HIPPA

Department: Executive

Subject: HIPAA Compliance/Privacy and Security-Definition

Effective Date: 1/28/11

REVISION DATE: 9/27/18

These definitions are general definitions and not intended to provide complete or legal definitions of terms that are described in the HIPAA Privacy Rules or HITECH Act. Employees, subcontractors, interns, volunteers, providers, or other persons affiliated with Job Haines Home should consult with the Privacy or Security Officer if they have any questions.

Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Administrative Safeguards: Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information. (Security)

Amend/Amendment: An amendment to PHI should always be in the form of information added to the existing PHI. This additional information may contain items that substantially change the initial PHI, make parts of the initial PHI more precise, or show some of the original PHI to be incorrect. However, the original PHI is never altered. Changes are indicated by the addition of the amended information.

Authentication: The corroboration that a person is the one claimed.

Authorization: A person served statement of agreement to the use or disclosure of PHI to a third party.

Breach: The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of PHI.

Business Associate: A person or organization that performs a function or an activity on behalf of Job Haines Home that involves the use or disclosure of PHI. A business associate might also be a person or entity that provides residential or day programs, community participation, therapy, or support of persons served. Business associates may include persons or entities that provide legal, actuarial, accounting, billing, benefit management, claims processing or administration, utilization review, quality assurance, consulting, data aggregation, management, administrative, accreditation, or financial services involving the use or disclosure of PHI.

Business Associate Agreement (BAA): A contract between a covered entity and a business associate, or between a business associate and its business associate subcontractor, that should:

• Establish the permitted and required uses and disclosures of PHI by the business associate.
• Provide that the business associate should use PHI only as permitted by the contract or as required by law, use appropriate safeguards, report any disclosures not permitted by the contract, make certain that agents to whom it provides PHI should abide by the same restrictions and conditions, make PHI available to individuals and make its records available to U.S. Department of Health and Human Services (DHHS).
• Authorize termination of the contract by the covered entity (or business associate if a business associate subcontractor is involved) if the covered entity (or business associate) determines that there has been a violation of the contract.

CMS: Centers for Medicare and Medicaid Services – The agency that regulates and enforces Federal Regulations for Medicare in long term care and other healthcare entities.

Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes.

Consent: A document signed and dated by the individual that a covered entity obtains prior to using or disclosing protected health information to carry out treatment, payment or healthcare operations. Consent is not required under the privacy rule.

Court Order: An order issued from a competent court that requires a party to do or abstain from doing a specific act.

Covered Entity: A health plan, a healthcare clearinghouse, or a healthcare provider that is covered by the Privacy and Security Rules.

De-Identification: The process of converting individually identifiable information into information that no longer reveals the identity of the person served.

De–identified Health Information: Health information that does not identify an individual and does not contain information that can identify or link the information to the individual to whom the information belongs.

Department of Health and Human Services (DHHS): The US Department of Health and Human Services, of which the Office for Civil Rights is a part. This Federal agency is charged with the development, statement and implementation of the Privacy Rule.

Designated Record Set: A group of records maintained by or for Job Haines Home that is:

• The medical records and billing records about individuals maintained by or for Job Haines Home;  or,

• Used, in whole or in part, by or for Job Haines Home to make decisions about individuals.

For purposes of this definition, the term “record” means any item, collection or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Job Haines Home.

Disaster Recovery Plan (DRP): The part of a Contingency Plan that documents the process to restore any loss of data and to recover computer systems if a disaster occurs (i.e., fire, vandalism, natural disaster, or system failure). The document defines the resources, actions, tasks, and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist in restoring the business process to attain the stated disaster recovery goals.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside Job Haines Home. The two types of disclosure are:

• Routine Disclosure: Customary disclosures of PHI that Job Haines Home discloses on a regular basis.
• Non-Routine Disclosure: Disclosures of PHI that are not usually disclosed by Job Haines Home.

Electronic Media: Includes the following:

• Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk or digital memory card.
• Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet (wide-open), extranet or intranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial up lines, private networks, and the physical movement of removable/ transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form before the transmission.

Electronic PHI (EPHI): Any PHI that is maintained or transmitted in an electronic media and may be accessed, transmitted or received electronically.

Electronic Media: Electronic storage media including memory devices in computers such as hard drives and any removable and/or transportable digital memory medium, such as magnetic tape, magnetic disk, optical disk, or digital memory cards.

Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Financial Records: Admission, billing and other financial information about a person served included as part of the designated record set.

Fundraising: An organized campaign by a private, nonprofit or charitable organization designed to reach out to certain segments of the population or certain identified populations in an effort to raise monies for their organization or for a specific project or purpose espoused by their organization.

Healthcare: Includes, but is not limited to, the following:

• Preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, and counseling, service, assessment or procedure with respect to the physical, emotional or mental condition or functional status of an individual or that affects the structure or function of the body; and,
• Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Healthcare Operations: Any of the following activities of Job Haines Home to the extent that the activities are related to covered functions:

• Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing healthcare costs, protocol development, case management and care coordination, contacting of healthcare providers and patients with information about treatment alternatives; and related functions that do not include treatment;
• Reviewing the competence or qualifications of healthcare professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers, training of non-healthcare professionals, accreditation, certification, licensing, or credentialing activities;
• Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
• Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and,
• Business management and general administrative activities of Job Haines Home, including, but not limited to:
• Management activities relating to the implementation of and compliance with the requirements of these policies and the HIPAA Regulation;
• Person served service;
• Resolution of internal grievances;
• The sale, transfer, merger, or consolidation of or part of Job Haines Home with another
  • covered entity, or an entity that following such activity should become a covered entity and
  • due diligence related to such activity; and,
• Consistent with the applicable requirements of Section 2.2, “De-Identification of Health Information”, and creating de-identified health information or a limited data set, and fundraising for the benefit of Job Haines Home, and marketing for which an individual authorization is not required.

Healthcare Provider: An entity that provides healthcare, service or supplies related to the health of an individual, e.g., medical, dental, physical therapy, occupational therapy, speech therapy, behavioral health services, chiropractic clinics, or hospitals.

Health Oversight Agency: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe that is authorized by law to oversee the healthcare system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

HITECH Act: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act is a Federal law that was designed to promote the adoption and meaningful use of health information technology and address the privacy and security concerns associated with the electronic transmission of health information. This definition is a general definition and is not intended to fully describe the HITECH Act.

Individually Identifiable Health Information (IIHI): Any information, including demographic information, collected from an individual that:

• Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
• Relates to the past, present or future physical or mental health or condition of an individual, and
  • Identifies the individual or
  • With respect to which there is reasonable basis to believe that the information can be used to identify the individual.

Information System: An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner.

Limited Data Set (LDS): A data set that includes elements such as dates of application, termination, birth and death as well as geographic information such as the five-digit zip code and the individual’s state, county, city, or precinct but still excludes the other 16 elements that “de-identify” information. In addition, this limited data set can only be used if a covered entity enters into a “data use agreement” with the data recipient similar to the agreements entered into between covered entities and their business associates.

Malicious Software: Software, for example, a virus, designed to damage or disrupt a system.

Marketing: To make a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service. Face-to-face communications or those where only a gift of nominal value is provided are not considered marketing under the Privacy Rule. Marketing does not include the following:

• Communications by a covered entity for the purpose of describing the entities participating in a healthcare provider network or healthcare plan network or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits.
• Communications tailored to the circumstances of a particular individual if the communications are made by a healthcare provider to an individual as part of the treatment of the individual and for the purpose of furthering the treatment of that individual.
• Communications by a healthcare provider or healthcare plan to an individual in the course of managing the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, healthcare providers or settings of care.

 

Master Record: The collection of documents, notes, forms, evaluations, assessments, and other items which collectively document the services provided to an individual in any aspect of services delivery by a provider; individually identifiable data collected and used in documenting services rendered. The master record includes records of care used by case management while providing person served care services, for reviewing person served data, or documenting observations, actions or instructions. Master record consists of two parts: (1) the active record, which is defined as the designated record set and (2) the Administrative Record, which is not part of the designated record set.

Minimum Necessary: The least amount of Protected Health Information needed to achieve the intended purpose of the use or disclosure. Covered Entities are required to limit the amount of Protected Health Information it uses, discloses or requests to the minimum necessary to do the job.

Notice of Privacy Practices: A document required by HIPAA that provides the person served with information about their rights under the Privacy Rule and how Job Haines Home generally uses their Protected Health Information.

Office of Civil Rights: The Department of Health & Human Services’ enforcement agency for the Privacy, Breach and Security Rules. OCR investigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to make certain understanding of and compliance with nondiscrimination and health information privacy laws including HIPAA. (www.hhs.gov/hipaa )

Opt Out: To make a choice to be excluded from services, procedures or practices. Person served rights under HIPAA include many situations where the person served may request to be excluded from a service, procedure or practice. In most cases, Job Haines Home should comply or attempt to comply with the request to be excluded.

Password: Confidential authentication information composed of a string of characters.

Payment: The activities undertaken by a healthcare provider or payer to obtain reimbursement for the provision of care and services.

Person Served: Refers to persons applying, waiting for or receiving services from Job Haines Home.

Personal Representative: The term used in the Privacy Rule to indicate the person who has authority under law to act on behalf of a person served. For purposes of the Privacy Rule, Job Haines Home should treat a personal representative as having the same rights as the person served unless there is a reasonable belief that the personal representative has subjected the person served to abuse or neglect or treating the person as the personal representative could endanger the person served.

Physical Safeguards: Physical measures, policies and procedures to protect electronic information systems, equipment and their data and related buildings and equipment, from threats, natural and environmental hazards and unauthorized intrusion. They include restricting access to PHI, such as using locks and security cameras, retaining off-site computer backups, implementing and maintaining workstation security and data backup and storage.

Policy: A high-level overall plan embracing the general principles and aims of an organization.

Privacy Breach: A violation of one’s responsibility to follow privacy policy and procedure that results in the PHI of a person served being accessed by unauthorized persons.

Privacy Officer: Job Haines Home staff member who has been designated, pursuant to the Privacy Rule, with responsibility for ensuring Job Haines Home compliance with the Privacy Rule.

Privacy Rule: Refers to the regulation issued by the Department of Health and Human Services entitled Standards for Privacy of Individually Identifiable Health Information. The effective date for the Privacy Rule was April 14, 2003. Can be referenced as 45 CFR Part 160 and 45 CFR Part 164 and is amended from time to time. This definition is a general definition and is not intended to fully describe the Privacy Rule.

Protected Health Information (PHI): Any health information maintained by Job Haines Home that is individually identifiable except: (a) employment records held by Job Haines Home in its role as an employer; and, (b) information regarding a person who has been deceased. Protected health information means any health information, including demographic information, whether oral or recorded in any form or medium, including demographic information collected from an individual, that:

• Is created or received by a health-care provider, health plan, employer or health-care clearinghouse; and,

• Relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual; and,
  • That identifies the individual; or
  • There is a reasonable basis to believe the information can be used to identify the individual.

All health information maintained by Job Haines Home is individually identifiable unless and until it is de-identified.

Psychotherapy Notes: Notes that are recorded (in any medium) by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session. Psychotherapy notes should be kept separate from the rest of the master record of the person served.

Qualified Protective Order: A legal command intended to protect a person or thing from an unfair or unjust action.

Order: A mandate, precept; a command or direction authoritatively given; a rule or regulation.

Re-Identification: The process of converting de-identified health information back to individually identifiable health information. Re-identified health information does reveal the identity of the person served and should be treated as PHI under the Privacy Rule.

Research: A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge.

Revoke: To cancel or withdraw an authorization to release medical information.

Risk Analysis: The process of identifying, prioritizing and estimating an organization’s exposure to risk arising from the operation of its information technology system to identify threats and vulnerability. Once identified, the risks can be mitigated by security controls (planned or already in place). Security risks can impact, among other things, the organization’s operations and organizational assets (PHI), the agency’s staff and individuals and third-party entities doing business with the organization. Also known as a security assessment.

Risk Management: Management’s identification, analyses and, when necessary, response to risks that might adversely affect realization of Job Haines Home business objectives in its capacity as a business associate of its clients.

Safeguarding: To make certain safekeeping of Protected Health Information for the person served.

Screen Saver: Any software program designed to, after a certain period of inactivity, display on a workstation monitor a random display of patterns, images, or to simply make the monitor blank so as to prevent an image from being burnt into the monitor.

Security or Security Measures: The administrative, physical and technical safeguards in an information system.

Security Incident: The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.

Security Officer: A position mandated by HIPAA. The responsibilities of this person are to oversee implementation of the requirements mandated by the Final Security regulation and any security requirements included in the other sections of the HIPAA regulation.

Security Rule: The Federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that created national standards to protect electronic medical records. (42 U.S.C. § 1320d, 45 C.F.R. parts 160 and 164, as amended

Subcontractor: A person or entity who acts on behalf of Job Haines Home.

Subpoena: A process to cause a witness to appear and give testimony, commanding him/her to lay aside pretenses and excuses and appear before a court or magistrate therein named at a time therein mentioned to testify for the party named under a penalty thereof. There are two (2) kinds of subpoenas:

• Duces tecum: A request for witnesses to appear and bring specified documents and other tangible items. The subpoena duces tecum requires the individual to appear in court with the requested documents, or simply turn over those documents to the court or to counsel requesting the documents.
• General subpoena (a.k.a. ad testificandum): A command to appear in court at a certain time and place to give testimony regarding a certain matter, for example, to testify that the record was kept in the normal course of business.

 

Technical Safeguards: The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Treatment: The provision, coordination or management of healthcare and related services by Job Haines Home, including the coordination or management of services by Job Haines Home with a third party; consultation with other providers relating to a person served; or the referral of a person served for services between Job Haines Home and another authorized care provider.

Treatment, Payment and Operations (TPO): The Privacy Rule allows sharing of information for purposes of treatment, payment and healthcare operations. Treatment includes use of person served information for providing continuing services. Payment includes sharing of information to bill for provision of services to the person served. Healthcare operations are certain administrative, financial, legal, and quality improvement activities that are necessary for Job Haines Home to run its business and to support the core functions of treatment and payment.

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of that information within Job Haines Home.

User: A person or entity with authorized access.

Whistleblower: A person, usually a staff member, who reveals wrongdoing within an organization to the public, government agencies or to those in positions of authority.

Workforce: Staff, volunteers, trainees and other persons whose conduct, in the performance of work for Job Haines Home is under the direct control of Job Haines Home, whether or not they are paid. Members of the workforce are not business associates.

REFERENCE:

• 42 CFR §160.103