HIPAA Privacy Glossary of Terms

Business Associate. A person or organization that performs a function or activity on behalf of a covered entity involving the use or disclosure of individually identifiable health information, but is not part of the covered entity's workforce.

Covered Entity. (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

De-identified health information. Health information that does not identify the individual or where identifiable information has been removed. De-identified health information can NOT include the following information:

1. Names
2. Geographic subdivisions smaller than a state
3. All elements of dates (except year) related to an individual - including dates of admission, discharge, birth, death - and for persons >89 the year of birth cannot be used
4. Telephone numbers
5. FAX numbers
6. Electronic mail addresses
7. SSN
8. Medical Record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. Internet protocol addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photos, and comparable images
18. Any unique identifying number, characteristic, or code

Disclose. With respect to PHI, means the release, transfer, provision of access to or divulging in any other manner of information outside the entity holding the information.

Health Care Clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health Care Provider. A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Plan. An individual or group plan that provides, or pays the cost of, medical care. Health plan includes a group health plan, a health insurance issuer, an HMO, Part A or Part B of the Medicare program, the Medicaid program, an issuer of a Medicare supplemental policy, an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy, an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. Note: A number of additional government-related plans are also defined as health plans under HIPAA. Please refer to the Act for a comprehensive list.

HIPAA. Stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA establishes national standards for health care transactions, unique health identifiers, code sets for the data elements of the transactions, security of health information, and electronic signature.

Individually Identifiable Health Information. Any information that allows others to identify the patient. A typical record contains the patient's name, address, zip code, birth date, social security number, and telephone number.

Minimal risk. With regard to Waiver of Authorization criteria, minimal risk means: there is an adequate plan to protect PHI from improper use and disclosure, there is a plan to destroy identifiers at the earliest opportunity consistent with the conduct of research, and there are adequate written assurances that PHI will not be reused or disclosed to any other person (except as required or permitted by law).

Minimum necessary standard. The Privacy Rule requires that only the minimum amount of information to accomplish the intended purpose be provided when using, requesting, or disclosing Protected Health Information. Meeting the minimum necessary standard can be accomplished by de-identifying the unneeded information (in other words, removing the individually identifiable information).

PHI. Stands for protected health information, which means individually identifiable health information (with limited exceptions) in any form, including information that is transmitted orally, or in written or electronic form.

Privacy Rule. Privacy Rule refers to the Standards for Privacy of Individually Identifiable Health Information portion of HIPAA. The Privacy Rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

Protected Health Information (PHI). Protected health information means individually identifiable health information (with limited exceptions) in any form, including information that is transmitted orally, or in written or electronic form. Examples include patient's name, address, zip code, birth date, social security number, and telephone number.

Use. With respect to PHI, use means the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.