Suggested Citation:"Glossary." Institute of Medicine. 2006. Effect of the HIPAA Privacy Rule on Health Research: Proceedings of a Workshop Presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press. doi: 10.17226/11749.

Glossary

Accounting for Disclosures: Information that describes a covered entity’s disclosures of protected health information other than for treatment, payment, and health care operations; disclosures made with Authorization; and certain other limited disclosures.

Authorization: An individual’s written permission to allow a covered entity to use or disclose specified protected health information for a particular purpose.

Business Associate: A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity.


Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.

Covered Functions: Those functions of a covered entity the performance of which makes the entity a health care provider, health plan, or health care clearinghouse under the HIPAA Administrative Simplification Rules.

Data Use Agreement: An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.

Designated Record Set: A group of records maintained by or for a covered entity that is (1) the medical and billing records about individuals maintained by or for a covered health care provider; (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Disclosure: The release, transfer, access to, or divulging of information in any other manner outside the entity holding the information.

Food and Drug Administration (FDA) Protection of Human Subjects Regulations: Regulations intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction (Title 21 CFR, Parts 50 and 56).

Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Health Care Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): This Act requires, among other things, under the Administrative Simplification subtitle, the adoption of standards, including standards for protecting the privacy of individually identifiable health information.

Health Plan: For the purposes of Title II of HIPAA, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) and including entities and government programs listed in the Rule.

Health and Human Services (HHS) Protection of Human Subjects Regulations: Regulations intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS (Title 45 CFR, Part 46).

Hybrid Entity: A single legal entity that is a covered entity, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be business associates of one or more of its health care components, depending on the nature of the relationship.


Individually Identifiable Health Information: Information that is a subset of health information including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Limited Data Set: Refers to protected health information that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual’s Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.

Minimum Necessary: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Unless an exception applies, this standard applies to a covered entity when using or disclosing protected health information or when requesting protected health information from another covered entity. A covered entity that is using or disclosing protected health information for research without Authorization must make reasonable efforts to limit protected health information to the minimum necessary. A covered entity may rely, if reasonable under the circumstances, on documentation of IRB or Privacy Board approval or other appropriate representations and documentation under section 164.512(i) as establishing that the request for protected health information for the research meets the minimum necessary requirements.

Privacy Board: A board that is established to review and approve requests for waivers or alterations of Authorization in connection with a use or disclosure of protected health information as an alternative to obtaining such waivers or alterations from an IRB. A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual’s privacy rights and related interests. The board must include at least one member who is not affiliated with the covered entity, is not affiliated with any entity conducting or sponsoring the research, and is not related to any person who is affiliated with any such entities. A Privacy Board cannot have any member participating in a review of any project in which the member has a conflict of interest.

Protected Health Information: Protected health information is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

  • Health care claims or equivalent encounter information

  • Health care payment and remittance advice

  • Coordination of benefits

  • Health care claim status

  • Enrollment and disenrollment in a health plan

  • Eligibility for a health plan

  • Health-plan premium payments

  • Referral certification and authorization

The HHS Secretary is also required to adopt standards for first report of injury, claims attachment, and other transactions that the HHS Secretary may prescribe by regulation.

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information.


Waiver or Alteration of Authorization: The documentation that the covered entity obtains from a researcher or an IRB or a Privacy Board that states that the IRB or Privacy Board has waived or altered the Privacy Rule’s requirement that an individual must authorize a covered entity to use or disclose the individual’s protected health information for research purposes.

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of the covered entity, whether or not they are paid by the covered entity.


SOURCE: Adapted, slightly modified, from the Glossary in Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule. Posted April 14, 2003 and revised July 13, 2004. Accessed July 11, 2006 at http://privacyruleandresearch.nih.gov/pr_02.asp. Also includes a personal communication to Roger Herdman from Christina Heide, OCR, DHHS, August 3, 2006.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to improve the portability and continuity of health insurance; promote medical savings accounts; improve access to long-term care services and coverage; and simplify the administration of health insurance. HIPAA's Administrative Simplification provisions focus on facilitating the electronic exchange of information for financial and administrative functions related to patient care. However, the very advances that make it easier to transmit information also present challenges to preserving the confidentiality of potentially sensitive personal information contained in medical records. In 2003, the President's Cancer Panel discovered that the HIPAA Privacy Rule slowed research on cancer survivors and caused increased bureaucracy, informed consent problems, and complications for clinical trials. Effect of the HIPAA Privacy Rule on Health Research evaluates the impact of HIPAA provisions and provides guidance to legislators on amendments needed to make this law better serve the interests of cancer survivors and others.
