Confidentiality: HIPAA – Common Acronyms & Terms

Act of Disclosures
Refers to the right of patients, with limitations, to a statement of the uses and disclosures of their protected health information for a period of time not to exceed six years prior to the date of request.
Authorization
The mechanism for obtaining from patients or their designees specific rights for the non-routine use and disclosure of protected health information (PHI). The rights obtained by an authorization are specified by that authorization.
BA
Business Associate (see below)
Business Associate
An entity that performs functions on behalf of or provides services to or for a covered entity. A business associate may be a person, organization, or agency.
Consent
A signed document which gives health care providers permission to disclose protected health information (PHI) for purposes of treatment, payment, or operations (TPO). Under HIPAA regulations, obtaining consent is optional for disclosing PHI for purposes of TPO
CE
Covered Entity (see below)
Covered Entity
Health plans, clearinghouses (billing services, re-pricing companies, health management information systems or community health information systems that process information on behalf of other entities) and health care providers that conduct billing and funds transfers electronically.
De-Identified Patient Information
A record in which patient identifying information has been removed. Only information that “identifies” an individual is subject to HIPAA’s privacy standard.
Disclosure
Refers to the dissemination of information by the covered entity holding the information to parties outside the covered entity.
Fundraising
The organized activity of raising funds for an institutional cause.
Health Care Provider
Includes entities such as hospitals, nursing homes, clinical labs, and pharmacies, and individual providers such as physicians, nurses, psychotherapists and other persons or entities that furnish, bill, or are paid for, health care in the ordinary course of business.
HIPAA/Privacy Rule
HIPAA officially stands for the Health Insurance Portability and Accountability Act of 1996 – federal regulations providing comprehensive protection for the privacy of health information. The Privacy Rule refers to the privacy standards set forth under HIPAA.
IRB
Institutional Review Board (see below)
Institutional Review Board
Also known as IRB’s, these institutionally-defined boards are responsible for reviewing research protocols to assure compliance with guidelines and with federal law as related to the appropriate use of humans in research.
Marketing
Communications about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service. In general, activities which include treatment, payment, and operations are excerpted from the definition of marketing.
Minimum necessary
The least information necessary to accomplish the intended purpose of the use, disclosure, or request.
Notice
A general notice that describes how medical information may be used and disclosed and how individuals can get access to that information. The notice sets forth patient rights and advises patients how to file complaints if they feel their rights have been violated.
Payment
Essentially any activity this is undertaken by a health plan to obtain premiums or to fulfill its responsibility for coverage or health care providers’ activities undertaken to obtain or provide reimbursement for the provision of health care. This includes, but is not limited to, billing, claims management, collection activities, obtaining payments from reinsurance, and related health care data processing, review of health care services, with respect to medical necessity, coverage, appropriateness of care, or justification of charges, utilization review activities, including pre-certification and post authorization of services.
Personal representative
An individual that has assumed the care of an adult or minor.
Privacy Rule
Refers to the privacy standards set forth under the Health Insurance Portability and Accountability Act.
PHI
Protected Health Information (see below)
Protected Health Information (PHI)
Any information, including demographic information that has the potential of tying the identity of the patient to their health record. Applies to information transmitted or maintained in any form or medium, including electronic, paper, and oral.
Psychotherapy notes
Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.
Research
Systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Treatment, Payment, and Operations (TPO)
Constitutes what is called the “routine” uses and disclosures of protected health information.
TPO
Treatment, Payment, and Operations
Treatment
Preventive, diagnostic, therapeutic, rehabilitation, maintenance, and palliative care provided to an individual, as well as the provision, coordination, or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Use
Refers to a covered entity accessing PHI for internal purposes. Examples of use include medical staffs accessing PHI during the treatment process, or the accounting department accessing PHI to prepare a patient’s bill. Use should always follow HIPAA’s “minimum necessary” standard.

Comments or Suggestions?

We want Quest to be your source for important information that you need to succeed at in your work but we need your help:

Was this article helpful? Was it missing something you needed to get the job done?

Tell us what you think, what you know about this article. What are we doing well, and what we could do better.

All fields are required.