HIPAA Administrative Simplification Rules
The Department of Health and Human Services provided its Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Genetic Information Nondiscrimination Act, and Other Modifications to the HIPAA Rules (collectively also known as the “Final Rule”) on January 25, 2013. Although the compliance date for the Final Rule was not until September 23, 2013 (and later for some), many companies scrambled to complete the task of updating their business associate agreement (“BAA”) forms before the compliance date.
Understandably, many visiting nurse associations, and many healthcare, home health care, medical device, and other medical technology companies, did not budget for a complete overhaul of their BAA forms (both existing and new) and/or viewed the changes to BAA forms required by the Final Rule as a burdensome expense that should be kept to a minimum. After updating and reviewing hundreds of BAA forms for medical and healthcare clients (both business associates and covered entities), it was surprising to see how many in-house and outside legal counsel provided forms with incorrect citations to definitions and definitions to key terms that did not match the statutory definitions. In some cases the definitions did not match prior or current statutory definitions found in HIPAA or HITECH and varied the meanings of these terms so much as to make the BAA non-compliant with current law. It was also surprising to find no single resource online for relevant definitions for BAA cross-referencing, research or drafting. Therefore, the following table of relevant definitions was created as a quick-reference for cross-referencing statutory definitions in connection with BAA forms and business associate agreement negotiations.
HIPAA Administrative Simplification Rules
(45 CFR 160, 162 & 164) (last updated Jan. 1, 2014)
|Access||45 C.F.R. § 164.304||the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subparts D or E of this part.)|
|Act||45 C.F.R. § 160.103||the Social Security Act|
|Administrative safeguards||45 C.F.R. § 164.304||administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.|
|Administrative simplification provision||45 C.F.R. § 160.103||any requirement or prohibition established by:
(1) 42 U.S.C. 1320d-1320d-4, 1320d-7, 1320d-8, and 1320d-9;
(2) Section 264 of Pub. L. 104-191;
(3) Sections 13400-13424 of Public Law 111-5; or
(4) This subchapter.
|ALJ||45 C.F.R. § 160.103||Administrative Law Judge|
|ANSI||45 C.F.R. § 160.103||American National Standards Institute|
|Authentication||45 C.F.R. § 164.304||the corroboration that a person is the one claimed.|
|Availability||45 C.F.R. § 164.304||the property that data or information is accessible and useable upon demand by an authorized person.|
|Board||45 C.F.R. § 160.502||the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three.|
|Breach||45 C.F.R. § 164.402||the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
(1) Breach excludes:
(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
|Business associate||45 C.F.R. § 160.103||(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 45 C.F.R. § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
|Civil money penalty or penalty||45 C.F.R. § 160.103||the amount determined under § 160.404 of this part and includes the plural of these terms.|
|CMS||45 C.F.R. § 160.103||Centers for Medicare & Medicaid Services within the Department of Health and Human Services.|
|Code set||45 C.F.R. § 162.103||any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. A code set includes the codes and the descriptors of the codes.|
|Code set maintaining organization||45 C.F.R. § 162.103||an organization that creates and maintains the code sets adopted by the Secretary for use in the transactions for which standards are adopted in this part.|
|Common control||45 C.F.R. § 164.103||exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.|
|Common ownership||45 C.F.R. § 164.103||exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.|
|Compliance date||45 C.F.R. § 160.103||the date by which a covered entity or business associate must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.|
|Confidentiality||45 C.F.R. § 164.304||the property that data or information is not made available or disclosed to unauthorized persons or processes.|
|Contrary||45 C.F.R. § 160.202||when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:
(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or
(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104-191, or sections 13400-13424 of Public Law 111-5, as applicable.
|Controlling health plan (CHP)||45 C.F.R. § 162.103||a health plan that—
(1) Controls its own business activities, actions, or policies; or
(2)(i) Is controlled by an entity that is not a health plan; and (ii) If it has a subhealth plan(s) (as defined in this section), exercises sufficient control over the subhealth plan(s) to direct its/their business activities, actions, or policies.
|Correctional institution||45 C.F.R. § 164.501||any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.|
|Covered entity||45 C.F.R. § 160.103||(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
|Covered functions||45 C.F.R. § 164.103||those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.|
|Covered health care provider||45 C.F.R. § 162.103||a health care provider that meets the definition at paragraph (3) of the definition of “covered entity” at § 160.103.|
|Data aggregation||45 C.F.R. § 164.501||with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.|
|Data condition||45 C.F.R. § 162.103||the rule that describes the circumstances under which a covered entity must use a particular data element or segment.|
|Data content||45 C.F.R. § 162.103||all the data elements and code sets inherent to a transaction, and not related to the format of the transaction. Data elements that are related to the format are not data content.|
|Data element||45 C.F.R. § 162.103||the smallest named unit of information in a transaction.|
|Data set||45 C.F.R. § 162.103||a semantically meaningful unit of information exchanged between two parties to a transaction.|
|Descriptor||45 C.F.R. § 162.103||the text defining a code.|
|Designated record set||45 C.F.R. § 164.501||(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
|Designated standard maintenance organization (DSMO)||45 C.F.R. § 162.103||an organization designated by the Secretary under § 162.910(a).|
|Direct data entry||45 C.F.R. § 162.103||the direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan’s computer.|
|Direct treatment relationship||45 C.F.R. § 164.501||a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.|
|Disclosure||45 C.F.R. § 160.103||the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.|
|EIN||45 C.F.R. § 160.103||the employer identification number assigned by the Internal Revenue Service, U.S. Department of the Treasury. The EIN is the taxpayer identifying number of an individual or other entity (whether or not an employer) assigned under one of the following:
(1) 26 U.S.C. 6011(b), which is the portion of the Internal Revenue Code dealing with identifying the taxpayer in tax returns and statements, or corresponding provisions of prior law.
(2) 26 U.S.C. 6109, which is the portion of the Internal Revenue Code dealing with identifying numbers in tax returns, statements, and other required documents.
|Electronic media||45 C.F.R. § 160.103||(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
|Electronic protected health information||45 C.F.R. § 160.103||information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.|
|Employer||45 C.F.R. § 160.103||defined as it is in 26 U.S.C. 3401(d) ((d) Employer
For purposes of this chapter, the term “employer” means the person for whom an individual performs or performed any service, of whatever nature, as the employee of such person, except that—
(1) if the person for whom the individual performs or performed the services does not have control of the payment of the wages for such services, the term “employer” (except for purposes of subsection (a)) means the person having control of the payment of such wages, and
(2) in the case of a person paying wages on behalf of a nonresident alien individual, foreign partnership, or foreign corporation, not engaged in trade or business within the United States, the term “employer” (except for purposes of subsection (a)) means such person.)
|Encryption||45 C.F.R. § 164.304||the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.|
|Facility||45 C.F.R. § 164.304||the physical premises and the interior and exterior of a building(s).|
|Family member||45 C.F.R. § 160.103||with respect to an individual:
(1) A dependent (as such term is defined in 45 CFR 144.103), of the individual; or
(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).
(i) First-degree relatives include parents, spouses, siblings, and children.
(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.
(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.
(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.
|Financial remuneration||45 C.F.R. § 164.501||direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.|
|Format||45 C.F.R. § 162.103||refers to those data elements that provide or control the enveloping or hierarchical structure, or assist in identifying data content of, a transaction.|
|Genetic information||45 C.F.R. § 160.103||(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:
(i) The individual’s genetic tests;
(ii) The genetic tests of family members of the individual;
(iii) The manifestation of a disease or disorder in family members of such individual; or
(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:
(i) A fetus carried by the individual or family member who is a pregnant woman; and
(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.
(3) Genetic information excludes information about the sex or age of any individual.
|Genetic services||45 C.F.R. § 160.103||(1) A genetic test;
(2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or
(3) Genetic education.
|Genetic test||45 C.F.R. § 160.103||an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.|
|Group health plan
(also see definition of health plan in this section)
|45 C.F.R. § 160.103||an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:
(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
(2) Is administered by an entity other than the employer that established and maintains the plan.
|HCPCS||45 C.F.R. § 162.103||the Health [Care Financing Administration] Common Procedure Coding System.|
|Health care||45 C.F.R. § 160.103||care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
|Health care clearinghouse||45 C.F.R. § 160.103||a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
|Health care component||45 C.F.R. § 164.103||a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with § 164.105(a)(2)(iii)(D).|
|Health care operations||45 C.F.R. § 164.501||any of the following activities of the covered entity to the extent that the activities are related to covered functions:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Except as prohibited under § 164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
|Health care provider||45 C.F.R. § 160.103||a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.|
|Health information||45 C.F.R. § 160.103||any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
|Health insurance issuer||45 C.F.R. § 160.103||(as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.|
|Health maintenance organization (HMO)||45 C.F.R. § 160.103||(as defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the definition of health plan in this section) means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.|
|Health oversight agency||45 C.F.R. § 164.501||an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.|
|Health plan||45 C.F.R. § 160.103||an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(1) Health plan includes the following, singly or in combination:
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined in this section.
(iv) Part A or Part B of the Medicare program under title XVIII of the Act.
(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.
(vi) The Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Act, 42 U.S.C. 1395w-101 through 1395w-152.
(vii) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(viii) An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.
(ix) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(x) The health care program for uniformed services under title 10 of the United States Code.
(xi) The veterans health care program under 38 U.S.C. chapter 17.
(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.
(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.
(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
(xv) The Medicare Advantage program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.
(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(2) Health plan excludes:
(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):
(A) Whose principal purpose is other than providing, or paying the cost of, health care; or
(B) Whose principal activity is:
(1) The direct provision of health care to persons; or
(2) The making of grants to fund the direct provision of health care to persons.
|HHS||45 C.F.R. § 160.103||the Department of Health and Human Services.|
|Hybrid entity||45 C.F.R. § 164.103||a single legal entity:
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered functions; and
(3) That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(D).
|Implementation specification||45 C.F.R. § 160.103||specific requirements or instructions for implementing a standard.|
|Indirect treatment relationship||45 C.F.R. § 164.501||a relationship between an individual and a health care provider in which:
(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and
(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
|Individual||45 C.F.R. § 160.103||the person who is the subject of protected health information.|
|Individually identifiable health information||45 C.F.R. § 160.103||information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
|Information system||45 C.F.R. § 164.304||an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.|
|Inmate||45 C.F.R. § 164.501||a person incarcerated in or otherwise confined to a correctional institution.|
|Integrity||45 C.F.R. § 164.304||the property that data or information have not been altered or destroyed in an unauthorized manner.|
|Law enforcement official||45 C.F.R. § 164.103||an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
(1) Investigate or conduct an official inquiry into a potential violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
|Maintain or maintenance||45 C.F.R. § 162.103||refers to activities necessary to support the use of a standard adopted by the Secretary, including technical corrections to an implementation specification, and enhancements or expansion of a code set. This term excludes the activities related to the adoption of a new standard or implementation specification, or modification to an adopted standard or implementation specification.|
|Malicious software||45 C.F.R. § 164.304||software, for example, a virus, designed to damage or disrupt a system.|
|Manifestation or manifested||45 C.F.R. § 160.103||with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.|
|Marketing||45 C.F.R. § 164.501||(1) Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
(2) Marketing does not include a communication made:
(i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
(A) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
(B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
(C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
|Maximum defined data set||45 C.F.R. § 162.103||all of the required data elements for a particular standard based on a specific implementation specification.|
|Modify or modification||45 C.F.R. § 160.103||refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification.|
|More stringent||45 C.F.R. § 160.202||in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or
(ii) To the individual who is the subject of the individually identifiable health information.
(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.
(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.
(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.
(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
|National Provider Identifier (NPI)||45 C.F.R. § 162.406||standard unique health identifier for health care providers . . . a 10-position numeric identifier, with a check digit in the 10th position, and no intelligence about the health care provider in the number.|
|Operating rules||45 C.F.R. § 162.103||the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted for purposes of this part.|
|Organized health care arrangement||45 C.F.R. § 160.103||(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one covered entity participates and in which the participating covered entities:
(i) Hold themselves out to the public as participating in a joint arrangement; and
(ii) Participate in joint activities that include at least one of the following:
(A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.
|Password||45 C.F.R. § 164.304||confidential authentication information composed of a string of characters.|
|Payment||45 C.F.R. § 164.501||(1) The activities undertaken by:
(i) Except as prohibited under § 164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
(ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider and/or health plan.
|Person||45 C.F.R. § 160.103||a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.|
|Physical safeguards||45 C.F.R. § 164.304||physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.|
|Plan administration functions||45 C.F.R. § 164.504||administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.|
|Plan sponsor||45 C.F.R. § 164.103||as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B) ((B) The term “plan sponsor” means (i) the employer in the case of an employee benefit plan established or maintained by a single employer, (ii) the employee organization in the case of a plan established or maintained by an employee organization, or (iii) in the case of a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations, the association, committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan.|
|Protected health information||45 C.F.R. § 160.103||individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
|Psychotherapy notes||45 C.F.R. § 164.501||notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.|
|Public health authority||45 C.F.R. § 164.501||an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.|
|Reasonable cause||45 C.F.R. § 160.401||an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.|
|Reasonable diligence||45 C.F.R. § 160.401||the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.|
|Relates to the privacy of individually identifiable health information||45 C.F.R. § 160.202||with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.|
|Required by law||45 C.F.R. § 164.103||a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.|
|Research||45 C.F.R. § 164.501||a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.|
|Respondent||45 C.F.R. § 160.103||a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a civil money penalty.|
|Secretary||45 C.F.R. § 160.103||the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.|
|Security incident||45 C.F.R. § 164.304||the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.|
|Security or Security measures||45 C.F.R. § 164.304||encompass all of the administrative, physical, and technical safeguards in an information system.|
|Segment||45 C.F.R. § 162.103||a group of related data elements in a transaction.|
|Small health plan||45 C.F.R. § 160.103||a health plan with annual receipts of $5 million or less.|
|Stage 1 payment initiation||45 C.F.R. § 162.103||a health plan’s order, instruction or authorization to its financial institution to make a health care claims payment using an electronic funds transfer (EFT) through the ACH Network.|
|Standard||45 C.F.R. § 160.103||a rule, condition, or requirement:
(1) Describing the following information for products, systems, services, or practices:
(i) Classification of components;
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of protected health information.
|Standard setting organization (SSO)||45 C.F.R. § 160.103||
an organization accredited by the American National Standards Institute that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part.
|Standard transaction||45 C.F.R. § 162.103||a transaction that complies with an applicable standard and associated operating rules adopted under this part.|
|State||45 C.F.R. § 160.103||refers to one of the following:
(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.
|State law||45 C.F.R. § 160.202||a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.|
|Subcontractor||45 C.F.R. § 160.103||a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.|
|Subhealth plan (SHP)||45 C.F.R. § 162.103||a health plan whose business activities, actions, or policies are directed by a controlling health plan.|
|Summary health information||45 C.F.R. § 164.504||information, that may be individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and
(2) From which the information described at § 164.514(b)(2)(i) has been deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.
|Technical safeguards||45 C.F.R. § 164.304||the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.|
|Trading partner agreement||45 C.F.R. § 160.103||an agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)|
|Transaction||45 C.F.R. § 160.103||the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Health care electronic funds transfers (EFT) and remittance advice.
(12) Other transactions that the Secretary may prescribe by regulation.
|Treatment||45 C.F.R. § 164.501||the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.|
|Unsecured protected health information||45 C.F.R. § 164.402||protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.|
|Use||45 C.F.R. § 160.103||with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.|
|User||45 C.F.R. § 164.304||a person or entity with authorized access.|
|Violation or violate||45 C.F.R. § 160.103||as the context may require, failure to comply with an administrative simplification provision.|
|Willful neglect||45 C.F.R. § 160.401||conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.|
|Workforce||45 C.F.R. § 160.103||employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.|
|Workstation||45 C.F.R. § 164.304||an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.|
DISCLAIMER: Each legal matter is unique and prior results do not predict future success. Laws and viable strategies change often and vary depending on jurisdiction. The information above is provided as a convenience only, and is not intended to be legal, accounting or other advice for your specific situation.