
HIPAA Definitions

The following are definitions of common terms used in the HIPAA regulations. Two guiding concepts run throughout, and understanding them will help you understand the definitions below.

First, HIPAA protects health information, known as Protected Health Information (PHI), that can be associated with a specific person.

Second, HIPAA is known as an exception regulation, meaning that you can use, transfer, or disclose PHI to others in only two circumstances. You must either have the patient’s permission to share the PHI, or you must meet one of the exceptions listed in the regulations. The three most common exceptions are Treatment, Payment, and Operations (TPO). If the use, transfer, or disclosure is for one of these three purposes, then the patient’s authorization is not required.

The following definitions are available on this page. These are simplifications of the actual definitions found in the HIPAA regulations. If you wish to review the official versions, you can find them in the HIPAA Regulation Text.

Authorization

Business Associate

Covered Entity

Designated Record Set

Disclosure

Health Information

Health Plan

Healthcare

Healthcare Clearinghouse

Healthcare Operations

Healthcare Provider

Individually Identifiable Health Information

Notice of Privacy Practices

Payment

Protected Health Information

Treatment

Use

Workforce

Authorization – A covered entity may not use or disclose PHI without a valid authorization from the patient, unless the use or disclosure meets one of the HIPAA exceptions. The authorization must be written in plain language, and a copy must be given to the patient. Among other things, a valid authorization must include a specific description of the PHI to be used or disclosed, the names of the person(s) from whom and to whom the use or disclosure can be made, and the purpose of the use or disclosure. (A more complete list can be found in the Regulation Text.) The actual use or disclosure made by the covered entity must be consistent with the information in the authorization.

Business Associate – A business associate is any person or organization outside of your own organization with which you share PHI in order for them to perform a service for your organization. This includes entities that perform administrative, billing, legal, storage, and other services. Before sharing PHI with a business associate, you must have a business associate agreement in place with that organization or risk monetary penalties. More information on Business Associates is available on the BAA FAQ page. In addition, two decision trees are available that help you determine whether or not your relationship with another entity is a Business Associate relationship. The first decision tree should be used when you are the covered entity, and the second when you may be the business associate of another entity.

Covered Entities – HIPAA applies only to covered entities. A covered entity might be a hospital, a physician practice, or any other provider who transmits health information in electronic form. Insurers and HMOs are also examples of covered entities. The University of Louisville is a covered entity, though of a special type known as a Hybrid Entity. HIPAA generally does not apply to non-covered entities, unless HIPAA is applied to a business associate through a Business Associate Agreement.

Designated Record Set – A designated record set includes all of the records for a particular patient that are created and maintained by or for a covered entity. This includes any record maintained for treatment, billing, and administrative purposes. A record that is created by a provider outside your organization but that is maintained in a file by your organization is included in a designated record set. Any record that falls under this definition and is compiled and maintained by or for a covered entity is covered by HIPAA.

Disclosure – A disclosure occurs any time that you share PHI outside your own covered entity. HIPAA allows disclosure of PHI in only two circumstances: you must have the authorization of the individual to whom the PHI pertains, or you must meet a HIPAA exception. The three most common exceptions are when the disclosure is for treatment, payment, or operational purposes. Note that even when a disclosure fits under a HIPAA exception, if the receiver obtains the PHI in order to perform a service for your organization, a business associate agreement must be in place before the PHI is disclosed. If you are unsure whether a particular disclosure is permissible under HIPAA, please contact the privacy office for guidance.

Health Information – Health information is broadly defined and includes any health information that pertains to a particular individual. The health information does not have to be created by your own hospital or physician practice group, because health information is also created by employers, universities, public health officials, and other organizations. In addition to written information, oral information is also included in this definition, so what you say about someone’s PHI is subject to HIPAA.

Health Plan – A health plan is any group health insurance plan and includes all private healthcare insurers and HMOs, as well as public programs such as Medicaid and Medicare, federal and state employee benefits programs, and military and Veterans Administration programs.

Healthcare – Healthcare is broadly defined and includes any care, service, or supply related to the mental or physical health of an individual. Some examples are physician and hospital encounters, diagnostic procedures, and pharmaceutical transactions.

Healthcare Clearinghouse – A healthcare clearinghouse is a third-party organization that facilitates transactions between healthcare providers and insurers. PHI is typically disclosed in this process. Such a disclosure is permissible under the HIPAA payment exception. Healthcare clearinghouses are covered entities.

Healthcare Operations – Healthcare operations is one of the three most commonly used exceptions under HIPAA that allow individuals to use and disclose PHI without an authorization. Examples of healthcare operations are activities dealing with internal quality review, planning, and cost management; professional accreditation; underwriting; operational support; business planning; and business management.

Healthcare Provider – A healthcare provider includes both individuals and their organizations, such as a hospital or physician practice. A provider furnishes, bills, or is paid for healthcare services or supplies and may have access to PHI when performing their duties in the normal course of business. Some examples are physicians, nurses, practice managers, and administrative staff.

Individually Identifiable Health Information (IIHI) – HIPAA protects individually identifiable health information. Health information is individually identifiable if you can tell, or could figure out, to whom it refers by looking at it. Common identifiers include name, address, and social security number, but may also include date of birth, Zip Code, or county location. If the information is not individually identifiable, such as healthcare research information that only identifies a particular population, not individuals, then it is not protected by HIPAA. In research, this can get complicated, and further inquiry should be made when seeking a determination on a small population. IIHI only becomes PHI when a covered entity creates, receives, or maintains the information.

Notice of Privacy Practices (NPP) – The NPP is a document that tells patients how you may use and disclose their PHI and also informs patients of their legal rights regarding their PHI. Every entity that directly provides a healthcare service to the patient must provide a written copy of the NPP and obtain the patient’s written acknowledgement of receipt of the NPP. Several elements are required in order for the NPP to be valid; these can be found in the Regulation Text, and an NPP template is also available.

Payment – Payment is one of the three most common exceptions to HIPAA. A covered entity may exchange PHI with another organization if the disclosure is for payment purposes. Payment refers to any activity related to obtaining payment for healthcare services. Most often, this relates to transactions between the healthcare provider and the insurer, but it also includes eligibility determinations and claims management.

Protected Health Information – PHI is any individually identifiable health information that is created, transmitted, or maintained by a covered entity. If the information is individually identifiable and is health information, then it is protected by HIPAA.

Treatment – Treatment is one of the three most common exceptions to HIPAA. PHI can be disclosed between providers without an authorization if the transfer is for treatment purposes. Commonly, this occurs when a healthcare provider consults with another healthcare provider about a particular patient or when a patient is referred to a different healthcare provider.

Use – “Use” refers to any occurrence where individually identifiable health information is utilized within the entity that maintains the information. Some examples include a physician sharing information with an office nurse and a practice plan’s coder discussing a diagnosis with a physician. The second example would instead be a disclosure if the coder or the coder’s company is under contract to the covered entity rather than an employee of it.

Workforce - The workforce at a covered entity includes employees, residents, volunteers, students, and other persons that carry out the tasks and duties of the covered entity.  It does not matter whether the individual is paid by the covered entity, as long as the covered entity controls their activities that involve PHI. 
