Glossary of HIPAA Terms
Activities Preparatory to Research:
Activities performed in anticipation of research or to establish the feasibility of research where access to information may be granted for the purpose of the review, but no identifying information may be taken away in any form from the health care component.
Authorization:
Document by which the individual agrees that certain PHI may be used or disclosed. Authorization is not required for purposes of treatment, payment or health care operations and certain other purposes as permitted by HIPAA.
Business Associates:
With respect to a health care component, a person or entity not a part of the University who, on behalf of the health care component, performs or assists in the performance of certain functions requiring use or disclosure of PHI. Members of the workforce of one University health care component who perform the business function for another University health care component are not business associates. See Procedure 2.10.3.9 - Disclosing PHI to Business Associates.
Consent under Minnesota law:
A consent to release individual health information for treatment, payment or health care operations is valid under Minnesota law if it is signed and dated by the individual or the individual's personal representative. The consent is effective for no more than one year, unless the individual specifically agrees to a longer period for current treatment, third party payment, fraud investigations or quality of care review. A consent that meets the requirements of Minnesota law is not sufficient to authorize a use or disclosure where written authorization is required by HIPAA.
Covered Entity:
A health plan, health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a covered transaction.
Data Use Agreement:
Written agreement between a health care component and a person requesting a disclosure of PHI contained in a limited data set. Data use agreements must meet the requirements of limited data set procedure.
De-identified Data:
Data that does not identify an individual and reasonably cannot be used to identify an individual. Health information must be de-identified using Procedure 2.10.2.4 - De-identifying Data for Research.
Designated Records Set:
Group of items, collections, or groupings of information that include PHI and are maintained, used, collected or disseminated by or for a health care component that are the medical and billing records about individuals maintained by or for the health care component.
Disclosure:
To release, transfer, provide access to, or divulge PHI outside the University health care component.
Electronic Protected Health Information (ePHI):
ePHI is protected health information (PHI) that is created, stored, transmitted, or received electronically.
External Researcher:
Any researcher who is not an employee, credentialed staff member, or an individual affiliated through a formal affiliation agreement with the covered entity or health care component that is the holder of the PHI. External researchers, in addition to meeting HIPAA requirements, must meet Minnesota authorization requirements for the following: activities preparatory to research; research using individual health information of decedents; or when obtaining an IRB alteration of the HIPAA individual authorization requirements. Minnesota authorization requirements for external researchers are found in Appendix A.
Fundraising:
Activities undertaken for the purpose of raising funds for the benefit of the University or an institutionally related foundation.
Health Care:
Care, services or supplies related to the health of an individual. Health care includes but is not limited to:
- Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to physical or mental state.
- Sale or dispensing of drugs, devices, equipment or other item in accordance with a prescription condition, or functional status of an individual or that affects the structure or function of the body.
Health Care Component:
Unit(s) of the University that provide health care or are part of the health plan and are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.
Health Care Operations:
Any of the following activities of the covered entity to the extent that the activities are related to covered functions (i.e. those functions of a health care provider or health plan that make it a covered entity):
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines where generalizable knowledge is not the primary purpose, population based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals;
- Evaluating practitioner and provider performance and health plan performance;
- Conducting training programs in which students, trainees or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
- Training of non-health care professionals;
- Accreditation, certification, licensing, or credentialing activities;
- Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
- Underwriting, premium rating and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits, and transferring, securing or placing a contract of reinsurance;
- Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies;
- Business management and general administrative activities, including but not limited to:
  - Activities related to implementation and compliance with HIPAA;
  - Customer service, including provision of data analyses for policy holders, plan sponsors or other customers, provided that PHI is not disclosed to the policy holder, plan sponsor or customer;
  - Resolution of internal grievances;
  - The sale, transfer, merger or consolidation of all or part of the covered entity, or an entity that will become a covered entity, and due diligence related to such activity;
  - Creating de-identified data or a limited data set; and
  - Fundraising for the benefit of the health care component.
Health Care Provider:
A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business and who transmits information in electronic form to carry out financial or administrative activities related to health care.
Health Plan Component:
Designated health care component of the University that performs covered functions in the course of administering a group health plan, as defined in 45 C.F.R. §160.103, sponsored by the University.
Hybrid Entity:
Single legal entity that is a covered entity, performs business functions that are both covered and non-covered, and designates health care components.
Individual Health Information:
Protected health information covered by HIPAA and health records protected under Minnesota state law.
Individual:
The person who is the subject of PHI.
Internal Researcher:
Any researcher who is internal to the covered entity or health care component that is the holder of the PHI through status as an employee, credentialed staff member, or an individual affiliated through a formal affiliation agreement.
Institutional Review Board (IRB):
Committee that has been formally designated as required by federal regulations to review and monitor research involving human subjects and to assure that appropriate steps are taken to protect the rights and welfare of humans participating as subjects in the research.
Limited Data Set:
A subset of individual health information that has had certain direct identifiers removed, but does contain other PHI that could potentially identify the individual, and is used for a specific research purpose, public health or health care operations purposes only. A limited data set is not considered de-identified data.
Marketing:
The following types of communications are marketing activities:
- An arrangement between a health care component and any other entity whereby the health care component discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; or
- A communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the activity meets one of the exclusions from the marketing definition. The categories of communications which are excluded from the definition of marketing when made by the health care component are communications about:
  - The individual's treatment;
  - Case management or care coordination for the individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to the individual; or
  - Description of a health related product or service, or payment for the product or service that is provided by, or included in the health care component's plan of benefits.
Payment:
Activities undertaken by a health plan to obtain premiums or for coverage determinations and/or responsibilities by a provider or health plan to obtain or provide reimbursement.
Personal Representative:
A person who has authority under state law to act on behalf of an individual to make decisions related to health care.
Privacy Coordinator:
Person designated by each health care component and charged with carrying out the HIPAA compliance responsibilities for a health care component.
Privacy Officer:
Person and associated office designated by the University to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
Protected Health Information ("PHI"):
Health information transmitted or maintained in any form or medium that:
- Identifies or could be used to identify an individual;
- Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
The following records are exempted from the definition of PHI:
- Student records maintained by an educational institution;
- Treatment records about a post-secondary student meeting the requirements of 20 U.S.C. §1232(a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as employer.
Provider Component:
Designated health care component of the University that performs covered functions in the course of providing health care to individuals at the University.
Psychotherapy notes:
Notes recorded by a mental health therapist in documenting or analyzing the contents of conversation during a counseling session that capture the therapist's impressions about the patient and contain details of the conversation. Psychotherapy notes are separated from the rest of the patient's medical record and used only by the provider who created the note.
The following information is not psychotherapy notes:
- Medication prescription and monitoring;
- Session start/stop times;
- Modalities and frequency of treatment;
- Results of clinical tests; and
- Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.
Research:
Systematic investigation, including development, testing and evaluation designed to develop or contribute to generalizable knowledge.
Secretary:
Secretary shall mean the Secretary of the Department of Health and Human Services or designee.
Trainee:
Person involved in an educational program at the University that provides for the development of additional skills and the opportunity to learn new techniques and acquire experience in the given professional field or in the conduct of research.
Treatment:
Provision, coordination, or management of health care and related services by one or more providers, including coordination and management of care by a provider with a third party, consultation between providers about a patient, or referrals.
Use:
To employ, apply, utilize, examine or analyze PHI maintained within the health care component of the University.
Volunteer:
Individual who performs uncompensated services for the University under the direction and control of a University supervisor.
Workforce:
All employees, volunteers, trainees and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.