Business Associates
If you are not a healthcare provider but you do business with one, you may be a Business Associate.


PAYERID

HCFA's term for their pre-HIPAA National Payer ID initiative.



Password

A Password is confidential authentication information composed of a string of characters.



Patient Access to Records

Disclosure and use of health information without consent or authorization is permissible if the disclosure is made only to the patient. Also, for the first time patients receive the right of full access to medical records. The right includes the ability to correct errors or misstatements appearing in the record.



Payer

In health care, an entity that assumes the risk of paying for medical treatments. This can be an uninsured patient, a self-insured employer, or a health care plan or HMO.



Payment

  1. The activities undertaken by:

    1. A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

    2. A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and


  2. The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

    1. Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

    2. Risk adjusting amounts due based on enrollee health status and demographic characteristics;

    3. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

    4. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

    5. Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

    6. Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

      1. Name and address;

      2. Date of birth;

      3. Social security number;

      4. Payment history;

      5. Account number; and

      6. Name and address of the health care provider and/or health plan.





Penalties

The rule also creates a system for compliance review by HHS Office of Civil Rights and a system of sanctions ranging from civil penalties of $100 per day to criminal charges, which could lead to prison sentences of up to ten years and fines of up to $250,000.

The penalties for non-compliance with the transactions and code sets are $100 per occurrence up to a maximum of $25,000 per standard per year.

The civil penalties for covered entities that violate the privacy standards are $100 per incident, per year, per standard violated to a maximum of $25,000 per person.

The federal criminal penalties for violation of privacy are:
  1. Up to a $50,000 fine and/or up to one year in prison for obtaining or disclosing protected health information.
  2. Up to a $100,000 fine and/or up to five years in prison for obtaining protected health information under false pretenses.
  3. Up to a $250,000 fine and/or up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.




Permitted Use and Disclosures

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

(1) To the Individual. A covered entity may disclose protected health information to the individual who is the subject of the information.

(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See “Treatment, Payment, Health Care Operations”.
  1. Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
  2. Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
  3. Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization as described below. Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.

(3) Uses and Disclosures with Opportunity to Agree or Object. Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.

  1. Facility Directories. It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on an individual’s informal permission to list in its facility directory the individual’s name, general condition, religious affiliation, and location in the provider’s facility. The provider may then disclose the individual’s condition and location in the facility to anyone asking for the individual by name, and also may disclose religious affiliation to clergy. Members of the clergy are not required to ask for the individual by name when inquiring about patient religious affiliation.

  2. For Notification and Other Purposes. A covered entity also may rely on an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care. This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.

(4) Incidental Use and Disclosure. The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule. See “Incidental Uses and Disclosures”.

(5) Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.

  1. Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).

  2. Public Health Activities. Covered entities may disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law. See OCR “Public Health” Guidance; CDC Public Health and HIPAA Guidance.

  3. Victims of Abuse, Neglect or Domestic Violence. In certain circumstances, covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.

  4. Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.

  5. Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.

  6. Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

  7. Decedents. Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

  8. Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.

  9. Research. “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individual’s authorization, a limited data set of protected health information for research purposes (see discussion below). See OCR “Research” Guidance; NIH Protecting PHI in Research.

  10. Serious Threat to Health or Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

  11. Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.

  12. Workers’ Compensation. Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses. See OCR “Workers’ Compensation” Guidance.

(6) Limited Data Set. A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.



Personal Representative

The Privacy Rule requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual.

The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. For instance, covered entities must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information.

Special case: Minors. In most cases, parents are the personal representatives for their minor children. Therefore, in most cases, parents can exercise individual rights, such as access to the medical record, on behalf of their minor children. In certain exceptional cases, the parent is not considered the personal representative. In these situations, the Privacy Rule defers to State and other law to determine the rights of parents to access and control the protected health information of their minor children. If State and other law is silent concerning parental access to the minor’s protected health information, a covered entity has discretion to provide or deny a parent access to the minor’s health information, provided the decision is made by a licensed health care professional in the exercise of professional judgment.



Physical Safeguards

Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion.



Plan ID

See National Payer ID



Plan Sponsor

An employer or purchaser who sponsors a group health plan as defined in section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).

A Group Health Plan is an employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that has 50 or more participants or is administered by an entity other than the employer that established and maintains the plan.



Policy

Written decisions made by those in authority to direct the actions of others. They generally contain guidelines to govern, and set limits within which individuals are expected to operate.

A policy is an upper-level command as to what should or should not occur. It is not a specific step-by-step outline that someone can follow to complete a task. Instead, the policy operates as a control or command that staff will implement as they see fit. For example, an Internet use policy may declare that the practice logs all Web surfing traffic. The policy does not address how to do this or to what extent; the specifics are up to the staff responsible for the hardware and software that will perform the logging.

A policy is not a step-by-step guideline. It is an upper-level command.



Policy Advisory Group (PAG)

A generic name for many work groups at WEDI and elsewhere.



Preferred Provider Organization (PPO)

A managed care plan in which you use doctors, hospitals, and providers that belong to the network. You can use doctors, hospitals, and providers outside of the network for an additional cost.

Also, an M+CO coordinated care plan that: (a) has a network of providers that have agreed to a contractually specified reimbursement for covered benefits with the organization offering the plan; (b) provides for reimbursement for all covered benefits regardless of whether the benefits are provided within the network of providers; and (c) is offered by an organization that is not licensed or organized under State law as an HMO. See Social Security Act Section 1852(e)(2)(D), 42 U.S.C. §139w-22(e)(2)(D).



Privacy Notice(s)

Each covered entity must develop a health information notice to be made available at a patient’s request describing how it uses and distributes health care information. The notice must also advise that patients have the right to request restrictions on the use or distribution of records. Covered entities, however, are not required to agree to restrict use or distribution. The list that covered entities provide of uses and distribution of health information will be a lengthy one. Reportedly, a model privacy notice developed by the American Hospital Association and listing possible uses of health information covered nine pages.



Privacy Official and Contact Person

Covered entities are required to designate an individual as the covered entity's privacy official, responsible for the implementation and development of the entity's privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity's notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed § 164.512, we also proposed to require the covered plan or provider's privacy notice to include the name of a contact person for privacy matters.

The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under § 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to § 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to § 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice.

These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance in their paper "Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment." This paper notes that "accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures..." (p. 29)




Procedure

Procedures are standardized, documented administrative practices: the step-by-step processes by which policies are implemented.

This typically is a lower-level, detailed instruction set that a computer technician creates to perform a specific function. The technician would establish a procedure to install a program that monitors and detects pornographic Web traffic. Another procedure would be created to manage and review the logs from this program.

Procedures are the step-by-step instructions to meet a defined goal.



Procedure Coding System (PCS)

See International Classification of Diseases

Related Terms: International Classification of Diseases



Professional EMC NSF

A 320-byte flat file record format used to submit professional claims.

Related Terms: National Standard Format



Protected Health Information (PHI)

Individually identifiable health information:

  1. Except as provided in paragraph (2) of this definition, that is:

    1. Transmitted by electronic media;

    2. Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

    3. Transmitted or maintained in any other form or medium.


  2. Protected health information excludes individually identifiable health information in:

    1. Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and

    2. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).


PHI includes references to not only the patient, but also their relatives, employers, or household members.

The items that constitute PHI:
  1. Name
  2. Address
  3. Phone Numbers
  4. Fax Number
  5. Dates (birth, death, admission, discharge, etc.)
  6. Social Security Number
  7. E-mail Address
  8. Medical Record Numbers
  9. Health Plan Beneficiary Numbers
  10. Account Numbers
  11. Certificate or License Numbers
  12. Vehicle Identifiers and Serial Numbers, including license plate numbers
  13. Device Identifiers and Serial Numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) Address Numbers
  16. Biometric Identifiers, including finger and voice prints
  17. Full Face Photographic Images and any comparable images
  18. Any other unique identifying number, characteristic, or code
  19. Patient's Medical History

Exclusion for Employment Records. The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.



Provider Sponsored Organization (PSO)

A group of doctors, hospitals, and other health care providers that agree to give health care to Medicare beneficiaries for a set amount of money from Medicare every month. This type of managed care plan is run by the doctors and providers themselves, and not by an insurance company.



Provider Taxonomy Codes

A code set for identifying the provider type and area of specialization for all health care providers. A given provider can have several Provider Taxonomy Codes. This code set is used in the X12 278 Referral Certification and Authorization and the X12 837 Claim EDI transactions, and is maintained by the Health Care Provider Taxonomy Committee.

Related Terms: X12 837



Psychotherapy Notes

Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.




Public Health Authority

An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.




Public Law (PL, P.L.)

Ex. PL 104-191 (HIPAA).


© 2002,2003 HIPAA PS