Glossary and Terms
Administrative Safeguards
The administrative actions, policies and procedures to manage the selection, development,
implementation and maintenance of security measures to protect Electronic Protected Health
Information and to manage the conduct of the Health Care Component’s Workforce members in
relation to the protection of that information. 45 CFR §164.304.
Availability
Data or information is accessible and usable upon demand by an authorized person. 45 CFR §
164.304
Breach
The unauthorized acquisition, access, use, or disclosure of Protected Health Information in
a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of
the Protected Health Information. A Breach may occur with respect to Protected Health
Information in any form, and not only in electronic form.
“Breach” does not include:
- (a) Any unintentional acquisition, access, or use of Protected Health Information by a
member of the Health Care Component Workforce or by a person acting under authority of the
Health Care Component or the Health Care Component’s Business Associate, if such
acquisition, access, or use was made in good faith and within the scope of authority and
does not result in further use or disclosure in a manner not permitted by the HIPAA Privacy
Rule.
- (b) Any inadvertent disclosure by a person who is authorized to access Protected Health
Information at the Health Care Component or Health Care Component’s Business Associate to
another person authorized to access Protected Health Information at the Health Care
Component or the Health Care Component’s Business Associate, and the information received as
a result of such disclosure is not further used or disclosed in a manner not permitted by
the HIPAA Privacy Rule.
- (c) A disclosure of Protected Health Information where the Health Care Component or the
Health Care Component’s Business Associate has a good faith belief that an unauthorized
person to whom the disclosure was made would not reasonably have been able to retain such
information.
Business Associate
A person or entity, other than a member of a Health Care Component’s Workforce, that (i) on
behalf of a Health Care Component, creates, receives, maintains or transmits Protected Health
Information for a function or activity regulated by HIPAA, including claims processing or
administration, data analysis, processing, or administration, utilization review, quality
assurance, patient safety activities listed at 42 C.F.R. 3.20, billing, benefit management,
practice management, and repricing; or (ii) provides legal, actuarial, accounting,
consulting, data aggregation, management, administrative, accreditation, or financial
services to or for a Health Care Component, where the provision of the service involves the
disclosure of Protected Health Information from such Health Care Component, or from another
Business Associate of such Health Care Component, to the person. 45 CFR §160.103.
Business Associate Agreement
A contract between a Covered Entity (or Hybrid Entity) and its Business Associate governing
the uses and disclosures of PHI. In most cases, the Covered Entity and Business Associate
will enter into a companion services contract describing the covered functions or activities
being performed by the Business Associate, the compensation and other terms of the
transaction. See the U of I Standard BAA.
Clergy
Ordained or equivalent religious representatives of the community’s faith groups who are not
members of an HCC Workforce.
Confidentiality
The property that data or information is not made available or disclosed to unauthorized
persons or processes. 45 CFR §164.304.
Covered Entity
A Health Plan, Health Care Clearinghouse or Health Care Provider that transmits any Health
Information in electronic form in connection with a transaction covered by HIPAA. 45 CFR §
160.103.
Covered Functions
Those functions of a Covered Entity the performance of which makes the entity a Health Plan,
Health Care Provider, or Health Care Clearinghouse. 45 CFR § 164.103.
De-identified Information
Information that does not identify an Individual and with respect to which there is no
reasonable basis to believe that the information can be used to identify an Individual. The
HIPAA Privacy Rule provides two methods for de-identifying PHI: a documented determination
by a qualified expert that the risk of re-identification is very small (45 CFR §
164.514(b)(1)), and the more commonly used "safe harbor" method, which requires removal of 18
enumerated direct and indirect identifiers (listed under PHI Identifiers below) and no actual
knowledge that the remaining information could be used to identify the Individual. 45 CFR §
164.514(b)(2).
Designated Record Set
A Health Care Provider’s medical and billing Records; a Health Plan’s enrollment, payment,
claims adjudication and case or medical management Records systems; and any information
used, in whole or in part, by or for the covered entity to make decisions about Individuals.
Disaster Recovery Plan
A plan to protect the people, information, technology, and facilities used to deliver health
care. Action plans should be based on risks identified in a risk analysis and typically
include administrative, physical, and technical safeguards; policies and procedures; and
organizational standards.
Disclosure
The release, transfer, provision of access to, or divulging in any manner of Protected
Health Information by an individual within the Health Care Component to a person or entity
outside the Health Care Component.
Electronic Media
- (1) Electronic storage media on which data are or may be recorded electronically, including,
for example, devices in computers (hard drives) and any removable/transportable digital
memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
- (2) Transmission media used to exchange information already in electronic storage media.
Transmission media include, for example, the Internet, extranet or intranet, leased lines,
dial-up lines, private networks, and the physical movement of removable/transportable
electronic storage media. Certain transmissions, including of paper, via facsimile, and of
voice, via telephone, are not considered to be transmissions via electronic media if the
information being exchanged did not exist in electronic form immediately before the
transmission. 45 CFR § 160.103.
Electronic Protected Health Information (ePHI)
The subset of Protected Health Information that is (i) transmitted by Electronic Media; or
(ii) maintained in any medium constituting Electronic Media. 45 CFR § 160.103.
Emergency Mode Operations Plan
Procedures established to enable the continuation of UI business processes and to ensure
protection of the security of ePHI while operating in emergency mode.
External Entity
Any entity or unit outside the Hybrid Entity.
Facility
Physical premises and the interior and exterior of a building(s). 45 CFR § 164.304.
Facility Directory
A publication (in any medium) that contains elements of an Individual’s Protected Health
Information, such as name, location in the Facility, the Individual’s general condition, and
religion.
Facility Security Plan
A plan that manages physical security for IT resources.
Health Care Clearinghouse
A public or private entity that a) processes or facilitates the processing of Health
Information received from another entity in a non-standard format or containing non-standard
data content into standard data elements or a standard transaction; or b) receives a
standard transaction from another entity and processes or facilitates the processing of
Health Information into non-standard format or non-standard data content for the receiving
entity. 45 CFR § 160.103.
Health Care Component
A component or combination of components of a Hybrid Entity designated by the Hybrid Entity
as component(s) that meet the definition of Covered Entity or Business Associate if such
component(s) were separate legal entities. 45 CFR § 164.103; 45 CFR § 164.105(a)(2)(iii)(D).
Health Care Operations
Business and administrative functions including conducting quality assessment and
improvement activities; reviewing the competence or qualifications of health care
professionals; conducting training programs; accreditation; credentialing; conducting or
arranging for medical review, legal services, and auditing functions; business planning and
development; and business management and general administrative activities. 45 CFR §
164.501. Health Care Operations do not include research and many marketing and fundraising
activities.
Health Care Provider
A provider of medical or health services and any other person or organization who furnishes,
bills, or is paid for health care in the normal course of business. 45 CFR § 160.103.
Health Information
Any information, including genetic information, whether oral or recorded in any form or
medium, that:
- (1) is created or received by a Health Care Provider, Health Plan, public
health authority, employer, life insurer, school or university, or Health Care
Clearinghouse; and
- (2) relates to the past, present, or future physical or mental health or
condition of an Individual; the provision of health care to an Individual; or the past,
present, or future payment for the provision of health care to an Individual. 45 CFR §
160.103.
Health Plan
An individual or group plan that provides, or pays the cost of, medical care. 45 CFR §
160.103.
HIPAA Liaison
An individual appointed by the head of the Health Care Component who serves in that role for
a Health Care Component, with the following responsibilities with respect to that Health
Care Component: Work with the Health Care Component head, as defined for the Health Care
Component, to identify members of the Health Care Component’s Workforce who engage in
activities that involve use of Protected Health Information and assure they are trained;
cooperate with the Privacy and Security Official(s) in the development of policies and
procedures and other compliance activities; and serve as point of contact for questions,
audits and problem resolution regarding the Health Care Component’s compliance with HIPAA.
Hybrid Entity
A single legal entity: (1) that is a Covered Entity; (2) whose business activities include
both covered and non-covered functions; and (3) that designates its Health Care Components.
45 CFR § 164.103.
Individual
The person who is the subject of Protected Health Information.
Individually Identifiable Health Information
Information that is a subset of Health Information, including demographic information
collected from an Individual, and that
- is created or received by a Health Care Provider, Health Plan, employer, or Health Care
Clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an
Individual; the provision of health care to an Individual; or the past, present, or future
payment for the provision of health care to an Individual; and
- identifies the Individual, or with respect to which there is a reasonable basis
to believe the information can be used to identify the Individual. 45 CFR § 160.103.
Integrity
The property that data or information has not been altered or destroyed in an unauthorized
manner. 45 CFR § 164.304.
Limited Data Set
Protected Health Information that excludes the 16 direct identifiers set forth at 45 CFR §
164.514(e)(2).
Marketing
Making “a communication about a product or service that encourages recipients of the
communication to purchase or use the product or service.” Marketing does not include a
communication made:
- (b) To provide refill reminders or otherwise communicate about a drug or biologic that is
currently being prescribed for a patient, only if any financial remuneration received by the
Health Care Component in exchange for making the communication is reasonably related to the
Health Care Component’s cost of making the communication; or,
- (c) For the following Treatment and Health Care Operations purposes where the HCC does not
receive any financial remuneration (including direct or indirect payment) in exchange for
making the communication:
- i. For Treatment of a patient by the Health Care Component-Provider, including case
management or care coordination for the patient, or to direct or recommend alternative
treatments, therapies, health care providers, or settings of care to the patient;
- ii. To describe a health-related product or service (or payment for such product or
service) that is provided by the Health Care Component, including communications about
the entities participating in a Health Care Provider network or Health Plan network,
replacement of, or enhancements to, a Health Plan, and health-related products or
services available only to a Health Plan enrollee that add value to, but are not part
of, a plan of benefits; or
- iii. For case management or care coordination, contacting of patients with information
about treatment alternatives, and related functions to the extent these activities do
not fall within the definition of Treatment.
Non-Secure Network
Networks other than a UI campus network.
Payment
The activities undertaken by:
- a. A Health Plan to obtain premiums or to determine or fulfill its responsibility for
coverage and provision of benefits under the Health Plan; and
- b. A Health Care Provider or Health Plan to obtain or provide reimbursement for the
provision of health care.
Such activities include, but are not limited to:
- a. Determinations of eligibility or coverage and the adjudication or subrogation of health
benefit claims;
- b. Risk adjusting amounts due based on enrollee health status and demographic
characteristics;
- c. Billing, claims management, collection activities, obtaining payment under a contract for
reinsurance, and related health care data processing;
- d. Review of health care services with respect to medical necessity, coverage under a health
plan, appropriateness of care, or justification of charges;
- e. Utilization review activities, including precertification and preauthorization of
services, concurrent and retrospective review of services; and,
- f. Disclosure to consumer reporting agencies of certain information relating to collection
of premiums or reimbursement. 45 CFR § 164.501.
Personal Representative
A person with authority to act on behalf of another individual, including a deceased
individual, in making decisions related to health care and/or health care information. 45
CFR § 164.502(g).
Physical Safeguards
Physical measures, policies and procedures (e.g., locks and identification cards) to protect
the Health Care Component’s electronic information systems and related buildings and
equipment, from natural and environmental hazards and from unauthorized intrusion. 45 CFR
§164.304.
Privacy Official
A person designated by the president of the University who is responsible for the
development and implementation of the Hybrid Entity’s HIPAA privacy policies and procedures.
The Privacy Official may delegate responsibility for privacy functions unless otherwise
indicated. The Privacy Official may also serve as the Security Official if so designated. 45
CFR § 164.530(a)(1)(i).
Protected Health Information (PHI)
A subset of Individually Identifiable Health Information that is (a) transmitted by
Electronic Media; (b) maintained in any medium constituting Electronic Media; or (c)
transmitted or maintained in any other form or medium. 45 CFR §160.103. (Note: Information
pertaining to a patient who has been deceased for more than 50 years is no longer Protected
Health Information.) Protected Health Information does not include Individually Identifiable
Health Information in education records under FERPA or employment records held by a Covered
Entity as an employer.
PHI Identifiers
- 1.) Name
- 2.) Geographic subdivisions smaller than a state
- 3.) Dates (except year) directly related to the individual
- 4.) Telephone numbers
- 5.) Fax numbers
- 6.) Email addresses
- 7.) Social security numbers
- 8.) Medical record numbers
- 9.) Health plan beneficiary numbers
- 10.) Account numbers
- 11.) Certificate/license numbers
- 12.) Vehicle identifiers and serial numbers
- 13.) Device identifiers and serial numbers
- 14.) Web Universal Resource Locators (URLs)
- 15.) Internet Protocol (IP) address numbers
- 16.) Biometric identifiers (finger, voice prints)
- 17.) Full face photos and comparable images
- 18.) Any other unique identifier
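The two de-identification levels this glossary describes, the safe harbor removal of the 18
identifiers above and the Limited Data Set that excludes only the 16 direct identifiers (see
Limited Data Set), differ mainly in whether dates and sub-state geography survive. The
following Python is an added example, not part of the University policy or any University
code: it applies both transforms to a constructed patient record whose field names are
assumed for illustration. It also shows the two points a practitioner most often gets wrong:
ages over 89 must collapse to a single "90 or older" category with the birth date removed,
and identifiers buried in free-text notes survive a field-level filter unless a separate
pass redacts them. The safe harbor branch drops all geography below the state level; the
three-digit ZIP exception for areas with more than 20,000 people is not implemented, since it
needs Census data.

```python
"""Safe harbor vs. Limited Data Set filtering of a hypothetical patient record.

Added example (not University code). Field names, the MRN format and the
sample record are constructed for illustration.
"""
import re
from datetime import date

# The 16 direct identifiers a Limited Data Set must exclude (45 CFR 164.514(e)(2)),
# mapped onto hypothetical field names.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Safe harbor additionally removes sub-state geography and all date elements except year.
SUB_STATE_GEOGRAPHY = {"city", "county", "zip"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Patterns for identifiers that commonly leak into free text. The MRN pattern is an
# assumption about this record layout; names and dates in prose are NOT caught here.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\bMRN-\d+\b"), "[MRN]"),
]

SAMPLE_RECORD = {  # constructed sample input
    "name": "Jane Q. Sample",
    "street_address": "123 Example St",
    "city": "Urbana",
    "state": "IL",
    "zip": "61801",
    "dob": "1931-05-20",
    "admit_date": "2023-03-14",
    "phone": "217-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes",
    "notes": "Reach at 217-555-0100 or jane@example.com; MRN-0001.",
}


def redact_free_text(text: str) -> str:
    """Replace recognizable identifier patterns inside prose with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def _age_on(dob_iso: str, as_of: date) -> int:
    y, m, d = (int(x) for x in dob_iso.split("-"))
    born = date(y, m, d)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def limited_data_set(record: dict) -> dict:
    """Drop the 16 direct identifiers; dates and town/state/ZIP are retained."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "notes" in out:
        out["notes"] = redact_free_text(out["notes"])
    return out


def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply the 18-identifier safe harbor method on top of the LDS filter."""
    out = limited_data_set(record)
    for k in SUB_STATE_GEOGRAPHY & out.keys():
        del out[k]
    if "dob" in out:
        age = _age_on(out["dob"], as_of)
        if age > 89:
            # Ages over 89 collapse to one category; the birth date, even its year,
            # would indicate the age and so is removed.
            out["age"] = "90+"
            del out["dob"]
        else:
            out["age"] = age
    for k in DATE_FIELDS & out.keys():
        out[k] = out[k][:4]  # keep the year only (ISO YYYY-MM-DD input assumed)
    return out


if __name__ == "__main__":
    print(limited_data_set(SAMPLE_RECORD))
    print(safe_harbor(SAMPLE_RECORD, date(2024, 1, 1)))
```

Run as a script it prints the two filtered views of the sample record. The free-text pass
is deliberately narrow: a name or a spelled-out date inside the notes field would pass
through, which is why a safe harbor release still needs the "no actual knowledge" review the
rule requires, not just a field filter.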
Public Health Activities
The activities of public health authorities that are legally authorized to receive Protected
Health Information for the purpose of preventing or controlling disease, injury or
disability. 45 CFR § 164.512(b).
Record
Any item, collection or grouping of information that includes Protected Health Information
and is maintained, collected, used or disseminated by or for the Covered Entity.
Research
A systematic investigation including research development, testing and education, designed
to develop or contribute to generalizable knowledge. 45 CFR § 164.501.
Risk Assessment
The process that identifies the security risks to information system security and determines
the probability of occurrence and the resulting impact for each Threat/Vulnerability
identified given the security controls in place; prioritizes risks; and results in
recommended possible actions/controls that could reduce or offset the determined risk.
Risk Management
A process that prioritizes, evaluates and implements security controls that will reduce or
offset the risks determined in the Risk Assessment process to satisfactory levels, given the
organization’s mission and available resources.
Secure Network
UI campus network infrastructure.
Security Audits
Internal process of reviewing information system access and activity, done on a periodic
basis, as a result of a potential breach, in response to a complaint or on suspicion of
employee wrongdoing.
Security Incidents
The attempted or successful unauthorized access, use, disclosure, modification or
destruction of information or interference with system operations in an information system.
45 CFR § 164.304.
Security Official
The person designated by the president of the University who is responsible for the
development and implementation of the Hybrid Entity’s HIPAA security policies and
procedures. The Security Official may delegate responsibility for security functions unless
otherwise indicated. The Security Official may also serve as the Privacy Official if so
designated. 45 CFR § 164.308(a)(2).
Subcontractor
A person or organization to whom a Health Care Component-Business Associate delegates a
Business Associate function, activity, or service, other than in the capacity of a member of
the Workforce of the Health Care Component. 45 CFR § 160.103.
Technical Safeguards
The technology, and the policy and procedures for its use, that protect Electronic Protected
Health Information and control access to it. 45 CFR § 164.304.
Threat
The potential for a particular threat source to cause loss or to successfully exploit a
particular Vulnerability.
Treatment
The provision, coordination, or management of health care and related services by one or
more Health Care Providers, including the coordination or management of health care by a
Health Care Provider with a third party; consultation between Health Care Providers relating
to a patient; or the referral of a patient for health care from one Health Care Provider to
another. 45 CFR § 164.501.
Unit
A University of Illinois school, college, division, department or other unit.
Unsecured Protected Health Information
Protected Health Information that is not rendered unusable, unreadable, or indecipherable to
unauthorized persons through the use of a technology or methodology specified by the
Secretary of Health and Human Services. Protected Health Information is deemed “secured”
only if it is encrypted or destroyed in accordance with the guidance issued by Health and
Human Services, which references standards published by the National Institute of Standards
and Technology (NIST).
Use
The employment, application, examination or analysis of Individually Identifiable Health
Information by an individual within the Health Care Component or the sharing of Protected
Health Information with an individual within the Health Care Component.
Vulnerability
A weakness or flaw in an information system that can be accidentally triggered or
intentionally exploited by a Threat and that results in a compromise of the confidentiality,
integrity, or availability of that system or the information it holds.
Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work
for an HCC, is under the direct control of the HCC.