Authorization
A Covered Entity (CE) is not allowed to share or disclose Protected Health Information (PHI) for reasons other than those specifically allowed by the HIPAA Privacy Rule. The Privacy Rule covers allowable usage and disclosure of PHI including to whom the information can be disclosed and under what circumstances the information can be shared. The HIPAA Authorization provides the patient’s consent to sharing data with the third-party. Except for treatment, payment, or healthcare operations, explicit consent is required by the patient to use the data.
The Authorization agreement must be clear and understandable, and must state the reasons why the CE wishes to use/share the information.
Business Associate (BA)
A third-party that performs a function or activity on behalf of a covered entity or provides services to the CE, that may come into contact with PHI but is not part of the covered entity’s workforce. A business associate can also be a covered entity in their own right.
Business Associate Agreement (BAA)
A contract that clearly defines the roles and responsibilities of a business associate and the covered entity with respect to HIPAA. The BAA provides assurance to the CE that the BA will implement the Administrative, Technical and Physical safeguards needed to secure PHI and will restrict usage per the Privacy Rule.
Covered Entities (CE)
Covered Entities are organizations that are legally required to comply with the HIPAA Rules. This includes:
- Health Plans
- Healthcare Clearinghouses
- Healthcare Providers (including clinics, hospitals, nursing homes, etc.)
A Business Associate can also be classified as a Covered Entity depending on their operations.
Data Breach
A Data Breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized manner under the Privacy Rule.
Electronic Data Interchange (EDI)
The process of sending data from one company to the other company electronically.
Electronic Medical Record (EMR)
An EMR is a computer-based medical record of a patient. This is also called an Electronic Health Record (EHR) or Electronic Paper Record (EPR). This is the digital equivalent of paper record.
Electronic Protected Health Information (ePHI)
Any PHI that is created, transmitted, or received electronically is considered as ePHI.
Minimum Necessary Rule
The Minimum Necessary Rule defines that CEs are required by HIPAA Privacy Rule to take reasonable effort to limit the release of PHI to the minimum necessary to accomplish the purpose of the request.
Notice of Privacy Practices (NPP)
The CE must provide each patient with an NPP that explains how health information will be used and disclosed by the Covered Entity, their rights under HIPAA, and how to file a complaint against a CE if the patient feels that he entity has violated HIPAA.
Office for Civil Rights (OCR)
The OCR is the branch of Health & Human Services (HHS) responsible for the oversight of the HIPAA privacy & security regulations, federal oversight and compliance with HIPAA.
Protected Health Information (PHI)
All individually identifiable health information related to the healthcare or health insurance, including but not limited to demographics, medical history, test results, insurance, etc.
P.S. – Part 3 will cover the HITECH Act, HIPAA Regulatory, Omnibus, Privacy, & Security Rule in detail.