HIPAA COMPLIANCE
HIPAA Terms and Definitions - Biometrics Direct
PROTECTING THE PRIVACY OF
PATIENTS' HEALTH INFORMATION - US Dept of Health and Human
Services
HIPAA History: Public Law No. 104-191 (Aug. 21, 1996)
On August 21, 1996, the United States Congress enacted the
Health Insurance Portability and Accountability Act (“HIPAA”),
now codified at 42 USC § 201 et seq. (42 U.S.C. 1320d-2). HIPAA
Administrative Simplification is divided into three key
standards: Code sets, Privacy, and Security. Each of the above
standards has its own implementation date: Code sets (10-16-02),
Privacy (4-16-03), & Security (4-21-05). OJA will make every
reasonable effort to be compliant with these key standards by
the assigned date or will request an extension when possible.
The Office of Juvenile Affairs is a covered entity required
to conform with HIPAA guidelines for two reasons:
- The agency bills under Title XIX electronically; and
- Pursuant to HIPAA standards, OJA is considered to be a
health care provider.
Full HIPAA regulations can be found in the Code of Federal
Regulations (CFR) Title 45 – Public Welfare Subtitle A
Department of Health and Human Services, Subchapter C
Administrative data requirements, Part 160 - General
Administrative requirements, & Part 162, and Part 164. (45 CFR §
160, 162 & 164 link)
HIPAA Terms and Definitions
Accounting for
Disclosures: Upon request, a covered entity must
provide the individual with an accounting of each disclosure by
date, the Protected Health Information (PHI) disclosed, the
identity of the recipient of the PHI, and the disclosure.
However, where the covered entity has, during the accounting
period, made multiple disclosures to the same recipient for the
same purpose, the Privacy rule provides for a simplified means
of accounting. In such cases, the covered entity need only
identify the recipient of such repetitive disclosures, the
purpose of the disclosure, and describe the PHI routinely
disclosed. The date of each disclosure need not be tracked.
Rather, the accounting may include the date of the first and
last such disclosure during the accounting period, and a
description of the frequency of such disclosures. A covered
entity is not required to account for all disclosures of PHI. An
accounting is not required for disclosures made:
- Prior to the covered entity's compliance date;
- For Treatment, Payment and Healthcare Operation (TPO)
purposes;
- To the individual or pursuant to the individual's written
authorization; or
- As part of a limited data set.
Act means the HIPAA Act - Code of
Federal Regulations (CFR) Title 45 – Public Welfare Subtitle A
ANSI: American National Standards
Institute.
Authorization:
- Allows use/disclosure of protected health information
(PHI) for purposes beyond treatment, payment, or health care
operations (T.P.O.).
- A form to release information other than TPO. It must be
signed by the individual and their personal representative
and must be specific to each request for information. The
form must identify the person or group who will be
authorized to receive the information.
Business Associate (BA):
A person or organization that performs a function or activity on
behalf of a covered entity, but is not part of the covered
entity's workforce. A business associate can also be a covered
entity in its own right. Also see Part II, 45 CFR 160.103.
CFR: Code of Federal Regulations:
The codification of the general and permanent rules published in
the Federal Register by the executive departments and agencies
of the Federal Government, divided into 50 titles that represent
broad areas subject to Federal regulation, with each volume of
the CFR updated once each calendar year and issued quarterly.
HIPAA is part of 45 CFR.
Compliance Date: The
date by which a covered entity must comply with a standard,
implementation specification, requirement, or modification
adopted under this subchapter. The guidance outlines CMS'
approach to enforcement of the TCS provisions and reiterates
what officials have been saying all along: "October 16, 2003 is
the deadline... (a)fter that date, covered entities, including
health plans, may not conduct noncompliant transactions" and
"CMS will focus on obtaining voluntary compliance and use a
complaint-driven approach for enforcement...".
CMS: Centers for Medicare and
Medicaid Services (HCFA prior to July 1, 2001)
Consent: Allows a provider to
use/disclose PHI for Treatment, payment, or health care
operations (T.P.O.).
Correctional
Institutions: Any penal or correctional facility, jail,
reformatory, detention center, work farm, halfway house, or
residential community program center operated by, or under
contract to, the United States, a state, a territory, a
political subdivision of a state or territory, or an Indian
tribe, for the confinement or rehabilitation of a person charged
with or convicted of a criminal offense or other persons held in
lawful custody. Other persons held in lawful custody include
juvenile offenders adjudicated delinquent, aliens detained
awaiting deportation, persons committed to mental institutions
through the criminal justice system, witnesses, or others
awaiting charges or trial. (45 CFR §164.501)
Covered Entity (CE):
Under HIPAA, this is a health plan, a health care clearinghouse,
or a health care provider who transmits any health information
in electronic form in connection with a HIPAA transaction. Also
see Part II, 45 CFR 160.103.
Covered Function:
Functions that make an entity a health plan, a health care
provider, or a health care clearinghouse. Also see Part II, 45
CFR 164.501.
Data Element: Under HIPAA,
this is the smallest named unit of information in a transaction.
Also see Part II, 45 CFR 162.103.
Disclosure: Release or
divulgence of information by an entity to persons or
organizations outside of that entity. Also see Part II, 45 CFR
164.501.
Disclosure: When one entity
or agency provides PHI to another entity or agency.
HCFA: Health Care Financing
Administration within the Department of Health and Human
Services. Now CMS.
Healthcare Operations:
Any of the following activities of the covered entity to the
extent that the activities are related to covered functions:
- Conducting quality assessment and improvement
activities, population-based activities, and related
functions that do not include treatment;
- Reviewing the competence or qualifications of health
care professionals, evaluating practitioner, provider, and
health plan performance, conducting training programs where
students learn to practice or improve their skills as
health-care providers, training of non-health-care
professionals, accreditation, certification, licensing, or
credentialing activities;
- Underwriting, premium rating, and other activities
relating to the creation, renewal or replacement of a
contract of health insurance or benefits;
- Conducting or arranging for medical review, legal
services, and auditing functions, including fraud and abuse
detection and compliance programs;
- Business planning and development, such as conducting
cost-management and planning-related analyses related to
managing and operating the entity, including formulary
development and administration, development or improvement
of methods of payment or coverage policies; and
- Business management and general administrative
activities of the entity. [45 CFR 164.501]
Health Information:
Any information whether oral or recorded in any form or medium
that:
- Is created or received by a health care provider, health
plan, public health authority, employer, life insurer,
school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or
mental health or condition of an individual; the provision
of health care to an individual; or the past, present, or
future payment for the provision of health care to an
individual. (45 CFR §160.103)
Health Insurance Portability and Accountability Act of
1996 (HIPAA): A Federal law that makes a
number of changes that have the goal of allowing persons to
qualify immediately for comparable health insurance coverage
when they change their employment relationships. Title II,
Subtitle F, of HIPAA gives DHHS the authority to mandate the use
of standards for the electronic exchange of health care data; to
specify what medical and administrative code sets should be used
within those standards; to require the use of national
identification systems for health care patients, providers,
payers (or plans), and employers (or sponsors); and to specify
the types of measures required to protect the security and
privacy of personally identifiable health care information. Also
known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy
Bill, K2, or Public Law 104-191.
Health Plan: An individual
or group plan that provides, or pays the cost of, medical care
(as defined in section 2791(a)(2) of the PHS Act, 42 USC
300gg-91(a)(2)). (45 CFR §160.103)
- Health plan includes the following, singly or in
combination:
- A group health plan, health insurance issuer, or a
HMO.
- Part A or B of the Medicare program under Title
XVIII of the Act.
- The Medicaid program under Title XIX of the Act, 42
U.S.C. 1396, et seq.
- An issuer of a Medicare supplemental policy (as
defined in section 1882(g)(1) of the Act, 42 U.S.C.
1395ss(g)(1)).
- An employee welfare benefit plan or any other
arrangement that is established or maintained for the
purpose of offering or providing health benefits to the
employees of two or more employers.
- The Indian Health Service program under Indian
Health Care Improvement Act, 25 USC 1601, et seq.
- An approved state, child health plan under Title XIX
of the Act, providing benefits for child health
assistance that meet the requirements of section 2103 of
the Act, 42 USC 1397, et seq.
- Any other individual or group plan, or combination
of individual or group plans, that provides or pays for
the cost of medical care (as defined in section
2791(a)(2) of the PHS Act, 42 USC 300gg-91(a)(2)).
Hybrid Entity: A covered
entity whose covered functions are not its primary functions.
Also see Part II, 45 CFR 164.504.
Individually Identifiable Health Information (IIHI):
Information that is a subset of health information, including
demographic information collected from an individual. It is
information that is created or received by a covered entity and
relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health
care to an individual; or the past, present, or future payment
for the provision of health care to an individual. This is
information that identifies the individual or with respect to
which there is a reasonable basis to believe the information can
be used to identify the individual. (45 CFR §160.103)
Marketing: To make a
communication about a product or service a purpose of which is
to encourage recipients of the communication to purchase or use
the product or services. It does not include communications made
by a health care provider to an individual as part of the
treatment of that individual. (45 CFR §164.501)
Minimum Necessary
Disclosure: The Privacy Rule stipulates that covered
entities limit the amount of information disclosed to the
minimum necessary to achieve the specified goal [45 CFR
164.514(d)(1)]. This requirement would not apply if the
disclosure were required by law, authorized by the individual,
or for treatment purposes.
Payment:
The activities undertaken by:
- A health plan to obtain premiums or to determine or
fulfill its responsibility for coverage and provision of
benefits under the health plan; or
- A health-care provider or health plan to obtain or
provide reimbursement for the provision of health care; and
- The activities relate to the individual to whom
health care is provided and include, but are not limited
to:
- Determinations of eligibility or coverage and
adjudication or subrogation of health benefit
claims;
- Risk adjusting amounts due based on enrollee
health status and demographic characteristics;
- Billing, claims management, collection
activities, obtaining payment under a contract for
reinsurance (including stop-loss insurance) and
related health-care services with respect to medical
necessity, coverage under a health plan,
appropriateness of care, or justification of
charges;
- Utilization review activities, including
pre-certification and preauthorization of services,
concurrent and retrospective review of services; and
- Disclosure to consumer reporting agencies of any
of the following protected health information
relating to collection of premiums or reimbursement:
- Name and address;
- Date of birth;
- Social security number;
- Payment history;
- Account number; and
- Name and address of the health-care provider
or health plan.
Personal Representative:
An individual who has assumed the care of a minor or an adult,
or may have the authority to act on behalf of a deceased
individual or his or her estate. (45 CFR §164.502 (G))
Protected Health
Information (PHI): PHI is individually identifiable
health information that is transmitted by, or maintained in,
electronic media or any other form or medium. This information
must relate to
- The past, present, or future physical or mental health,
or condition of an individual;
- Provision of health care to an individual; or
- Payment for the provision of health care to an
individual.
- If the information identifies or provides a reasonable
basis to believe it can be used to identify an individual,
it is considered individually identifiable health
information. See Part II, 45 CFR 164.501.
Privacy Notice: explains
to the clients how their health information will be treated and
protected. It explains the Patient’s Rights as set forth in
HIPAA. (45 CFR §164.520)
Psychotherapy Notes:
Notes recorded (in any medium) by a health care provider who is
a mental health professional documenting and analyzing the
contents of conversations during a private counseling session or
a group, joint, or family counseling session and that are
separated from the rest of the individual’s medical record. (See
also 45 CFR §164.501)
Research: A systematic
investigation, including research development, testing and
evaluation, designed to develop or contribute to generalized
knowledge. (45 CFR §164.501)
Small Health Plan:
Health plan with annual receipts of $5 million or less.
T.P.O.: Treatment, Payment, and
Health Care Operations.
Tracking disclosures:
see Accounting for Disclosures
Treatment: is the provision,
coordination, or management of health care and related services
by one or more health care providers, including the coordination
or management of health care by a health care provider with a
third party; consultation between health care providers relating
to a patient; or the referral of a patient for health care from
one health care provider to another.
Use: With respect to individually
identifiable health information, the sharing, employment,
application, utilization, examination, or analysis of such
information within an entity that maintains such information.
(45 CFR §164.501)
Workforce: Under HIPAA, this
means employees, volunteers, trainees, and other persons under
the direct control of a covered entity, whether or not they are
paid by the covered entity. Also see Part II, 45 CFR 160.103.