A system that creates accesses, transmits or receives: 1) primary source ePHI, 2) ePHI critical for treatment, payment or health care operations or 3) any form of ePHI and the host system is configured to allow access by multiple people.

The ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

The provision of a list of disclosures made by a covered entity.

Administrative actions and policies and procedures (1) to manage the selection, development, implementation, and maintenance of security measures, and (2) to protect ePHI and to manage the conduct of the Covered Components’ workforce in relation to the protection of ePHI.

An amendment to a record would indicate that the data is in dispute while retaining the original information. A correction to a record alters or replaces the original record.

A specific type of permission given by the individual to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations.

A system that is typically used by a single individual and is used to create, access, transmit or receive ePHI. However, s System, even if used only by a single user, which supports primary source ePHI or ePHI critical for treatment, payment or health care operations is an Above-threshold System.

The unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed, would not reasonably have been able to retain such information.

An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

Generally an entity or person who performs a function involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity (such as claims processing, case management, utilization review, quality assurance, billing) or provides services for a covered entity that require the disclosure of PHI (such as legal, actuarial, accounting, accreditation).

A written contract between a covered entity and a business associate (BA) that establishes the permitted and required uses and disclosures of protected health information by the BA; requires the BA to implement appropriate safeguards to prevent unauthorized use or disclosure; requires BA to report to covered entity any uses and disclosures not provided for in the contract; to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, requires the business associate to comply with the requirements applicable to the obligation; requires BA to ensure any subcontractors agree to the same restrictions. See our HIPAA Business Associate Agreement Template.

A statement that a situation is unsatisfactory or unacceptable; An allegation of wrongdoing against an individual or organization.

An area within a Hybrid Entity that is a health care provider, health plan, or health care clearinghouse that transmits health information in electronic form in connection with a covered transaction. A Covered Component must comply with HIPAA.

A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with transactions covered by the HIPAA Privacy Rule.

Data if inappropriately handled may result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, or unauthorized access by an individual or many individuals (e.g., student loan information, social security number, driver’s license number, passport or Visa number, state ID card number and protected health information).

An agreement required by the Privacy Rule between a covered entity (the holder of the PHI) and a person or entity that receives the limited data set (e.g. a research investigator) when the data are in the form of a limited data set. A Data use agreement establishes the ways in which the information in the limited data set may be used and how it will be protected.

Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

A group of records maintained by or for a covered entity that is: the medical records and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used, in whole or in part, by or for the covered entity to make decisions about individuals.

Any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

US Department of Health and Human Services

Means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

The part of a Contingency Plan that documents the process to restore any loss of data and to recover computer systems if a disaster occurs (i.e., fire, vandalism, natural disaster, or System failure). The document defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist in restoring the business process to attain the stated disaster recovery goals.

The release, transfer, provision of access to, or divulging in any other manner of protected health information outside of the entity holding the information.

The communication or exchange of business documents between companies via computer.

An electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.

is PHI in electronic form.

A minor who is to be treated as an adult for purposes of this policy. An emancipation order allows a minor to consent to “medical, dental or psychiatric care, without parental consent, knowledge or liability.” Courts may declare the minor emancipated if (1) the minor has been married, (2) the minor actively serves in the U.S. armed forces, (3) the minor willingly lives away from home and manages his or her own finances, or (4) the court determines “for good cause” that emancipation is in the “best interest” of the minor. A minor may also be considered emancipated under common law under similar circumstances.

is a subset of a disaster recovery plan that documents processes that support continued operation in case of an emergency. Emergency mode operations documentation includes emergency management/crisis management guidelines and procedures to maintain the integrity, availability and confidentiality of protected health information.

The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

means an individual’s dependent or any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or the individual’s dependent. Relatives by marriage or adoption are treated the same as relatives who share a common biological ancestor. First-degree relatives include parents, spouses, siblings and children. Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces. Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins. Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect remuneration does not include any payment for treatment of the individual

Appeals for money, sponsorship of events, etc. for the benefit of a covered entity. HIPAA allows the disclosure of protected health information for this purpose without an individual’s authorization.

means information about 1) an individual’s genetic tests, 2) the genetic tests of family members of the individual, 3) the manifestation of a disease or disorder in family members of the individual, or 4) any request for or receipt of genetic services including participation in clinical research which includes genetic services by the individual or their family member. Genetic information includes the genetic information of a pregnant women’s fetus or that of a family member or of any embryo legally held by the individual or family member using an assisted reproductive technology. Genetic information does not include the sex or age of an individual.

means a genetic test, genetic counseling (including obtaining, interpreting, or assessing genetic information), or genetic education.

means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder or pathological condition.

means an employee welfare benefit plan (as defined in the Employee Retirement Income and Security Act of 1974 (ERISA), 29 USC 1002(1)), including insured and self–insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that has 50 or more participants; or is administered by an entity other than the employer that established and maintains the plan.

care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

means a component of a hybrid entity designated by the hybrid entity that functions as a health care provider, as defined by HIPAA.

any of the following activities of a covered entity that relate to its covered functions (i.e., acting as a health care provider and an employer group health plan): conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; underwriting (except as prohibited when involving genetic information), premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities of the entity.

a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

The process of reliable and interoperable electronic health-related information sharing conducted in a manner that protects the confidentiality privacy and security of the information. The electronic movement of health-related information among organizations according to nationally recognized standards.

An organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards.

Federal law enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act promotes adoption and meaningful use of health information technology; widens the scope of privacy and security protections available under HIPAA; increases the potential legal liability for noncompliance; and provides for more enforcement.

A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Also gives Health and Human Services (HHS) the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

an individual or group plan as defined in HIPAA that provides, or pays the cost of, medical care.

An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.

Certain activities of the covered entity that are related to covered functions. These activities include, but are not limited to: administrative, financial, legal, underwriting and quality improvement activities that are necessary for a covered entity to run its business.

Human Investigation Committee

A HIPAA audit is based off a set of regulations, standards and implementation specifications. The audit is an analysis that helps to pinpoint the organization’s current state and what steps need to be taken to get the organization compliant.

An evaluation is part of the audit – a company must perform an evaluation and undergo periodic evaluations once a year at minimum. As technology changes, different components are added to an organization’s infrastructure and they should be re-evaluated.

While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

a single legal entity that is a covered entity whose business activities include both covered and non–covered functions.

A person or institution acting in lieu of a parent.

Secondary use[s] and disclosure[s] of protected health information (PHI) that cannot reasonably be prevented, limited in nature and that occur as a byproduct of an otherwise permitted use or disclosure.

a relationship between an individual and a health care provider in which the health care provider delivers health care to the individual based on the orders of another health care provider; and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

the person who is the subject of PHI.

a subset of “health information,” including demographic information;

1. that is created or received by a health care provider, health plan, employer, or health care clearinghouse;
2. that relates to the physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual; and
3. that identifies the individual, or might reasonably be used to identify the individual.

is any activity that harms or represents a serious threat to the whole or part of an organizations computer, telephone and network–based resources such that there is an absence of service, inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data, unauthorized exposure, change or deletion of PHI, or a crime or natural disaster that destroys access to or control of these resources. Routine detection and remediation of a ‘virus’, ‘malware’ or similar issue that has little impact on the day–to–day business of the organization is not considered an Incident.

A person authorized either by state law or by court appointment to make decisions, including decisions related to health care, on behalf of another person, including someone who is authorized under applicable law to consent on behalf of a prospective subject to the subject’s participation in the procedure involved in the research.

A data set of protected health information that excludes all of the 16 HIPAA specified direct identifiers related to an individual or of relatives, employers, or household members of the individual, but retains geographic subdivisions larger than the postal address, elements of dates including month and day as well as other unique identifying numbers, characteristics or codes not previously listed as a direct identifier and cannot reasonably be used to identify an individual. Limited data sets may only be used for research, public health or for health care operations; and only in conjunction with a data use agreement.

Short for malicious software. Software the is intended to damage or disable computers and computer systems. Malware includes computer programs known as viruses, worms, Trojans, ransomware and spyware. See our HIPAA Malware Protection Policy Template.

means that an individual has been or could reasonably be diagnosed with a given disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved.  A given disease, disorder or condition is no manifested if the diagnosis is based principally on genetic information.

means, to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:

1. to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if the financial remuneration received by the covered entity in exchange for making the communication is reasonable in relation to the covered entity’s costs of making the communication; or
2. for the following purposes except where the covered entity receives financial remuneration in exchange for the communication
   1. to describe a health–related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication (including communications about the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits); or
   2. for treatment of the individual, including case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; or
   3. for case management or care coordination, contacting of individuals with information about treatment alternatives and related functions to the extent that these activities do not fall within the definition of treatment.

A standard that requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to certain uses or disclosures such as those requests by a health care provider for treatment purposes, disclosures to the individual who is the subject of the information or pursuant to an individual’s authorization.

A small device that is capable of collecting, storing, transmitting, or processing electronic data or images. These may include a cellular telephone, mobile phone, notebook & laptop computers, smart phone, PDA, non-laptop based tablet (e.g. iPad, kindle, android), or USB-device.

The Privacy Rule requires health plans and covered health care providers to provide adequate notice that provides a clear, user friendly explanation of the individual’s legal rights with respect to their personal health information and the privacy practices of the covered entity.

Office of Civil Rights, the branch of the DHHS that is responsible for federal oversight of the privacy regulations.

Organized Health Care Arrangement, a clinically integrated care setting where individuals typically receive health care from more than one health care provider. Members of an OHCA may agree to abide by the terms of a joint notice of privacy practices and to share PHI as necessary to carry out treatment, payment, or operations relating to the OHCA.

an adult family member or friend who a patient grants authority to have access to the patient’s Protected Health Information (PHI) in order to assist the patient in their care or payment for care.

the activities undertaken by (1) except as prohibited when involving genetic information, a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, including determinations of eligibility and adjudication of claims; risk adjusting; billing, claims management, and collection activities; review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities; and disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement; or (2) a covered health care provider or health plan to obtain or provide reimbursement for the provision of health care.

Someone with the legal authority to act on behalf of an incompetent adult patient, a minor patient or a deceased patient or the patient’s estate in making health care decisions or in exercising the patient’s rights related to the individual’s protected health information.

Protected Health Information

The activity of defrauding an online account holder by posing as a legitimate company or person.

A form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM, or other communication channels.

are measures, policies, and procedures to physically protect the Covered Components’ Systems and related buildings and equipment that contain ePHI, from natural and environmental hazards and unauthorized intrusion.

A review board that is responsible for approving HIPAA waivers of authorization.

The regulations at 45 CFR 160 and 164, which detail the requirements for complying with the standards for privacy under the administrative simplification provisions of HIPAA.

is any individually identifiable health information, including genetic information and demographic information, collected from an individual, whether oral or recorded in any form or medium that is created or received by a covered entity.

PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:

• The individual’s past, present or future physical or mental health or condition of an individual; OR
• The provision of health care to the individual; OR
• The past, present or future payment of health care to an individual

Information is deemed to identify an individual if it includes either the patient’s name or any other information that taken together or used with other information could enable someone to determine an individual’s identity. (For example: date of birth, medical records number, health plan beneficiary numbers, address, zip code, phone number, email address, fax number, IP address, license numbers, full face photographic images or Social Security Number.

PHI excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer. PHI also excludes information related to individuals who have been deceased for more than 50 years. (see also definitions of “health information” and “individually identifiable health information”)

Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult.  See our HIPAA Malware Protection Policy Template.

means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Any access to a device on the organizations network through a non–organization controlled network, device, or medium, for example by DSL, cable modem or dial–up connection.

Research is any systematic investigation (including research development, testing, and evaluation) that is designed to contribute to generalizable knowledge.

A documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and an estimation of the security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. Risk analysis involves determining what requires protection, what it should be protected from, and how to protect it.

Internet sites that provide a variety of ways for users to interact, such as e-mail instant messaging, posting informational web pages and picture exchange services. Common Internet social networking sites are Facebook, Twitter, Instagram, LinkedIn, Pinterest, TikTok, Tumblr, VK, Flickr, Vine and MySpace.

A system that is the authoritative data source for a given data element or piece of information used for patient care or billing.

information that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and from which identifying information has been deleted, except that the geographic information need only be aggregated to the level of a five digit zip code.

is any electronic computing or communications device or the applications running thereon which can create, access, transmit or receive data. Systems are typically connected to digital networks. Examples of Systems include:

• A computer system whether or not connected to a data network,
• A database application used by an individual or a set of clients,
• A computer system used to connect over a network to another computer system,
• An analog or digital voice mail system,
• Data network segments including wireless data networks,
• Portable digital assistants / tablets, and
• Cellular (smart) phones

is the technical custodian of a System. This individual provides the technology and processes to implement the decisions of the System Owner. In some circumstances, e.g. small systems, typically Basic ePHI Systems, the System Administrator and the System Owner may be the same person. System Administrators are responsible for the technical operation, maintenance, and monitoring of the System. These duties include implementing appropriate technical, physical and administrative safeguards. See also System Owner.

is the authority, individual, or organization head who has final responsibility for Systems which create, access, transmit or receive ePHI and including responsibility for the ePHI data. In some complex Systems, the functional responsibility for the System and the responsibility for the data may lie with more than one individual. Decisions regarding who has access to the System and related ePHI data and responsibility for the Risk Analysis rest solely with the System Owner. The System Owner usually delegates responsibility for the technical management of a System to a qualified System Administrator or staff who are capable of implementing appropriate technical, physical and administrative safeguards. See also ‘System Administrator’.

are the technology, and the policy and procedures for its use that protect electronic protected health information and control access to it.

using telecommunications (all types of data transmission) technology to replace traditional forms of commuting. Employees work all or part of the time outside the traditional office at remote work locations, which may include the home.

The Health Resources Services Administration defines telehealth as the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.

Telehealth is different from telemedicine because it refers to a broader scope of remote healthcare services than telemedicine. While telemedicine refers specifically to remote clinical services, telehealth can refer to remote non-clinical services, such as provider training, administrative meetings, and continuing medical education, in addition to clinical services.

Telemedicine is the exchange of medical information from one location to another using electronic communication, which improves patient health status. Telemedicine has multiple applications and can be used for different services, which includes wireless tools, email, two-way video, smartphones, and other methods of telecommunications technology.

Treatment, Payment, Health Care Operations

the transmission of information between two parties to carry out financial or administrative activities related to health care.

the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

means development or implementation of;

1. rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
2. the computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
3. The application of any pre-existing condition exclusion under the plan, coverage, or policy; and
4. Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

Underwriting purposes do not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

A person under 18 years of age and not previously married; not in the Armed Services; not previously emancipated by court proceedings initiated by the parents or the State and in the care and control of the parents.

the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that holds such information.

A person who uses a computer or network service.

means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.