Appendix A
Selected Privacy Rule Concepts and Definitions
The following concepts and definitions are adapted from the regulatory
language. For further information, see the citations to the Privacy Rule.
Accounting. An individual has a right to receive an
accounting of disclosures of protected health information made by a
covered entity in the six years prior to the date on which the accounting
is requested, except for disclosures (a) to carry out treatment, payment
and health care operations [45 CFR § 164.506]; (b) to individuals of
protected health information about them [45 CFR § 164.502]; (c) incident
to a use or disclosure otherwise permitted or required by this subpart, as
provided in 45 CFR §164.502; (d) pursuant to an authorization as provided
in 45 CFR §164.508; (e) for the facility's directory or to persons
involved in the individual's care or other notification purposes, as
provided in 45 CFR §164.510; (f) for national security or intelligence
purposes as provided in 45 CFR §164.512(k)(2); (g) to correctional
institutions or law enforcement officials as provided in 45 CFR
§164.512(k)(5); or (h) as part of a limited data set in accordance with 45 CFR §164.514(e);
or (i) that occurred prior to the compliance date for the covered
entity…. Such an accounting must meet the following requirements: (1)
except as otherwise provided by paragraph (a) of this section, the
accounting must include disclosures of protected health information that
occurred during the six years (or such shorter time period at the request
of the individual as provided in paragraph (a)(3) of this section) prior
to the date of the request for an accounting, including disclosures to or
by business associates of the covered entity; (2) except as otherwise
provided by paragraphs (b)(3) or (b)(4) of this section, the accounting
must include for each disclosure: the date of the disclosure, the name of
the entity or person who received the protected health information, and if
known, the address of such entity or person; a brief description of the
protected health information disclosed; and, a brief statement of the
purpose of the disclosure that reasonably informs the individual of the
basis for the disclosure, or in lieu of such a statement, a copy of the
individual's written authorization pursuant to 45 CFR § 164.508, or a
copy of a written request for a disclosure under 45 CFR §
164.502(a)(2)(ii) or 45 CFR § 164.512, if any.
If, during the period covered by the accounting, the covered entity has
made multiple disclosures of protected health information to the same
person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or
45 CFR § 164.512, the accounting may, with respect to such multiple
disclosures, provide the information required by paragraph (b)(2) of 45
CFR § 164.528 for the first disclosure during the accounting period, the
frequency, periodicity, or number of the disclosures made during the
accounting period, and the date of the last such disclosure during the
accounting period [45 CFR § 164.528].
Modified accounting procedures are also provided for covered entities
making research disclosures involving >50 persons [45 CFR §
164.528(b)(4)].
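The accounting requirement above is, from a systems point of view, a query over a disclosure log: keep only disclosures inside the look-back window and after the entity's compliance date, drop the exempt categories, carry the required fields for each entry, and optionally collapse a run of disclosures to the same recipient for a single purpose into one entry with the first date, the count or frequency, and the last date. The following Python is an added example written for this appendix, not code from the Privacy Rule or from any covered entity. The purpose labels, the `Disclosure` record, the sample log, the 2009-06-30 request date and the 2004-04-14 compliance date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purpose categories that the definition above lists as exempt from the
# accounting (constructed labels that stand in for the 45 CFR 164.528(a)(1)
# exceptions; a real system maps its own purpose codes onto these).
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",        # (a) 45 CFR 164.506
    "to_individual",                             # (b) 45 CFR 164.502
    "incidental",                                # (c)
    "authorization",                             # (d) 45 CFR 164.508
    "directory_or_involved_in_care",             # (e) 45 CFR 164.510
    "national_security",                         # (f) 45 CFR 164.512(k)(2)
    "correctional_or_law_enforcement_custody",   # (g) 45 CFR 164.512(k)(5)
    "limited_data_set",                          # (h) 45 CFR 164.514(e)
}

# Legal bases under which repeated disclosures to one recipient for a single
# purpose may be summarised as one entry (first date, count, last date).
GROUPABLE_AUTHORITIES = ("45 CFR 164.502(a)(2)(ii)", "45 CFR 164.512")


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str            # name of the person or entity that received the PHI
    address: Optional[str]    # address, if known
    description: str          # brief description of the PHI disclosed
    purpose: str              # purpose category; the plain-language basis shown to the individual
    authority: str            # regulatory basis, e.g. "45 CFR 164.512(b)"


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; a 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def build_accounting(disclosures, requested_on: date, compliance_date: date, years: int = 6):
    """Return the accounting entries (dicts) owed to the individual.

    Excludes exempt purposes, disclosures before the entity's compliance date,
    and anything outside the look-back window; the individual may ask for a
    window shorter than six years but not a longer one.
    """
    if not 1 <= years <= 6:
        raise ValueError("look-back window must be between one and six years")
    window_start = years_before(requested_on, years)
    in_scope = sorted(
        (d for d in disclosures
         if d.purpose not in EXEMPT_PURPOSES
         and d.when >= compliance_date
         and window_start <= d.when <= requested_on),
        key=lambda d: d.when,
    )
    entries = []
    series = {}  # (recipient, purpose) -> index into entries, groupable disclosures only
    for d in in_scope:
        groupable = d.authority.startswith(GROUPABLE_AUTHORITIES)
        key = (d.recipient, d.purpose)
        if groupable and key in series:
            entry = entries[series[key]]
            entry["count"] += 1
            entry["last_date"] = d.when
            continue
        entries.append({
            "date": d.when, "recipient": d.recipient, "address": d.address,
            "description": d.description, "purpose": d.purpose,
            "authority": d.authority, "count": 1, "last_date": d.when,
        })
        if groupable:
            series[key] = len(entries) - 1
    return entries


# Constructed sample disclosure log; recipients, dates and addresses are invented.
SAMPLE_LOG = [
    Disclosure(date(2009, 1, 5), "Treating physician (constructed)", None, "full chart", "treatment", "45 CFR 164.506"),
    Disclosure(date(2007, 3, 1), "State health department (constructed)", "1 Example St", "lab result", "public_health", "45 CFR 164.512(b)"),
    Disclosure(date(2007, 6, 1), "State health department (constructed)", "1 Example St", "lab result", "public_health", "45 CFR 164.512(b)"),
    Disclosure(date(2008, 9, 1), "State health department (constructed)", "1 Example St", "lab result", "public_health", "45 CFR 164.512(b)"),
    Disclosure(date(2004, 2, 1), "State health department (constructed)", "1 Example St", "lab result", "public_health", "45 CFR 164.512(b)"),
    Disclosure(date(2001, 1, 1), "County court (constructed)", None, "visit dates", "court_order", "45 CFR 164.512(e)"),
    Disclosure(date(2008, 2, 10), "Research team (constructed)", None, "diagnosis codes", "research", "45 CFR 164.512(i)"),
]


def sample_accounting(years: int = 6):
    """Accounting over the sample log for a request made on 2009-06-30 to an
    entity with a constructed compliance date of 2004-04-14."""
    return build_accounting(SAMPLE_LOG, date(2009, 6, 30), date(2004, 4, 14), years)


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```

Run as written, the sample produces two entries: the three public-health disclosures collapse into one entry (first date 2007-03-01, count 3, last date 2008-09-01) and the research disclosure stands alone; the treatment disclosure is exempt, the 2004 disclosure predates the constructed compliance date, and the 2001 disclosure is outside the six-year window. Keeping the exempt set and the groupable authorities as explicit data, rather than burying them in conditions, is what makes the logic reviewable when the policy is audited.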
Business associate. A person who, on behalf of a covered
entity or of an organized health care arrangement [45 CFR § 154.501] in
which the covered entity participates, but other than in the capacity of a
member of the workforce of such covered entity or arrangement, performs,
or assists in the performance of . . . a function or activity involving
the use or disclosure of individually identifiable health information,
including claims processing or administration, data analysis, processing
or administration, utilization review, quality assurance, billing, benefit
management, practice management, and repricing; or any other function or
activity regulated by this subchapter; or provides, other than in the
capacity of a member of the workforce of such covered entity, legal,
actuarial, accounting, consulting, data aggregation [45 CFR § 164.501],
management, administrative, accreditation, or financial services to or for
such covered entity, or to or for an organized health-care arrangement in
which the covered entity participates, where the provision of the service
involves the disclosure of individually identifiable health information
from such covered entity or arrangement, or from another business
associate of such covered entity or arrangement, to the individual [45 CFR
§ 160.103].
Covered entity. 1) a health plan; 2) a healthcare
clearinghouse; 3) a healthcare provider who transmits any health
information in electronic form in connection with a transaction [45 CFR §
160.103].
Covered functions. Those functions of a covered entity
the performance of which makes the entity a health plan, healthcare
provider, or healthcare clearinghouse [45 CFR § 164.103].
Data aggregation. With respect to protected health
information created or received by a business associate in its capacity as
the business associate of a covered entity, the combining of such
protected health information by the business associate with the protected
health information received by the business associate in its capacity as a
business associate of another covered entity, to permit data analyses that
relate to the health-care operations of the respective covered entities
[45 CFR §164.501].
Deidentified health information. Health information
that does not identify an individual and with respect to which no
reasonable basis exists to believe that the information can be used to
identify an individual is not individually identifiable information [45
CFR § 164.514(a)].
Disclosure. The release, transfer, provision of access
to, or divulging in any other manner of information outside the entity
holding the information [45 CFR § 160.103].
Electronic media. 1) Electronic storage media including
memory devices in computers (hard drives) and any removable/transportable
digital memory medium, such as magnetic tape or disk, optical disk, or
digital memory card; or 2) transmission media used to exchange information
already in electronic storage media. Transmission media include, for
example, the Internet (wide-open), extranet (using Internet technology to
link a business with information accessible only to collaborating
parties), leased lines, dialup lines, private networks, and the physical
movement of removable/transportable electronic storage media. Certain
transmissions, including of paper, via facsimile, and of voice, via
telephone, are not considered to be transmissions via electronic media,
because the information being exchanged did not exist in electronic form
before the transmission [45 CFR § 160.103].
Health care. Care, services, or supplies related to the
health of an individual. It includes but is not limited to 1) preventive,
diagnostic, therapeutic, rehabilitative, maintenance, or palliative care,
and counseling, service, assessment, or procedure with respect to the
physical or mental condition, or functional status, of an individual or
that affects the structure or function of the body; and, 2) sale or
dispensing of a drug, device, equipment, or other item in accordance with
a prescription [45 CFR § 160.103].
Healthcare clearinghouse. A public or private entity,
including a billing service, repricing company, community health
management information system, community health information system, or
value-added network or switch that 1) processes or facilitates the
processing of health information received from another entity in a
nonstandard format or containing nonstandard data content into standard
data elements or a standard transaction or 2) receives a standard
transaction from another entity and processes or facilitates the
processing of health information into nonstandard format or nonstandard
data content for the receiving entity [45 CFR § 160.103].
Healthcare operations. Any of the following activities
of the covered entity to the extent that the activities are related to
covered functions: 1) conducting quality assessment and improvement
activities, population-based activities, and related functions that do
not include treatment; 2) reviewing the competence or qualifications of
health care professionals, evaluating practitioner, provider, and health
plan performance, conducting training programs where students learn to
practice or improve their skills as healthcare providers, training of
nonhealthcare professionals, accreditation, certification, licensing, or
credentialing activities; 3) underwriting, premium rating, and other
activities relating to the creation, renewal or replacement of a contract
of health insurance or benefits; 4) conducting or arranging for medical
review, legal services, and auditing functions, including fraud and abuse
detection and compliance programs; 5) business planning and development,
such as conducting cost-management and planning-related analyses related
to managing and operating the entity, including formulary development and
administration, development or improvement of methods of payment or
coverage policies; and 6) business management and general administrative
activities of the entity [45 CFR § 164.501].
Healthcare provider. A provider of services (as
defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of
medical or healthcare services (as defined in section 1861(s) of the
Act, 42 U.S.C. 1395x(s)), and any other individual or organization that
furnishes, bills, or is paid for health care in the normal course of
business [45 CFR § 160.103].
Health information. Any information, whether oral or
recorded in any form or medium, that 1) is created or received by a healthcare
provider, health plan, public health authority, employer, life insurer,
school or university, or healthcare clearinghouse; and 2) relates to the
past, present, or future physical or mental health or condition of an
individual, the provision of health care to an individual, or the past,
present, or future payment for the provision of health care to an
individual [45 CFR § 160.103].
Health plan. An individual or group plan that provides,
or pays the cost of, medical care (as defined in section 2791(a)(2) of the
PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following,
singly or in combination: (i) a group health plan as defined in 45 CFR §
160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in
45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR
§ 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program
under title XVIII of the Act; (v) the Medicaid program under title XIX of
the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental
policy, (as defined in section 1882(g)(1) of the Act, 42 U.S.C.
1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a
nursing home fixed-indemnity policy; (viii) an employee welfare benefit
plan or any other arrangement that is established or maintained for the
purpose of offering or providing health benefits to the employees of two
or more employers; (ix) the health care program for active military
personnel under title 10, U.S.C.; (x) the veterans health-care program
under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of
the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii)
the Indian Health Service program under the Indian Health Care Improvement
Act, 25 U.S.C. 1601, et seq.; (xiii) the Federal Employees Health Benefits
Program under 5 U.S.C. 8902, et seq.; (xiv) an approved state child health
plan under title XXI of the Act, providing benefits for child health
assistance that meet the requirements of section 2103 of the Act; 42 U.S.C.
1397, et seq.; (xv) the Medicare+Choice program under Part C of title
XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high-risk
pool that is a mechanism established under state law to provide health
insurance coverage or comparable coverage to eligible individuals; (xvii)
any other individual or group plan, or combination of individual or group
plans, that provides or pays for the cost of medical care (as defined in
section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR §
160.103].
The term health plan excludes: (i) any policy, plan, or program to the
extent that it provides, or pays for the cost of, excepted benefits that
are listed in §2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and,
(ii) a government-funded program, other than one listed in items (i)-(xvi)
above, whose principal purpose is other than providing, or paying the cost
of, health care, or whose principal activity is 1) the direct provision of
health care to individuals; or 2) the making of grants to fund the direct
provision of health care to individuals [45 CFR § 160.103].
Hybrid entity. A single legal entity 1) that is a covered
entity; 2) whose business activities include both covered and noncovered
functions; and 3) that designates its health-care components [45 CFR §
164.103].
Individually identifiable health information. A subset of
health information, including demographic information collected from an
individual, that 1) is created or received by a healthcare provider,
health plan, employer, or healthcare clearinghouse; and, 2) relates to
the past, present, or future physical or mental health or condition of an
individual, the provision of health care to an individual, or the past,
present, or future payment for the provision of health care to an
individual; and, that identifies the individual or where there is a
reasonable basis to believe the information can be used to identify the
individual [45 CFR § 164.501].
Limited data set. Protected health information that
excludes certain direct identifiers of the individual or of relatives,
employers, or household members of the individual. Direct identifiers to
be excluded can be found in 45 CFR § 164.514(e)(2).
Minimum necessary. For any type of disclosure that a
covered entity makes on a routine and recurring basis, the covered
entity must implement policies and procedures (which may be standard
protocols) that limit the protected health information disclosed to the
amount reasonably necessary to achieve the purpose of the disclosure. For
all other disclosures, covered entities must develop and implement
criteria designed to limit the protected health information disclosed to
the information reasonably necessary to accomplish the purpose for which
disclosure is sought and review requests for disclosure on an individual
basis in accordance with such criteria. A covered entity may rely, if such
reliance is reasonable under the circumstances, on a requested disclosure
as the minimum necessary for the stated purpose when (a) making
disclosures to public officials that are permitted under 45 CFR §
164.512, if the public official represents that the information requested
is the minimum necessary for the stated purpose, (b) the information is
requested by another covered entity, (c) their business associates
providing personal services, or (d) documentation or representations that
comply with the applicable requirements of 45 CFR § 164.512(i) have been
provided by an individual requesting the information for research purposes
[45 CFR § 164.514(d)(3)].
The minimum necessary standard also applies to uses of protected health
information [45 CFR § 164.514(d)(2)] and requests for protected health
information [45 CFR § 164.514(d)(4)].
Notice. An individual, with certain exceptions, has a
right to adequate notice of the uses and disclosures of protected health
information that may be made by the covered entity and of the individual's
rights, and the covered entity's legal duties, with respect to protected
health information. The notice must be written in plain language and
contain the following elements: (i) a header as specified in the rule;
(ii) a description, including at least one example, of the types of uses
and disclosures that the covered entity is permitted to make for
treatment, payment, and health care operations, and a description of each
of the other purposes for which the covered entity is permitted or
required to use or disclose protected health information without the
individual's written consent or authorization. If a use or disclosure is
prohibited or materially limited by other applicable law, the description
of such use or disclosure must reflect the more stringent law (as defined
in 45 CFR § 160.202). Each description must include sufficient detail to
place the individual on notice of the uses and disclosures that are
permitted or required by the Privacy Rule or other applicable law, and a
statement that other uses and disclosures will be made only with the
individual's written authorization and that the individual may revoke such
authorization as provided by 45 CFR § 164.508(b)(5).
A separate statement must be included in the notice if a covered entity
intends to engage in any of the following activities. The statement should
explain that 1) the covered entity may contact the individual to provide
appointment reminders or information regarding treatment alternatives or
other health-related benefits; 2) the covered entity may contact the
individual to raise funds for the covered entity; or 3) a group health
plan, health insurer, or HMO with respect to a group health plan may
disclose protected health information to the sponsor of the plan.
The notice must contain a statement of the individual's rights with
respect to the protected health information and a brief description of how
the individual may exercise these rights, a statement of the covered
entity's duties, a statement that individuals may complain to the covered
entity or the Secretary if they believe their privacy rights have been
violated, contact information, and the effective date of the notice [45
CFR § 164.520].
Payment. 1) The activities undertaken by (i) a health
plan to obtain premiums or to determine or fulfill its responsibility for
coverage and provision of benefits under the health plan; or (ii) a healthcare
provider or health plan to obtain or provide reimbursement for the
provision of health care; and 2) the activities relate to the individual
to whom health care is provided and include, but are not limited to (i)
determinations of eligibility or coverage and adjudication or subrogation
of health benefit claims; (ii) risk adjusting amounts due based on
enrollee health status and demographic characteristics; (iii) billing,
claims management, collection activities, obtaining payment under a
contract for reinsurance (including stop-loss insurance) and related
health-care data processing; (iv) review of health-care services with
respect to medical necessity, coverage under a health plan,
appropriateness of care, or justification of charges; (v) utilization
review activities, including precertification and preauthorization of
services, concurrent and retrospective review of services; and (vi)
disclosure to consumer reporting agencies of any of the following
protected health information relating to collection of premiums or
reimbursement: (a) name and address; (b) date of birth; (c) social
security number; (d) payment history; (e) account number; and (f) name and
address of the healthcare provider or health plan [45 CFR § 164.501].
Protected health information (PHI). Individually
identifiable health information that is transmitted by electronic media,
maintained in electronic media, or transmitted or maintained in any other
form or medium. PHI excludes individually identifiable health information
in: (i) education records covered by the Family Education Rights and
Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C.
1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity
in its role as employer [45 CFR § 160.103].
Public health authority. An agency or authority of the
United States, a state, a territory, a political subdivision of a state or
territory, or an Indian tribe, or an individual or entity acting under a
grant of authority from or contract with such public agency, including the
employees or agents of such public agency or its contractors or
individuals or entities to whom it has granted authority, that is
responsible for public health matters as part of its official mandate [45
CFR § 164.501].
Examples of public health authorities include state and local health
departments, CDC, National Institutes of Health (NIH), Food and Drug
Administration (FDA), and Occupational Safety and Health Administration (OSHA).
Required by law. A mandate contained in law that compels
an entity to make a use or disclosure of protected health information and
that is enforceable in a court of law. This term includes, but is not
limited to court orders and court-ordered warrants; subpoenas or summons
issued by a court, grand jury, a governmental or tribal inspector general,
or an administrative body authorized to require the production of
information; a civil or an authorized investigative demand; Medicare
conditions of participation with respect to healthcare providers
participating in the program; and statutes or regulations that require the
production of information, including statutes or regulations that require
such information if payment is sought under a government program providing
public benefits [45 CFR § 164.103].
Research. A systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute to
generalizable knowledge [45 CFR § 164.501].
Statistical deidentification. A properly qualified
statistician using accepted analytical techniques concludes that the risk
is limited that the information could be used, alone or in combination
with other reasonably available information to identify the subject of the
information [45 CFR § 164.514(b)].
Safe harbor method. A covered entity or its agent removes
a comprehensive set of identifiers enumerated in the Privacy Rule, which
includes but is not limited to, names, geographic subdivisions smaller
than states, dates more specific than years, contact information,
identification numbers and photographic images, and has no actual
knowledge that the remaining information could be used alone or in
combination with other information to identify the individual who is a
subject of the information, or the individual's relatives, employers, or
household members. Eighteen specific identifiers will need to be removed
to achieve deidentification [45 CFR § 164.514(b)].
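The safe harbor method as defined above has two parts: a mechanical one (strip the enumerated identifiers, reduce dates to the year and geography to the state) and a human one (no actual knowledge that what remains still identifies the individual). The Python below is an added example written for this appendix, not code from the Privacy Rule or from any covered entity, and it implements only the identifier categories the definition names; the full enumeration is in 45 CFR § 164.514(b). All field names (`name`, `mrn`, `diagnosis_code`, `clinician_notes` and so on) and the sample record are constructed for the example. The design choice worth noting is the allowlist: any field not explicitly permitted is dropped, so a column added later to the source schema cannot leak by default.

```python
import re

# Clinical fields kept unchanged (constructed names for this example; a real
# schema would allowlist its own non-identifying fields).
ALLOWED_FIELDS = {"sex", "diagnosis_code", "lab_result", "visit_type"}
# Date fields reduced to the year, as the definition requires.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Geography: the state is kept; city, ZIP and street are finer than a state
# and, not being allowlisted, are dropped.
STATE_FIELDS = {"state"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Patterns suggesting an identifier survived inside a string value; a post-check
# on the output, not a substitute for the allowlist.
RESIDUAL_PATTERNS = {
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "phone_like": re.compile(r"\b\d{3}[-. ]\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email_like": re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+"),
}


def year_only(value) -> int:
    """Reduce an ISO date to its year; reject anything else rather than guess."""
    m = ISO_DATE.match(str(value))
    if not m:
        raise ValueError(f"date fields must be ISO YYYY-MM-DD, got {value!r}")
    return int(m.group(1))


def safe_harbor(record: dict, actual_knowledge_of_reidentification: bool = False) -> dict:
    """Return a safe-harbor deidentified copy of `record` (allowlist based)."""
    if actual_knowledge_of_reidentification:
        # The second half of the method is a human judgement; the caller records
        # it here and the function refuses to label the output deidentified.
        raise ValueError("safe harbor unavailable: residual data is known to identify the individual")
    out = {}
    for field, value in record.items():
        if field in ALLOWED_FIELDS or field in STATE_FIELDS:
            out[field] = value
        elif field in DATE_FIELDS:
            out[f"{field}_year"] = year_only(value)
        # Everything else (names, contact details, identification numbers,
        # photographs, sub-state geography, free text) is omitted.
    return out


def residual_identifier_patterns(record: dict):
    """List (field, pattern_name) pairs for string values that still look identifying."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for name, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, name))
    return hits


def refuses_with_actual_knowledge(record: dict) -> bool:
    """True if safe_harbor declines to produce output once actual knowledge is asserted."""
    try:
        safe_harbor(record, actual_knowledge_of_reidentification=True)
    except ValueError:
        return True
    return False


# Constructed sample record; every value is invented.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "street_address": "12 Example Lane",
    "city": "Springfield",
    "zip": "62701",
    "state": "IL",
    "date_of_birth": "1960-07-04",
    "admission_date": "2008-02-10",
    "photo": b"<jpeg bytes>",
    "sex": "F",
    "diagnosis_code": "E11.9",
    "lab_result": "HbA1c 7.1%",
    "clinician_notes": "Seen with spouse on 2008-02-10; call 555-0100 to follow up",
}


if __name__ == "__main__":
    cleaned = safe_harbor(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifier patterns:", residual_identifier_patterns(cleaned))
```

On the sample record the output keeps only the state, the two years, sex, diagnosis code and lab result; the free-text note, which repeats both the admission date and a phone number, is dropped because it is not allowlisted, and the residual-pattern check on the output comes back empty while the same check on the raw record flags the phone, date and e-mail values. The example drops ZIP codes entirely, which is stricter than the Rule's treatment of ZIP prefixes, a simplification made here for brevity.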
Transaction. The transmission of information between two
parties to carry out financial or administrative activities related to
health care. It includes the following types of information transmissions:
health care claims or equivalent encounter information; health care
payment and remittance advice; coordination of benefits; health care claim
status; enrollment and disenrollment in a health plan; eligibility for a
health plan; health plan premium payments; referral certification and
authorization; first report of injury; health claims attachments; and
other transactions that the Secretary may prescribe by regulation [45 CFR
§ 164.103].
Treatment. The provision, coordination, or management of
health care and related services by one or more healthcare providers,
including the coordination or management of health care by a healthcare
provider with a third party; consultation between healthcare providers
relating to a patient; or the referral of a patient for health care from
one healthcare provider to another [45 CFR § 164.501].
Use. With respect to individually identifiable health
information, the sharing, employment, application, utilization,
examination, or analysis of such information within an entity that
maintains such information [45 CFR § 160.103].