Business Associates
If you are not a healthcare provider but you do business with one, you may be a Business Associate.
|
Access
Your ability to get needed medical care and services.
Related Terms: Administrative Simplification
|
Accredited Standards Committee (ASC)
An organization that has been accredited by ANSI for the development of American National Standards.
Related Terms: American National Standards; American National Standards Institute
|
Administrative Code Sets (ACS)
Code sets that characterize a general business situation, rather than a medical condition or service. Under HIPAA, these are sometimes referred to as non-clinical or non-medical code sets. Compare to medical code sets.
Related Terms: Medical Code Sets
|
Administrative Requirements
HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.
Privacy Policies and Procedures
A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
Privacy Personnel
A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Workforce Training and Management
Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
Mitigation
A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
Data Safeguards
A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
Complaints
A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice.
Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints also can be submitted to the Secretary of HHS.
Retaliation and Waiver
A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
Documentation and Record Retention
A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Fully-Insured Group Health Plan Exception
The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.
|
Administrative Simplification (A/S)
Title II, Subtitle F, of HIPAA, which gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.
Related Terms: Access; Health Insurance Portability and Accountability Act; Joint Commission on Accreditation of Healthcare Organizations; US Department of Health and Human Services
|
Administrative safeguards
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
|
Admission Date
The date the patient was admitted for inpatient care, outpatient service, or start of care. For an admission notice for hospice care, enter the effective date of election of hospice benefits.
|
Affiliated Covered Entity
Legally separate covered entities that are affiliated by common ownership or control may designate themselves (including their health care components) as a single covered entity for Privacy Rule compliance. The designation must be in writing. An affiliated covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions.
|
American Association for Homecare (AAHomecare)
An industry association for the home care industry, including home IV therapy, home medical services and manufacturers, and home health providers. AAHomecare was created through the merger of the Health Industry Distributors Association's Home Care Division (HIDA Home Care), the Home Health Services and Staffing Association (HHSSA), and the National Association for Medical Equipment Services (NAMES).
Related Terms: Health Industry Distributors Association, Home Care Division; Home Health Services and Staffing Association; National Association for Medical Equipment Services
|
American Dental Association (ADA)
A professional organization for dentists. The ADA maintains a hardcopy dental claim form and the associated claim submission specifications, and also maintains the Current Dental Terminology (CDT) medical code set. The ADA and the Dental Content Committee (DeCC), which it hosts, have formal consultative roles under HIPAA.
Related Terms: Current Dental Terminology
|
American Health Information Management Association (AHIMA)
An association of health information management professionals. AHIMA sponsors some HIPAA educational seminars.
Related Terms: Health Insurance Portability and Accountability Act
|
American Hospital Association (AHA)
A health care industry association that represents the concerns of institutional providers. The AHA hosts the NUBC, which has a formal consultative role under HIPAA.
Related Terms: National Uniform Billing Committee
|
American Medical Association
A professional organization for physicians. The AMA is the secretariat of the NUCC, which has a formal consultative role under HIPAA. The AMA also maintains the Current Procedural Terminology (CPT) medical code set.
|
American Medical Informatics Association
A professional organization that promotes the development and use of medical informatics for patient care, teaching, research, and health care administration.
|
American National Standards (ANS)
Standards developed and approved by organizations accredited by ANSI.
Related Terms: Accredited Standards Committee; American National Standards Institute; National Council for Prescription Drug Programs
|
American National Standards Institute
An organization that accredits various standards-setting committees, and monitors their compliance with the open rule-making process that they must follow to qualify for ANSI accreditation. HIPAA prescribes that the standards mandated under it be developed by ANSI-accredited bodies whenever practical.
Related Terms: Accredited Standards Committee; American National Standards
|
American Public Human Services Association (APHSA)
Founded in 1930, APHSA is a nonprofit, bipartisan organization of individuals and agencies concerned with human services. Members include all state and many territorial human service agencies, more than 1,200 local agencies, and several thousand individuals who work in or otherwise have an interest in human service programs. APHSA educates members of Congress, the media, and the broader public on what is happening in the states regarding welfare, child welfare, health care reform, and other issues involving families and the elderly.
The association’s mission is to develop, promote, and implement public human service policies that improve the health and well-being of families, children, and adults. APHSA is also an umbrella for several component groups.
|
American Society for Testing and Materials (ASTM)
A standards group that has published general guidelines for the development of standards, including those for health care identifiers. ASTM Committee E31 on Healthcare Informatics develops standards on information used within healthcare.
|
Ancillary Services
Professional services by a hospital or other inpatient health program. These may include x-ray, drug, laboratory, or other services.
|
Association for Electronic Health Care Transactions (AFEHCT)
An organization that promotes the use of EDI in the health care industry.
Related Terms: Electronic Data Interchange
|
Authentication
Authentication means the corroboration that a person is the one claimed.
|
Authorization
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.
All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.
Psychotherapy Notes
A covered entity must obtain an individual’s authorization to use or disclose psychotherapy notes with the following exceptions:
- The covered entity who originated the notes may use them for treatment.
- A covered entity may use or disclose, without an individual’s authorization, the psychotherapy notes, for its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner or as required by law.
Marketing
Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service. The Privacy Rule carves out the following health-related activities from this definition of marketing:
- Communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication;
- Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan;
- Communications for treatment of the individual; and
- Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.
Marketing also is an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value. No authorization is needed, however, to make a communication that falls within one of the exceptions to the marketing definition. An authorization for marketing that involves the covered entity’s receipt of direct or indirect remuneration from a third party must reveal that fact.
Related Terms: Consent and Authorization (Basic Rule)
|
Automated Clearinghouse (ACH)
See: Health Care Clearinghouse
Related Terms: Health Care Clearinghouse
|
Availability
Availability means the property that data or information is accessible and useable upon demand by an authorized person.
|