for the purpose of the review, but no identifying information may be taken away in any form from the health care component.
Authorization: document by which the individual agrees that certain protected health information (PHI) may be used or disclosed for research purposes.
Business Associates: with respect to a health care component, a person who on behalf of the health care component performs or assists in the performance of certain functions requiring use or disclosure of protected health information (PHI). Members of the health care component workforce who are performing the function in their capacity as a member of the workforce are not business associates..
Central Repository of Research Subject Information: a physical archive or storage area where one or more of several components of individual health information are permanently maintained.
Covered Transaction: transmission of information between two parties to carry out financial or administrative activities related to health care
Data use Agreement: Written agreement between a covered entity or health care component and a researcher requesting a disclosure of protected health information (PHI) contained in a limited data set. Data use agreements must meet the requirements of Creating and Disclosing a Limited Data Set.
De-identified Data: Health information that does not identify an individual and with respect to which there is not a reasonable basis to believe that the information can be used to identify the individual. Data is de-identified if a person with appropriate knowledge and skill uses accepted scientific principles and methods to determine the risk is very small that information could be used to identify the individual and documents the method used to justify such a conclusion; or if all of the following identifiers for the individual and the individual’s relatives, employers or household members are removed:
2. All geographic subdivisions smaller than a state (street address, city, county, precinct) Note: zip code or equivalents must be removed, but may retain first 3 digits if the geographic unit to which the zip code applies if the zip code area contains more than 20,000 people.
3. For dates directly related to the individual, all elements of dates, except year. (date of birth, admission date, discharge date, date of death)
4. All ages over 89 or dates indicating such an age, except that you may have an aggregate category of individuals 90 and older.
5. Telephone Number
6. Fax Number
7. Email address
8. Social Security Number
9. Medical Record Number
10. Health Plan Number
11. Account Numbers
12. Certificate or license numbers
13. Vehicle identification/serial numbers
14. Device identification/serial numbers
15. Universal Resource Locators (URL)
16. Internet Protocol addresses
17. Biometric Identifiers
18. Full face photographs and comparable images
19. Any other unique identifying number, characteristic or code.
Designated Records Set: Group of items, collections, or groupings of information that include PHI and are maintained, used, collected or disseminated by or for a Provider Component that are the medical records and billing records about individuals maintained by or for the Provider Component.
Disclosure: to release, transfer, provide access to, or divulge protected health information (PHI) outside the University health care component. Disclosure also includes providing information or access to another person for purposes other than the original research purpose for which the information was released.
External Researcher: Any researcher who is not an employee, credentialed staff member, or an individual affiliated through a formal affiliation agreement with the covered entity or health care component that is the holder of the protected health information (PHI). External researchers, in addition to meeting HIPAA requirements, must meet University’s authorization requirements for the following: activities preparatory to research; research using individual health information of decedents; or when obtaining an IRB alteration of the HIPAA individual authorization requirements.
Health Care: care, services or supplies related to the health of an individual. Health care includes but is not limited to:
1. preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to physical or mental state
2. sale or dispensing of drugs, devices, equipment or other item in accordance with a prescription condition, or functional status of an individual or that affects the structure of function of the body.
Health Care Component: a component or combination of components designated by the University as health care components. The requirements of covered entities apply to the health care components of the University. These covered health care components include units that provide health care (“Provider Components”) and units (“Service Components”) that perform business or professional services requiring access to protected health information (“PHI”) on behalf of the University.
Health Care Operations: any of the following activities of the covered entity to the extent that the activities are related to covered functions:
1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines where generalizable knowledge is not the primary purpose, population based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;
2. Reviewing the competence or qualifications of health care professionals;
3. Evaluating practitioner and provider performance & health plan performance
4. Conducting training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
5. Training of non-health care professionals;
6. Accreditation, certification, licensing, or credentialing activities;
7. Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
8. Underwriting, premium rating and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits [including reinsurance];
9. Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating the entity, including formulary development & administration, development or improvement of methods of payment or coverage policies;
10. Business management and general administrative activities;
11. Activities related to implementation and compliance with HIPAA;
12. Customer service, including provision of data analyses for policy holders, plan sponsors or other customers, provided that PHI is no disclosed;
13. Resolution of internal grievances;
14. The sale, transfer, merger or consolidation of all or part of the covered entity, or an entity that will become a covered entity, and due diligence related to such activity;
15. Creating de-identified data or a limited data set; and
16. Fundraising for the benefit of the health care component.
Health Care Provider: a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business and who transmits information in electronic form in connection with a covered transaction.
Health Plan Component: designated health care component of the University that performs covered functions in the course of administering a health plan for the University.
HIPAA: acronym for the Health Insurance Portability and Accountability Act of 1996.
Hybrid Entity: single legal entity that is a covered entity, performs business functions that are both covered and non-covered, and designates health care components.
Individual Health Information: health information about an individual that:
1. is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
2. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
Internal Researcher: Any researcher who is internal to the covered entity or health care component that is the holder of the protected health information (PHI) through status as an employee, credentialed staff member, or an individual affiliated through a formal affiliation agreement.
Limited Data Set: A subset of individual health that has had certain direct identifiers removed, but does contain other protected health information (PHI) that could potentially identify the individual, and is used for a specific research purpose. A limited data set is not considered de-identified data.
Marketing: The following types of communications are marketing activities:
1. an arrangement between a health care component and any other entity whereby the health care component discloses protected health information (PHI) to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; or
2. a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the activity meets one of the exclusions from the marketing definition. The categories of communications which are excluded from the definition of marketing when made by the health care component are communications about:
i. The individual’s treatment;
ii. Case management or care coordination for the individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to the individual; or
iii. Description of a health related product or service, or payment for the product or service that is provided by, or included in the health care component’s plan of benefits.
Payment: Activities undertaken by a health plan to obtain premiums or for coverage determinations/responsibilities, by a provider or plan to obtain or provide reimbursement
Personal Representative: a person who has authority under state law to act on behalf of an individual to make decisions related to health care.
Privacy Coordinator: person designated by each health care component and charged with carrying out the HIPAA compliance responsibilities for their respective health care component.
Privacy Officer: person and associated office designated by the University to carry out and coordinate activities related to privacy of health information as required by HIPAA.
Protected Health Information (“PHI”): individual health information that is transmitted or maintained in any form or medium. The following records are exempted from the definition of protected health information (PHI):
1. student records maintained by an educational institutions;
2. treatment records about a post-secondary students meeting the requirements of 20 USC 1232(a)(4)(B)(iv); and
3. employment records held by a covered entity in its role as employer
Provider Component: designated health care component of the University that performs covered functions in the course of providing health care to individuals at the University.
Psychotherapy notes: notes recorded in documenting or analyzing the contents of counseling that capture the therapist’s impressions about the patient and containing details of the conversation that are considered inappropriate for the medical record. Psychotherapy notes are separated from the rest of the patient’s medical record. The following are not psychotherapy notes: medication prescription and monitoring, session start/stop times, modalities and frequency of treatment, results in clinical tests and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.
Research: systematic investigation, including development, testing and evaluation designed to develop or contribute to generalizable knowledge.
Research subject information: all information, data, or knowledge relating to the care or health of a University research subject.
Secretary: Secretary shall mean the Secretary of the Department of Health and Human Services or designee.
Service Component: designated health care component of the University that perform business or professional services requiring access to protected health information (PHI) on behalf of provider components.
Summary Data: A collection of patient care, public health or clinical information which does not reveal the identity of individual research subjects
Trainee: person involved in an educational program at the University that provides for the development of additional skills and the opportunity to learn new techniques and acquire experience in the given professional field or in the conduct of research.
Treatment: provision, coordination, or management of health care and related services by one or more providers, including coordination and management of care by provider with third party, consultation between providers about a patient, or referrals.
Use: to employ, apply, utilize, examine or analyze PHI maintained within the health care component of the University.
Volunteer: individual who performs uncompensated services for the University under the direction and control of a University supervisor.
Workforce: all employees, volunteers, trainees and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.