Access
Your ability to get needed medical care and services.
Related Terms: Administrative Simplification
|
Accredited Standards Committee (ASC)
An organization that has been accredited by ANSI for the development of American National Standards.
Related Terms: American National Standards; American National Standards Institute
|
Administrative Code Sets (ACS)
Code sets that characterize a general business situation, rather than a medical condition or service. Under HIPAA, these are sometimes referred to as non-clinical or non-medical code sets. Compare to medical code sets.
Related Terms: Medical Code Sets
|
Administrative Requirements
HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.
Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice.
Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints also can be submitted to the Secretary of HHS.
Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Fully-Insured Group Health Plan Exception. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.
|
Administrative Simplification (A/S)
Title II, Subtitle F, of HIPAA, which gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.
Related Terms: Access; Health Insurance Portability and Accountability Act; Joint Commission on Accreditation of Healthcare Organizations; US Department of Health and Human Services
|
Administrative safeguards
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
|
Admission Date
The date the patient was admitted for inpatient care, outpatient service, or start of care. For an admission notice for hospice care, enter the effective date of election of hospice benefits.
|
Affiliated Covered Entity
Legally separate covered entities that are affiliated by common ownership or control may designate themselves (including their health care components) as a single covered entity for Privacy Rule compliance. The designation must be in writing. An affiliated covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions.
|
American Association for Homecare (AAHomecare)
An industry association for the home care industry, including home IV therapy, home medical services and manufacturers, and home health providers. AAHomecare was created through the merger of the Health Industry Distributors Association's Home Care Division (HIDA Home Care), the Home Health Services and Staffing Association (HHSSA), and the National Association for Medical Equipment Services (NAMES).
Related Terms: Health Industry Distributors Association, Home Care Division; Home Health Services and Staffing Association; National Association for Medical Equipment Services
|
American Dental Association (ADA)
A professional organization for dentists. The ADA maintains a hardcopy dental claim form and the associated claim submission specifications, and also maintains the Current Dental Terminology (CDT) medical code set. The ADA and the Dental Content Committee (DeCC), which it hosts, have formal consultative roles under HIPAA.
Related Terms: Current Dental Terminology
|
American Health Information Management Association (AHIMA)
An association of health information management professionals. AHIMA sponsors some HIPAA educational seminars.
Related Terms: Health Insurance Portability and Accountability Act
|
American Hospital Association (AHA)
A health care industry association that represents the concerns of institutional providers. The AHA hosts the NUBC, which has a formal consultative role under HIPAA.
Related Terms: National Uniform Billing Committee
|
American Medical Association
A professional organization for physicians. The AMA is the secretariat of the NUCC, which has a formal consultative role under HIPAA. The AMA also maintains the Current Procedural Terminology (CPT) medical code set.
|
American Medical Informatics Association
A professional organization that promotes the development and use of medical informatics for patient care, teaching, research, and health care administration.
|
American National Standards (ANS)
Standards developed and approved by organizations accredited by ANSI.
Related Terms: Accredited Standards Committee; American National Standards Institute; National Council for Prescription Drug Programs
|
American National Standards Institute
An organization that accredits various standards-setting committees, and monitors their compliance with the open rule-making process that they must follow to qualify for ANSI accreditation. HIPAA prescribes that the standards mandated under it be developed by ANSI-accredited bodies whenever practical.
Related Terms: Accredited Standards Committee; American National Standards
|
American Public Human Services Association (APHSA)
Founded in 1930, APHSA is a nonprofit, bipartisan organization of individuals and agencies concerned with human services. Members include all state and many territorial human service agencies, more than 1,200 local agencies, and several thousand individuals who work in or otherwise have an interest in human service programs. APHSA educates members of Congress, the media, and the broader public on what is happening in the states regarding welfare, child welfare, health care reform, and other issues involving families and the elderly.
The association’s mission is to develop, promote, and implement public human service policies that improve the health and well-being of families, children, and adults. APHSA is also an umbrella for several component groups.
|
American Society for Testing and Materials (ASTM)
A standards group that has published general guidelines for the development of standards, including those for health care identifiers. ASTM Committee E31 on Healthcare Informatics develops standards on information used within healthcare.
|
Ancillary Services
Professional services by a hospital or other inpatient health program. These may include x-ray, drug, laboratory, or other services.
|
Association for Electronic Health Care Transactions (AFEHCT)
An organization that promotes the use of EDI in the health care industry.
Related Terms: Electronic Data Interchange
|
Authentication
Authentication means the corroboration that a person is the one claimed.
|
Authorization
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.
All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.
Psychotherapy Notes
A covered entity must obtain an individual’s authorization to use or disclose psychotherapy notes with the following exceptions:
- The covered entity who originated the notes may use them for treatment.
- A covered entity may use or disclose, without an individual’s authorization, the psychotherapy notes, for its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner or as required by law.
Marketing
Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service. The Privacy Rule carves out the following health-related activities from this definition of marketing:
- Communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication;
- Communications about participating providers in a provider or health plan network, replacement of or enhancements to a health plan, and health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan;
- Communications for treatment of the individual; and
- Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.
Marketing also is an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information, in exchange for direct or indirect remuneration, for the other entity to communicate about its own products or services encouraging the use or purchase of those products or services. A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value. No authorization is needed, however, to make a communication that falls within one of the exceptions to the marketing definition. An authorization for marketing that involves the covered entity’s receipt of direct or indirect remuneration from a third party must reveal that fact.
Related Terms: Consent and Authorization (Basic Rule)
|
Automated Clearinghouse (ACH)
See: Health Care Clearinghouse
Related Terms: Health Care Clearinghouse
|
Availability
Availability means the property that data or information is accessible and useable upon demand by an authorized person.
|
Biometric Identifier
An identifier based on some physical characteristic, such as a fingerprint.
|
Biometrics
The science and technology of measuring and statistically analyzing biological data.
In information technology, it usually refers to technologies for measuring and analyzing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements, especially for authentication purposes.
|
Birthing Center
A facility, other than a hospital's maternity facilities or a physician's office, which provides a setting for labor, delivery, and immediate post-partum care as well as immediate care of new born infants.
|
Blue Cross and Blue Shield Association
An association that represents the common interests of Blue Cross and Blue Shield health plans. The BCBSA serves as the administrator for the Health Care Code Maintenance Committee and also helps maintain the HCPCS Level II codes.
|
Business Associate (BA)
(1) A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. Also see Part II, 45 CFR 160.103.
(2) A person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
- Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
- On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
- A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
- Any other function or activity regulated by this subchapter;
or
- Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
- A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.
- A covered entity may be a business associate of another covered entity.
Related Terms: Business Associate Agreement
|
Business Associate Agreement
HIPAA applies directly to:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter 45 CFR 160.103.
It does not apply to any other parties, except for a special group HIPAA calls Business Associates (BAs). BAs are businesses that have access to protected health information (PHI) from a covered entity as a normal course of business. (See the definition of a Business Associate for more clarification of the term.) Since HIPAA does not apply directly, the law mandates that covered entities MUST have the BA sign a Business Associate Agreement (BAA) agreeing to provide the same privacy and security to the data that the covered entity must provide. If the BA refuses to sign or violates this agreement, the covered entity must ultimately stop doing business with the BA.
This agreement is a contract that is enforceable in court and is sometimes referred to as the Business Associate Contract.
There are various levels of BAAs depending on the level of access or availability the BA has to the PHI. A janitorial firm or computer consultant, for example, is not given access to PHI but has availability to it. These BAAs should be a confidentiality agreement. On the other hand, a third party collection business or a law firm representing the covered entity is given direct access to the PHI and must sign a full BAA. Essentially, in the latter example, the Agreement pulls the BA deep into the HIPAA compliance water. That Agreement says the BA will treat the data the same as the covered entity.
There are circumstances where BAs give the protected health information to another party that may not even have a direct relationship with the original covered entity. This type of relationship requires a "Chain of Trust" Agreement between the multiple Business Associates. (See Chain of Trust for more details.)
The Office of Civil Rights gives this definition:
When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that have an existing written contract or agreement with business associates prior to October 15, 2002, which is not renewed or modified prior to April 14, 2003, are permitted to continue to operate under that contract until they renew the contract or April 14, 2004, whichever is first.
Related Terms: Business Associate; Chain of Trust Agreement
|
Business Model
A model of a business organization or process.
|
Business Partner (BP)
A term used in the HIPAA Privacy NPRM to identify organizations that perform business functions for a covered entity, and should therefore be required to accept the same obligations for protecting any individually identifiable health care information that they receive from the covered entity.
|
Business Relationships
The term agent is often used to describe a person or organization that assumes some of the responsibilities of another one. This term has been avoided in the final rules so that a more HIPAA-specific meaning could be used for business associate.
|
Center for Healthcare Information Management
A health information technology industry association.
|
Centers for Disease Control and Prevention (CDC)
An organization that maintains several code sets included in the HIPAA standards, including the ICD-9-CM codes.
|
Centers for Medicare & Medicaid Services (CMS)
(1) The HHS agency responsible for Medicare and parts of Medicaid. Centers for Medicare & Medicaid Services has historically maintained the UB-92 institutional EMC format specifications, the professional EMC NSF specifications, and specifications for various certifications and authorizations used by the Medicare and Medicaid programs. Centers for Medicare & Medicaid Services also maintains the HCPCS medical code set and the Medicare Remittance Advice Remark Codes administrative code set.
(2) The federal agency that runs the Medicare program. In addition, CMS works with the States to run the Medicaid program. CMS works to make sure that the beneficiaries in these programs are able to get high quality health care.
|
Certification
Certification means verifying secure data transmission, storage, backup, access controls, and all the other policies and procedures you must have in place to protect a patient’s privacy; it is the best method by which any organization can ensure that its computer systems are operating under adequate security protocols. In addition, you must document the certification procedure itself to ensure that, in the future, an independent party can verify its validity.
Note that the HIPAA final rule renamed the formal term “certification” as the more general term “evaluation.” However, in real life, when you use the term “evaluation,” most vendors won’t know what you are talking about. Thus, for practical purposes your security policy still should incorporate the term “certification.”
Certifications help demonstrate accountability and can serve as security reference guides. In addition, they can form an outline of the policies, guidelines, and standards used to secure a network.
Certifications can provide:
- Accountability. Certification provides tangible proof that a computer system is secure. In the event of a computer system compromise, the certification can become a document of accountability to prove that you made efforts to avoid a breach of security.
- An outline. The certification requirements will provide you with an outline of policies, guidelines, and standards that you can use to protect a computer system.
- A point of reference. In the case of an audit, the certification also can provide a point-by-point description as to what was secured, how it was secured, and why it was secured.
Without proper certification, your practice has no way to provide evidence that its computer systems are operating at a proper standard of security. However, be sure to research the validity of any certification before placing faith in it. While third-party audits and certifications generally are the most valuable, no standard exists by which to judge the certification itself.
|
Certified Nursing Assistant (CNA)
CNAs are trained and certified to help nurses by providing non-medical assistance to patients, such as help with eating, cleaning and dressing.
|
Certified Registered Nurse Anesthetist
A nurse who is trained and licensed to give anesthesia. Anesthesia is given before and during surgery so that a person does not feel pain.
|
Chain of Trust (COT)
A term used in the HIPAA Security NPRM for a pattern of agreements that extend protection of health care data by requiring that each covered entity that shares health care data with another entity require that that entity provide protections comparable to those provided by the covered entity, and that that entity, in turn, require that any other entities with which it shares the data satisfy the same requirements.
|
Chain of Trust Agreement
This agreement covers patient data that is shared for business reasons with other persons or groups outside of the office.
The final HIPAA rule revised the term “chain of trust” to a more specific term, “business associate contracts and other arrangements,” to redefine who must enter into a contract under the rule. However, for practical purposes you still will use the term “chain of trust” when dealing with real-world policy development.
If a healthcare practice shares patient data with a third party, it must establish a certain level of trust with this party to ensure it will maintain data integrity and confidentiality. The agreement with this party must take the form of a formal, approved contract that clearly outlines each entity’s responsibilities. If the data must pass through multiple parties before reaching its intended recipient, each must establish a trust agreement with your practice, which, as the parent party, ultimately is responsible for the data. Entering into chain of trust agreements ensures that security is maintained despite the data’s location. Without such agreements, one organization’s lower level of security could compromise another organization’s high level of data integrity and confidentiality.
For example, if you are sending a patient’s medical record to a specialist, you should not merely compress the files and e-mail them via your home Internet service provider. While you may have a formal agreement with the receiving party, standard e-mail is not secure. Instead, you should learn how to use encryption and even digital signatures.
Related Terms: Business Associate Agreement
|
Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
Run by the Department of Defense, in the past CHAMPUS gave medical care to active duty members of the military, military retirees, and their eligible dependents. (This program is now called "TRICARE".)
|
Claim
A claim is a request for payment for services and benefits you received. Claims are also called bills for all Part A and Part B services billed through Fiscal Intermediaries. "Claim" is the word used for Part B physician/supplier services billed through the Carrier.
|
Claim Adjustment Reason Codes
A national administrative code set that identifies the reasons for any differences, or adjustments, between the original provider charge for a claim or service and the payer's payment for it. This code set is used in the X12 835 Claim Payment & Remittance Advice and the X12 837 Claim transactions, and is maintained by the Health Care Code Maintenance Committee.
|
Claim Attachment
Any of a variety of hardcopy forms or electronic records needed to process a claim in addition to the claim itself.
|
Claim Medicare Remark Codes
See Medicare Remittance Advice Remark Codes.
Related Terms: Medicare Remittance Advice Remark Codes
|
Claim Status Category Codes
A national code set that indicates the general category of the status of health care claims. This code set is used in the X12 277 Claim Status Notification EDI transaction, and is maintained by the Health Care Code Maintenance Committee.
|
Claim Status Codes
A national code set for indicating the status of health care claims. This code set is used in the X12 277 Claim Status Notification EDI transaction, and is maintained by the Health Care Code Maintenance Committee.
|
Clearinghouse
See Health Care Clearinghouse.
Related Terms: Health Care Clearinghouse
|
Clinical Modification (CM)
See International Classification of Diseases.
Related Terms: International Classification of Diseases
|
Code Set
Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions. Also see Part II, 45 CFR 162.103.
Related Terms: Maintenance
|
Code Set Maintaining Organization
An organization that creates and maintains the code sets adopted by the Secretary for use in the transactions for which standards are adopted in this part. [45 CFR 162.103]
|
Code of Federal Regulations (CFR, C.F.R.)
The Code of Federal Regulations is a publication established by Act of Congress (44 U.S.C. § 1510). It represents a compilation of all the regulations issued by Federal administrative agencies that have general applicability and legal effect. As a consequence the contents of the CFR cover a wide range of subjects. Most states prepare comparable compilations of state agency regulations, generally called their Administrative Code.
Federal statutes furnish the authority and the limits for regulations that appear in the CFR. This means that the regulations on a subject should be read together with any pertinent portions of the U.S. Code. It also means that courts will, upon occasion, hold that regulations which appear in the Code of Federal Regulations are invalid because they conflict with a Federal statute.
Related Terms: United States Code
|
College of Healthcare Information Management Executives (CHIME)
A professional organization for health care Chief Information Officers (CIOs).
|
Comment
Commentary on the merits or appropriateness of proposed or potential regulations provided in response to an NOI, an NPRM, or other federal regulatory notice.
Related Terms: Notice of Intent; Notice of Proposed Rulemaking
|
Community Mental Health Center
A facility that provides the following services:
- Outpatient services, including specialized outpatient services for children, the elderly, individuals who are chronically ill, and residents of the CMHC's mental health services area who have been discharged from inpatient treatment at a mental health facility,
- 24 hour a day emergency care services,
- Day treatment, other than partial hospitalization services, or psychosocial rehabilitation services,
- Screening for patients considered for admission to State mental health facilities to determine the appropriateness of such admission, and
- Consultation and education services.
|
Compliance date
Under HIPAA, this is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective date of the associated final rule for most entities, but 36 months after the effective date for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective date, but can be longer for small health plans and for complex changes.
HIPAA Privacy Standards went into effect April 15, 2001; the two year grace period ends on April 15, 2003, at which time anyone not complying with the standards can be cited and/or charged.
For the electronic rule only, Congress in 2001 enacted legislation allowing a one-year extension for most covered entities provided that they submit a plan for achieving compliance. As a result, covered entities that qualify for the extension will have until October 16, 2003 to meet the electronic standards instead of the original October 16, 2002 deadline. (Small health plans must still meet the October 16, 2003 compliance date and are not eligible for an extension under the new law.)
A "Small health plan" is defined as a plan with annual receipts of $5 million or less. HHS clarified the annual receipt test to mean, for insured plans, $5 million in premiums paid in the most recent fiscal year and, for self-insured plans, $5 million in claims paid in the most recent fiscal year.
|
Comprehensive Inpatient Rehabilitation Facility
A facility that provides comprehensive rehabilitation services under the supervision of a physician to inpatients with physical disabilities. Services include physical therapy, occupational therapy, speech pathology, social or psychological services, and orthotics and prosthetics services.
|
Comprehensive Outpatient Rehabilitation Facility
(1) A facility that provides comprehensive rehabilitation services under the supervision of a physician to outpatients with physical disabilities. Services include physical therapy, occupational therapy, and speech pathology services.
(2) A facility that provides a variety of services including physicians' services, physical therapy, social or psychological services, and outpatient rehabilitation.
|
Computer-based Patient Record Institute (CPRI)
An industry organization that promotes the use of healthcare information systems, including electronic healthcare records.
|
Confidentiality
Your right to talk with your health care provider without anyone else finding out what you have said.
Confidentiality, as applied to PHI, means the property that data or information is not made available or disclosed to unauthorized persons or processes.
|
Congressional Budget Office (CBO)
The Congressional Budget Office is a small, nonpartisan agency that produces policy analyses, cost estimates, and budget and economic projections that serve as a basis for Congress's decisions about spending and taxes. Every piece of legislation affecting the use of the nation's resources undergoes CBO's scrutiny. The agency is a public-sector think tank that employs an elite, multidisciplinary staff of professional analysts—public-policy experts, economists, budgeteers, and other critical thinkers who enjoy challenges—at levels ranging from undergraduate and graduate interns to seasoned researchers with doctorates and substantial experience.
|
Consent and Authorization (Basic Rule)
A covered entity may use or disclose PHI only:
- With the consent of the individual for treatment, payment, or health care operations;
- With the authorization of the individual for all other uses or disclosures;
- As permitted under this rule for certain public policy purposes.
Related Terms: Authorization
|
Consolidated Omnibus Budget Reconciliation Act (COBRA)
COBRA is a law that makes an employer let you remain covered under the employer's group health plan for a period of time after the death of your spouse, losing your job, having your work hours reduced, or getting a divorce. You may have to pay both your share and the employer's share of the premium.
|
Consumer Assessment of Health Plans Study (CAHPS)
An annual nationwide survey that is used to report information on Medicare beneficiaries' experiences with managed care plans. The results are shared with Medicare beneficiaries and the public.
|
Contingency Plan
Every computer system must have a documented and audited backup and full recovery plan in case of an emergency. The initial step in developing the plan is to assess applications and data to determine what is critical to daily operations. The plan must include an emergency operating procedure to use until systems can be placed back online and testing procedures to ensure a system can be restored fully from backups.
Without this plan in place, your practice/business can and will fall prey to a number of debilitating situations. Natural disasters, power outages, computer viruses, or even a simple program crash could shut down permanently any organization that is not prepared.
The plan also must address how your business handles backup media, as doing so in an insecure manner could give an unauthorized person complete access to your computer system’s files. You must store all backups in a secure location, and it should be off-site; otherwise, a fire could wipe you out completely. Typical backup storage locations are on a remote server, in a bank deposit box, or at a remote building under your control.
You should not store backup media near the primary data. This could lead to a total loss of data if a major disaster occurs, such as a fire or terrorist attack.
|
Coordination of Benefits (COB)
A process for determining the respective responsibilities of two or more health plans that have some financial responsibility for a medical claim. Also called crossover.
Related Terms: Crossover
|
Correctional Institution
Any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.
|
Cost-Based Health Maintenance Organization
A type of managed care organization that will pay for all of the enrollees/members' medical care costs in return for a monthly premium, plus any applicable deductible or co-payment. The HMO will pay for all hospital costs (generally referred to as Part A) and physician costs (generally referred to as Part B) that it has arranged for and ordered. Like a health care prepayment plan (HCPP), except for out-of-area emergency services, if a Medicare member/enrollee chooses to obtain services that have not been arranged for by the HMO, he/she is liable for any applicable deductible and co-insurance amounts, with the balance to be paid by the regional Medicare intermediary and/or carrier.
|
Covered Entities With Multiple Covered Functions
A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. The covered entity may not use or disclose the protected health information of an individual who receives services from one covered function (e.g., health care provider) for another covered function (e.g., health plan) if the individual is not involved with the other function.
|
Covered Entity (CE)
The following are covered entities under the HIPAA regulations:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. [45 CFR 160.103]
The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). For help in determining whether you are covered, use the decision tool at: http://cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/CoveredEntityFlowcharts.pdf
|
Covered Functions
Those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.
|
Covered Information
All individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted. (See Sec. 164.501, definition of "protected health information", for further discussion.)
|
Crossover
See Coordination of Benefits.
Related Terms: Coordination of Benefits
|
Current Dental Terminology (CDT)
A medical code set, maintained and copyrighted by the ADA, that has been selected for use in the HIPAA transactions.
Related Terms: American Dental Association
|
Current Procedural Terminology (CPT)
A medical code set, maintained and copyrighted by the AMA, that has been selected for use under HIPAA for non-institutional and non-dental professional transactions.
|
D-Codes
Previously, HCPCS Level II has contained a set of codes with a high-order value of "D" to identify some dental procedures. The final HIPAA transactions and code sets rule states that these D-codes will be dropped from the HCPCS, and that, under HIPAA, CDT codes will be used to identify all dental procedures.
|
Data Aggregation
With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
|
Data Condition
The rule that describes the circumstances under which a covered entity must use a particular data element or segment. [45 CFR 162.103]
|
Data Content
All the data elements and code sets inherent to a transaction, and not related to the format of the transaction. Data elements that are related to the format are not data content. [45 CFR 162.103]
|
Data Content Committee (DCC)
See Designated Data Content Committee.
|
Data Council
A coordinating body within HHS that has high-level responsibility for overseeing the implementation of the A/S provisions of HIPAA.
|
Data Dictionary (DD)
A document or system that characterizes the data content of a system.
|
Data Element
The smallest named unit of information in a transaction. [45 CFR 162.103]
|
Data Interchange Standards Association (DISA)
A body that provides administrative services to X12 and several other standards-related groups.
Related Terms: X-12
|
Data Mapping
The process of matching one set of data elements or individual code values to their closest equivalents in another set of them.
|
Data Model
A conceptual model of the information needed to support a business function or process.
|
Data Set
A semantically meaningful unit of information exchanged between two parties to a transaction. [45 CFR 162.103]
|
Data Standards Maintenance Organizations (DSMO)
An organization designated by the Secretary under 162.910(a). [45 CFR 162.103]
|
De-identification
The removal of any individually identifiable data that may allow someone to connect the data in question with a specific person.
The Office of Civil Rights gives this clarification:
There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either:
- a formal determination by a qualified statistician; or
- the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
|
Dental Content Committee
An organization, hosted by the American Dental Association, that maintains the data content specifications for dental billing. The Dental Content Committee has a formal consultative role under HIPAA for all transactions affecting dental health care services.
|
Descriptor
The text defining a code. [45 CFR 162.103]
|
Designated Code Set
A medical or administrative code set which HHS has designated for use in one or more of the HIPAA standards.
|
Designated DCC
See Designated Data Content Committee
|
Designated Data Content Committee
(or Designated DCC)
An organization which HHS has designated for oversight of the business data content of one or more of the HIPAA-mandated transaction standards.
|
Designated Record Set
- A group of records maintained by or for a covered entity that is:
  - The medical records and billing records about individuals maintained by or for a covered health care provider;
  - The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  - Used, in whole or in part, by or for the covered entity to make decisions about individuals.
- For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
|
Designated Standard
A standard which HHS has designated for use under the authority provided by HIPAA.
|
Designated Standard Maintenance Organization (DSMO)
An organization designated by the Secretary under 162.910(a). [45 CFR 162.103]
|
Digital Imaging and Communications in Medicine (DICOM)
A standard for communicating images, such as X-rays, in a digitized form. This standard could become part of the claim attachments standards.
|
Direct Data Entry (DDE)
The direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan's computer.
|
Direct Treatment Relationship
A treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.
|
Discloses to Public Health Activities
General Public Health Activities.
The Privacy Rule permits covered entities to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This would include, for example, the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. See 45 CFR 164.512(b)(1)(i). Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. See 45 CFR 164.512(b)(1)(i). Covered entities who are also a public health authority may use, as well as disclose, protected health information for these public health purposes. See 45 CFR 164.512(b)(2).
A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR 164.501. Examples of a public health authority include State and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration (OSHA).
|
Disclosure
The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
|
Draft Standard for Trial Use (DSTU)
An archaic term for any X12 standard that has been approved since the most recent release of X12 American National Standards. The current equivalent term is X12 Standard.
Related Terms: X-12
|
EDI Translator
A software tool for accepting an EDI transmission and converting the data to another format, or for converting a non-EDI data file into an EDI format for transmission.
|
Effective Date
This is the date that a final rule is effective. This is usually 60 days after it is published in the Federal Register.
Related Terms: Federal Register
|
Electronic Commerce (EC)
The exchange of business information by electronic means.
|
Electronic Data Interchange (EDI)
This usually means X12 and similar variable-length formats for the electronic exchange of structured data. It is sometimes used more broadly to mean any electronic exchange of formatted data.
Related Terms: Association for Electronic Health Care Transactions; Medicare Remittance Advice Remark Codes; Value-Added Network; X-12
|
Electronic Healthcare Network Accreditation Commission (EHNAC)
An organization that accredits health care clearinghouses.
|
Electronic Media
(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory medium; or
(2) Transmission media used to exchange information already in electronic memory medium. Transmission media include, for example, the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.
[45 CFR 160.103]
|
Electronic Media Claims (EMC)
This term usually refers to a flat file format used to transmit or transport claims, such as the 192-byte UB-92 Institutional EMC format and the 320-byte Professional EMC NSF.
Related Terms: National Standard Format; UB-92
|
Electronic Remittance Advice (ERA)
Any of several electronic formats for explaining the payments of health care claims.
|
Employers
The rule requires that group health plans cannot disclose protected health information about employees to employers except as it relates to providing and paying for health care. Employers will also be required to create firewalls between company officials who work on company health plans and those involved in personnel or employment related matters.
|
Encryption
Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
|
Explanation of Medicare Benefits (EOMB)
A notice that is sent to you after the doctor files a claim for Part B services under the Original Medicare Plan. This notice explains what the provider billed for, the Medicare-approved amount, how much Medicare paid, and what you must pay. This is being replaced by the Medicare Summary Notice (MSN), which sums up all the services (Part A and B) that were given over a certain period of time, generally monthly.
Related Terms: Medicare Benefits Notice; Medicare Summary Notice
|
Explanation of Member Benefits (EOMB)
|
Facility
Facility means the physical premises and the interior and exterior of a building(s).
|
Federal Register (FR, F.R.)
The Federal Register is the official daily publication for Rules, Proposed Rules, and Notices of Federal agencies and organizations, as well as Executive Orders and other Presidential Documents.
Related Terms: Effective Date; United States Code
|
First Report of Injury (FRI)
See X12 148
|
Flat File
This term usually refers to a file that consists of a series of fixed-length records that include some sort of record type code.
|
Format
Those data elements that provide or control the enveloping or hierarchical structure, or assist in identifying data content of, a transaction. [45 CFR 162.103]
|
Freedom of Information Act (FOIA)
A law that requires the U.S. Government to give out certain information to the public when it receives a written request. FOIA applies only to records of the Executive Branch of the Federal Government, not to those of the Congress or Federal courts, and does not apply to state governments, local governments, or private groups.
|
GAP Analysis
See "Risk Assessment".
Related Terms: Risk Assessment
|
Group Health Plan
(See also: health plan)
An employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:
- Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
- Is administered by an entity other than the employer that established and maintains the plan.
See 45 CFR 160.103 for a more detailed description.
|
Guideline
A guideline is an intermediary step that acts as a suggestion.
Guidelines often are not rules but rather strong hints that users should follow.
For example, a guideline can provide a template for new policies. While following such a guideline is not required, if all policies are created using the principles the guideline provides, employees would more easily be able to learn the general format of a policy and locate the desired information. On the other hand, not following the guideline to create a new policy would not break a rule or require punishment.
|
HCFA Common Procedural Coding System (HCPCS)
A medical code set that identifies health care procedures, equipment, and supplies for claim submission purposes. It has been selected for use in the HIPAA transactions.
HCPCS Level I contains numeric CPT-4 codes which are maintained by the AMA.
HCPCS Level II contains alphanumeric codes used to identify various items and services (such as: medical supplies, ambulance services, injectable drugs, and specific supplies) that are not included in the CPT-4 code set. These are maintained by HCFA, the BCBSA, and the HIAA.
HCPCS Level III contains alphanumeric codes that are assigned by Medicaid state agencies to identify additional items and services not included in levels I or II. These are usually called "local codes", and must have "W", "X", "Y", or "Z" in the first position.
HCPCS Procedure Modifier Codes can be used with all three levels, with the WA-ZY range used for locally assigned procedure modifiers.
|
HCFA-1450
HCFA's name for the institutional uniform claim form, or UB-92.
Related Terms: UB-92
|
HCFA-1500
HCFA's name for the professional uniform claim form. Also known as the UCF-1500.
|
HIPAA Data Dictionary (HIPAA DD)
A data dictionary that defines and cross-references the contents of all X12 transactions included in the HIPAA mandate. It is maintained by X12N/TG3.
Related Terms: X-12; X12N/TG3
|
Health Care
Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
- Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body;
- Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- Procurement or banking of blood, sperm, organs, or any other tissue for administration to individuals. [45 CFR 160.103]
|
Health Care Clearinghouse
A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions:
- Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
- Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. [45 CFR 160.103]
The Office of Discrimination offers further clarification:
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.
In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information.
Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
Related Terms: Automated Clearinghouse; Clearinghouse
|
Health Care Code Maintenance Committee
An organization administered by the BCBSA that is responsible for maintaining certain coding schemes used in the X12 transactions. These include the Claim Adjustment Reason Codes, the Claim Status Category Codes, and the Claim Status Codes.
Related Terms: X-12
|
Health Care Financing Administration (HCFA)
A subgroup within the Department of Health and Human Services.
The DHHS agency responsible for Medicare and parts of Medicaid. HCFA has historically maintained the UB-92 institutional EMC format specifications, the professional EMC NSF specifications, and specifications for various certifications and authorizations used by the Medicare and Medicaid programs. HCFA also maintains the HCPCS medical code set and the Medicare Remittance Advice Remark Codes administrative code set.
|
Health Care Operations
Any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of the entity, including, but not limited to:
  - Management activities relating to implementation of and compliance with the requirements of this subchapter;
  - Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
  - Resolution of internal grievances;
  - Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
  - Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).
|
Health Care Plan
As defined in section 1171(5), Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with less than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: (1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and (2) those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance.
|
Health Care Provider
A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. [45 CFR 160.103]
Clarification as issued by the Office of Discrimination:
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.
Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction.
The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.
Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
|
Health Care Provider Taxonomy Committee
An organization administered by the BCBSA that is responsible for maintaining the Provider Taxonomy coding scheme used in the X12 transactions. The detailed code maintenance is done under the guidance of X12N/TG2/WG15.
Related Terms: X-12
|
Health Industry Business Communications Council (HIBCC)
A council of health care industry associations which has developed a number of technical standards used within the health care industry.
|
Health Industry Distributors Association, Home Care Division (HIDA Home Care)
One of the organizations that later merged to form the Association for American Homecare.
Related Terms: American Association for Homecare
|
Health Informatics Standards Board (HISB)
An ANSI-accredited standards group that has developed an inventory of candidate standards for consideration as possible HIPAA standards.
|
Health Information
Any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. [45 CFR 160.103]
|
Health Insurance Association of America (HIAA)
An industry association that represents the interests of commercial health care insurers. The HIAA participates in the maintenance of some code sets, including the HCPCS Level II codes.
|
Health Insurance Issuer
(As defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. [45 CFR 160.103]
Such term does not include a group health plan.
|
Health Insurance Portability and Accountability Act (HIPAA)
A Federal law that makes a number of changes that have the goal of allowing persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Title II, Subtitle F, of HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. Also known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191.
The final version of the HIPAA Privacy regulations was issued in December 2000, and went into effect on April 14, 2002. Normally, rules go into effect 60 days after publication in the Congressional Record. Due to a glitch, the rules did not go into effect until April 14th instead of in February of 2001.
A two-year "grace" period was included; enforcement of the HIPAA Privacy Rules begins on April 14, 2003.
Related Terms: Administrative Simplification; American Health Information Management Association
|
Health Level Seven (HL7)
An ANSI-accredited group that defines standards for the cross-platform exchange of information within a health care organization. HL7 is responsible for specifying the Level Seven OSI standards for the health industry. Some HL7 standards have been encapsulated in the X12 standards used for transmitting claim attachments, which are expected to be part of the HIPAA claim attachments standard. The HL7 Claims Attachment SIG (CA-SIG) is responsible for the HL7 portion of this standard.
|
Health Maintenance Organization (HMO)
A federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO. [45 CFR 160.103]
(As defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the definition of health plan in this section.)
|
Health Oversight Agency
An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
|
Health Plan
An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). [45 CFR 160.103]
Health plan includes the following, singly or in combination:
- A group health plan, as defined in this section.
- A health insurance issuer, as defined in this section.
- An HMO, as defined in this section.
- Part A or Part B of the Medicare program under title XVIII of the Act.
- The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.
- An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
- An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.
- An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
- The health care program for active military personnel under title 10 of the United States Code.
- The veterans health care program under 38 U.S.C. chapter 17.
- The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)(as defined in 10 U.S.C. 1072(4)).
- The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.
- The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.
- An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
- The Medicare + Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.
- A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
- Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
Health plan excludes:
- Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
- A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):
- Whose principal purpose is other than providing, or paying the cost of, health care; or
- Whose principal activity is:
- The direct provision of health care to persons; or
- The making of grants to fund the direct provision of health care to persons.
|
Health Plan ID
See National Payer ID
|
Healthcare Financial Management Association (HFMA)
An organization for the improvement of the financial management of healthcare-related organizations. The HFMA sponsors some HIPAA educational seminars.
|
Healthcare ID
See National Patient ID
|
Healthcare Information Management Systems Society (HIMSS)
A professional organization for healthcare information and management systems professionals.
|
Home Health Services and Staffing Association (HHSSA)
One of the organizations that later merged to form the Association for American Homecare.
Related Terms: American Association for Homecare
|
Hybrid Entity
The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a “hybrid entity.” (The activities that make a person or organization a covered entity are its “covered functions.”) To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule.
|
Hydra
A multiheaded creature that becomes more so whenever you attempt to make it less so.
|
Identifiable Health Information (IHI)
|
Impact Analysis
See "Risk Analysis".
|
Implementation Guide (IG)
A document explaining the proper use of a standard for a specific business purpose. The X12N HIPAA IGs are the primary reference documents used by those implementing the associated transactions, and are incorporated into the HIPAA regulations by reference.
Related Terms: Implementation Specification
|
Implementation Specification
The specific instructions for implementing a standard.
[45 CFR 160.103]
Related Terms: Implementation Guide
|
Incidental Uses and Disclosures
General Provision
The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. (See 45 CFR 164.502(a)(1)(iii)) An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.
Reasonable Safeguards
A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. (See 45 CFR 164.530(c)) It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.
|
Indirect Treatment Relationship
A relationship between an individual and a health care provider in which:
- The health care provider delivers health care to the individual based on the orders of another health care provider; and
- The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
|
Individual
The person who is the subject of protected health information.
|
Individually Identifiable Health Information
Information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
|
Information Access Control
Security in any computer system requires formal policies and procedures for granting and controlling access to available resources. Your practice should develop specific criteria for granting defined levels of access to all users and adopt the required mechanisms to maintain access control.
Before you grant a user access to your practice’s computer system, you must determine his or her level of access based on job role and the information that person needs to get the job done. For example, a billing department employee will need access to a patient’s financial information as well as scheduling information to determine when the next office visit is due. On the other hand, a receptionist might need access only to the scheduling system; if the receptionist in your practice has no reason to see the financial or personal medical data of patients, you should establish a method to restrict his or her access to that data.
Note that in the HIPAA final rule, the term “access control” was removed as being too narrow. Nevertheless, access controls will form the basis of your HIPAA security plan, so it is important that you understand them.
|
Information Model
A conceptual model of the information needed to support a business function or process.
|
Information System
Information System means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
|
Inmate
A person incarcerated in or otherwise confined to a correctional institution.
|
Integrity
Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.
|
Interactive Health Care Eligibility/Benefit Response (IHCEBR)
See X12 271
|
Interactive HealthCare Eligibility/Benefits Inquiry (IHCEBI)
See X12 270
|
Interactive Healthcare Claim/Encounter (IHCLME)
See X12 837
|
International Association of Industrial Accident Boards and Commissions (IAIABC)
One of their standards is under consideration for use for the First Report of Injury standard under HIPAA.
|
International Classification of Diseases (ICD)
A medical code set maintained by the World Health Organization (WHO). The primary purpose of this code set was to classify causes of death. A US extension of this coding system, maintained by the NCHS within the CDC, identifies morbidity factors, or diagnoses. The ICD-9-CM codes have been selected for use in the HIPAA transactions.
How the abbreviation ICDnCM/PCS breaks down:
ICD = International Classification of Diseases
n = revision number
CM = Clinical Modification
PCS = Procedure Coding System
Related Terms: Clinical Modification ; International Classification of Diseases, Revision 9, Clinical Modification; National Center for Health Statistics ; Procedure Coding System ; World Health Organization
|
International Classification of Diseases, Revision 9, Clinical Modification (ICD-9-CM)
Related Terms: International Classification of Diseases
|
International Organization for Standardization (ISO)
An organization that coordinates the development and adoption of numerous international standards.
|
International Standards Organization
See International Organization for Standardization (ISO)
|
J-Codes
Previously, HCPCS Level II has contained a set of codes with a high-order value of "J" to identify some drugs and some other items. The final HIPAA transactions and code sets rule states that any J-codes identifying drugs will be dropped from the HCPCS, and that NDC codes will be used to identify all drug products.
|
Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
An organization that accredits healthcare organizations. In the future, the JCAHO may play a role in certifying these organizations’ compliance with the HIPAA A/S requirements.
Related Terms: Administrative Simplification
|
Joint Healthcare Information Technology Alliance (JHITA)
A healthcare industry association that represents AHIMA, AMIA, CHIM, CHIME, and HIMSS on legislative and regulatory issues affecting the use of health information technology.
|
Law Enforcement Official
An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
- Investigate or conduct an official inquiry into a potential violation of law; or
- Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
|
Limited Data Set
Information that does not include directly identifiable information. This limited data may be used for research, public health, and health care operations.
To further protect privacy, the final Rule conditions disclosure of the limited data set on a covered entity and the recipient entering into a data use agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, and to ensure the security of the data, as well as not to identify the information or use it to contact any individual.
|
Logical Observation Identifiers, Names and Codes (LOINC)
A set of universal names and ID codes that identify laboratory and clinical observations. These codes, which are maintained by the Regenstrief Institute, are expected to be used in the Claims Attachment standard mandated under HIPAA.
|
Maintain
See Maintenance
|
Maintenance
Activities necessary to support the use of a standard adopted by the Secretary, including technical corrections to an implementation specification, and enhancements or expansion of a code set. This term excludes the activities related to the adoption of a new standard or implementation specification, or modification to an adopted standard or implementation specification. [45 CFR 162.103]
Related Terms: Code Set; Standard
|
Malicious Software
Malicious Software means software, for example, a virus, designed to damage or disrupt a system.
|
Managed Care Organization (MCO)
Managed Care Organizations are entities that serve Medicare or Medicaid beneficiaries on a risk basis through a network of employed or affiliated providers. The term generally includes HMOs, PPOs, and Point of Service plans. In the Medicaid world, other organizations may set up managed care programs to respond to Medicaid managed care. These organizations include Federally Qualified Health Centers, integrated delivery systems, and public health clinics.
Also, a health maintenance organization, an eligible organization with a contract under §1876 or a Medicare-Choice organization, a provider-sponsored organization, or any other private or public organization, which meets the requirements of §1902 (w) to provide comprehensive services.
|
Marketing
What is “Marketing”?
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below.
Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
What Else is “Marketing”?
Marketing also means: “An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” This part of the definition of marketing has no exceptions. The individual must authorize these marketing communications before they can occur.
Not included in this definition are:
- communications made by a covered entity for the purpose of describing the participating providers and health plans in a network, or describing the services offered by a provider or the benefits covered by a health plan; and
- communications made by a health care provider as part of the treatment of a patient and for the purpose of furthering that treatment, or made by a provider or health plan in the course of managing an individual's treatment or recommending an alternative treatment.
|
Massachusetts Health Data Consortium (MHDC)
An organization that seeks to improve healthcare in New England through improved policy development, better technology planning and implementation, and more informed financial decision making.
|
Maximum Defined Data Set
All of the required data elements for a particular standard based on a specific implementation specification. [45 CFR 162.103]
An entity creating a transaction is free to include whatever data any receiver might want or need. The recipient is free to ignore any portion of the data that is not needed to conduct their part of the associated business transaction, unless the inessential data is needed for coordination of benefits.
|
Medical Code Sets
Codes that characterize a medical condition or treatment. These code sets are usually maintained by professional societies and public health organizations.
See also: administrative code sets.
Related Terms: Administrative Code Sets
|
Medical Records Institute (MRI)
Organization that promotes the development and acceptance of electronic health care record systems.
|
Medicare Benefits Notice (MBN)
A notice you get after your doctor files a claim for Part A services in the Original Medicare Plan. It says what the provider billed for, the Medicare-approved amount, how much Medicare paid, and what you must pay. You might also get an Explanation of Medicare Benefits (EOMB) for Part B services or a Medicare Summary Notice (MSN).
Related Terms: Explanation of Medicare Benefits
|
Medicare Remittance Advice Remark Codes
A national code set for providing either claim-level or service-level Medicare-related messages that cannot be expressed with a Claim Adjustment Reason Code. This code set is used in the X12 835 Claim Payment & Remittance Advice EDI transaction, and is maintained by the HCFA.
See also: CARC, EDI, HCFI, X12-835
Related Terms: Claim Medicare Remark Codes; Electronic Data Interchange
|
Medicare Summary Notice (MSN)
A notice you get after the doctor files a claim for Part A and Part B services in the Original Medicare Plan. It explains what the provider billed for, the Medicare-approved amount, how much Medicare paid, and what you must pay. You might also get a notice called an Explanation of Medicare Benefits (EOMB) for Part B services or a notice of utilization.
Related Terms: Explanation of Medicare Benefits
|
Memorandum of Understanding (MOU)
A document providing a general description of the kinds of responsibilities that are to be assumed by two or more parties in their pursuit of some goal(s). More specific information may be provided in an associated SOW.
Related Terms: Statement of Work
|
Minimum Necessary Information: Use or Requests
A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
The minimum necessary requirement is not imposed in any of the following circumstances: (a) disclosure to or a request by a health care provider for treatment; (b) disclosure to an individual who is the subject of the information, or the individual’s personal representative; (c) use or disclosure made pursuant to an authorization; (d) disclosure to HHS for complaint investigation, compliance review or enforcement; (e) use or disclosure that is required by law; or (f) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.
Access and Uses
For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
Disclosures and Requests for Disclosures
Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limit the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.
Reasonable Reliance
If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. Similarly, a covered entity may rely upon requests as being the minimum necessary protected health information from: (a) a public official, (b) a professional (such as an attorney or accountant) who is the covered entity’s business associate, seeking the information to provide services to or for the covered entity; or (c) a researcher who provides the documentation or representation required by the Privacy Rule for research.
|
Minimum Scope of Disclosure
The principle that, to the extent practical, individually identifiable health information should only be disclosed to the extent needed to support the purpose of the disclosure.
|
Minnesota Center for Healthcare Electronic Commerce (MCHEC)
MCHEC is a membership-driven organization whose purpose is to assist the health care industry in adopting standardized electronic commerce solutions to increase efficiency and provide better health care to patients. Assistance is provided by training, standards development, pilot projects and similar efforts. Membership in MCHEC is open to any health care industry organization in Minnesota.
The Minnesota Health Data Institute established MCHEC as a full committee in 1999, and as such, the MCHEC Management Committee is empowered to oversee all MCHEC programs and report to the Board of the Institute.
http://www.mhdi.org/mchec/ Minnesota Health Data Institute
|
Minnesota EDI Healthcare Users Group (MEHUG)
MEHUG is a voluntary group of individuals from health care organizations in Minnesota who meet on a regular basis. The vision of MEHUG is to encourage a smooth unified movement toward industry wide Electronic Data Interchange (EDI) and Electronic Commerce (EC) participation.
|
Minnesota Health Data Institute (MHDI)
A public-private partnership for improving the quality and efficiency of health care in Minnesota. MHDI includes the Minnesota Center for Healthcare Electronic Commerce (MCHEC), which supports the adoption of standards for electronic commerce and also supports the Minnesota EDI Healthcare Users Group (MEHUG).
|
Modification
Refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification. [45 CFR 160.103]
|
Modify
See Modification
|
NCPDP Batch Standard
An NCPDP standard designed for use by low-volume dispensers of pharmaceuticals, such as nursing homes. Use of Version 1.0 of this standard has been mandated under HIPAA.
|
NCPDP Telecommunication Standards
An NCPDP standard designed for use by high-volume dispensers of pharmaceuticals, such as retail pharmacies. Use of Version 5.1 of this standard has been mandated under HIPAA.
|
NUBC EDI Technical Advisory Group (NUBC EDI TAG)
Coordinates issues affecting both the NUBC and the X12 standards.
Related Terms: X-12
|
National Association for Medical Equipment Services (NAMES)
One of the groups that later merged to form the American Association for Homecare
Related Terms: American Association for Homecare
|
National Association of Health Data Organizations (NAHDO)
A group that promotes the development and improvement of state and national health information systems.
|
National Association of Insurance Commissioners (NAIC)
An association of the insurance commissioners of the states and territories.
|
National Association of State Medicaid Directors (NASMD)
An association of state Medicaid directors. NASMD is affiliated with the American Public Human Services Association (APHSA).
|
National Center for Health Statistics (NCHS)
A federal organization within the CDC that collects, analyzes, and distributes health care statistics. The NCHS maintains the ICD-n-CM codes.
Related Terms: International Classification of Diseases
|
National Committee for Quality Assurance (NCQA)
An organization that accredits managed care plans or Health Maintenance Organizations (HMOs). In the future, the NCQA may play a role in certifying these organizations' compliance with the HIPAA A/S requirements.
|
National Committee on Vital and Health Statistics (NCVHS)
A Federal body within HHS which has an important advisory role under HIPAA.
|
National Council for Prescription Drug Programs (NCPDP)
An ANSI-accredited group that maintains a number of standard formats for use by the retail pharmacy industry, some of which are included in the HIPAA mandates.
Related Terms: American National Standards; Standard
|
National Drug Code (NDC)
A medical code set that identifies prescription drugs and some over the counter products, and that has been selected for use in the HIPAA transactions.
|
National Employer ID
A system for uniquely identifying all sponsors of health care benefits.
|
National Health Information Infrastructure (NHII)
This is a healthcare-specific lane on the Information Superhighway, as described in the National Information Infrastructure (NII) initiative. Conceptually, this includes the HIPAA A/S initiatives.
|
National Individual Identifier (NII)
See National Patient ID
|
National Patient ID
A system for uniquely identifying all recipients of health care services. This is sometimes referred to as the National Individual Identifier (NII), or as the Healthcare ID.
|
National Payer ID
A system for uniquely identifying all organizations that pay for health care services. Also known as Health Plan ID, or Plan ID.
|
National Provider File (NPF)
The database envisioned for use in maintaining a national provider registry.
|
National Provider ID
System for uniquely identifying all providers of health care services, supplies, and equipment.
|
National Provider Registry
The organization envisioned for assigning the national provider IDs.
|
National Provider System (NPS)
The administrative system envisioned for supporting a national provider registry.
|
National Standard Format (NSF)
Generically, this applies to any national standard format, but it is often used in a more limited way to designate the Professional EMC NSF, a 320-byte flat file record format used to submit professional claims.
Related Terms: Electronic Media Claims ; Professional EMC NSF
|
National Uniform Billing Committee (NUBC)
An organization, chaired and hosted by the American Hospital Association, that maintains the UB-92 hardcopy institutional billing form and the data element specifications for both the hardcopy form and the 192-byte UB-92 flat file EMC format. The NUBC has a formal consultative role under HIPAA for all transactions affecting institutional health care services.
Related Terms: American Hospital Association; UB-92
|
National Uniform Claim Committee (NUCC)
An organization, chaired and hosted by the American Medical Association, that maintains the HCFA-1500 claim form and a set of data element specifications for professional claims submission via the HCFA-1500 claim form, the Professional EMC NSF, and the X12 837. The NUCC has a formal consultative role under HIPAA for all transactions affecting non-dental non-institutional professional health care services.
|
Non-Medical Code Sets
See Administrative Code Sets.
|
North Carolina Healthcare Information and Communications Alliance (NCHICA)
An organization that promotes the advancement and integration of information technology into the health care industry.
|
Notice of Intent (NOI)
A document that describes a subject area for which the Federal Government is considering developing regulations. It may describe what the government considers to be the relevant considerations, and invite comments from interested parties. These comments can then be used in developing an NPRM or a final regulation.
Related Terms: Comment
|
Notice of Privacy Practices
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.
- Notice Distribution A covered health care provider with a direct treatment relationship with individuals must deliver a privacy practices notice to patients starting April 14, 2003 as follows:
- Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery);
- By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice; and
- In emergency treatment situations, the provider must furnish its notice as soon as practicable after the emergency abates.
Covered entities, whether direct treatment providers or indirect treatment providers (such as laboratories) or health plans must supply notice to anyone on request. A covered entity must also make its notice electronically available on any web site it maintains for customer service or benefits information.
The covered entities in an organized health care arrangement may use a joint privacy practices notice, as long as each agrees to abide by the notice content with respect to the protected health information created or received in connection with participation in the arrangement. Distribution of a joint notice by any covered entity participating in the organized health care arrangement at the first point that an OHCA member has an obligation to provide notice satisfies the distribution obligation of the other participants in the organized health care arrangement.
A health plan must distribute its privacy practices notice to each of its enrollees by its Privacy Rule compliance date. Thereafter, the health plan must give its notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request. A health plan satisfies its distribution obligation by furnishing the notice to the “named insured,” that is, the subscriber for coverage that also applies to spouses and dependents.
- Acknowledgement of Notice Receipt A covered health care provider with a direct treatment relationship with individuals must make a good faith effort to obtain written acknowledgement from patients of receipt of the privacy practices notice. The Privacy Rule does not prescribe any particular content for the acknowledgement. The provider must document the reason for any failure to obtain the patient’s written acknowledgement. The provider is relieved of the need to request acknowledgement in an emergency treatment situation.
Access Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information in a covered entity’s designated record set. The “designated record set” is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following protected health information: psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories. For information included within the right of access, covered entities may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion. Covered entities may impose reasonable, cost-based fees for the cost of copying and postage.
Amendment The Rule gives individuals the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual’s detriment. If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. The Rule specifies processes for requesting and responding to a request for amendment. A covered entity must amend protected health information in its designated record set upon receipt of notice to amend from another covered entity.
Disclosure Accounting Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
The Privacy Rule does not require accounting for disclosures: (a) for treatment, payment, or health care operations; (b) to the individual or the individual’s personal representative; (c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; (d) pursuant to an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or (h) incident to otherwise permitted or required uses or disclosures. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.
Restriction Request Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death. A covered entity is under no obligation to agree to requests for restrictions. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.
Confidential Communications Requirements Health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card.
Health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the protected health information could endanger the individual. The health plan may not question the individual’s statement of endangerment. Any covered entity may condition compliance with a confidential communication request on the individual specifying an alternative address or method of contact and explaining how any payment will be handled.
|
Notice of Proposed Rulemaking (NPRM)
A document that describes and explains regulations that the Federal Government proposes to adopt at some future date, and invites interested parties to submit comments related to them. These comments can then be used in developing a final regulation.
Related Terms: Comment
|
Office for Civil Rights (OCR)
The HHS entity responsible for enforcing the HIPAA privacy rules.
|
Office of Management & Budget (OMB)
A Federal Government agency that has a major role in reviewing proposed Federal regulations.
|
Open System Interconnection (OSI)
A multi-layer ISO data communications standard. Level Seven of this standard is industry-specific, and HL7 is responsible for specifying the level seven OSI standards for the health industry.
|
Organized Health Care Arrangement
- (1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
- (2) An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:
- (i) Hold themselves out to the public as participating in a joint arrangement; and
- (ii) Participate in joint activities that include at least one of the following:
- (A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
- (B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
- (C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
- (3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
- (4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
- (5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.
The Office of Civil Rights offered this clarification:
The Privacy Rule identifies relationships in which participating covered entities share protected health information to manage and benefit their common enterprise as “organized health care arrangements.” Covered entities in an organized health care arrangement can share protected health information with each other for the arrangement’s joint health care operations.
|
PAYERID
HCFA's term for their pre-HIPAA National Payer ID initiative.
|
Password
A Password is confidential authentication information composed of a string of characters.
|
Patient Access to Records
Disclosure and use of health information without consent or authorization is permissible if the disclosure is made only to the patient. Also, for the first time patients receive the right of full access to medical records. The right includes the ability to correct errors or misstatements appearing in the record.
|
Payer
In health care, an entity that assumes the risk of paying for medical treatments. This can be an uninsured patient, a self-insured employer, or a health care plan or HMO.
|
Payment
- (1) The activities undertaken by:
- (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
- (ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
- (2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
- (i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
- (ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
- (iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
- (iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
- (v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
- (vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
- (A) Name and address;
- (B) Date of birth;
- (C) Social security number;
- (D) Payment history;
- (E) Account number; and
- (F) Name and address of the health care provider and/or health plan.
|
Penalties
The rule also creates a system for compliance review by HHS Office of Civil Rights and a system of sanctions ranging from civil penalties of $100 per day to criminal charges, which could lead to prison sentences of up to ten years and fines of up to $250,000.
The penalty for non-compliance with the transactions and code sets is $100 per occurrence up to a maximum of $25,000 per standard per year.
The civil penalties for covered entities that violate the privacy standards are $100 per incident, per year, per standard violated to a maximum of $25,000 per person.
The federal criminal penalties for violation of privacy are:
- Up to $50,000 fine and/or up to one year in prison for obtaining or disclosing protected health information.
- Up to a $100,000 fine and/or up to five years in prison for obtaining protected health information under false pretenses.
- Up to $250,000 fine and/or up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
|
Permitted Use and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
(1) To the Individual A covered entity may disclose protected health information to the individual who is the subject of the information.
(2) Treatment, Payment, Health Care Operations A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See “Treatment, Payment, Health Care Operations”.
- Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
- Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
- Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
Most uses and disclosures of psychotherapy notes for treatment, payment, and health care operations purposes require an authorization as described below. Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.
(3) Uses and Disclosures with Opportunity to Agree or Object Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
- Facility Directories It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on an individual’s informal permission to list in its facility directory the individual’s name, general condition, religious affiliation, and location in the provider’s facility. The provider may then disclose the individual’s condition and location in the facility to anyone asking for the individual by name, and also may disclose religious affiliation to clergy. Members of the clergy are not required to ask for the individual by name when inquiring about patient religious affiliation.
- For Notification and Other Purposes A covered entity also may rely on an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care. This provision, for example, allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
(4) Incidental Use and Disclosure The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule. See “Incidental Uses and Disclosures”.
(5) Public Interest and Benefit Activities The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.
- Required by Law Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).
- Public Health Activities Covered entities may disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law. See OCR “Public Health” Guidance; CDC Public Health and HIPAA Guidance.
- Victims of Abuse, Neglect or Domestic Violence In certain circumstances, covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.
- Health Oversight Activities Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
- Judicial and Administrative Proceedings Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
- Law Enforcement Purposes Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
- Decedents Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
- Cadaveric Organ, Eye, or Tissue Donation Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
- Research “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought. A covered entity also may use or disclose, without an individual’s authorization, a limited data set of protected health information for research purposes (see discussion below). See OCR “Research” Guidance; NIH Protecting PHI in Research.
- Serious Threat to Health or Safety Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
- Essential Government Functions An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.
- Workers’ Compensation Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses. See OCR “Workers’ Compensation” Guidance.
(6) Limited Data Set A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
|
Personal Representative
The Privacy Rule requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual.
The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. For instance, covered entities must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information.
Special case: Minors In most cases, parents are the personal representatives for their minor children. Therefore, in most cases, parents can exercise individual rights, such as access to the medical record, on behalf of their minor children. In certain exceptional cases, the parent is not considered the personal representative. In these situations, the Privacy Rule defers to State and other law to determine the rights of parents to access and control the protected health information of their minor children. If State and other law is silent concerning parental access to the minor’s protected health information, a covered entity has discretion to provide or deny a parent access to the minor’s health information, provided the decision is made by a licensed health care professional in the exercise of professional judgment.
|
Physical Safeguards
Physical Safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
|
Plan ID
See National Payer ID
|
Plan Sponsor
An employer or purchaser who sponsors a group health plan as defined in section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).
A Group Health Plan is an employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that has 50 or more participants or is administered by an entity other than the employer that established and maintains the plan.
|
Policy
Written decisions made by those in authority to direct the actions of others. They generally contain guidelines to govern, and set limits within which individuals are expected to operate.
A policy is an upper-level command as to what should or should not occur. It is not a specific step-by-step outline that someone can follow to complete a task. Instead, the policy operates as a control or command that staff will implement as they see fit. For example, an Internet use policy may declare that the practice logs all Web surfing traffic. The policy does not address how to do this or to what extent; the specifics are up to the staff responsible for the hardware and software that will perform the logging.
A policy is not a step-by-step guideline. It is an upper-level command.
|
Policy Advisory Group (PAG)
A generic name for many work groups at WEDI and elsewhere.
|
Preferred Provider Organization (PPO)
A managed care plan in which you use doctors, hospitals, and providers that belong to the network. You can use doctors, hospitals, and providers outside of the network for an additional cost.
Also, an M+CO coordinated care plan that: (a) has a network of providers that have agreed to a contractually specified reimbursement for covered benefits with the organization offering the plan; (b) provides for reimbursement for all covered benefits regardless of whether the benefits are provided within the network of providers; and (c) is offered by an organization that is not licensed or organized under State law as an HMO. See Social Security Act Section 1852(e)(2)(D), 42 U.S.C. §139w-22(e)(2)(D).
|
Privacy Notice(s)
Each covered entity must develop a health information notice to be made available at a patient’s request describing how it uses and distributes health care information. The notice must also advise that patients have the right to request restrictions on the use or distribution of records. Covered entities, however, are not required to agree to restrict use or distribution. The list that covered entities provide of uses and distribution of health information will be a lengthy one. Reportedly, a model privacy notice developed by the American Hospital Association and listing possible uses of health information covered nine pages.
|
Privacy Official and Contact Person
Covered entities are required to designate an individual as the covered entity's privacy official, responsible for the implementation and development of the entity's privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity's notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed § 164.512, we also proposed to require the covered plan or provider's privacy notice to include the name of a contact person for privacy matters.
The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under § 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to § 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to § 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice.
These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper "Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment." This paper notes that "accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures..." (p. 29)
|
Procedure
Procedures are standardized, documented administrative practices. Basically, they are the step-by-step processes by which policies are implemented.
This typically is a lower-level, detailed instruction set that a computer technician creates to perform a specific function. The technician would establish a procedure to install a program that monitors and detects pornographic Web traffic. Another procedure would be created to manage and review the logs from this program.
Procedures are the step-by-step instructions to meet a defined goal.
|
Procedure Coding System (PCS)
See International Classification of Diseases
Related Terms: International Classification of Diseases
|
Professional EMC NSF
A 320-byte flat file record format used to submit professional claims.
Related Terms: National Standard Format
|
Protected Health Information (PHI)
Individually identifiable health information:
- (1) Except as provided in paragraph (2) of this definition, that is:
  - (i) Transmitted by electronic media;
  - (ii) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
  - (iii) Transmitted or maintained in any other form or medium.
- (2) Protected health information excludes individually identifiable health information in:
  - (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and
  - (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
PHI includes references to not only the patient, but also their relatives, employers, or household members.
The items that constitute PHI:
- Name
- Address
- Phone Numbers
- Fax Number
- Dates (birth, death, admission, discharge, etc.)
- Social Security Number
- E-mail Address
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate or License Numbers
- Vehicle Identifiers and Serial Numbers, including license plate numbers
- Device Identifiers and Serial Numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric Identifiers, including finger and voice prints
- Full Face Photographic Images and any comparable images
- Any other unique identifying number, characteristic, or code
- Patient's Medical History
Exclusion for Employment Records
The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.
|
Provider Sponsored Organization (PSO)
A group of doctors, hospitals, and other health care providers that agree to give health care to Medicare beneficiaries for a set amount of money from Medicare every month. This type of managed care plan is run by the doctors and providers themselves, and not by an insurance company.
|
Provider Taxonomy Codes
A code set for identifying the provider type and area of specialization for all health care providers. A given provider can have several Provider Taxonomy Codes. This code set is used in the X12 278 Referral Certification and Authorization and the X12 837 Claim EDI transactions, and is maintained by the Health Care Provider Taxonomy Committee.
Related Terms: X12 837
|
Psychotherapy Notes
Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.
Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
|
Public Health Authority
An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
|
Public Law (PL, P.L.)
Ex. PL 104-191 (HIPAA).
|
Regenstrief Institute
A research foundation for improving health care by optimizing the capture, analysis, content, and delivery of health care information. Regenstrief maintains the LOINC coding system that is being considered for use as part of the HIPAA claim attachments standard.
|
Required By Law
A mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
|
Research
In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.
Research Use/Disclosure Without Authorization. To use or disclose protected health information without authorization by the research participant, a covered entity must obtain one of the following:
- Documented Institutional Review Board (IRB) or Privacy Board Approval
- Preparatory to Research
- Research on Protected Health Information of Decedents
- Limited Data Sets with a Data Use Agreement
- Research Use/Disclosure With Individual Authorization
- Accounting for Research Disclosures
- Transition Provisions
|
Risk Analysis
A process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.
|
Risk Assessment
Commonly accepted as the process of defining deficiencies or "gaps" in your current security program.
Related Terms: GAP Analysis
|
Risk Management
The process of assessing risk, taking steps to reduce the risk to an acceptable level and maintaining that level of risk.
|
Secretary
The Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated. [45 CFR 160.103]
|
Security
HIPAA health information privacy rules will require staff training, physical and informational security measures, and safeguards for protecting health information. Training must be documented and must be provided to new employees within a reasonable time.
|
Security Incident
Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
|
Security or Security Measures
Security or Security Measures encompass all of the administrative, physical, and technical safeguards in an informational system.
|
Segment
A group of related data elements in a transaction. [45 CFR 162.103]
|
Small Health Plan
1. A health plan with annual receipts of $5 million or less. [45 CFR 160.103]
2. A group health plan with fewer than 50 participants.
HIPAA does not define a "small health plan" but instead leaves the definition to be determined by the Secretary. The Conference Report suggests that the appropriate definition of a "small health plan" is found in current section 2791(a) of the Public Health Service Act, which is a group health plan with fewer than 50 participants.
|
Standard
A prescribed set of rules, conditions, or requirements describing the following information for products, systems, services or practices:
- Classification of components.
- Specification of materials, performance, or operations.
- Delineation of procedures. [45 CFR 160.103]
A standard is a mechanism or process used to implement a policy. For example, if an Internet use policy blocks access to pornography across the entire organization, it would be possible to set up a computer server to detect violations of this policy. A network administrator would have to configure a rule to “block pornography” at each office or point where users can access the Internet. Note that a standard is not a step-by-step instruction set but a standard solution to a policy.
Related Terms: Maintenance; National Council for Prescription Drug Programs
|
Standard Setting Organization (SSO)
An organization accredited by the American National Standards Institute [ANSI] that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part. [45 CFR 160.103]
|
Standard Transaction
A transaction that complies with the applicable standard adopted under this part. [45 CFR 162.103]
|
Standard Transaction Format Compliance System (STFCS)
An EHNAC-sponsored WPC-hosted HIPAA compliance certification service.
See also: EHNAC, WPC
Related Terms: Washington Publishing Company
|
State
Refers to one of the following:
- For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
- For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam. [45 CFR 160.103]
|
State Administrative Codes
See Administrative Code
|
State Uniform Billing Committee (SUBC)
A state-specific affiliate of the NUBC.
|
Statement of Work (SOW)
Document describing the specific tasks and methodologies that will be followed to satisfy the requirements of an associated contract or MOU.
See also: MOU
Related Terms: Memorandum of Understanding
|
Strategic National Implementation Process (SNIP)
A WEDI program for helping the health care industry identify and resolve HIPAA implementation issues.
Related Terms: Workgroup for Electronic Data Interchange
|
Structured Data
Usually refers to data in which the meaning of a given part can be inferred by its location within an overall structure, such as a record layout.
See also: unstructured data.
|
Subcontractor
A person or entity that enters into a subcontract to carry out, assist with the performance of, or perform on behalf of a business associate and thereby assumes some of the obligations of the contract between the business associate and the covered entity.
|
Summary Health Information
Information that summarizes claims history, claims expenses, or types of claims experienced by individuals for whom a plan sponsor provides health benefits that may be individually identified.
|
Technical Safeguards
Technical Safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
|
Third Party Administrator (TPA)
An entity that processes health care claims and performs related business functions for a health plan.
|
Trading Partner Agreement (TPA)
An agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. [45 CFR 160.103]
For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.
|
Training
In § 164.518(b) of the NPRM, covered entities must provide training on the entities' policies and procedures to all members of the workforce likely to have access to protected health information. Each entity would be required to provide initial training by the date on which this rule became applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, we proposed that when a covered entity made material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties were related to the change within a reasonable time of making the change.
The NPRM would have required that, upon completion of the training, the trainee would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity's privacy policies and procedures. Entities would determine the most effective means of achieving this training requirement for their workforce. At least every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity's privacy policies and procedures. The covered entity would have been required to document its policies and procedures for complying with the training requirements.
The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. We do not change the proposed time lines for training existing and new members of the workforce, or for training due to material changes in the covered entity's policies and procedures. HHS eliminated both the requirement for employees to sign a certification following training and the triennial re-certification requirement. Covered entities are responsible for implementing policies and procedures to meet these requirements and for documenting that training has been provided.
|
Transaction
The transmission of information between two parties to carry out financial or administrative activities related to health care. [45 CFR 160.103]
It includes the following types of information transmissions:
- Health care claims or equivalent encounter information.
This transaction may be used to submit health care claim billing information, encounter information, or both, from health care providers to payers, either directly or via intermediary billers and claims clearinghouses.
- Health care payment and remittance advice.
This transaction may be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payment and data).
- Coordination of benefits.
This transaction set can be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the furnishing, billing, and/or payment of health care services within a specific health care/insurance industry segment.
In addition to the nine electronic transactions specified in section 1173(a)(2) of the Act, section 1173(f) directs the Secretary to adopt standards for transferring standard data elements among health plans for coordination of benefits. This particular provision does not state that these should be standards for electronic transfer of standard data elements among health plans. However, we believe that the Congress, when writing this provision, intended for these standards to be an electronic form of transactions for coordination of benefits and sequential processing of claims. The Congress expressed its intent on these matters generally in section 1173(a)(1)(B) of the Act, where the Secretary is directed to adopt "other financial and administrative transactions ... consistent with the goals of improving the operation of the health care system and reducing administrative costs."
- Health care claim status.
This transaction may be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.
- Enrollment and disenrollment in a health plan.
This transaction may be used to establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. A sponsor is the backer of the coverage, benefit, or product. A sponsor can be an employer, union, government agency, association, or insurance company. The health plan refers to an entity that pays claims, administers the insurance product or benefit, or both.
- Eligibility for a health plan.
This transaction may be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber’s policy. It also can be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).
- Health plan premium payments.
This transaction may be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction may also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.
- Referral certification and authorization.
This transaction may be used to transmit health care service referral information between health care providers, health care providers furnishing services, and payers. It can also be used to obtain authorization for certain health care services from a health plan.
- First report of injury.
This transaction may be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.
- Health claims attachments.
This transaction may be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.
- Other transactions that the Secretary may prescribe by regulation.
Under section 1173(a)(1)(B) of the Act, the Secretary may adopt standards, and data elements for those standards, and for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.
|
Transaction Change Request System
A system established under HIPAA for accepting and tracking change requests for any of the HIPAA mandated transactions standards via a single web site.
See http://crs.hipaa.org.
|
Translator
See EDI Translator.
|
Treatment
The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
|
Treatment, Payment & Operations
HIPAA requires a signed patient authorization for release of any protected health information (PHI) except for certain circumstances. (Originally, HIPAA required a signed consent form which was replaced with the Notice of Privacy Practices requirement for normal operational use of PHI.) One broad category of exceptions is for TPO - "Treatment, Payment and healthcare Operations."
The core health care activities of “Treatment,” “Payment,” and “Health Care Operations” are defined in the Privacy Rule at 45 CFR 164.501.
“Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
“Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
“Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
Even though HIPAA does not require a signed consent form for TPO, a clinic can optionally choose to require such a signed form prior to release.
|
UB-82
Uniform institutional claim form developed by the NUBC that was in general use from 1983 - 1993.
|
UB-92
Uniform institutional claim form developed by the NUBC that has been in use since 1993.
Related Terms: Electronic Media Claims; HCFA-1450; National Uniform Billing Committee
|
US Department of Health and Human Services (HHS)
Related Terms: Administrative Simplification
|
Uniform Bill (UB)
UB, as in UB-82 or UB-92.
|
Uniform Claim Form (UCF)
UCF, as in UCF-1500.
|
Uniform Claim Task Force (UCTF)
Organization that developed the initial HCFA-1500 Professional Claim Form. The maintenance responsibilities were later assumed by the NUCC.
|
United Nations Centre for Facilitation of Procedures and Practices for Administration, Commerce, and Transport (UN/CEFACT)
An international organization dedicated to the elimination or simplification of procedural barriers to international commerce.
|
United Nations Rules for Electronic Data Interchange for Administration, Commerce, and Transport (UN/EDIFACT)
An international EDI format. Interactive X12 transactions use the EDIFACT message syntax.
Related Terms: X-12
|
United States Code (USC, U.S.C.)
The United States Code is a consolidation and codification by subject matter of the general and permanent laws of the United States. The Office of the Law Revision Counsel of the U.S. House of Representatives prepares and publishes the US Code pursuant to section 285b of title 2 of the Code.
The Code does not include regulations issued by executive branch agencies, decisions of the Federal courts, treaties, or laws enacted by State or local governments. Regulations issued by executive branch agencies are available in the Code of Federal Regulations. Proposed and recently adopted regulations may be found in the Federal Register.
Related Terms: Code of Federal Regulations; Federal Register
|
Unstructured Data
This term usually refers to data that is represented as free-form text, as an image, etc., where it is not practical to predict exactly what data will appear where.
Compare to: structured data.
|
Use
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
|
User
A User is a person or entity with authorized access.
|
Utah Health Information Network (UHIN)
A public-private coalition for reducing health care administrative costs through the standardization and electronic exchange of health care data.
|
Value-Added Network (VAN)
Vendor of EDI data communications and translation services.
Related Terms: Electronic Data Interchange
|
Virtual Private Network (VPN)
Technical strategy for creating secure connections, or tunnels, over the internet.
|
Waiver of Rights
In the final regulation, but not in the proposed regulation, we provide that a covered entity may not require individuals to waive their rights to file a complaint with the Secretary or their other rights under this rule as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits. This provision ensures that covered entities do not take away the rights that individuals have been provided in Parts 160 and 164.
|
Washington Publishing Company (WPC)
Company that publishes the X12N HIPAA Implementation Guides and the X12N HIPAA Data Dictionary, and that also developed the X12 Data Dictionary.
Related Terms: Standard Transaction Format Compliance System; X-12
|
Welfare Benefit Plan
Any plan, fund, or program which was established or maintained by an employer or by an employee organization, or by both, to the extent that such plan, fund, or program was established or is maintained for the purpose of providing for its participants or their beneficiaries, through the purchase of insurance or otherwise, medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, death or unemployment, or vacation benefits, apprenticeship or other training programs, or day care centers, scholarship funds, or prepaid legal services, or any benefit described in section 302(c) of the Labor Management Relations Act, 1947 (other than pensions on retirement or death, and insurance to provide such pensions).
|
Work Group (WG)
|
Workforce
"Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of a covered entity, whether or not they are paid by the covered entity." [45 CFR 160.103]
|
Workgroup for Electronic Data Interchange (WEDI)
A health care industry group that lobbied for HIPAA A/S, and that has a formal consultative role under the HIPAA legislation.
Related Terms: Strategic National Implementation Process
|
Workstation
A Workstation is an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
|
World Health Organization (WHO)
An organization that maintains the International Classification of Diseases (ICD) code set.
Related Terms: International Classification of Diseases
|
Written Authorization
A patient’s written authorization is required before the use or disclosure of health care information that is not for a "permissible purpose." Generally, this is information received for a purpose that is not treatment, payment or health care operations. For example, a written authorization is needed before a patient’s health information can be included on a list for marketing purposes. Unlike consents, a health care provider cannot refuse treatment if an authorization is not provided or is revoked.
|
Written Consent
Prior written consent to health care providers will be the new starting point before any health care provider can use or disclose protected health information to carry out treatment, payment or health care operations. Information that does not identify the individual is not covered. Consent can be revoked, and exceptions exist, including use or disclosure for medical emergencies, treatment of inmates, public health crisis or disease control. Any health care provider – such as a physician – can, under the rule, condition treatment on obtaining an initial consent or restoring a revoked consent. All patients must be advised that they may review the covered entity’s privacy policy. The consent requirement was added to the final rule after initial comments were filed with HHS. It has drawn criticism for the cost and the complexity of compliance, as well as delaying patient treatment.
|
X-12
An American National Standards Institute (ANSI)-accredited group that defines EDI standards for many American industries, including health care insurance. Most of the electronic transaction standards mandated or proposed under HIPAA are X12 standards.
Related Terms: Data Interchange Standards Association; Draft Standard for Trial Use; Electronic Data Interchange; HIPAA Data Dictionary; Health Care Code Maintenance Committee; Health Care Provider Taxonomy Committee; NUBC EDI Technical Advisory Group; United Nations Rules for Electronic Data Interchange for Administration, Commerce, and Transport; Washington Publishing Company
|
X12 148
X12's First Report of Injury, Illness, or Incident EDI transaction. This standard could eventually be included in the HIPAA mandate.
|
X12 270
X12's Health Care Eligibility & Benefit Inquiry EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 271
X12's Health Care Eligibility & Benefit Response EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 274
X12's Provider Information EDI transaction.
|
X12 275
X12's Patient Information EDI transaction. This transaction is expected to be part of the HIPAA claim attachments standard.
|
X12 276
X12's Health Care Claims Status Inquiry EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 277
X12's Health Care Claim Status Response EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates. This transaction is also expected to be part of the HIPAA claim attachments standard.
|
X12 278
X12's Referral Certification and Authorization EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 811
X12's Consolidated Service Invoice & Statement EDI transaction.
|
X12 820
X12's Payment Order & Remittance Advice EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 831
X12's Application Control Totals EDI transaction.
|
X12 834
X12's Benefit Enrollment & Maintenance EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 835
X12's Health Care Claim Payment & Remittance Advice EDI transaction. Version 4010 of this transaction has been included in the HIPAA mandates.
|
X12 837
X12's Health Care Claim or Encounter EDI transaction. This transaction can be used for institutional, professional, dental, or drug claims. Version 4010 of this transaction has been included in the HIPAA mandates.
Related Terms: Provider Taxonomy Codes
|
X12 997
X12's Functional Acknowledgement EDI transaction.
|
X12 IHCEBI & IHCEBR
X12's Interactive Healthcare Eligibility & Benefits Inquiry (IHCEBI) and Response (IHCEBR) transactions. These are being combined and converted to UN/EDIFACT Version 5 syntax.
|
X12 IHCLME
X12's Interactive Healthcare Claim Transaction.
|
X12 Standard
The term currently used for any X12 standard that has been approved since the most recent release of X12 American National Standards. Since a full set of X12 American National Standards is only released about once every five years, it is the X12 standards that are most likely to be in active use. These standards were previously called Draft Standards for Trial Use.
|
X12/PRB
The X12 Procedures Review Board.
|
X12F
A subcommittee of X12 that defines EDI standards for the financial industry. This group maintains the X12 811 [generic] Invoice and the X12 820 [generic] Payment & Remittance Advice transactions, although X12N maintains the associated HIPAA Implementation Guides.
|
X12J
A subcommittee of X12 that reviews X12 work products for compliance with the X12 design rules.
|
X12N
A subcommittee of X12 that defines EDI standards for the insurance industry, including health care insurance.
|
X12N/SPTG4
The HIPAA Liaison Special Task Group of the Insurance Subcommittee (N) of X12. This group's responsibilities have been assumed by X12N/TG3/WG3.
|
X12N/TG1
The Property & Casualty Task Group (TG1) of the Insurance Subcommittee (N) of X12.
|
X12N/TG2
The Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12.
|
X12N/TG2/WG1
The Health Care Eligibility Work Group (WG1) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 270 Health Care Eligibility & Benefit Inquiry and the X12 271 Health Care Eligibility & Benefit Response EDI transactions, and is also responsible for maintaining the IHCEBI and IHCEBR transactions.
|
X12N/TG2/WG10
The Health Care Services Review Work Group (WG10) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 278 Referral Certification and Authorization EDI transaction.
|
X12N/TG2/WG12
The Interactive Health Care Claims Work Group (WG12) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the IHCLME EDI transaction.
|
X12N/TG2/WG15
The Health Care Provider Information Work Group (WG15) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 274 Provider Information EDI transaction.
|
X12N/TG2/WG19
The Health Care Implementation Coordination Work Group (WG19) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This is now X12N/TG3/WG3.
|
X12N/TG2/WG2
The Health Care Claims Work Group (WG2) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 837 Health Care Claim or Encounter EDI transaction.
|
X12N/TG2/WG3
The Health Care Claim Payments Work Group (WG3) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 835 Health Care Claim Payment & Remittance Advice EDI transaction.
|
X12N/TG2/WG4
The Health Care Enrollments Work Group (WG4) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 834 Benefit Enrollment & Maintenance EDI transaction.
|
X12N/TG2/WG5
The Health Claims Status Work Group (WG5) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 276 Health Care Claims Status Inquiry and the X12 277 Health Care Claim Status Response EDI transactions.
|
X12N/TG2/WG9
The Health Care Patient Information Work Group (WG9) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 275 Patient Information EDI transaction.
|
X12N/TG3
The Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12. TG3 maintains the X12N Business and Data Models and the HIPAA Data Dictionary.
Related Terms: HIPAA Data Dictionary
|
X12N/TG3/WG1
The Property & Casualty Work Group (WG1) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12.
|
X12N/TG3/WG2
The Healthcare Business & Information Modeling Work Group (WG2) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12.
|
X12N/TG3/WG3
The HIPAA Implementation Coordination Work Group (WG3) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12. This was formerly X12N/TG2/WG19 and X12N/SPTG4.
|
X12N/TG3/WG4
The Object-Oriented Modeling and XML Liaison Work Group (WG4) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12.
|
X12N/TG4
The Implementation Guide Task Group (TG4) of the Insurance Subcommittee (N) of X12. This group supports the development and maintenance of X12 Implementation Guides, including the HIPAA X12 IGs.
|
X12N/TG8
The Architecture Task Group (TG8) of the Insurance Subcommittee (N) of X12.
|