Glossary and Terms
- The administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect Electronic Protected Health Information and to manage the conduct of the Health Care Component’s Workforce members in relation to the protection of that information. 45 CFR §164.304
- Data or information is accessible and usable upon demand by an authorized person. 45 CFR § 164.304
- The unauthorized acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the Protected Health Information. A Breach may occur with respect to Protected Health Information in any form, and not only in electronic form.
“Breach” does not include:
(a) Any unintentional acquisition, access, or use of Protected Health Information by a member of the Health Care Component Workforce or by a person acting under authority of the Health Care Component or the Health Care Component’s Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the HIPAA Privacy Rule.
(b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at the Health Care Component or Health Care Component’s Business Associate to another person authorized to access Protected Health Information at the Health Care Component or the Health Care Component’s Business Associate, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by the HIPAA Privacy Rule.
(c) A disclosure of Protected Health Information where the Health Care Component or the Health Care Component’s Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Business Associate Agreement
- A person not a member of any Health Care Component’s Workforce or entity that (i) on behalf of a Health Care Component, creates, receives, maintains or transmits Protected Health Information for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities listed at 42 C.F.R. 3.20, billing, benefit management, practice management, and repricing; or (ii) provides, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a Health Care Component where the provision of the service involves the disclosure of Protected Health Information from such Health Care Component, or from another Business Associate of such Health Care Component to the person. 45 CFR §160.103
- A contract between a Covered Entity (or Hybrid Entity) and its Business Associate governing the uses and disclosures of PHI. In most cases, the Covered Entity and Business Associate will enter into a companion services contract describing the covered functions or activities being performed by the Business Associate, the compensation and other terms of the transaction.
- Ordained or equivalent religious representatives of the community’s faith groups who are not members of an HCC Workforce.
- The property that data or information is not made available or disclosed to unauthorized persons or processes. 45 CFR §164.304
- A Health Plan, Health Care Clearinghouse or Health Care Provider that transmits any Health Information in electronic form in connection with a transaction covered by HIPAA. 45 CFR § 160.103
- Those functions of a Covered Entity the performance of which makes the entity a Health Plan, Health Care Provider, or Health Care Clearinghouse. 45 CFR § 164.103
Designated Record Set
- Information that does not identify an Individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an Individual. The HIPAA Privacy Rule provides two methods for de-identifying PHI, the most common of which is removal of 18 enumerated direct and indirect identifiers. 45 CFR § 164.514(b)(2)(i).
Disaster Recovery Plan
- A Health Care Provider’s medical and billing Records; a Health Plan’s enrollment, payment, claims adjudication and case or medical management Records systems; and any information used, in whole or in part, by or for the covered entity to make decisions about Individuals.
- A plan to protect the people, information, technology, and facilities used to deliver health care. Action plans should be based on risks identified in a risk analysis and typically include administrative, physical, and technical safeguards; policies and procedures; and organizational standards.
- The release, transfer, provision of access to, or divulging in any manner of Protected Health Information by an individual within the Health Care Component to a person or entity outside the Health Care Component.
Electronic Protected Health Information (ePHI)
- (1) Electronic storage media on which data are or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission. 45 CFR § 160.103
Emergency Mode Operations Plan
- The subset of Protected Health Information that is (i) transmitted by Electronic Media; or (ii) maintained in any medium constituting Electronic Media. 45 CFR § 160.103
- Procedures established to enable the continuation of UI business processes and to ensure protection of the security of ePHI while operating in emergency mode.
- Any entity or unit outside the Hybrid Entity.
- Physical premises and the interior and exterior of a building(s). 45 CFR § 164.304
Health Care Clearinghouse
- A publication (in any medium) that contains elements of an Individual’s Protected Health Information, such as name, location in the Facility, the Individual’s general condition, and religion.
Facility Security Plan
A plan that manages physical security for IT resources.
Health Care Component
- A public or private entity that a) processes or facilitates the processing of Health Information received from another entity in a non-standard format or containing non-standard data content into standard data elements or a standard transaction; or b) receives a standard transaction from another entity and processes or facilitates the processing of Health Information into non-standard format or non-standard data content for the receiving entity. 45 CFR § 160.103
Health Care Operations
- A component or combination of components of a Hybrid Entity designated by the Hybrid Entity as component(s) that meet the definition of Covered Entity or Business Associate if such component(s) were separate legal entities. 45 CFR § 164.103; 45 CFR § 164.105(a)(2)(iii)(D)
Health Care Provider
- Business and administrative functions including conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; conducting training programs; accreditation; credentialing; conducing or arranging for medical review, legal services, and auditing functions; business planning and development; and business management and general administrative activities. 45 CFR § 164.501. Health Care Operations do not include research and many marketing and fundraising activities.
- A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. 45 CFR § 160.103
- Any information, including genetic information, whether oral or recorded in any form or medium, that: (1) is created or received by a Health Care Provider, Health Plan, public health authority, employer, life insurer, school or university, or Health Care Clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future payment for the provision of health care to an Individual. 45 CFR § 160.103
- An individual or group plan that provides, or pays the cost of, medical care. 45 CFR § 160.103
- An individual appointed by the head of the Health Care Component who serves in that role for a Health Care Component, with the following responsibilities with respect to that Health Care Component: Work with the Health Care Component head, as defined for the Health Care Component, to identify members of the Health Care Component’s Workforce who engage in activities that involve use of Protected Health Information and assure they are trained; cooperate with the Privacy and Security Official(s) in the development of policies and procedures and other compliance activities; and serve as point of contact for questions, audits and problem resolution regarding the Health Care Component’s compliance with HIPAA.
- A single legal entity: (1) that is a Covered Entity; (2) whose business activities include both covered and non-covered functions; and (3) that designates its Health Care Components. 45 CFR § 164.103
Individually Identifiable Health Information
- The person who is the subject of Protected Health Information.
- Information that is a subset of Health Information, including demographic information collected from an Individual, and that
1. is created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and
2. relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past present or future payment for the provision of health care to an Individual; and
a. identifies the Individual, or
b. with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. 45 CFR § 160.103
Limited Data Set
- The property that data or information has not been altered or destroyed in an unauthorized manner. 45 CFR § 164.304
- Protected Health Information that excludes the 16 direct identifiers set forth at 45 CFR § 164.514(e)(2).
- Making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Marketing does not include a communication made:
(b) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for a patient, only if any financial remuneration received by the Health Care Component in exchange for making the communication is reasonably related to the Health Care Component’s cost of making the communication; or,
(c) For the following Treatment and Health Care Operations purposes where the HCC does not receive any financial remuneration (including direct or indirect payment) in exchange for making the communication:
i. For Treatment of a patient by the Health Care Component-Provider, including case management or care coordination for
the patient, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the patient;
ii. To describe a health-related product or service (or payment for such product or service) that is provided by the Health Care Component, including communications about the entities participating in a Health Care Provider network or Health Plan network, replacement of, or enhancements to, a Health Plan, and health-related products or services available only to a Health Plan enrollee that add value to, but are not part of, a plan of benefits; or
iii. For case management or care coordination, contacting of patients with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of Treatment.
- Networks other than a UI campus network.
- The activities undertaken by:
a. A Health Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Health Plan; and
b. A Health Care Provider or Health Plan to obtain or provide reimbursement for the provision of health care.
Such activities include, but are not limited to:
a. Determinations of eligibility or coverage and the adjudication or subrogation of health benefit claims;
b. Risk adjusting amounts due based on enrollee health status and demographic characteristics;
c. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing;
d. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
e. Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and,
f. Disclosure to consumer reporting agencies certain information relating to collection of premiums or reimbursement. 45 CFR § 164.501
- A person with authority to act on behalf of another individual, including a deceased individual, in making decisions related to health care and/or health care information. 45 CFR § 164.502(g)
- Physical measures, policies and procedures (e.g., locks and identification cards) to protect the Health Care Component’s electronic information systems and related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion. 45 CFR §164.304
Protected Health Information (PHI)
- A person designated by the president of the University who is responsible for the development and implementation of the Hybrid Entity’s HIPAA privacy policies and procedures. The Privacy Official may delegate responsibility for privacy functions unless otherwise indicated. The Privacy Official may also serve as the Security Official if so designated. 45 CFR § 164.530(a)(1)(i)
Public Health Activities
- A subset of Individually Identifiable Health Information that is (a) transmitted by Electronic Media; (b) maintained in any medium constituting Electronic Media; or (c) transmitted or maintained in any other form or medium. 45 CFR §160.103 (Note: Information pertaining to a patient who has been deceased for more than 50 years is no longer Protected Health Information.) Protected Health Information does not include Individually Identifiable Health Information in education records under FERPA or employment records held by a Covered Entity as an employer.
- The activities of public health authorities that are legally authorized to receive Protected Health Information for the purpose of preventing or controlling disease, injury or disability. 45 CFR § 164.512(b)
- Any item, collection or grouping of information that includes Protected Health Information and is maintained, collected, used or disseminated by or for the Covered Entity.
- A systematic investigation including research development, testing and education, designed to develop or contribute to generalizable knowledge. 45 CFR § 164.501
- The process that identifies the security risks to information system security and determines the probability of occurrence and the resulting impact for each Threat/Vulnerability identified given the security controls in place; prioritizes risks; and results in recommended possible actions/controls that could reduce or offset the determined risk.
- A process that prioritizes, evaluates and implements security controls that will reduce or offset the risks determined in the Risk Assessment process to satisfactory levels, given the organization’s mission and available resources.
- UI campus network infrastructure.
- Internal process of reviewing information system access and activity, done on a periodic basis, as a result of a potential breach, in response to a complaint or on suspicion of employee wrongdoing.
- The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. 45 CFR § 164.304
- The person designated by the president of the University who is responsible for the development and implementation of the Hybrid Entity’s HIPAA security policies and procedures. The Security Official may delegate responsibility for security functions unless otherwise
indicated. The Security Official may also serve as the Privacy Official if so designated. 45 CFR § 164.308(a)(2)
- A person or organization to whom a Health Care Component-Business Associate delegates a Business Associate function, activity, or service, other than in the capacity of a member of the Workforce of the Health Care Component. 45 CFR § 160.103
- The technology, policy, and procedures for the use of Electronic Protected Health Information that protect and control access to it. 45 CFR § 160.103
- The potential for a particular threat source to cause loss or to successfully exploit a particular Vulnerability.
- The provision, coordination, or management of health care and related services by one or more Health Care Providers, including the coordination or management of health care by a Health Care Provider with a third party; consultation between Health Care Providers relating to a patient; or the referral of a patient for health care from one Health Care Provider to another. 45 CFR § 164.501
Unsecured Protected Health Information
- A University of Illinois school, college, division, department or other unit.
- Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services. Protected Health Information is deemed “secured” only if it is encrypted or destroyed in accordance with the guidance referenced by Health and Human Services and published by the National Institute of Standards and Testing.
- The employment, application, examination or analysis of Individually Identifiable Health Information by an individual within the Health Care Component or the sharing of Protected Health Information with an individual within the Health Care Component.
- A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and leads to a compromise in the integrity of that system.
- Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for an HCC is under the direct control of the HCC.