HIPAA Glossary
ACE-Affiliated Covered Entity
Affiliated Covered Entity-legally separate covered entities that may designate themselves as a single affiliated covered entity.
AOD-Accounting of Disclosures
BA-Business Associate.
BAA-Business Associate Agreement
Business Associate-any individual or organization that performs a function or service on behalf of an entity covered under the HIPAA Privacy Rule and requires access to PHI from your organization to do so. A BA is not a member of the covered entity's workforce.
CC-Covered Component
CE-Covered Entity
CIO-Chief Information Officer
CISO-Chief Information Security Officer
Covered Component-the part(s) of a hybrid entity that must comply with HIPAA regulations.
Covered Entity-a person or entity that must comply with HIPAA regulations.
Covered Transactions-the electronic exchange of information between two parties to carry out financial or administrative activities related to health care. It includes the following: health care claims, payment and remittance advice, coordination of benefits, claim status, enrollment/disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification, first report of injury, health claims attachments, etc. See Electronic Media, below.
DHHS-Department of Health and Human Services
EDI-Electronic Data Interchange
Electronic (Media)-refers to the mode of electronic transmission. It includes the Internet, extranet, leased lines, dial-up, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk or compact disk.
EIN-Employer Identification Number
HCFA-Health Care Financing Administration
HL7-Health Level 7
HIPAA-Health Insurance Portability and Accountability Act of 1996
Hybrid Entity-any organization that performs both HIPAA-covered and non-covered functions. In other words, hybrid entities provide health care in some parts of their organization, while other parts may handle health care information only incidentally, or not at all. Some examples include universities, state and local governments, and companies that have a self-insured health plan.
Individually Identifiable Information-health information that is protected by HIPAA and is attributed to a unique individual. The identifiers are as follows:
- Names
- All address information except for the first three digits of a zip code under certain conditions with population areas over 20,000 people
- All elements of dates (except year) for dates related to an individual (e.g., birth date, treatment date, discharge date, date of death, etc.)
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers for your computer
- Biometric identifiers, including finger and voice prints
- Full face photographic images
- Any other unique identifying number, characteristic or code unless the entity does not have access to the code to re-identify the patient
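The identifier list above is the basis of "safe harbor" de-identification: drop the direct identifiers, reduce dates to the year, and keep only the first three ZIP digits where that 3-digit area holds more than 20,000 people. The following Python script is an added example, not part of the original glossary or any HIPAA publication. It assumes a constructed patient record, a constructed lookup table of "large" 3-digit ZIP areas (a real implementation would load census data), and a small set of regular expressions that scrub obvious phone, e-mail, SSN and IP patterns out of free-text notes; the regexes are a heuristic and not a complete PHI detector.

```python
"""Safe-harbor style de-identification of a patient record (added example).

Applies the glossary's identifier list to a constructed record:
direct identifiers are removed, dates are reduced to the year, ZIP codes
are truncated to their first three digits only when the 3-digit area is
assumed to hold more than 20,000 people, and free text is scrubbed.
"""
import re
from typing import Any

# Fields that carry the listed direct identifiers; dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}
ZIP_FIELDS = {"zip"}

# CONSTRUCTED lookup (assumption): 3-digit ZIP prefixes whose combined
# population is taken to exceed 20,000. Everything else collapses to "000".
LARGE_ZIP3_AREAS = {"021", "100", "606"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Heuristic patterns for identifiers that leak into free-text notes.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only for large areas; otherwise '000'."""
    prefix = zip_code.strip()[:3]
    return prefix if prefix in LARGE_ZIP3_AREAS else "000"


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year; reject other formats."""
    m = ISO_DATE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)


def scrub_text(text: str) -> str:
    """Replace recognisable identifier patterns in free text."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a new record with identifiers removed or generalized."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key in ZIP_FIELDS:
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # notes, comments, etc.
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Audit check: list identifier fields or text patterns still present."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            found.append(key)
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return found


# CONSTRUCTED sample record; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "birth_date": "1975-04-12",
    "discharge_date": "2023-11-03",
    "zip": "02139",
    "diagnosis_code": "E11.9",
    "notes": "Call 617-555-0123 or jane@example.com before discharge.",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after: ", cleaned)
    print("residual:", residual_identifiers(cleaned))
```

The `residual_identifiers` check is the part worth keeping in a release pipeline: run it on every record after de-identification and block the export if it returns anything, since a single leaked identifier in a notes field makes the whole data set PHI again.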
Minimum Necessary-covered entities must take reasonable steps to ensure that the use or disclosure of protected health information is kept to the minimum necessary to accomplish the intended purpose.
NIST-National Institute of Standards and Technology. The HIPAA Security Rule makes many references to the following NIST standards as a base model for the various security activities:
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems
- NIST SP 800-16, IT Security Training Requirements
- NIST SP 800-30, Risk Management Guide for IT Systems
- NIST SP 800-33, Underlying Models for IT Security
- The most useful NIST standard, though not mentioned in the Security Rule because it had not yet been written, is NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule
NPI-National Provider Identifier
NPP-Notice of Privacy Practices
NPRM-Notice of Proposed Rule Making
PHI-Protected Health Information
ROI-Release of Information
TPO-Treatment, Payment, and Operations
WEDI-Workgroup for Electronic Data Interchange
Workforce-employees, volunteers, trainees, and others whose conduct is under the direct control of a covered entity.
X12N-ANSI Accredited Standards Committee's EDI Subcommittee on Insurance Standards