Glossary

Accounting for Disclosures: Information that describes a covered entity’s disclosures of protected health information other than for treatment, payment, and health care operations; disclosures made with Authorization; and certain other limited disclosures.

Authorization: An individual’s written permission to allow a covered entity to use or disclose specified protected health information for a particular purpose.

Business Associate: A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Effect of the HIPAA Privacy Rule on Health Research: Proceedings of a Workshop Presented to the National Cancer Policy Forum

Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.

Covered Functions: Those functions of a covered entity the performance of which makes the entity a health care provider, health plan, or health care clearinghouse under the HIPAA Administrative Simplification Rules.

Data Use Agreement: An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.

Designated Record Set: A group of records maintained by or for a covered entity that is (1) the medical and billing records about individuals maintained by or for a covered health care provider; (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Disclosure: The release, transfer, access to, or divulging of information in any other manner outside the entity holding the information.

Food and Drug Administration (FDA) Protection of Human Subjects Regulations: Regulations intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction (Title 21 CFR, Parts 50 and 56).

Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Health Care Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): This Act requires, among other things, under the Administrative Simplification subtitle, the adoption of standards, including standards for protecting the privacy of individually identifiable health information.

Health Plan: For the purposes of Title II of HIPAA, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) and including entities and government programs listed in the Rule.

Health and Human Services (HHS) Protection of Human Subjects Regulations: Regulations intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS (Title 45 CFR, Part 46).

Hybrid Entity: A single legal entity that is a covered entity, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be business associates of one or more of its health care components, depending on the nature of the relationship.

Individually Identifiable Health Information: Information that is a subset of health information including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Limited Data Set: Refers to protected health information that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual’s Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.

Minimum Necessary: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Unless an exception applies, this standard applies to a covered entity when using or disclosing protected health information or when requesting protected health information from another covered entity. A covered entity that is using or disclosing protected health information for research without Authorization must make reasonable efforts to limit protected health information to the minimum necessary. A covered entity may rely, if reasonable under the circumstances, on documentation of IRB or Privacy Board approval or other appropriate representations and documentation under section 164.512(i) as establishing that the request for protected health information for the research meets the minimum necessary requirements.

Privacy Board: A board that is established to review and approve requests for waivers or alterations of Authorization in connection with a use or disclosure of protected health information as an alternative to obtaining such waivers or alterations from an IRB. A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual’s privacy rights and related interests. The board must include at least one member who is not affiliated with the covered entity, is not affiliated with any entity conducting or sponsoring the research, and is not related to any person who is affiliated with any such entities. A Privacy Board cannot have any member participating in a review of any project in which the member has a conflict of interest.

Protected Health Information: Protected health information is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

Health care claims or equivalent encounter information
Health care payment and remittance advice
Coordination of benefits
Health care claim status
Enrollment and disenrollment in a health plan
Eligibility for a health plan
Health-plan premium payments
Referral certification and authorization

The HHS Secretary is also required to adopt standards for first report of injury, claims attachment, and other transactions that the HHS Secretary may prescribe by regulation.

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information.

Waiver or Alteration of Authorization: The documentation that the covered entity obtains from a researcher or an IRB or a Privacy Board that states that the IRB or Privacy Board has waived or altered the Privacy Rule’s requirement that an individual must authorize a covered entity to use or disclose the individual’s protected health information for research purposes.

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of the covered entity, whether or not they are paid by the covered entity.

SOURCE: Adapted and slightly modified from the Glossary in Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule. Posted April 14, 2003 and revised July 13, 2004. Accessed July 11, 2006 at http://privacyruleandresearch.nih.gov/pr_02.asp. Also includes a personal communication to Roger Herdman from Christina Heide, OCR, DHHS, August 3, 2006.