Business Associates
If you are not a healthcare provider but you do business with one, you may be a Business Associate.




  



Center for Healthcare Information Management

A health information technology industry association.



Centers for Disease Control and Prevention (CDC)

An organization that maintains several code sets included in the HIPAA standards, including the ICD-9-CM codes.



Centers for Medicare & Medicaid Services (CMS)

(1) The HHS agency responsible for Medicare and parts of Medicaid. Centers for Medicare & Medicaid Services has historically maintained the UB-92 institutional EMC format specifications, the professional EMC NSF specifications, and specifications for various certifications and authorizations used by the Medicare and Medicaid programs. Centers for Medicare & Medicaid Services also maintains the HCPCS medical code set and the Medicare Remittance Advice Remark Codes administrative code set.

(2) The federal agency that runs the Medicare program. In addition, CMS works with the States to run the Medicaid program. CMS works to make sure that the beneficiaries in these programs are able to get high quality health care.



Certification

Certification means verifying secure data transmission, storage, backup, access controls, and all the other policies and procedures you must have in place to protect a patient’s privacy; it is the best method by which any organization can ensure that its computer systems are operating under adequate security protocols. In addition, you must document the certification procedure itself to ensure that, in the future, an independent party can verify its validity.

Note that the HIPAA final rule renamed the formal term “certification” as the more general term “evaluation.” However, in real life, when you use the term “evaluation,” most vendors won’t know what you are talking about. Thus, for practical purposes your security policy still should incorporate the term “certification.”

Certifications help demonstrate accountability and can serve as security reference guides. In addition, they can form an outline of the policies, guidelines, and standards used to secure a network.

Certifications can provide:
  • Accountability. Certification provides tangible proof that a computer system is secure. In the event of a computer system compromise, the certification can become a document of accountability to prove that you made efforts to avoid a breach of security.
  • An outline. The certification requirements will provide you with an outline of policies, guidelines, and standards that you can use to protect a computer system.
  • A point of reference. In the case of an audit, the certification also can provide a point-by-point description as to what was secured, how it was secured, and why it was secured.

Without proper certification, your practice has no way to provide evidence that its computer systems are operating at a proper standard of security. However, be sure to research the validity of any certification before placing faith in it. While third-party audits and certifications generally are the most valuable, no standard exists by which to judge the certification itself.




Certified Nursing Assistant (CNA)

CNAs are trained and certified to help nurses by providing non-medical assistance to patients, such as help with eating, cleaning and dressing.



Certified Registered Nurse Anesthetist

A nurse who is trained and licensed to give anesthesia. Anesthesia is given before and during surgery so that a person does not feel pain.



Chain of Trust (COT)

A term used in the HIPAA Security NPRM for a pattern of agreements that extend protection of health care data by requiring that each covered entity that shares health care data with another entity require that that entity provide protections comparable to those provided by the covered entity, and that that entity, in turn, require that any other entities with which it shares the data satisfy the same requirements.



Chain of Trust Agreement

This agreement covers patient data that is shared for business reasons with other persons or groups outside of the office.

The final HIPAA rule revised the term “chain of trust” to a more specific term, “business associate contracts and other arrangements,” to redefine who must enter into a contract under the rule. However, for practical purposes you still will use the term “chain of trust” when dealing with real-world policy development.

If a healthcare practice shares patient data with a third party, it must establish a certain level of trust with this party to ensure it will maintain data integrity and confidentiality. The agreement with this party must take the form of a formal, approved contract that clearly outlines each entity’s responsibilities. If the data must pass through multiple parties before reaching its intended recipient, each must establish a trust agreement with your practice, which, as the parent party, ultimately is responsible for the data. Entering into chain of trust agreements ensures that security is maintained despite the data’s location. Without such agreements, one organization’s lower level of security could compromise another organization’s high level of data integrity and confidentiality.

For example, if you are sending a patient’s medical record to a specialist, you should not merely compress the files and e-mail them via your home Internet service provider. While you may have a formal agreement with the receiving party, standard e-mail is not secure. Instead, you should learn how to use encryption and even digital signatures.

Related Terms: Business Associate Agreement



Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)

Run by the Department of Defense, in the past CHAMPUS gave medical care to active duty members of the military, military retirees, and their eligible dependents. (This program is now called "TRICARE".)



Claim

A claim is a request for payment for services and benefits you received. Claims are also called bills for all Part A and Part B services billed through Fiscal Intermediaries. "Claim" is the word used for Part B physician/supplier services billed through the Carrier.



Claim Adjustment Reason Codes

A national administrative code set that identifies the reasons for any differences, or adjustments, between the original provider charge for a claim or service and the payer's payment for it. This code set is used in the X12 835 Claim Payment & Remittance Advice and the X12 837 Claim transactions, and is maintained by the Health Care Code Maintenance Committee.



Claim Attachment

Any of a variety of hardcopy forms or electronic records needed to process a claim in addition to the claim itself.



Claim Medicare Remark Codes

See Medicare Remittance Advice Remark Codes.

Related Terms: Medicare Remittance Advice Remark Codes



Claim Status Category Codes

A national code set that indicates the general category of the status of health care claims. This code set is used in the X12 277 Claim Status Notification EDI transaction, and is maintained by the Health Care Code Maintenance Committee.



Claim Status Codes

A national code set for indicating the status of health care claims. This code set is used in the X12 277 Claim Status Notification EDI transaction, and is maintained by the Health Care Code Maintenance Committee.



Clearinghouse

See Health Care Clearinghouse.

Related Terms: Health Care Clearinghouse



Clinical Modification (CM)

See International Classification of Diseases.

Related Terms: International Classification of Diseases



Code Set

Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions. Also see Part II, 45 CFR 162.103.

Related Terms: Maintenance



Code Set Maintaining Organization

An organization that creates and maintains the code sets adopted by the Secretary for use in the transactions for which standards are adopted in this part. [45 CFR 162.103]



Code of Federal Regulations (CFR, C.F.R.)

The Code of Federal Regulations is a publication established by Act of Congress (44 U.S.C. § 1510). It represents a compilation of all the regulations issued by Federal administrative agencies that have general applicability and legal effect. As a consequence, the contents of the CFR cover a wide range of subjects. Most states prepare comparable compilations of state agency regulations, generally called their Administrative Code.

Federal statutes furnish the authority and the limits for regulations that appear in the CFR. This means that the regulations on a subject should be read together with any pertinent portions of the U.S. Code. It also means that courts will, upon occasion, hold that regulations which appear in the Code of Federal Regulations are invalid because they conflict with a Federal statute.

Related Terms: United States Code



College of Healthcare Information Management Executives (CHIME)

A professional organization for health care Chief Information Officers (CIOs).



Comment

Commentary on the merits or appropriateness of proposed or potential regulations provided in response to an NOI, an NPRM, or other federal regulatory notice.

Related Terms: Notice of Intent; Notice of Proposed Rulemaking



Community Mental Health Center

A facility that provides the following services:

  • Outpatient services, including specialized outpatient services for children, the elderly, individuals who are chronically ill, and residents of the CMHC's mental health services area who have been discharged from inpatient treatment at a mental health facility,

  • 24 hour a day emergency care services,

  • Day treatment, other than partial hospitalization services, or psychosocial rehabilitation services,

  • Screening for patients considered for admission to State mental health facilities to determine the appropriateness of such admission, and

  • Consultation and education services.





Compliance date

Under HIPAA, this is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective date of the associated final rule for most entities, but 36 months after the effective date for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective date, but can be longer for small health plans and for complex changes.

HIPAA Privacy Standards went into effect April 15, 2001; the two year grace period ends on April 15, 2003, at which time anyone not complying with the standards can be cited and/or charged.

For the electronic rule only, Congress in 2001 enacted legislation allowing a one-year extension for most covered entities provided that they submit a plan for achieving compliance. As a result, covered entities that qualify for the extension will have until October 16, 2003 to meet the electronic standards instead of the original October 16, 2002 deadline. (Small health plans must still meet the October 16, 2003 compliance date and are not eligible for an extension under the new law.)

A "Small health plan" is defined as a plan with annual receipts of $5 million or less. HHS clarified the annual receipt test to mean, for insured plans, $5 million in premiums paid in the most recent fiscal year and, for self-insured plans, $5 million in claims paid in the most recent fiscal year.



Comprehensive Inpatient Rehabilitation Facility

A facility that provides comprehensive rehabilitation services under the supervision of a physician to inpatients with physical disabilities. Services include physical therapy, occupational therapy, speech pathology, social or psychological services, and orthotics and prosthetics services.



Comprehensive Outpatient Rehabilitation Facility

(1) A facility that provides comprehensive rehabilitation services under the supervision of a physician to outpatients with physical disabilities. Services include physical therapy, occupational therapy, and speech pathology services.

(2) A facility that provides a variety of services including physicians' services, physical therapy, social or psychological services, and outpatient rehabilitation.




Computer-based Patient Record Institute (CPRI)

An industry organization that promotes the use of healthcare information systems, including electronic healthcare records.



Confidentiality

Your right to talk with your health care provider without anyone else finding out what you have said.

Confidentiality, as applied to PHI, means the property that data or information is not made available or disclosed to unauthorized persons or processes.



Congressional Budget Office (CBO)

The Congressional Budget Office is a small, nonpartisan agency that produces policy analyses, cost estimates, and budget and economic projections that serve as a basis for Congress's decisions about spending and taxes. Every piece of legislation affecting the use of the nation's resources undergoes CBO's scrutiny. The agency is a public-sector think tank that employs an elite, multidisciplinary staff of professional analysts—public-policy experts, economists, budgeteers, and other critical thinkers who enjoy challenges—at levels ranging from undergraduate and graduate interns to seasoned researchers with doctorates and substantial experience.



Consent and Authorization (Basic Rule)

A covered entity may use or disclose PHI only:

  • With the consent of the individual for treatment, payment, or health care operations;

  • With the authorization of the individual for all other uses or disclosures;

  • As permitted under this rule for certain public policy purposes.



Related Terms: Authorization



Consolidated Omnibus Budget Reconciliation Act (COBRA)

COBRA is a law that makes an employer let you remain covered under the employer's group health plan for a period of time after the death of your spouse, losing your job, having your work hours reduced, or getting a divorce. You may have to pay both your share and the employer's share of the premium.



Consumer Assessment of Health Plans Study (CAHPS)

An annual nationwide survey that is used to report information on Medicare beneficiaries' experiences with managed care plans. The results are shared with Medicare beneficiaries and the public.



Contingency Plan

Every computer system must have a documented and audited backup and full recovery plan in case of an emergency. The initial step in developing the plan is to assess applications and data to determine what is critical to daily operations. The plan must include an emergency operating procedure to use until systems can be placed back online and testing procedures to ensure a system can be restored fully from backups.

Without this plan in place, your practice/business can and will fall prey to a number of debilitating situations. Natural disasters, power outages, computer viruses, or even a simple program crash could shut down permanently any organization that is not prepared.

The plan also must address how your business handles backup media, as doing so in an insecure manner could give an unauthorized person complete access to your computer system’s files. You must store all backups in a secure location, and it should be off-site; otherwise, a fire could wipe you out completely. Typical backup storage locations are on a remote server, in a bank deposit box, or at a remote building under your control.

You should not store backup media near the primary data. This could lead to a total loss of data if a major disaster occurs, such as a fire or terrorist attack.



Coordination of Benefits (COB)

A process for determining the respective responsibilities of two or more health plans that have some financial responsibility for a medical claim. Also called crossover.

Related Terms: Crossover



Correctional Institution

Any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.




Cost-Based Health Maintenance Organization

A type of managed care organization that will pay for all of the enrollees/members' medical care costs in return for a monthly premium, plus any applicable deductible or co-payment. The HMO will pay for all hospital costs (generally referred to as Part A) and physician costs (generally referred to as Part B) that it has arranged for and ordered. Like a health care prepayment plan (HCPP), except for out-of-area emergency services, if a Medicare member/enrollee chooses to obtain services that have not been arranged for by the HMO, he/she is liable for any applicable deductible and co-insurance amounts, with the balance to be paid by the regional Medicare intermediary and/or carrier.



Covered Entities With Multiple Covered Functions

A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. The covered entity may not use or disclose the protected health information of an individual who receives services from one covered function (e.g., health care provider) for another covered function (e.g., health plan) if the individual is not involved with the other function.



Covered Entity (CE)

The following are covered entities under the HIPAA regulations:

  1. A health plan.

  2. A health care clearinghouse.

  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. [45 CFR 160.103]

The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). For help in determining whether you are covered, use the decision tool at: http://cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/CoveredEntityFlowcharts.pdf



Covered Functions

Those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.



Covered Information

All individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted. (See Sec. 164.501, definition of "protected health information", for further discussion.)



Crossover

See Coordination of Benefits.

Related Terms: Coordination of Benefits



Current Dental Terminology (CDT)

A medical code set, maintained and copyrighted by the ADA, that has been selected for use in the HIPAA transactions.

Related Terms: American Dental Association



Current Procedural Terminology (CPT)

A medical code set, maintained and copyrighted by the AMA, that has been selected for use under HIPAA for non-institutional and non-dental professional transactions.


© 2002,2003 HIPAA PS