Your Compliance Edge

HIPAA Terms

- A -

Administrative Simplification: Title II, Subtitle F of HIPAA, which gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. This is also the name of Title II, Subtitle F, Part C of HIPAA.

American National Standards Institute (ANSI): An organization that accredits various standard-setting committees, and monitors their compliance with the open rule-making process that they must follow to qualify for ANSI accreditation. HIPAA prescribes that the standards mandated under it be developed by ANSI-accredited bodies whenever practical.

Authorization: An authorization by the patient is required for most non-routine disclosures of protected health information (PHI).

- B -

Business associate: A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity’s workforce. A business associate can also be a covered entity in its own right.

- C -

Code set: Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. The term "code set" includes both the codes and their descriptions.

Companion guide: A document prepared by each payer to specify the conditional data elements and segments that must be used when conducting HIPAA standard transactions with that payer organization. The guide also outlines connectivity requirements and other useful information to support implementation of the HIPAA standard transactions. The companion guide is designed to supplement, but not to contradict, any of the requirements in the implementation guide.

Compliance date: This is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective date of the associated final rule for most entities, but 36 months after the effective date for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective date, but can be longer for small health plans and for complex changes.

Consent: Consent by the patient is required for uses and disclosures of protected health information (PHI) for treatment, payment, and operations (TPO).

Covered entity: A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

- D -

Data condition: A description of the circumstances in which certain data is required.

Data content: All the data elements and code sets inherent to a transaction, and not related to the format of the transaction.

Data element: The smallest named unit of information in a transaction.

Data format: Those data elements that provide or control the enveloping or hierarchical structure, or assist in identifying the data content of, a transaction.

De-identification: Removal or coding of the 18 listed elements of PHI, and of other additional elements if there is reason to believe that the remaining information, by itself or in combination with other available information, could identify an individual.

Direct data entry (DDE): The direct entry of data that is immediately transmitted into a health plan’s computer.

Disclosure: Release or divulgence of information by an entity to persons or organizations outside of that entity.

DSMO: Designated Standard Maintenance Organization.

- E -

EDI: Electronic Data Interchange - X12 and similar variable-length formats for the electronic exchange of structured data. EDI is sometimes used more broadly to mean any electronic exchange of formatted data.

- H -

Health care clearinghouse: Entity that processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes or facilitates the processing of that information into nonstandard format or nonstandard data content for a receiving entity.

Health plan: An individual or group plan that provides, or pays the cost of, medical care.

HHS (also DHHS): Department of Health and Human Services. The federal government department that has overall responsibility for implementing HIPAA, among other things.

HIPAA (Health Insurance Portability and Accountability Act): A federal law that ensures the privacy and security of protected health information and patients' access to their health-care records.

- I -

Implementation Guide (IG): A document explaining the proper use of a standard for a specific business purpose. The X12N HIPAA IGs are the primary reference documents used by those implementing the associated transactions, and are incorporated into the HIPAA regulations by reference.

Individually identifiable health information (IIHI): The subset of health information, including demographic information, collected from an individual, for which there is a reasonable basis to believe that the information can be used to identify the individual.

- M -

Minimum necessary: The principle that, to the extent practical, individually identifiable health information should only be disclosed to the extent needed to support the purpose of the disclosure.

Multiple function covered entity: A single legal entity, affiliated entity, or other arrangement that combines the functions or operations of health care providers, health plans, and health care clearinghouses.

- N -

National employer ID: A system for uniquely identifying all sponsors of health care benefits.

National patient ID: A system for uniquely identifying all recipients of health care services. This is sometimes referred to as the national individual identifier (NII), or as the health care ID.

National payer ID: A system for uniquely identifying all organizations that pay for health care services. Also known as health plan ID, or plan ID.

National provider ID: A system for uniquely identifying all providers of health care services, supplies, and equipment.

- O -

Office for Civil Rights (OCR): The HHS department responsible for enforcing the HIPAA privacy rules, among other things.

- P -

Plan sponsor: An entity that sponsors a health plan. This can be an employer, a union, or some other entity.

Protected health information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium.

- R -

Role-based access: Appropriate access for each person or class of person to the category or categories of protected health information to which access is needed.

- S -

Standard: Standard means a rule, condition, or requirement describing information for products, systems, services or practices.

- T -

Third party administrator (TPA): Processes health care claims and performs related business functions for a health plan.

Trading partner agreement (TPA): An agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)

Transactions: This is the exchange of information between two parties to carry out financial or administrative activities related to health care.

Treatment, payment & operations (TPO): Treatment – the provision, coordination, or management of health care and related services by one or more health care providers. Payment – activities undertaken by a health care provider or health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or the activities by a covered health plan or provider to obtain or provide reimbursement for the provision of health care, including but not limited to: determination of eligibility, billing, claims management, collection activities, and utilization review. Operations – the activities of the covered entity to the extent that the activities are related to covered functions, conducting quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals, underwriting, compliance programming, business planning and management, and customer service.

- U -

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity that maintains such information.

- W -

Workforce: Employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity.

- X -

X12 standard: The term currently used for any X12 standard for electronic data interchange that has been approved since the most recent release of X12 American National Standards.