Accounting of Disclosures

The HIPAA regulations give individuals the right to know to whom their medical records have been disclosed for up to six years prior to the date of the request. The rule excludes disclosures for treatment, payment, and health care operations—essentially anything you would want to know. The HITECH (Health Information Technology for Economic and Clinical Health) section of the 2009 federal stimulus bill shortens the accounting period to three years and includes disclosures for treatment, payment, and health care operations. What information needs to be accounted for and in what format are contentious enough issues that the Department of Health and Human Services has still not published regulations for implementing the law.

Affordable Care Act (ACA)

Tortuously enacted 2010 law whose primary purpose is to ensure universal access to health care, by way of a mandate that all individuals have health insurance. Insurance may be provided through employment or purchased individually. Individuals may buy a health plan directly from an insurer or through a state or federal insurance exchange. Those who cannot afford to buy health insurance will be partially or fully subsidized by the government. Also known as the Patient Protection and Affordable Care Act (PPACA).

Beacon Community

A program established and funded under ARRA (the American Recovery and Reinvestment Act) that supports on-going health information exchange in 17 communities around the U.S.

Business Associate (BA)

A business associate is any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity. Previously, business associates’ HIPAA liability was indirect, by way of a contract known as a business associate agreement (BAA) with a covered entity to adhere to the HIPAA regulations. A BAA is still required, but business associates are now directly liable under parts of the HIPAA Privacy Rule and all of the Security Rule, including for:

  • Impermissible uses and disclosures of PHI;
  • Failure to notify a covered entity of a breach of PHI;
  • Failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BA contract);
  • Failure to disclose PHI when the Department of Health and Human Services (HHS) requires it for an investigation into a business associate’s compliance with HIPAA;
  • Failure to provide an accounting of disclosures; and
  • Failure to comply with the applicable requirements of the security rule.

Business associates remain contractually liable for other requirements of the BAA.

Common Rule

Applies to federally supported research on human subjects, as well as research that is not federally supported but the institutions conducting it voluntarily agree to comply with federal standards. The Common Rule generally requires that an ethics committee or Institutional Review Board (IRB) review the proposed research and sets out explicit standards for informed consent by research subjects, although an IRB may waive the consent requirements.

Confidentiality of Medical Information Act (CMIA)

The section of the California Civil Code that regulates the use and disclosure of individually identifiable medical information by licensed health care professionals and other health care providers. (Cal. Civ. Code §§ 56-56.37)

Covered Entity

HIPAA applies only to covered entities, which it specifies as health care providers, health plans (health insurers and HMOs), and health care clearinghouses. Health care providers include hospitals, physicians, and other caregivers, as well as researchers who provide health care and receive, access or generate individually identifiable health care information. Pharmacists and pharmacies are also HIPAA covered entities.

De-identified information

Information that is "de-identified" by HIPAA standards—that is, has had 18 specific identifiers removed. De-identified information does not require an individual’s consent or authorization for disclosure. See also, Limited Data Set.

Designated Record Set

All records for a particular patient that are created and maintained by or for a covered entity, including treatment, billing, and administrative records. Records that meet this definition are covered by HIPAA.

E-prescribing

The use of computer technology by doctors and other medical practitioners to write and send prescriptions to participating pharmacies electronically, rather than by faxing or calling a pharmacy, or giving patients handwritten prescriptions to take to the pharmacy. E-prescribing is already evolving into automated systems that can create and refill patients’ prescriptions, manage their medications and view their history, connect to a pharmacy or dispensary, and integrate prescription data with an electronic medical record system.

eHealth Exchange

Federal agencies and private partners that are stakeholders in the process of developing secure electronic health information exchange; formerly called Nationwide Health Information Network (NHIN). Also abbreviated as NwHIN.

eHealth Initiative

Nonprofit organization engaged in standardization of health information technology to improve patient care; a sample initiative is advocacy of electronic prescribing, or e-prescribing.

Electronic Health Record (EHR)

A digital record of health care information generated within a medical institution or environment, such as a hospital, clinic or doctor’s office. It may include medical history, laboratory results, immunizations, prescription lists, demographics, etc. The Affordable Care Act (ACA), which is also known as “Obamacare,” includes Medicare payment incentives to move medical record-keeping in the direction of all electronic records. This will make data sharing easier, but also raises serious privacy and security concerns. Also known as Electronic Medical Record (EMR).

Electronic Medical Record (EMR)

A digital record of health care information generated within a medical institution or environment, such as a hospital, clinic or doctor’s office. It may include medical history, laboratory results, immunizations, prescription lists, demographics, etc. The Affordable Care Act (ACA), which is also known as “Obamacare,” includes Medicare payment incentives to move medical record-keeping in the direction of all electronic records. This will make data sharing easier, but also raises serious privacy and security concerns. Also known as Electronic Health Record (EHR).

Electronic prescribing

The use of computer technology by doctors and other medical practitioners to write and send prescriptions to participating pharmacies electronically, rather than by faxing or calling a pharmacy, or giving patients handwritten prescriptions to take to the pharmacy. E-prescribing is already evolving into automated systems that can create and refill patients’ prescriptions, manage their medications and view their history, connect to a pharmacy or dispensary, and integrate prescription data with an electronic medical record system. Also known as e-prescribing.

Formulary

List of prescription drugs that a specific health care plan covers.

Health Benefits Exchange

The Affordable Care Act (ACA), also known as "Obamacare," calls for the creation of state insurance exchanges to act as markets where people can compare policies and buy health insurance. Individuals may also buy directly from insurers without going through an exchange, or receive coverage as an employee benefit. As an alternative for residents of states that decline to create exchanges, the federal government will also operate a health insurance exchange. The ACA eliminates pre-existing medical conditions as a basis of insurance underwriting. The hope is that the increased size of a market where everyone must be insured (or pay a tax penalty) and no one can be denied coverage will create competition that will drive down the cost of health insurance.

Health Care Clearinghouse

A health care clearinghouse is an organization that standardizes health information. One example would be a billing company that processes data from its initial format into a standardized billing format. Such transactions are almost always electronic and involve disclosure of protected health information (PHI).

Health Care Operations

Health care operations are broadly defined as activities of covered entities that involve maintaining and monitoring the institution. They can include conducting quality assessment and improvement activities; developing clinical guidelines; case management; reviewing the competence or qualifications of health care professionals; professional education and training; fraud and abuse programs; business planning and management; and customer service. This catch-all is an exception to the HIPAA consent requirements on the use and disclosure of PHI and requires no specific authorization.

Health Care Provider

Health care provider is a person or organization that furnishes health care services and supplies, or that bills or is paid for them. Health care providers can be individuals (doctors, nurses, pharmacists, lab technicians) or organizations (hospitals, clinics, practice groups—along with their administrative staff). Health care researchers are also considered providers.

Health Information Exchange (HIE)

Health Information Exchange (HIE) is used as a verb and a noun. As a verb it is the electronic transmission of healthcare-related data among facilities, health information organizations (HIOs) and government agencies; as a noun it is used interchangeably with HIO to mean an organization that transmits health data. The goal of HIE is secure universal transmission of individual health data to improve health care delivery and make it more efficient. See the entry on health information organization (HIO) for an explanation of that term.

Health Information Organization (HIO)

Commonly used interchangeably with HIE, an HIO is an organization that enables the movement of health-related data among covered entities.

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

The Health Information Technology for Economic and Clinical Health Act was included in the 2009 stimulus bill known as the American Recovery and Reinvestment Act (ARRA) to promote the adoption of electronic health record (EHR) and health information exchange technology in the US. Among other things, it extends HIPAA requirements to business associates of covered entities and extends breach notification requirements to medical records (which was already the law in California) and calls for immediate patient access to electronic records.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996, which has two sections. Title I allows people who change or lose their jobs to continue their health insurance coverage. Title II is what people usually mean when they refer to HIPAA: the federal law that provides uniform baseline privacy and security standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. The regulations that the Department of Health and Human Services developed to implement the law also give patients access to their medical records and some control over how their personal health information is used and disclosed. HIPAA does not pre-empt state laws that provide stronger protections. HIPAA took effect on April 14, 2003. HIPAA is feared but poorly understood. From a privacy perspective, it could be more accurately described as a disclosure law than one that protects information.

The HIPAA regulations have two parts: the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule covers all protected health information (PHI), whether it’s in paper or electronic format. The Security Rule applies only to PHI in electronic format. The Privacy Rule and the Security Rule both set baseline standards for protection of the information they cover.

Individually Identifiable Health Information (IIHI)

A subset of health information that identifies the individual or can reasonably be used to identify the individual; HIPAA protects individually identifiable health information. Common individual identifiers include name, address, and social security number, but may also include date of birth, Zip Code, or county location. If the information is not individually identifiable, such as healthcare research information that only identifies a particular population, not individuals, then it is not protected by HIPAA. In research, this can get complicated, and further inquiry should be made when seeking a determination on a small population. IIHI only becomes PHI when a covered entity creates, receives, or maintains the information.

Institutional Review Board (IRB)

An IRB is a committee at an institution that reviews proposed research projects. It is responsible for protection of all human subjects involved, although it may waive the requirement for informed consent if it decides that it is unnecessary or that a project could not proceed

Limited data set

A limited data set is PHI that has had all direct identifiers removed (i.e., name, address, phone and fax numbers, email address and URLs, SSN, photo, etc.) but that may retain indirect identifiers, including date of birth, age, five-digit ZIP code, and medical admission, discharge, and service dates. Limited data sets can be used for research or public health purposes without authorization. A covered entity that releases limited data sets must have agreements with recipients that specify how and for what period the data will be used, and that it can’t be shared with third parties.

Meaningful use

The term in the HITECH Act that sets out requirements to be implemented in three stages over a five-year period (2009–2014) for health care providers to be able to show that they're using EHRs in ways that are measurable to show the quality and quantity of adoption of the technology. Some meaningful use criteria are electronic prescribing (e-prescribing), maintaining an up-to-date problem list of patients’ current and active diagnoses, keeping current lists of patients’ medications and medication allergies, and giving patients a clinical summary of all office visits.

Medi-Cal

California’s Medicaid program of government-financed health care insurance for low-income individuals.

mHealth

Term for the use of mobile phones and other mobile technology in medical care.

Notice of Privacy Practices (NPP)

HIPAA-mandated notice that covered entities must give to patients and research subjects that describes how a covered entity may use and disclose their protected health information, and informs them of their legal rights regarding PHI. Standard uses and disclosures include: treatment, payment and health care operations; appointment reminders; treatment alternatives; health-related benefits and services; directories of patients admitted to hospitals; research; and as required by law. It may or may not contain information about patients’ rights to access their records. Recent HIPAA updates require the notice to state that (1) sale of PHI is prohibited without written consent; (2) a covered entity has a duty to notify affected individuals of a breach of unsecured PHI; (3) patients have the right to opt out of receiving fundraising communications from a covered entity; (4) patients who pay for treatment out-of-pocket and in full have the right to restrict disclosures of PHI to a health plan. In addition, most health plans will need to inform individuals of the prohibition against using or disclosing genetic information for underwriting purposes. The NPP must be signed as an acknowledgment that you have received and read it. For that reason it is often mistaken for a consent form, but it is not.

Office for Civil Rights (OCR)

Division of the Department of Health and Human Services that is responsible for enforcing the HIPAA regulations.

Patient Protection and Affordable Care Act (PPACA)

Tortuously enacted 2010 law whose primary purpose is to ensure universal access to health care, by way of a mandate that all individuals have health insurance. Insurance may be provided through employment or purchased individually. Individuals may buy a health plan directly from an insurer or through a state or federal insurance exchange. Those who cannot afford to buy health insurance will be partially or fully subsidized by the government. Also known as the Affordable Care Act (ACA).

Personal Health Record (PHR)

A personal health record (PHR) is an electronic record (online or on portable media) of an individual’s health information. It is generally thought of as belonging to and managed by the individual. Information that goes into a PHR may come from both individuals and their health care providers. It ideally creates a complete, dynamic, and up-to-date health record. Data elements would include personal and demographic information, allergies, medications, immunizations, and diagnostic and treatment records.

Privacy Rule

The section of the HIPAA regulations that sets out the requirements for covered entities regarding the saving, accessing, and sharing an individual’s medical and personal information, including a patient’s own right to access. The Privacy Rule applies to PHI in paper format as well as electronic. (Subpart E of Part 164 of Title 45 of CFR §§164.500 to 164.534)

Protected Health Information (PHI)

PHI is individually identifiable health information that is created, transmitted, or maintained by a covered entity. If it is electronically transmitted it falls under the HIPAA security as well as privacy regulations. PHI in electronic form is sometimes referred to as EPHI.

Psychotherapy Notes

Notes recorded by a health care provider who is a mental health professional during a counseling session, either in private or in a group. These notes are separate from documentation that goes into a medical chart or record and do not include prescriptions. Use and disclosure of psychotherapy notes requires specific written patient authorization. Patients do not have access to psychotherapy notes about themselves.

Security Rule

The section of the HIPAA regulations that establishes the administrative, physical, and technical security safeguards required for the use of electronic Protected Health Information. The Rule identifies various security standards for each type of safeguard, and for each standard, it sets out required and/or addressable (optional) implementation specifications. (Subpart C, Part 164, 45 CFR §§164.300 to 164.318)

Telehealth

Provision of health services or information via the telecommunications infrastructure. Telemedicine, more specifically, involves providing clinical services remotely, and may also encompass providing health education. Also known as telemedicine.

Telemedicine

Provision of health services or information via the telecommunications infrastructure. Telemedicine, more specifically, involves providing clinical services remotely, and may also encompass providing health education. Also known as telehealth.
