Privacy and Security Terminology

types of, and reasons for, modification to an entity's established right of access to a terminal, transaction, program, or process.

- A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

- Any other function or activity regulated by this subchapter; or

 

- A person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity (or to or for an organized health care arrangement in which the covered entity participates) where the provision of the service involves the disclosure of individually identifiable health information from such covered entity (or arrangement), or from another business associate of such covered entity (or arrangement), to the person.

- A health plan (as defined in 45 C.F.R. 160.103).

- A health care clearinghouse.

- A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA's Administrative Simplification provisions.

 

event of fire, vandalism, natural disaster, or system failure. (CPRI, 1996c, as cited in HISB, Draft Glossary of Terms Related to Information Security in Health Care Information Systems)

encipherment). An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. (EDI Security, Control, and Audit)

Group Health Plan - An employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise

Guideline - a policy or rule intended to give practical guidance.

 

Health care operations - Any of the following activities (see 45 C.F.R. 164.501) of the covered entity to the extent that the activities are related to covered functions, and:

- Conducting quality assessment and improvement activities;

- Reviewing the competence or qualifications of health care professionals

- Underwriting, premium rating

- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

- Business planning

- Business management and general administrative activities of the entity

HHS or Secretary - the Department of Health and Human Services or the Secretary of Health and Human Services.

 

Health information - Any information, oral or recorded in any medium, that:

- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Hybrid entity - Means a single legal entity that is a covered entity and whose covered functions are not its primary functions.

Implementation Specification - Specific requirements or instructions for implementing a standard.

Individual - The person who is the subject of protected health information.

Individually identifiable health information - Means information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Limited data set - Means protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual identified in 45 C.F.R. 164.514(e).

 

clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. (2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer.

that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

- That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a Plan Sponsor has provided health benefits under a Group Health Plan; and

- From which the identifiers of the individual or of relatives, employers, or household members of the individual specified in 45 C.F.R. 154.504(a), are removed

 

(O'Reilly, 1992) (As cited in HISB, Draft Glossary of Terms Related to Information Security in Health Care Information Systems).