- Authorization — A document signed and dated by the individual who authorizes use and disclosure of protected health information for reasons other than treatment, payment or health care operations. An authorization must contain a description of the protected health information, the names or class of persons permitted to make a disclosure, the names or class of persons to whom the covered entity may disclose, an expiration date or event, an explanation of the individual's right to revoke and how to revoke and a statement about potential redisclosures.
- Business associate — A person or entity who, on behalf of a covered entity or an organized health care arrangement, performs or assists in the performance of one of the following:
- A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing.
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for such covered entity or organized health care arrangement.
- Business associate agreement — A contract between a covered entity and a business associate that does all of the following:
- Establishes the permitted and required uses and disclosures of personal health information (protected health information) by the business associate.
- Provides that the business associate will use protected health information only as permitted by the contract or as required by law, use appropriate safeguards, report any disclosures not permitted by the contract, ensure that agents to whom it provides protected health information will abide by the same restrictions and conditions, make protected health information available to individuals and make its record available to U.S. Department of Health and Human Services.
- Authorizes termination of the contract by the Department if the Department determines that there has been a violation of the contract.
The business associate agreement is usually part of a contract made in the procurement process, but can be part of a Memorandum of Understanding, Grant Agreement or other document.
- CMS — Centers for Medicare and Medicaid Services within the U.S. Department of Health and Human Services.
- COMPASS Community Partner — An organization, service provider or community service group, such as a hospital, clinic or long-term care facility, that assists individuals applying for human services through COMPASS.
- Compliance date — The date by which a covered entity must comply with a standard, implementation specification, requirement or modification specified in this handbook.
- Consent — A document signed and dated by the individual that a covered entity obtains prior to using or disclosing protected health information to carry out treatment, payment or health care operations. A consent is not required under the privacy rule.
- Covered entity — A health care provider who transmits any health information in electronic form in connection with a transaction covered by the privacy rule, a health care plan or a health care clearinghouse.
- Covered functions —Those functions of a covered entity, the performance of which makes the entity a health care plan, health care provider or health care clearinghouse.
- DHHS — The U. S. Department of Health and Human Services.
- Department — The Pennsylvania Department of Human Services.
- Designated record set — The medical records and billing records, including electronic records, about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health care plan; or medical records and billing records used by or for the covered entity to make decisions about individuals. For purposes of implementing the privacy rule, the Department of Human Services intends to treat all client records as if they were part of the designated record set and afford them the corresponding privacy protection.
- Disclosure —The release, transfer, provision of access to or divulging of information outside the entity holding the information.
- Health care — Care, services or supplies related to the health of an individual. Health care includes, but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, mental health or palliative care and sale or dispensing of a drug, device, equipment or other item in accordance with a prescription.
- Health care clearinghouse — A public or private entity that does either of the following:
- Processes health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
- Receives a standard transaction from another entity and processes health information into nonstandard format or nonstandard data content for the receiving entity.
- Health care plan — An individual or group plan that provides, or pays the cost of, medical care. Health care plan includes:
- A group health care plan (created pursuant to the Employee Retirement Income Security Act of 1974 [ERISA]).
- A health insurance issuer.
- An HMO.
- Part A or Part B of the Medicare program.
- The Medical Assistance program.
- An issuer of a Medicare supplemental policy
- An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.
- An employee welfare benefit plan.
- The health care program for active military personnel.
- The veterans health care program.
- The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS).
- The Indian Health Service program under the Indian Health Care Improvement Act.
- The Federal Employees Health Benefits Program.
- An approved State child health care plan.
- The Medicare+Choice program.
- A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
- Any other individual or group plan.
- Health care provider — A provider of services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business and who transmits any health information in electronic form in connection with a covered function.
- Health information — Any information, whether oral or recorded in any form or medium, that does both of the following:
- Is created or received by a health care provider, health care plan, public health authority, employer, life insurer, school or university or health care clearinghouse.
- Relates to the physical or mental health or condition of an individual, the provision of health care to an individual or payment for the provision of health care to an individual.
For purposes of implementing the privacy rule, the Department of Human Services intends to treat all client records as if they were health information and afford them the corresponding privacy protection.
- Health maintenance organization (HMO) — A federally qualified HMO and an organization recognized as an HMO under State law.
- Health care operations — Health care operations includes any of the following activities:
- Conducting quality assessment and quality improvement activities.
- Reviewing the competence or qualifications of health care professionals.
- Evaluating practitioner and provider performance, health care plan performance and conducting training programs of non-health care professionals, accreditation, certification, licensing or credentialing activities.
- Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care.
- Conducting or arranging for medical review, legal services and auditing functions including fraud and abuse detection and compliance programs.
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
- Business management and general administrative activities of the entity.
- Health oversight agency — An agency or authority of the United States, Pennsylvania or a political subdivision of a state, or a person or entity acting under a grant of authority from such public agency that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
- Individual — The person who is the subject of protected health information.
- Individually identifiable health information — Health information, including demographic (such as names, addresses, telephone numbers, etc. See Section 19.2 relating to document security policy) information collected from an individual that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify an individual.
For purposes of implementing the privacy rule, the Department of Human Services intends to treat all individual records (including electronic records) as if they were health information and afford them the corresponding privacy protection. - Inmate — A person incarcerated in, or otherwise confined to, a correctional institution.
- Law enforcement official — An officer or employee of any agency or authority of the United States, Pennsylvania or a political subdivision of a state who is empowered by law to investigate or conduct an official inquiry into a potential violation of law, and to prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law.
- Marketing — To make a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service. Marketing does not include the following:
- Communications by a covered entity for the purpose of describing the entities participating in a health care provider network or health care plan network or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits.
- Communications tailored to the circumstances of a particular individual if the communications are made by a health care provider to an individual as part of the treatment of the individual and for the purpose of furthering the treatment of that individual.
- Communications by a health care provider or health care plan to an individual in the course of managing the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers or settings of care.
A communication is not included in marketing if the communication is made orally, or the communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.
- Notice of privacy practices — A notice to the individual of the uses and disclosures of protected health information and the individual's rights and the covered entity's legal duties with respect to protected health information.
- Organized health care arrangement — A clinically integrated care setting in which individuals typically receive health care from more than one health care provider or an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint activities.
- Personal representative — A person authorized by law to act on behalf of an individual. The representative will be treated as the individual for purposes of disclosure of protected health information.
- Privacy officer — The Department's privacy/client information officer.
- Privacy rule — The Federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that created national standards to protect medical records and other protected health information.
- Program office coordinator — The program office's privacy/client information coordinator. other protected health information.
- Protected health information (PHI) — Individually identifiable health information that is maintained or transmitted in any form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA).
For purposes of implementing the privacy rule, the Department intends to treat all individual records, including electronic records, as if they were health information and afford them the corresponding privacy protection. - Psychotherapy notes — Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.
- Public health authority — An agency or authority of the United States, Pennsylvania, a political subdivision of a State or a person or entity acting under a grant of authority from or contract with such public agency that is responsible for public health matters as part of its official mandate.
- Research — A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to general knowledge.
- Treatment — The provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual or the referral of an individual for health care from one health care provider to another.
- Use — With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.