| A | B |
|---|
| Administrative simplification | streamline and standardize healthcare industry’s inefficient business practices |
| Consent | detailed document giving a covered entity permission to use or disclose PHI for treatment, payment and operations |
| Affiliated covered entity | legally separate covered entities, affiliated by common ownership or control |
| Business associate (BA) | person or organization outside of the covered entity, that performs functions or activities involving PHI on their behalf |
| Business associate agreement (BAA) | signed contract that allows covered entity providers to disclose PHI to another entity who in turn agrees to abide by the provider's security and privacy requirements |
| Covered entity (CE) | a healthcare provider, plan, or clearinghouse that is required to comply with HIPAA |
| De-identified information | where personal characteristics have been stripped resulting in being unable to identify the patient to whom the documents pertain |
| Designated record set (DRS) | group of records maintained by or for a covered entity that is used for making decisions about the patient |
| Disclosure | release of identifiable patient information to another person or entity |
| Facility directory | a list of patients currently being treated in the facility |
| Hybrid entity | an entity that performs both covered and noncovered functions under the HIPAA privacy rule |
| Incidental uses and disclosures | occurs as a part of permitted use or disclosure in the course of doing business |
| Individual | the term used by HIPAA to reference the person who is the subject of PHI |
| Limited data set | PHI that excludes direct identifiers of the individual, where the information is not considered de-identified |
| Minimum necessary | limits access, use and disclosure of PHI based on a "need to know" basis |
| Notice of Privacy Practices (NPP) | informs individuals as to how a covered entity uses and discloses their patient-identifiable information as well as the individual's right and the entities legal duties regarding that information |
| Organized healthcare arrangement (OHCA) | two or more covered entities that share PHI and that are recognized by the public as a single entity |
| Personal representative | one who has the legal authority to act on behalf of another individual and who is treated as the individual regarding use and disclosure of PHI |
| Privacy Rule | another name for the portion of HIPAA legislation that relates to the access use and disclosure of PHI |
| Protected health information (PHI) | individually identifiable health information that is transmitted or maintained in electronic or any other form or medium |
| Psychotherapy notes | documentation by mental health professional, that is part of counseling but which is not a part of the health record; it does not include diagnosis, treatments test results or prescriptions |
| Re-disclosure | disclosure of PHI by an entity that was received from another entity that was responsible for creating it |
| Safe Harbor method | the removal of 18 specified identifiers to assure that the identity of the subject remains unidentifiable |
| Treatment, payment, and operations (TPO) | functions that must be carried out by a covered entity in order for them to successfully conduct business; privacy rule requirements are relaxed or removed where PHI is needed |
| Use | the sharing, employment, application, utilization, examination, or analysis of PHI within a covered entity that is responsible for maintaining said information |
| Workforce | includes employees, volunteers, trainees and others who are under the direct control of the entity and who use or have access to PHI under the entity's control |
| Authorization | written permission from the individual or the individual's personal representative allowing a specific disclosure |
