Healthcare professionals must understand these key terms, because the passage of HIPAA created new language and abbreviations that must be mastered.
HIPAA- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that gives individuals rights over their health information. HIPAA is a set of rules that limits who can access health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.[3]
PHI- Protected Health Information (PHI) is health information that identifies a patient or client, such as past, present, or future diagnoses, conditions, outcomes, care plans, and billing statements. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act.[4]
ePHI- Protected Health Information in electronic form. Examples include online billing systems, electronic medical records, a server holding health insurance enrollments, and a case manager's laptop with patient assessment records.
IIHI- Individually Identifiable Health Information (IIHI) is any information that can be linked to a patient or client, such as demographics, social security numbers, diagnoses, zip codes, and email addresses.
PTO- Payment, treatment, and healthcare operations (PTO) are the three areas where PHI can be disclosed. Treatment refers to providing, managing, and coordinating care. Payment includes various activities related to billing, utilization review, and coverage determination. Operations cover maintaining medical records, exchange of data for care coordination, and billing.
Business Associate- A business associate is an entity or person who has access to the Protected Health Information (PHI) or ePHI of a covered entity. The business associate agreement is the written document that outlines each party's responsibilities to protect PHI. Examples of business associates include companies that process claims for hospitals or physician practices, utilization review companies, case management companies, and quality improvement organizations.
Office of Civil Rights (OCR) is a branch of the Health and Human Services Department (HHS) that investigates HIPAA allegations and imposes fines and penalties.
Covered Entity is any business or individual that has access to Protected Health Information (PHI). Covered entities include health plans, case management companies, medical research organizations, medical record copy services, and billing companies.
Risk Analysis/Assessment- An entity's written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its protected data. A risk management plan outlines the protections and measures that counter those risks. Both the risk analysis and the risk management plan are cost-effective compliance mechanisms.
Technical Safeguards are electronic security measures that covered entities use to secure ePHI. This can include following policies and procedures that protect and control access to ePHI.
Security Rules- "Security Rules" is the common name for the Security Standards for the Protection of Electronic Protected Health Information. The Security Rules are found at 45 CFR Part 160 and Part 164, Subparts A and C.