Authorization. A document signed and dated by the individual who authorizes use and disclosure of protected health information for reasons other than treatment, payment or health care operations. An authorization must contain a description of the protected health information, the names or class of persons permitted to make a disclosure, the names or class of persons to whom the covered entity may disclose, an expiration date or event, an explanation of the individual’s right to revoke and how to revoke and a statement about potential redisclosures.
Business associate. A person or entity who, on behalf of a covered entity or an organized health care arrangement, performs or assists in the performance of one of the following:
Business associate agreement. A contract between a covered entity and a business associate that does all of the following:
The business associate agreement is usually part of a contract made in the procurement process, but can be part of a Memorandum of Understanding, Grant Agreement or other document.
CMS. Centers for Medicare and Medicaid Services within the U.S. Department of Health and Human Services.
COMPASS Community Partner. An organization, service provider or community service group, such as a hospital, clinic or long-term care facility, that assists individuals applying for human services through COMPASS.
Compliance date. The date by which a covered entity must comply with a standard, implementation specification, requirement or modification specified in this handbook.
Consent. A document signed and dated by the individual that a covered entity obtains prior to using or disclosing protected health information to carry out treatment, payment or health care operations. A consent is not required under the privacy rule.
Covered entity. A health care provider who transmits any health information in electronic form in connection with a transaction covered by the privacy rule, a health care plan or a health care clearinghouse.
Covered functions. Those functions of a covered entity, the performance of which makes the entity a health care plan, health care provider or health care clearinghouse.
DHHS. The U. S. Department of Health and Human Services.
Department. The Pennsylvania Department of Human Services.
Designated record set. The medical records and billing records, including electronic records, about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health care plan; or medical records and billing records used by or for the covered entity to make decisions about individuals.
For purposes of implementing the privacy rule, the Department of Human Services intends to treat all client records as if they were part of the designated record set and afford them the corresponding privacy protection.
Disclosure. The release, transfer, provision of access to or divulging of information outside the entity holding the information.
Health care. Care, services or supplies related to the health of an individual. Health care includes, but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, mental health or palliative care and sale or dispensing of a drug, device, equipment or other item in accordance with a prescription.
Health care clearinghouse. A public or private entity that does either of the following:
Health care plan. An individual or group plan that provides, or pays the cost of, medical care. Health care plan includes:
Health care provider. A provider of services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business and who transmits any health information in electronic form in connection with a covered function.
Health information. Any information, whether oral or recorded in any form or medium, that does both of the following:
For purposes of implementing the privacy rule, the Department of Human Services intends to treat all client records as if they were health information and afford them the corresponding privacy protection.
Health maintenance organization (HMO). A federally qualified HMO and an organization recognized as an HMO under State law.
Health care operations. Health care operations includes any of the following activities:
Health oversight agency. An agency or authority of the United States, Pennsylvania or a political subdivision of a state, or a person or entity acting under a grant of authority from such public agency that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
Individual. The person who is the subject of protected health information.
Individually identifiable health information. Health information, including demographic (such as names, addresses, telephone numbers, etc. See Section 19.2 relating to document security policy) information collected from an individual that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify an individual.
For purposes of implementing the privacy rule, the Department of Human Services intends to treat all individual records (including electronic records) as if they were health information and afford them the corresponding privacy protection.
Inmate. A person incarcerated in, or otherwise confined to, a correctional institution.
Law enforcement official. An officer or employee of any agency or authority of the United States, Pennsylvania or a political subdivision of a state who is empowered by law to investigate or conduct an official inquiry into a potential violation of law, and to prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law.
Marketing. To make a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service. Marketing does not include the following:
A communication is not included in marketing if the communication is made orally, or the communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.
Notice of privacy practices. A notice to the individual of the uses and disclosures of protected health information and the individual’s rights and the covered entity’s legal duties with respect to protected health information.
Organized health care arrangement. A clinically integrated care setting in which individuals typically receive health care from more than one health care provider or an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint activities.
Personal representative. A person authorized by law to act on behalf of an individual. The representative will be treated as the individual for purposes of disclosure of protected health information.
Privacy officer. The Department’s privacy/client information officer.
Privacy rule. The Federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that created national standards to protect medical records and other protected health information.
Program office coordinator. The program office’s privacy/client information coordinator. other protected health information.
Protected health information (PHI). Individually identifiable health information that is maintained or transmitted in any form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA).
For purposes of implementing the privacy rule, the Department intends to treat all individual records, including electronic records, as if they were health information and afford them the corresponding privacy protection.
Psychotherapy notes. Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.
Public health authority. An agency or authority of the United States, Pennsylvania, a political subdivision of a State or a person or entity acting under a grant of authority from or contract with such public agency that is responsible for public health matters as part of its official mandate.
Research. A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to general knowledge.
Treatment. The provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual or the referral of an individual for health care from one health care provider to another.
Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.