Glossary
HIPAA Enforcement Training for State Attorneys General


Term
Definition
A
Addressable Implementation Specifications (Security Rule) Implementation specifications (see term below) are methods or approaches that entities must put in place to achieve compliance with the standards provided in the HIPAA Privacy and Security Rules.  Addressable implementation specifications under the Security Rule are NOT optional; however, covered entities are permitted to determine whether each addressable implementation specification is “reasonable and appropriate” for their individual environments. If it is not reasonable and appropriate, the covered entity may substitute a reasonable and appropriate alternative security measure.  Entities must document the rationale for their decision and implement an equivalent alternative measure if it is reasonable and appropriate.
Administrative Safeguards (Security Rule) A set of policies and procedures that a covered entity must have in place to protect ePHI that it creates, receives, stores, or transmits.  Administrative safeguards include standards and implementation specifications for risk analysis and management, access management, workforce training, and evaluation of security measures.
Administrative Requirements The Secretary of HHS adopted standards and implementation specifications for certain health care transactions including health claims, health plan enrollment, eligibility for a health plan, health care payments, claim status, referral certification and authorization, and coordination of benefits. See Part 162 of the HIPAA Administrative Simplification regulation.
Administrative Simplification Subtitle F of Title II of HIPAA is the Administrative Simplification portion of the law. It encourages improvements in efficiencies and effectiveness in the health care system through the requirement that HHS adopt standards for the electronic transmission of certain health information.  Section 264 of Subtitle F, Recommendations with Respect to Privacy of Certain Health Information, requires the Secretary of HHS to establish standards with respect to the privacy of individually identifiable health information. HHS promulgated the HIPAA Privacy and Security Rules to implement this statutory requirement.
Affiliated Covered Entity Legally separate covered entities that are affiliated by common ownership or control and that designate themselves (including their health care components) as a single covered entity for Privacy Rule compliance purposes.
American Recovery and Reinvestment Act (ARRA) ARRA is the acronym for the American Recovery and Reinvestment Act, also known as the stimulus bill, which was enacted in 2009.
ARRA/HITECH The HITECH Act, enacted as part of ARRA, promotes the widespread adoption and use of health information technology and strengthens privacy and security protections for individuals’ protected health information. Subtitle D of HITECH extends certain provisions in the Privacy and Security Rules to apply directly to business associates of covered entities, and establishes new breach notification requirements for covered entities and their business associates. 

HITECH defines what constitutes a breach of PHI, and provides criteria for determining whether or not notice is required to individuals who are data subjects, HHS, and the media.  HITECH also improves enforcement by increasing penalties and establishing SAG authority to enforce the HIPAA Rules on behalf of residents of their states.
Availability (Security Rule) ePHI is accessible and useable upon demand by an authorized person. The loss of availability could delay treatment, or lead to inappropriate treatment in the absence of adequate information.
B
Breach

Section 13400 defines a “breach” as the unauthorized acquisition, access, use or disclosure of PHI which compromises the privacy or security of such information.  The HITECH Act also provides several exceptions to the definition of “breach” that generally apply to impermissible uses and disclosures that are harmless inadvertent or unintentional errors, as long as the PHI is not further impermissibly used or disclosed.  Therefore, not all impermissible uses and disclosures under the Privacy Rule will constitute breaches.

For example, it would not be a breach where a nurse, who is generally authorized to access PHI at the covered entity, pulls up the wrong patient’s information on the computer.  She skims through the PHI before realizing that it is the wrong patient.  Even though this was an impermissible use of PHI because she was not specifically authorized to access this patient’s information, it does not constitute a breach under the HITECH Act because it was a use made in good faith and within the course and scope of the nurse’s employment with the covered entity.
Breach Notification Section 13402, “Notification in the Case of Breach,” of ARRA/HITECH requires a covered entity that discovers a breach of unsecured PHI to notify each individual who may have been affected by the breach, as well as HHS.  Paper notification, whether by the covered entity or its business associate, is required by first class mail to the last known address of the individual or his/her next of kin, unless preference is specified by the individual for electronic mail.  If more than 500 individuals are affected, the covered entity must also provide notice to prominent media within the State or jurisdiction.
Business Associate Business associates are individuals or organizations that, on behalf of or for a covered entity (or, after the HITECH Final Rule, another business associate), perform a function or activity involving the use or disclosure of PHI, or provide certain services to a covered entity that involve the use or disclosure of PHI.
Business Associate Agreement Covered entities must obtain satisfactory assurances that these business associates will safeguard protected health information. This means that a covered entity and business associate must enter into a business associate agreement that specifies how patients’ PHI may or may not be used.  The business associate agreement must also require the business associate to inform the covered entity of any uses or disclosures made that were not permitted by its contract.  If this is not done, it constitutes a violation of the Privacy Rule and the business associate agreement. The covered entity may end its contract with the business associate if it determines that the business associate violated a material term of the contract.
C
Civil Money Penalties (CMP) If the covered entity does not resolve an indication of HIPAA noncompliance in a way that is satisfactory to HHS, including through demonstrated, voluntary compliance or a completed corrective action plan or other type of agreement, Office for Civil Rights (OCR) may decide to impose civil money penalties on the covered entity.  The precise amount of a civil money penalty will depend on many factors listed in the enforcement rule, such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, and whether the covered entity’s failure to comply was due to willful neglect.  Note that if a preliminary review of the facts indicates a possible violation due to willful neglect, the Secretary is required to conduct an investigation. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
Confidentiality (Security Rule) ePHI is not made available or disclosed to unauthorized persons or processes. The confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission of the information. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI.
Contrary A state law that is contrary to the HIPAA Rules is preempted by HIPAA. For example, a state law would be “contrary” to federal breach notification requirements if the covered entity or business associate would find it impossible to comply with both the state law and the federal requirements, or if the state law presents an obstacle to the accomplishment and execution of the full purposes of the requirements, as applicable. The exceptions from preemption for certain state laws provided in 45 CFR § 160.203 do not apply to state breach notification requirements. To date, HHS has not deemed any state law to be contrary to HIPAA.
Covered Entity (CE) Covered entities are health plans, health care clearinghouses, or health care providers who transmit any health information in electronic form in connection with a covered transaction.
D
Designated Record Set

A group of records maintained by a covered entity. It includes an individual’s medical and billing records; the enrollment, payment, claims adjudication, and case management record systems of a health plan; and other records used by covered entities to make decisions about individuals. For example, a health plan member has the right to see records related to the denial of payment for a treatment. She does not have the right to examine every actuarial spreadsheet into which her history of payment has contributed if it is not used to make decisions about her own coverage.

Disclosure The release, transfer, provision of access to or divulging of PHI—in any manner—outside of a covered entity holding the PHI.
E
Electronic Protected Health Information (ePHI) Electronic protected health information is protected health information that is created, received, maintained or transmitted in electronic format.
Encryption Defined as a method of converting an original regular text, such as that of an email or document, into unreadable text that may be decrypted into readable text by an authorized user. The goal of encryption is to protect ePHI from being accessed and viewed by unauthorized users. The Security Rule includes two implementation specifications related to encryption.  While both of these are addressable, adopting encryption technologies will be reasonable and appropriate for many covered entities based on their analysis of risks.
H
Health Care Clearinghouses

Health care clearinghouses are entities that process or facilitate the processing of health information from nonstandard format or content into standard format or content, or from standard format or content into nonstandard format or content, for another entity. They conduct these functions on behalf of another entity, such as a health plan, so usually act as “business associates” of other covered entities.

For example, a clearinghouse may take the data received through a standard transaction and convert it to populate a health plan’s internal claims management system.

Health Care Provider

A provider of services, a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health information (HI) Defined in the HIPAA statute and the Privacy Rule as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) The Health Insurance Portability and Accountability Act of 1996, often referred to by its acronym, “HIPAA,” was enacted by Congress as Public Law 104–191.  HIPAA consists of five titles, two of which are briefly described here.  Title I addresses Health Care Access, Portability, and Renewability and was enacted to protect the health insurance of workers should they lose their jobs.  Title II addresses Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform.  Subtitle F of Title II, entitled Administrative Simplification, required the Secretary of HHS to establish standards to protect the privacy of individuals’ health information if Congress did not do so by a certain date (Congress did not).
Health Information Technology for Economic and Clinical Health Act (HITECH) Title XIII and Title IV of Division B of ARRA, known collectively as the Health Information Technology for Economic and Clinical Health Act (HITECH), encourage the adoption of health information technology and strengthen privacy and security protections for PHI.
Health Plans Health plans include health insurance companies; health maintenance organizations (HMOs); group health plans, e.g., employer-sponsored health plans; government programs that pay for health care such as Medicare and Medicaid; and the military and veterans health care programs.
Hybrid Entity A single covered entity that performs some business functions that are covered by HIPAA and some that are not, and is permitted to designate its components that conduct HIPAA-related functions so that most requirements of the Privacy and Security Rules apply to only those health care components.
I
Implementation Specifications Many Privacy and Security Rule standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach covered entities should use to implement a particular standard.  Under the HIPAA Privacy Rule, all standards and implementation specifications are required. Under the Security Rule, all standards are required, while the implementation specifications for the security standards are considered to be either “required” or “addressable.”
Individually Identifiable Health Information (IIHI)

Individually Identifiable Health Information is defined in the HIPAA statute and the Privacy Rule as any health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or to past, present, or future payment for the provision of health care to an individual; and that identifies the individual.

Information is IIHI if it is health information and either identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.
Integrity

ePHI is not altered or destroyed in an unauthorized manner. A failure to ensure the integrity of PHI could lead to inappropriate treatment due to incomplete or inaccurate information.

L
Limited Data Set

A limited data set comprises data from which most PHI has been removed, except for dates and geographic information; this information may be used only for research, public health, or health care operations purposes.  Data recipients must sign a Data Use Agreement stating that the information will be used only for the specified purposes, that no attempt will be made to re-identify it, and that it will not be re-disclosed.

M
Minimum Necessary

This Privacy Rule standard requires that when using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

N
Notice of Privacy Practices The HIPAA Privacy Rule provides patients with a number of rights related to their own PHI.  These rights are reflected in a “Notice of Privacy Practices” that covered entities are required to provide to each individual at the time of initial contact.  The Notice of Privacy Practices must be written in plain language and must inform individuals about their rights, uses and disclosures of PHI that the covered entity may make, and the covered entity’s duties.
O
Organized Health Care Arrangements (OHCA) An organizational structure under which two or more covered entities participate jointly to provide health care or health coverage.  Participating elements may disclose PHI to each other for treatment, payment, or health care operations purposes.
P
Physical Safeguards (Security Rule)
The policies and procedures covered entities and their business associates are required to put in place to ensure the physical protection of electronic information systems and related buildings and equipment from natural threats, environmental threats, or unauthorized physical intrusion.  These can include providing protection against fires, floods, or theft of equipment.  The Privacy Rule also requires, but does not specify as above, physical safeguards to protect the privacy of protected health information.
Privacy Rule

Title II, Section 264 of the HIPAA statute required the Secretary of HHS (if Congress did not act) to promulgate final regulations with respect to the privacy of individually identifiable health information (IIHI) that addressed the rights of an individual who is a subject of IIHI and the procedures that should be established for the exercise of such rights. It also required the Secretary to address the uses and disclosures of such information that should be authorized or required.
This requirement resulted in the development of the HIPAA Privacy Rule, which was ultimately published in the Federal Register on December 28, 2000.  The Rule was incorporated into the Code of Federal Regulations in Volume 45, Parts 160 and 164 with compliance generally required in 2003.
Part 160 addresses administrative requirements that apply to both the HIPAA Privacy and Security Rules, including such issues as the preemption of state law, compliance and enforcement, and civil money penalties. 

Part 164, titled “Security and Privacy,” contains definitions that apply to the Security and Privacy Rules as well as the substantive requirements of each.
Protected Health Information (PHI) Protected Health Information is any individually identifiable health information (IIHI) that is held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.  IIHI held by a non-covered entity or a non-business associate of a covered entity is not PHI.
R
Reasonable and Appropriate (Security Rule)

The Security Rule standards require covered entities to evaluate risks and vulnerabilities in their environments in order to implement safeguards that will protect against threats or vulnerabilities and ensure the confidentiality, availability, and integrity of ePHI. The selection of safeguards that are “reasonable and appropriate” is based on the covered entity’s analysis of risks. Although the Security Rule allows covered entities to implement safeguards that are “reasonable and appropriate” based on the risk analysis, this allowance is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of the Security Rule. Failure to implement safeguards that address the covered entity’s risk analysis could result in violations of the Security Rule, which would be subject to SAG enforcement.

Required Implementation Specifications Required implementation specifications must be implemented by all covered entities.  See implementation specifications above.
Resolution Agreement

One type of “informal resolution” of a situation indicating noncompliance with HIPAA is a resolution agreement, often incorporating a corrective action plan, which is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations.  OCR has used this process in cases in which voluntary compliance was not sufficient.

The resolution agreement names the covered entity, identifies the conduct that is the subject of the resolution agreement, and describes the obligations the covered entity agrees to perform. The resolution agreement also describes the payment agreed to by the covered entity, and requires the covered entity to make reports to HHS for a period of time, typically three years. During this period, the covered entity is monitored to ensure compliance with the obligations it has agreed to perform.
Risk (Security Rule) Risk is the likelihood of a given threat triggering or exploiting a particular vulnerability, and the resulting impact on the organization.  Therefore, risk is a combination of factors or events (threats and vulnerabilities) which, if they occur, may have an adverse impact on the confidentiality, availability, and/or integrity of ePHI.
Risk Analysis (Security Rule) The Security Management Process standard in the Security Rule is an administrative action that requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations. As part of their security management process, covered entities are required to conduct a risk analysis.  That is, they must perform an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit.
S
Safeguards (Security Rule)
Covered entities are required to implement certain security safeguards to protect their information systems and the ePHI they contain against anticipated threats and vulnerabilities, and to prevent unauthorized access to, or disclosure of, ePHI.
Security Standards

The HIPAA Security Rule is meant to complement the HIPAA Privacy Rule in protecting ePHI. It defines three types of security safeguards—administrative, physical, and technical. Covered entities are required to implement certain safeguards to protect their information systems and the ePHI they contain against anticipated threats and vulnerabilities, and to prevent unauthorized access to or disclosure of ePHI. 

Standard Transactions A health care provider who conducts one of the following standard transactions with a health plan is considered a HIPAA covered entity, and therefore subject to the HIPAA Rules: (a) requesting payment (a “health care claims or equivalent encounter information” transaction); (b) making certain inquiries about a benefit plan for an enrollee (an “eligibility for a health plan” transaction); (c) requesting authorization for providing health care or for referring an individual to another health care provider (a “referral certification and authorization” transaction); and (d) inquiring regarding the status of a health care claim (a “health care claim status” transaction).
State Law For HIPAA preemption analysis, a “state law” means a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law.
T
Technical Safeguards (Security Rule)
The technologies and the policies and procedures that covered entities must use and put in place to protect ePHI from unauthorized access and disclosure. Technical safeguards include user logins and passwords established with appropriate access level controls; and audit logs that determine who has gained access, where they went, and what they did.
Threat

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 defines threat as the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threats that could impact the confidentiality, integrity, or availability of ePHI include natural threats, such as floods, earthquakes, tornadoes, and landslides; human threats, such as intentional network and computer-based attacks, malicious software uploads, unintentional data entry or deletion, or inaccurate data entry resulting in unauthorized access to ePHI; and environmental threats, such as power failures, pollution, chemicals, and liquid leakage.
Transactions Transactions are exchanges of information between two parties for specific purposes.  For example, a health care provider will send a claim to a health plan to request payment for medical services.   Through the HIPAA Transactions and Code Sets Rule, HHS adopted standard transactions for the electronic exchange of health information for certain purposes.
U
Unsecured PHI Defined as PHI that is not secured through the use of a technology or methodology specified by HHS’ Breach Notification Guidance. The guidance recognizes encryption and destruction as the methods for securing PHI.
Use The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information (IIHI) within the entity. Use refers to activities involving IIHI that occur within a covered entity.
V
Vulnerability Vulnerability is defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in inappropriate access to or disclosure of ePHI.