Ensign Services, Inc.
HIPAA Privacy and Security Operational Guide
This guide has been created for Ensign-affiliated facilities and entities to serve as an overview of
the daily operating policies and procedures with regard to maintaining compliance with the
Health Insurance Portability and Accountability Act (HIPAA).
This operational guide is intended to represent a simplified version of the company’s detailed
policies and procedures and is to be used by workforce members and management as a quick
reference to answer many of the daily questions that arise concerning HIPAA.
The HIPAA Privacy Rule creates national standards to protect a patient’s or resident’s medical
record and other personal health information. As healthcare providers we use and disclose
sensitive individually identifiable information daily and it is our duty to protect that information.
It is important that we understand a few key concepts related to our handling of patient or
resident information in order to protect the privacy rights afforded under the HIPAA Privacy
Rule. An understanding of these concepts will also aid in implementing our policies and
procedures.
Protected Health Information (PHI) is defined as individually identifiable health information
that is transmitted or maintained by a facility/entity in any form or medium.
Individually Identifiable Information is defined as a subset of health information, including
demographic information, that is collected from a patient or resident, is created or received by us,
relates to the past, present, or future physical or mental health or condition of a patient or
resident, and can be used to identify the patient or resident.
What Information Is Protected?
- Information doctors, nurses, therapists, consultants, and other health care providers
document in the medical record, both on paper and electronically
- Conversations about patient or resident care with others
- Billing and financial information
- Contact information including email address
- Photographs
- Most other health information that includes individually identifiable information
It is best to assume every piece of information is protected and to inquire as to whether or
not it can be used or disclosed for your intended purpose. When in doubt, please ask.
HIPAA Privacy and Security Operational Guide/August, 2016
CUSTOMER SECOND-ACCOUNTABILITY-PASSION FOR LEARNING-LOVE ONE ANOTHER-INTELLIGENT RISK TAKING-CELEBRATE-OWNERSHIP
USING PATIENT/RESIDENT INFORMATION
When we USE PHI we share, utilize, examine, and analyze information that remains WITHIN
our facility/entity. Examples of use include:
TREATMENT: discussing patient or resident care with physicians, during care conferences,
with nurses/therapists
PAYMENT: billing for services provided, collecting payment, verifying benefits
HEALTHCARE OPERATIONS: collecting data for quality improvement activities,
monitoring, and training activities.
These are all permissible (allowed) uses of a patient’s or resident’s health information.
Are we allowed to include patient/resident information in facility directories and post their
name on the door of their room?
Patients and residents receiving care in a SNF or ALF should be afforded the right to determine:
- Whether or not their name is posted outside their room
- Whether their information is shared with family and friends, and to identify those with whom
we may share information (also applies to hospice and home health)
- Whether or not callers may be given information
- Whether or not clergy may be given information
At admission, ask the patient or resident to complete the Communication Method Request form
as part of the Notice of Privacy Practices.
Ensure staff are knowledgeable of the patient’s or resident’s preferred methods for
communication.
The following situations are NOT permitted when using PHI:
- Discussing patient or resident care in open, public areas or with others that should not
have the information
- Sharing more information than necessary to provide treatment or bill for services
- Accessing or copying records without a specific treatment, payment, or operational
purpose
What can you do to protect information while using it to care for our patients and
residents?
- Limit information to the minimum necessary to accomplish the intended purpose of the
use
- Discuss patient and resident care in private areas; when a private area is not available,
lower your voice and be aware of those who may overhear
- When discussing care with the patient or resident in a shared room, ask the patient or
resident if they object to the discussion, and find a private location if an objection is
expressed
- Secure documents from public view
- Access only those records/documents needed to accomplish the task of providing
treatment, billing for services, or other operational functions
DISCLOSING PATIENT/RESIDENT INFORMATION
We also DISCLOSE protected health information for treatment and payment purposes.
Disclosure is the release, transfer, provision of access to, or divulging of PHI OUTSIDE the
facility/entity in order for others to provide treatment or bill for services. These disclosures are
permitted under the HIPAA rule and include: sending records with the patient or resident to the
hospital or to an appointment, faxing PHI to a physician, and transmitting claims for payment.
When disclosing PHI we must follow the Minimum Necessary standard. This standard is
defined as making reasonable efforts to limit the use or disclosure of, and requests for, protected
health information to the minimum necessary to accomplish the intended purpose.
Using or disclosing an entire medical record is not justified unless releasing it is reasonably
necessary to accomplish the purpose of the use or disclosure. An example of reasonably
necessary would be to release the entire record pursuant to a subpoena.
How do we account for these disclosures?
Use the Accounting of Disclosure log to document all disclosures of protected health information
except those:
- For treatment, payment, and healthcare operations
- To the patient/resident (or personal representative)
- Pursuant to the patient’s/resident’s authorization
- For the facility/entity directory
- To persons involved in the patient’s/resident’s care
- For national security or intelligence purposes
- To correctional institutions or in law enforcement custodial situations
When does Minimum Necessary NOT apply?
You may disclose required PHI:
- To healthcare providers for treatment purposes
- To the patient or resident
- Pursuant to a valid authorization
- To the Secretary of the Department of Health and Human Services (DHHS)
- As required by law
There are times when, with good intention, we inadvertently disclose information to the wrong
person. Examples of inadvertent disclosures to other HIPAA covered parties include:
- Faxing PHI to the wrong physician
- Sending one patient’s or resident’s PHI with another patient or resident to the hospital or
to an appointment
What do we do when these inadvertent disclosures occur?
- Notify the Privacy Officer or contact the Compliance Hotline
- Secure the PHI by contacting the person/entity to which the PHI was faxed or sent and
informing them of the mistake
- Notify the patient or resident, typically by writing and delivering a letter of apology
assuring them the PHI was secured and that procedures were implemented to prevent another
mistake
When is a disclosure NOT permitted?
- Sharing information with family and/or friends
- Posting any patient and resident information, including photographs, on social media
sites
- Sending PHI to others that do not have authorization to receive that information
- Removing PHI from the facility/entity without it being secure and for a specific
treatment or billing purpose
When you become aware of any disclosure resulting in a compromise of patient or resident
health or financial information, report it immediately to the Privacy Officer or contact the
Compliance Hotline.
Breaches of PHI
What is a breach?
The everyday definition of breach is an infraction or violation of a law, obligation, or standard.
HIPAA defines breach as the acquisition, access, use, or disclosure of protected health
information which compromises the security or privacy of the PHI.
Examples of possible breaches:
- Lost or stolen mobile device, including computers
- Sending/faxing/emailing PHI to someone other than a healthcare provider or authorized
patient/resident representative
- Stolen patient or resident documents from a home or car
- Posting PHI, including pictures, on a social media site
- Unsecured documents (not shredded, left open/unlocked)
- Texting PHI
- Discussing protected information with those that do not have a need to know
What must we do when we suspect a breach has occurred?
When we use or disclose PHI in a manner not permitted under the HIPAA rule we must assume a
breach has occurred (PHI has been compromised) and conduct a risk assessment to determine the
extent to which the PHI has been compromised. In some cases the patient or resident must be
notified by letter; in other cases involving financial information, credit protection is offered to
give the patient or resident the ability to monitor for suspicious activity.
What is NOT a breach?
An acquisition, access, or use made in good faith and within the scope of the employee’s job
function that does not result in further use or disclosure is not a breach, such as:
- Employee unintentionally accesses the wrong medical record – the employee was
working within their job scope and did not use or disclose the information further
- A fax containing PHI was accidentally sent to the wrong physician’s office - the
physician is a Covered Entity under HIPAA and therefore must also abide by the HIPAA
rule, and the office notified us of the misdirected fax and shredded the document(s)
- Discussing care with family or friends involved in the patient’s or resident’s care and
known to the facility/entity
How do I protect our PHI from a possible breach?
- Ensure all computers and mobile devices are encrypted by only accessing PHI from a
device provided by the IT department
- Do not save any PHI on an external drive
- Lock PHI in a secure file bag in the trunk when transporting
  - Use the PHI in Transit Log to document PHI moving in/out of your facility/entity
- Lock medication cart computers in the cart when not in use
- Use only Tiger Text or Secure Conversations in Point Click Care as a secure means of
texting PHI, and educate staff to use only these applications for texting PHI
- When traveling with a computer, lock it in the trunk when not in use
- When sending emails containing PHI outside the network, encrypt by typing
[ENCRYPT] in the subject line of the email
- Lock the medical records room when unattended and overnight
- Shred documents immediately
- Remove documents from fax machines immediately after faxing
- Verify fax numbers before sending a fax and call the recipient to ensure receipt
- Check documents carefully prior to releasing them
- Verify the identity and authority of those requesting and accepting PHI
- Use an approved fax cover sheet
- Educate staff about using cell phones in patient and resident care areas within the
facility/entity
- Educate staff to refrain from taking photographs or videos of patients or residents
- Obtain the patient’s/resident’s written consent for all photographs and videos when used for
approved facility/entity activities
How do I encrypt an email containing PHI sent outside the company’s network?
- In the subject line of the email type [ENCRYPT]
- Do not include any PHI in the subject line
Patient/Resident Privacy Rights Afforded Under HIPAA
Patients and residents have the right to make informed choices when seeking care and
reimbursement for care and on how their personal health information may be used. They have
the right to:
- Ask to see and get a copy of their health records, including electronic records
- Have corrections added to their health information
- Receive a notice that tells them how their health information may be used and shared
(this is called the Notice of Privacy Practices)
- Give permission before their health information can be used or shared for certain
purposes, such as for marketing
- Revoke their permission to share their PHI
- Request that healthcare providers communicate with them about medical matters in a
certain way or at a certain location
- Decide which friends and family members may have information related to their care
- Receive a report on when and why their health information was shared for certain
purposes (this is called an Accounting of Disclosures)
- File a complaint with their provider, health insurer, or the Office for Civil Rights
Does a patient or resident automatically have access to every document in their record?
No, there are circumstances in which we can deny a patient or resident access to their
information:
- Psychotherapy notes
- Information compiled in anticipation of, or for use in, a civil, criminal, or administrative
action or proceeding
- In cases where the facility or entity is acting under the direction of a correctional
institution, deny the request of an inmate if such access would endanger the health or
safety of the individual or anyone else
- The information was obtained from someone under a promise of confidentiality, and the
access requested would be reasonably likely to reveal the source of the information
- A licensed health care professional, in the exercise of professional judgment, finds that
access would likely endanger the life or physical safety of the patient/resident, or cause
substantial harm to the patient/resident or another person
- The information references another person (other than a health care provider) and the
access would likely cause substantial harm to that person
- The access request is made by a personal representative and the personal representative
would likely cause harm to the patient/resident or another person
Can the patient or resident appeal our decision to deny access?
A patient or resident reserves the right to appeal our decision to deny them access to their PHI in
the following circumstances:
- A licensed health care professional, in the exercise of professional judgment, finds that
access would likely endanger the life or physical safety of the patient/resident, or cause
substantial harm to the patient/resident or another person
- The information references another person (other than a health care provider) and the
access would likely cause substantial harm to that person
- The access request is made by a personal representative and the personal representative
would likely cause harm to the patient/resident or another person
A denial letter will be drafted by Compliance and must be provided to the patient or resident
describing the reason for the denial.
The patient or resident must be afforded the opportunity to appeal the denial by completing the
Denial of Access to PHI and Appeal Form.
Please contact the Privacy Officer for guidance in these circumstances.
How do I afford patients and residents their rights while in my care?
- Designate a HIPAA Liaison within your facility/entity to serve as the contact for
questions and requests
- At admission, provide every patient and resident (or representative) a copy of our Notice
of Privacy Practices
- If you have a website, post the Notice of Privacy Practices there
- Post the Notice of Privacy Practices for patients and residents in a visible location within
your facility/entity (be sure this is at wheelchair height)
- Provide copies of the Notice of Privacy Practices on request
- At admission, complete the Communication Method Request form with the patient or
resident to understand how and with whom they want their information shared
  - Ensure all staff are aware of the patient’s or resident’s wishes
- Provide patients and residents access to their medical information, including electronic
documents
  - Arrange a time and location with the patient or resident
- Provide patients and residents the right to request changes to their medical information
when they believe it is incorrect (Request for Amendment of Records)
- Allow patients and residents to exercise their right to receive confidential
communications
- Provide patients and residents the right to restrict the information we share
- Provide patients and residents the right to know with whom we have shared their
information (Accounting of Disclosures)
- Be transparent with patients and residents on how to exercise their right to file a
complaint when they believe their rights have been violated
- Obtain a signed authorization from the patient or resident (or representative) prior to
releasing records
Are we permitted to charge the patient/resident (or their representative) to copy their
record?
Yes, you may charge a reasonable, cost-based fee for copying records. The fees may only be
applied to the actual labor for copying, supplies, and postage when records are sent. You may
not charge for the time it takes to locate the record. You may not default to state allowances.
Fees must be calculated:
- Per case (labor and supply costs dependent on size of record)
- As an average and applied to all patients and residents, or
- Defaulting to a charge of $6.50 for each case
You may not charge another healthcare entity when records are requested for continuity of
care.
HIPAA does not override those State laws that provide patients and residents with greater
rights of access to their health information than the HIPAA Privacy Rule does. If your state
provides the patient or resident the right to receive their first copy free of charge, you must
comply with the state’s allowance.
What is an authorization?
An authorization is a document obtained from the patient or resident granting us permission to
release their PHI. The authorization must contain specific elements and be signed and dated by
the patient or resident to be considered valid. A valid authorization form is available on the
portal.
When do I need authorization from the patient or resident?
- To release psychotherapy notes (unless used for treatment or training purposes)
- For marketing
- To sell PHI
- To release information to a third party at the patient’s or resident’s request
When do I NOT need authorization from the patient or resident?
- Treatment purposes: you may use or disclose PHI when providing treatment or
discussing treatment with other healthcare providers
- Payment purposes: you may use or disclose PHI when processing and submitting
information to receive payment for services provided
- Operational purposes: you may use PHI internally for activities such as quality
improvement and data analysis
- Providing information to the Department of Health and Human Services (DHHS)
- As required by law
- Public health activities
- Reporting abuse or neglect
- Health oversight activities
- Judicial and administrative proceedings
- Disclosure for decedents
- Disclosure for cadaveric organ, eye, or tissue donation purposes
- Disclosure to avert a serious threat to health or safety
- Disclosure for Worker’s compensation
An authorization is not required for the patient or resident to gain access to or copy their own
PHI. This request is processed through the Request for Access to PHI form.
How do I document compliance with the HIPAA Rule?
- When the patient or resident has designated a personal representative to act on their behalf, the
personal representative must be granted the same rights as the patient or resident
- At admission, ask the patient or resident (or representative) to acknowledge receipt of the
Notice of Privacy Practices by signing the acknowledgement form
- At admission, ask the patient or resident to complete the Communication Method Request
form
- Ask the patient or resident to complete and sign the Request to View and Copy PHI form
when they request to access/inspect/copy records
- Obtain a signed/dated authorization before disclosing PHI
- When a patient or resident believes information in their record is incorrect and requests
an amendment, ask the patient or resident to complete and sign a Request For Amendment
of Records form
- When a patient or resident wishes to receive confidential communications in a specific
method, ask the patient or resident to complete and sign a Request for Confidential
Communication form
- Account for disclosures of PHI
- Obtain written consent for all photographs and videos used for approved facility/entity
purposes
- Ask staff to complete the PHI in Transit log when transporting PHI
- Ensure staff complete and attest to completing all HIPAA training
- Complete the Breach log for all breaches and notify the Privacy Officer of all breaches
- Document discipline provided in response to HIPAA violations
- Provide the patient or resident with copies of signed documents
- File all documentation in the patient’s or resident’s medical record
How do I store my closed medical records?
HIPAA requires the physical security of medical records from fire or water damage, erroneous
destruction and theft.
Individual states also outline storage requirements, which include: storage of records IN the
facility; patient health records cannot be removed from the facility unless the record is being
moved into an offsite storage facility; and medical records shall be stored safely to provide
protection from loss, damage, unauthorized use and disclosure.
- Short-term storage: lock in a file cabinet in a locked office (double lock standard)
- Long-term storage: catalog and send to a secure, off-site storage facility (example: Iron
Mountain)
- Storage sheds do not offer the protection needed to avoid damage or theft
What is a Business Associate?
A business associate is a person who creates, receives, maintains, or transmits PHI on our behalf.
They are a separate entity providing a contracted service for us.
Business associates include vendors that process claims, bill for services, analyze data, provide
coding of documentation, transmit data, manage benefits, or provide quality improvement analysis.
When do I need a Business Associate Agreement (BAA)?
A BAA is required whenever anyone other than a healthcare provider rendering treatment
creates, receives, maintains, or transmits PHI on your behalf.
How do I get a BAA?
Email contracts at [email protected]
Who is not a Business Associate?
- A healthcare provider
- A government agency for determining eligibility for or enrollment in a government health
plan
- A workforce member defined as employees, volunteers, students, medical residents, and
trainees under direct control of the facility/entity, whether or not they are paid by the
facility or entity
If someone is a non-employee, how are they granted access to my PHI?
Non-employee workforce members must complete the HIPAA training in Ensign U and sign a
User Agreement outlining their responsibilities related to accessing, using, and disclosing PHI as
part of their function for the facility or entity. Once HIPAA training is complete and the user
agreement is signed, IT will grant access to electronic systems consistent with the non-employee
workforce member’s role.
What can I do to help?
Remind others to:
- Never post patient or resident information to social media sites
- Discuss patient or resident care in private areas or lower voices in common areas
- Use only encrypted computers and mobile devices
- Avoid using personal devices in patient and resident care areas
- Verify fax numbers prior to sending PHI via fax
- Double check documents prior to releasing them to another person or facility
- Verify we have permission from the patient or resident to release documents
- Secure PHI at all times
- Secure computers and mobile devices at all times
- Never discuss patient or resident care outside of work
- Report concerns with patient or resident privacy
Are there fines associated with HIPAA violations?
Fines may be imposed in the following manner:

Violation Category               Per patient, per violation penalty   Annual cap for all violations of an identical provision
Did not know                     $100 to $50,000                      $1.5 million
Reasonable cause                 $1,000 to $50,000                    $1.5 million
Willful neglect - corrected      $10,000 to $50,000                   $1.5 million
Willful neglect - not corrected  $50,000                              $1.5 million
What are my next steps?
□ Print and make this operational guide available to your staff
□ Ensure staff are familiar with all HIPAA policies, procedures, and forms available on the
portal
  - You may print and make a HIPAA binder if you wish
□ Designate a HIPAA Liaison for your facility/entity
  - Compliance can conduct training with this individual as requested
□ Print your personalized Notice of Privacy Practices (NPP) from the portal and post in a
public area within your facility/entity
  - Also post on your website as applicable
□ Remove all old versions of the NPP from admission documents and replace with the
newest version
□ Determine if texts containing PHI are being sent and ensure encryption through a secure
application
□ Ensure staff understand encryption of email containing PHI sent outside the secure
network
□ Determine if staff are using phones in patient and resident care areas and educate them not
to use phones to take pictures or record videos of patients or residents
□ Ensure all staff complete HIPAA training as assigned
□ Ensure all active and closed medical records are secure
□ Make secure shred bins readily available to all staff
□ Determine your methodology for charging reasonable fees for copying records and
educate staff on the process
□ Ensure there is a process for maintaining all HIPAA-relevant documentation
□ Make a list of all workforce members (employees, volunteers, students, medical
residents, and trainees under direct control of the facility/entity, whether or not they are
paid by the facility or entity)
  - If these workforce members have access to PHI, either on paper or
electronically, ensure there is a signed user agreement in place
  - For employees, ensure HIPAA training is complete
□ Make a list of all business associates (anyone, other than healthcare providers rendering
treatment, that creates, receives, maintains, or transmits PHI on your behalf)
  - Obtain a business associate agreement if one is not in place
Where do I go with questions or for more information?
- Become familiar with all HIPAA policies, procedures, and forms
  - These are found on the portal
- Complete annual HIPAA training
- Participate in other available training related to HIPAA
- Contact IT at 949-540-1200
- Contact the Privacy Officer, Shelley Johnson at 314-852-4143
- Contact the Lead Compliance Partner, Casey Bastemeyer at 949-201-3395
- Contact the Security Officer, Tyler Douglas at 949-285-2511
- Contact the Chief Compliance Officer at 949-540-1212
How do I report a concern?
Contact the Compliance Hotline – 866-256-0955
HIPAA today is so much more than just refraining from discussing
patient/resident information in public areas and protecting passwords.
Taking your knowledge of HIPAA to the next level is critical for ensuring we are
following the numerous regulations.
Please use this guide and other available resources to better understand your
role and responsibility in protecting our patients’ and residents’ health
information.
Definitions and Acronyms
This guide should be considered as a supplementary reference for understanding definitions and
acronyms when using and understanding company policies and procedures associated with
HIPAA.
Office for Civil Rights (OCR) shall be defined as the branch of the DHHS that is responsible for
federal oversight of the privacy regulations.
Health Insurance Portability and Accountability Act (HIPAA) shall be defined as policies,
procedures and guidelines for maintaining the privacy and security of individually identifiable
health information, as well as outlining numerous offenses relating to health care and setting civil
and criminal penalties for violations.
Protected Health Information (PHI) shall be defined as individually identifiable health
information that is transmitted or maintained by a Covered Entity in any form or medium.
Electronic Protected Health Information (e-PHI) shall be defined as individually identifiable
health information maintained in electronic form.
Unsecured Protected Health Information shall be defined as protected health information
(PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized persons
through the use of technology or other methodology.
Individually Identifiable Health Information (IIHI) shall be defined as a subset of health
information, including demographic information, that is collected from an individual, is created or
received by a health care provider, and relates to the past, present, or future physical or mental
health or condition of an individual.
Disclosure shall be defined as the release, transfer, provision of access to, or divulging
information outside the entity holding the information.
Incidental Disclosure shall be defined as a secondary disclosure that occurs when disclosing
other PHI.
Use shall be defined as sharing, utilization, examination, or analysis of protected information
within a covered entity that maintains such information.
Access shall be defined as the ability or the means necessary to read, write, modify, or
communicate data/information or otherwise use any system resource.
Confidentiality shall be defined as the property that data or information is not made available or
disclosed to unauthorized persons or processes.
Encryption shall be defined as the use of an algorithmic process to transform data into a form in
which there is a low probability of assigning meaning without use of a confidential process or
key.
Administrative Safeguards shall be defined as administrative actions, and policies and
procedures, to manage the selection, development, implementation, and maintenance of security
measures to protect electronic protected health information and to manage the conduct of the
covered entity's or business associate's workforce in relation to the protection of that information.
Physical safeguards shall be defined as physical measures, policies, and procedures to protect a
covered entity's or business associate's electronic information systems and related buildings and
equipment, from natural and environmental hazards, and unauthorized intrusion.
De-identification shall be defined as the removal of any individually identifiable data that may
allow someone to connect the data in question with a specific person.
Business Associate (BA) shall be defined as a person or organization, other than a member of a
covered entity's workforce, that performs certain functions or activities on behalf of, or provides
certain services to, a covered entity that involve the use or disclosure of individually identifiable
health information or a subcontractor that creates, receives, maintains, or transmits protected
health information on behalf of another business associate.
Business Associate Agreement (BAA) shall be defined as a contract that serves to clarify and
limit, as appropriate, the permissible uses and disclosures of protected health information by the
business associate, based on the relationship between the parties and the activities or services
being performed by the business associate.
Limited Data Set shall be defined as a set of data in which most individual identifiers have been
removed.
Minimum necessary shall be defined as making reasonable efforts to limit the use or disclosure
of, and requests for, protected health information to the minimum necessary to accomplish the
intended purpose.
Good faith shall be defined as the effort made, information given, or transaction done, honestly
and without a deliberate intention to wrong another party.
Breach shall be defined as the acquisition, access, use, or disclosure of protected health
information (PHI) in a manner not permitted under the Privacy Rule which compromises the
security or privacy of the PHI and is presumed to be a breach unless the covered entity or
business associate, as applicable, demonstrates that there is a low probability that the PHI has
been compromised based on a risk assessment.
Covered Entity shall be defined as a healthcare provider who transmits any health information
in electronic form.
Workforce shall be defined as employees, volunteers, trainees, and other persons whose
conduct, in the performance of work for a covered entity or business associate, is under the direct
control of such entity, whether or not they are paid by the covered entity or business associate.
Reasonable accommodation shall be defined as an adjustment made to accommodate an
individual based on a proven need.
Authorization shall be defined as permission given by the individual to use and/or disclose
protected health information about the individual. The requirements of a valid authorization are
defined in the HIPAA regulations.
Designated record set (DRS) shall be defined as a group of records maintained by or for the
facility/entity that consists of the medical and billing records created during care for a
patient/resident and is used, in whole or in part, by or for the facility/entity to make decisions
about the patient/resident.
Record shall be defined as any item, collection, or grouping of information that includes PHI
and is maintained, collected, used, or disseminated by or for the facility/entity.
Healthcare Operations shall be defined as activities of the company related to covered
functions including, but not limited to: quality assessment/process improvement,
development/evaluation of clinical guidelines, patient safety, protocol development, case
management, care coordination, review of professional qualifications, evaluation of
performance, training, accreditation/certification, medical reviews, legal services, compliance
programming, business planning, business management, and audit functions.
Payment shall be defined as activities undertaken by the company related to covered functions
including, but not limited to: obtaining reimbursement for provision of healthcare services,
billing, claims management, collections, and utilization review.
Treatment shall be defined as activities of the company related to covered functions including,
but not limited to: provision, coordination, and management of healthcare and related services,
consultation, and referrals of a patient for healthcare.
Personal representative shall be defined as someone with the legal authority to act on behalf of
an incompetent adult patient/resident, a minor patient or a deceased patient/resident or the
patient’s/resident’s estate in making health care decisions or in exercising the patient’s/resident’s
rights related to protected health information.
Health Care Agent shall be defined as someone who is appointed via a document signed by a
patient giving the Agent the authority to communicate certain medical decisions in the event that
the patient becomes incapable of making those decisions. A Health Care Agent’s authority is
limited to communicating decisions about life support and comfort care measures. Therefore, the
Health Care Agent’s access to the patient’s medical information is limited to the information
needed to address these decisions.
Health Care Representative shall be defined as someone appointed via a document signed by
the patient and witnessed by two adults giving the Representative authority to decide any and all
health care decisions including decisions about the withdrawal of life support and/or nutrition
and hydration, and decisions to accept or refuse any treatment, service or procedure used to
diagnose or treat the person’s physical or mental condition in the event that the patient becomes
incapable of making such decisions.
Legally Authorized Representative shall be defined as a person authorized either by state law
or by court appointment to make decisions, including decisions related to health care, on behalf
of another person.