Glossary of the terms used within the HIPAA business areas.

The CalOHI glossary includes all definitions and acronyms for General HIPAA, Privacy and Transactions and Code Sets. We will post EIN and Security terms and definitions in the near future. If you would like to see the definitions for a specific Rule, see the links below:

• If you would like to see only General definitions, they can be found in Policy Memorandum 2004-46, Exhibit 1

• If you would like to see only Privacy definitions, they can be found in Policy Memorandum 2004-46, Exhibit 2

• If you would like to see only Transactions and Code Sets definitions, they can be found in Policy Memorandum 2004-53, Transactions and Code Sets Terms and Definitions

Browse HIPAA Glossary by Alphabet:
A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z

HIPAA Glossary Help

 

ACCESS

Access is the inspection or copying of Protected Health Information (PHI) by the individual who is the subject of the PHI or by an individual's personal representative. Personal representatives are allowed access to the information that is relevant to their role as personal representatives.

[For more information, see 45 C.F.R. § 164.524]


ACCOUNTING OF DISCLOSURES

An accounting of disclosures is a report to an individual made upon their request that provides information about the disclosures (for which HIPAA requires an accounting) of the individual's Protected Health Information (PHI) that a covered entity has made. The report includes:

• The date of the disclosures,
• The name of the person or organization to whom the PHI was disclosed,
• A brief description of the PHI, and
• A brief statement of the purposes for the disclosure(s).

An accounting is not required for disclosures made:

• Prior to the covered entity's compliance date,
• For treatment, payment, or health care operations (TPO),
• To the individual pursuant to the individual's written authorization, or
• As part of a limited data set.

[For more information, see 45 C.F.R. § 164.528]


ACCREDITED STANDARDS COMMITTEE (ASC) X12

The Accredited Standards Committee (ASC) X12 is an organization accredited and chartered by the American National Standards Institute (ANSI) to develop inter-industry electronic standards for a wide range of business applications.

For example, ASC X12 has been named a Designated Standards Maintenance Organization (DSMO) in the HIPAA Transactions and Code Sets (TCS) Rule.

[45 C.F.R. § 142.103]

For more information: www.x12.org


ACT

The Social Security Act.

[45 C.F.R. § 160.103 (definition of Act)]


ADMINISTRATIVE CODE SETS

Administrative Code Sets are code sets that characterize a general business situation rather than a medical condition or service. Under HIPAA, these are sometimes referred to as non-clinical or non-medical code sets. For a comparison, see medical code sets.

For more information: Center for Medicare and Medicaid Services Glossary or www.cms.hhs.gov/glossary


ADMINISTRATIVE SIMPLIFICATION (A/S)

Administrative simplification is the aspect of HIPAA that requires one national standard for transactions and code sets, unique identifiers, and the privacy and security of health information. Aspects of administrative simplification give the Secretary of the U.S. Department of Health and Human Services (HHS) the authority to mandate standardized Electronic Data Interchange (EDI) to reduce the administrative costs associated with health care operations.


AFFILIATED ENTITIES

Affiliated covered entities (see covered entity) are legally distinct entities that share common control or common ownership that opt to designate themselves as one affiliated covered entity for the purposes of complying with HIPAA privacy standard. HIPAA allows these legally distinct covered entities that share common control or ownership to designate themselves, or their health care components, as a single covered entity. Affiliated entities are held to the same requirements as covered entities, but are allowed to provide one Notice of Privacy Practices (NPP) as long as it reflects the Privacy Policies and Procedures of all of the covered entities that make up the affiliated entity.

[45 C.F.R. § 164.504(d)(1)]


AMEND OR AMENDMENTS

An amendment is the request by an individual to make an addendum, alternation, or attachment to a designated record set containing their Protected Health Information (PHI).

[45 C.F.R. § 164.526]


AMERICAN DENTAL ASSOICATION (ADA)

The American Dental Association (ADA) is a professional organization for dentists responsible for maintenance of the hardcopy dental claim form, the associated submission specifications, and the Current Dental Terminology (CDT) code set. The ADA has a formal consultative role under HIPAA and hosts the Dental Content Committee.

 

For more information: www.ada.org/public/index.asp


AMERICAN HOSPITAL ASSOCIATION (AHA)

The American Hospital Association (AHA) is a health care industry association that represents the concerns of institutional providers. The AHA hosts the National Uniform Billing Committee (NUBC).

For more information: www.aha.org/aha/index.jsp


AMERICAN MEDICAL ASSOCIATION (AMA)

The American Medical Association (AMA) is a professional organization for physicians. The National Uniform Claim Committee (NUCC) is an AMA committee that has a formal consultative role under HIPAA. The AMA is responsible for the maintenance of the Current Procedural Terminology (CPT) code set.

For more information: www.ama-assn.org


AMERICAN NATIONAL STANDARDS (ANS)

The American National Standards (ANS) are guidelines for coordinating and developing consensus that include:

• Clarification and consistency of language on a proposed standard,
• Broad-based public review and comment, and
• Incorporation of approved changes.

The American National Standards Institute (ANSI) facilitates the development and these standards.

For more information: www.ansi.org


AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI)

The American National Standards Institute (ANSI) is a private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system. It promotes and facilitates voluntary consensus standards and conformity assessment systems. It facilitates the development of the American National Standards (ANS).

 

For more information: www.ansi.org


ASC X12N

ASC X12N is the ASC X12 Subcommittee chartered to develop electronic standards specific to the insurance industry including healthcare.

[45 C.F.R. § 142.103]

For more information: www.x12.org


ASSOCIATION FOR ELECTRONIC HEALTH CARE TRANSACTIONS (AFEHCT)

The Association for Electronic Health Care Transactions (AFEHCT) promotes efficient, secure, and cost-effective health information data exchanges in an open electronic environment utilizing industry standards for the health care vendor community. AFEHCT communicates usable and timely information about opportunities and obstacles in relevant federal and state health care policy formulation to the health care vendor community and others who share the association's goals and interests. Through informed advocacy, the association influences legislative and regulatory policy-making that may impact health care Information Technology solutions associated with the delivery, financing, and administration of health care.

For more information: www.afehct.org


AUTHORIZATION

An authorization is a valid document providing an individual's permission to a covered entity to disclose the individual's Protected Health Information (PHI). An authorization limits the amount of PHI a covered entity may release to that which is relevant to the purpose of the disclosure.

[45 C.F.R. § 164.508]


BENEFIT ENROLLMENT AND MAINTENANCE (834)

The Benefit Enrollment/Disenrollment and Maintenance (834) is an X12 standard format for enrollment data. This transaction is used to transfer enrollment information from the sponsor of the insurance coverage, benefits, or policy to a payer (e.g. health plan).

For more information on the 834 see the ASC X12N Insurance Subcommittee Implementation Guides at: www.wpc-edi.com/Default_40.asp


BUSINESS ASSOCIATE (BA)

A Business Associate is a person or organization, other than a member of the covered entity's workforce, that performs or assists in the performance of:

• A function or activity involving the use or disclosure of Individually Identifiable Health Information (IIHI) including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or
• Any other function or activity regulated by the HIPAA Privacy Rule, or
• Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Business associates perform these functions on behalf of covered entities (See covered entity) or to an Organized Health Care Arrangement (OHCA). A covered entity can be a Business Associate of another covered entity.

[45 C.F.R. § 160.103 (Definition of Business Associate) and 164.504(e)]


BUSINESS ASSOCIATE AGREEMENT

A business associate agreement is a contract, written agreement, interagency agreement, Memorandum of Understanding (MOU), regulatory or statutorily binding relationship, or other legally binding document between two parties where one is performing a service for the other. When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the Privacy Rule requires that the covered entity include certain protections for the Protected Health Information (PHI) in a Business Associate Agreement (in certain circumstances, governmental entities may use alternative means to achieve the same protections, such as an MOU.

In a Business Associate contract, a covered entity must impose specified written safeguards on the Individually Identifiable Health Information (IIHI) used or disclosed (See disclosure) by its Business Associate (BA). Moreover, a covered entity may not contractually authorize its Business Associate to make any uses or disclosures of PHI that would violate the HIPAA Privacy Rule.

[For more information, see 45 C.F.R. §§ 160.103 (definition of a business associate), 164.502(e), & 164.504(e)]


BUSINESS PARTNER (BP)
See Business Associate (BA).


CENTERS FOR MEDICARE AND MEDICAID SERVICES (CMS)-1500

The Center for Medicare and Medicaid Services (CMS)-1500 is the Centers for Medicare and Medicaid Services' hardcopy claim form. This form may also be known as the Health Care Financing Administration (HCFA)-1500.

For more information: Center for Medicare and Medicaid Services Medicare Paper Claim Forms and Instructions, http://www.cms.hhs.gov/providers/edi/edi5.asp#Form%20CMS-1500 or www.cms.hhs.gov/glossary


CLAIM ADJUSTMENT REASON CODES

 

Claim Adjustment Reason Codes is a national standard administrative code set that identifies reasons for differences or adjustments between the original provider charge for a claim or service and the payer's payment for it. This code set is used for X12 Health Care Claim Payment and Advice (835) and X12 Health Care Claim (837), formats, maintained by the Health Care Code Maintenance Committee.


CLAIM ATTACHMENT

A Claim Attachment can be one of a variety of hardcopy forms or electronic records used to provide supplemental information to electronic records for approval/payment of a claim itself.

For more information: Center for Medicare and Medicaid Services Glossary or www.cms.hhs.gov/glossary


CLAIM STATUS CATEGORY CODES

Claim Status Category Codes are a national administrative code set that indicate the general status of health care claims when they are accepted, rejected or additional information is needed. The Health Care Code Maintenance Committee is responsible for the maintenance of these codes.

For more information: www.wpc-edi.com


CLAIM STATUS CODES

Claim Status Codes are a standard national administrative code set used to provide details about claim being received, pended or paid. The Health Care Code Maintenance Committee is responsible for the maintenance of these codes.

For more information: www.wpc-edi.com


CLEARINGHOUSE

See Health Care Clearinghouse.

CODE SET MAINTAINING ORGANIZATION

A Code Set Maintaining Organization is an organization under HIPAA that creates and maintains the code sets adopted by the Secretary of the U.S. Department of Health and Human Services (HHS) for use in transactions for which HIPAA standards are adopted. They are:

• American Medical Association (AMA),
• American Dental Association (ADA),
• National Center for Health Statistics (NCHS),
• Centers for Medicare and Medicaid Services (CMS),
• HCPCS National Editorial Panel, and
• Food and Drug Administration.

[45 C.F.R. § 162.103]


CODE SETS

Under HIPAA, code sets are sets of codes used to encode data elements, such as terms, medical concepts, medical diagnostic codes, or medical procedures. A code set consists of the codes and descriptors.

The Administrative Simplification (A/S) provisions of HIPAA require the Secretary of the U.S. Department of Health and Human Services (HHS) to adopt standard code sets for administrative and financial transactions.

The codes specified in the Transactions and Code Sets Rule and their applications are:

• International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2, Diagnosis
  
  • Diseases,
  • Injuries,
  • Impairments,
  • Other health problems and their manifestations, and
  • Causes of injury, disease, impairment, or other health problems.
• International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volume 3, Procedures
  
  • Prevention,
  • Diagnosis,
  • Treatment, and
  • Management.
• National Drug Codes (NDC) or Health Care Common Procedure Coding System (HCPCS)
  
  • Prevention, and
  • Diagnosis.
• Code on Dental Procedures and Nomenclature (CDT)
  
  • Prevention.
• Combination of Healthcare Common Procedure Coding System (HCPCS - Level II) and Current Procedural Terminology, Fourth Edition (CPT - 4)
  
  • Â Physician services,
  • Physical and occupational therapy services,
  • Radiologic procedures,
  • Clinical laboratory tests,
  • Other medical diagnostic procedures,
  • Hearing and vision services, and
  • Transportation services including ambulance.
• Healthcare Common Procedure Coding System (HCPCS - Level II)
  
  • Medical supplies,
  • Orthotic and prosthetic devices, and
  • Durable medical equipment.

[45 C.F.R. §§ 162.103 & 162.1002]


COMPLIANCE DATE

The dates by which a covered entity must comply with a standard, an implementation specification, or an adopted modification (See modify or modification). The compliance dates are usually 24 months after the effective date of the final rule, but can be up to 36 months for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective date, but can be longer for small health plans and for complex changes.

[45 C.F.R. § 160.103 (definition of compliance date)]


CONFIDENTIALITY OF MEDICAL INFORMATION ACT (CMIA)

The CMIA is the State law that governs individually identifiable health information (IIHI) that is created or maintained by health care providers, health plans, or their contractors.

[California Civil Code § 56 et seq.]


CONTRARY TO

"Contrary to" is a term used to compare a provision of State law to a HIPAA standard, requirement, or implementation specification that means:

• A covered entity would find it impossible to comply with both the State and federal requirements, or
• The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the HIPAA Privacy Rule. [Part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable]

[45 C.F.R. § 160.202]


COORDINATION OF BENEFITS (COB)

Coordination of Benefits (COB) is a process for determining the financial responsibilities of two or more health plans with financial responsibility for a medical claim (i.e. pharmacy, dental, professional and institutional claims).

[Federal Register, Vol. 65, No. 160, Thursday, August 17, 2000, pages 50335 - 50336]


CORRECTIONAL INSTITUTION

A correctional institution is any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center:

• Operated by, or under contract to, the United States, a state, a territory, political subdivision of a state or territory, or an Indian tribe, and
• Used for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody.

Other persons held in lawful custody includes:

• Juvenile offenders and adjudicated delinquents;
• Aliens detained awaiting deportation;
• Persons committed in a Mental Institution through the criminal justice system;
• Witnesses; and
• Others awaiting charges or trial.

[45 C.F.R. § 164.501 (definition of correctional institution), 45 C.F.R. § 164.512 (k)(5) & 45 C.F.R. § 164.520(a)(3)]


COVERED ENTITY

A covered entity is a health plan, a health care clearinghouse, or a health care provider that conducts any standard electronic transaction. The standard electronic transactions are those provided in the Transactions and Code Sets Rule.

[45 C.F.R. § 160.103 (definition of covered entity)]


COVERED FUNCTIONS

Covered functions are those functions performed by a covered entity or its Business Associate (BA) that make the entity a health plan, a health care clearinghouse, or a health care provider and that utilize Protected Health Information (PHI).

[45 C.F.R. §§ 164.103 (definition of covered functions) & 164.503 (definition of covered function)]


CROSS-WALK

Cross-Walk is the conversion of a non-standard code set to the best corresponding code set of the National Code Sets (e.g. HCPCS, CPT, etc).

For converting transactions, see Data Mapping.

[45 C.F.R. Part 162. (Exhibit 1a)]


CURRENT DENTAL TERMINOLOGY (CDT)

Current Dental Terminology (CDT) is a dental procedure code set used in reporting dental services. These codes are included in the Health Care Common Procedure Coding System (HCPCS), maintained by the American Dental Association (ADA) and selected for use in HIPAA transactions.

For more Information: www.ADA.org


CURRENT PROCEDURAL TERMINOLOGY (CPT)

Current Procedural Terminology (CPT) is a medical code set of physician and other services, maintained and copyrighted by the American Medical Association (AMA), and adopted by the U.S. Department of Health and Human Services (HHS) as the standard for reporting physician and other services on standard transactions.

 

For more information: www.ama-assn.org/ama/pub/category/3113.html


DATA AGGREGATION

The creation, receipt, or combining of Protected Health Information (PHI) by a Business Associate (BA), that permits data analysis related to the health care operations of the respective covered entities. Data aggregation gives rise to a business associate relationship if the performance of the service involves the disclosure of PHI to the business associate.

[45 C.F.R. § 164.501 (definition of data aggregation)]


DATA CONDITION

Data Condition is a guideline that describes the circumstances under which a covered entity must use a particular data element or segment.

For example: A physician (the billing provider) has seen a patient, but the payment for the physician's services must go to the clinic for which the physician works part time. In this situation, a Health Care Claim (837) Professional would require a "pay to provider name" segment when the payment is made to the clinic, which is a provider that is different than the billing provider (per ASC X12N Insurance Subcommittee Implementation Guide). In this case, the requirement for a "pay to provider name" is a data condition.

[45 C.F.R. § 162.103 definition]


DATA CONTENT

Data Content are all data elements and code sets inherent in a transaction not related to the format of the transaction. There are two types of data content:

1. Standardization of data elements, including their formats and definition. For example: a data element may define a field's maximum size to be eight characters, or that the field is required or situational.
2. Standardization of the code sets or values that may appear in selected data elements. For example: a code set could be zip codes or procedure codes.

[45 C.F.R. § 162.103]


DATA DICTIONARY

A Data Dictionary is a document or system that lists the data, and their definitions, of a system.

For more information: Center for Medicare and Medicaid Services Glossary or www.cms.hhs.gov/glossary


DATA ELEMENT

A Data Element is the smallest named unit of information in a transaction under HIPAA. Data elements are identified as either simple or compound. Each data element has a name, description, type, minimum, and maximum length.

For example: Submitter Last Name or Organization Name is a data element that requires a maximum of 35 characters and a minimum of one character.

[45 C.F.R. § 162.103]


DATA INTERCHANGE STANDARDS ASSOCIATION (DISA)

The Data Interchange Standards Association (DISA) is an organization that provides administrative services to ASC X12 and several other standards-related groups.

Examples of administrative services the DISA provides are:Specification Development:

• Manage the specification setting process,
• Publish approved specifications, and
• Provide technical guidance.

Organization Administration:

• Provide corporate and general administration,
• Manage finances and accounting procedures,
• Offer membership recruitment, accounting, and retention services, and
• Provide communications, marketing, and meeting support.

For more information: www.disa.org


DATA MAPPING

Data Mapping is the process of matching one data element to its closest equivalent data element within a transaction. The term "Data Mapping" is interchangeable with the term "Cross-Walk".

For converting local codes look up cross-walk.


DATA MODEL

A Data Model is a conceptual model of the information needed to support a business function or process.

For more information: Center for Medicare and Medicaid Services Glossary or www.cms.hhs.gov/glossary


DATA SET

A Data Set is meaningful unit of information exchanged between two parties in a transaction.

For example: A data set is similar to a computer file that contains information that can be processed by software programs. A data set is a computer file of raw claims, as well as, a computer file of approved claims.

[45 C.F.R. § 162.103]


DATA USE AGREEMENT

An agreement between a researcher and a covered entity that limits the use of Protected Health Information (PHI) that is part of a limited data set. The agreement:

• Establishes what information is disclosed (See disclosure),
• Establishes who is permitted to use or receive the data,
• Ensures that the data will not be used or further disclosed,
• Ensures that appropriate safeguards exist to protect the data,
• Ensures that the researcher will report any breaches in the security of the data,
• Ensures that any contractors of the researcher will meet these requirements, and
• Ensures that the researcher will not identify the information or contact the individual

[45 C.F.R. § 164.514(e)]


DE-IDENTIFIED HEALTH INFORMATION

De-Identified Health Information neither identifies, nor provides a reasonable basis to identify, the individual. As such, there are no restrictions on the use and disclosure of de-identified health information. Because the de-identified data does not identify the subject of the information it is neither Protected Health Information (PHI) nor Individually Identifiable Health Information (IIHI).

 

There are two ways to de-identify health information:

• A formal determination of de-identification by a qualified statistician and the statistician's documentation of the analysis justifying the determination, or
• The removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

[45 C.F.R. §§ 164.514(a) & (b)]


DECEDENTS

Decedents are deceased individuals; however, they still retain the rights to the privacy of their health information under HIPAA. Covered entities (See covered entity) may disclose (See disclosure) Protected Health Information (PHI) to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

[45 C.F.R. § 164.502(f)]


DENTAL CONTENT COMMITTEE

Dental Content Committee is the organization hosted by the American Dental Association (ADA) responsible for the maintenance of the data element specifications for dental billing. The ADA has a formal consultative role under HIPAA for all transactions affecting dental health care services.

The Dental Content Committee of the ADA was named a Designated Standards Maintenance Organization (DSMO) in the HIPAA Transactions and Code Sets (TCS) Rule .

 

For more information: www.ada.org/goto/decc/index.html


DESCRIPTOR

Descriptor is the text defining a code in a code set.

[45 C.F.R. § 162.103]


DESIGNATED CODE SET

Designated Code Set is a medical code set or an administrative code set the U.S. Department of Health and Human Services (HHS) has designated for use in one or more of the HIPAA standards.

For more information check CMS Glossary: www.cms.hhs.gov/glossary


DESIGNATED DATA CONTENT COMMITTEE (DESIGNATED DCC)

Designated Standards Maintenance Organization (DSMO) is the term used in the Transactions and Code Sets (TCS) Rule to identify the organizations designated by the Secretary of the U.S. Department of Health and Human Services (HHS) to:

• Be responsible for maintenance of the standards for health care.
• Receive and process requests to adopt new standards or modify adopted standards.

All six organizations named in the TCS Rule as DSMOs signed a Memorandum of Understanding (MOU) agreeing to undertake the functions specified in the TCS regulations and to follow a framework of cooperation with each other and HHS. These named organizations are:

• Accredited Standards Committee,
• Health Level Seven (HL7),
• National Council for Prescription Drug Programs (NCPDP),
• National Uniform Billing Committee (NUBC),
• National Uniform Claim Committee (NUCC), and
• Dental Content Committee of the American Dental Association (ADA).

[45 C.F.R. §§ 162.103 & 162.910]

For more information: www.hipaa-dsmo.org


DESIGNATED RECORD SET

A group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, etc. and which is used by the covered entity to make decisions about the individual.

[45 C.F.R. § 164.501 (definition of designated record set)]

In the final Privacy Rule, the definition of Designated Record Set was modified to specify certain records maintained by or for a covered entity that are always part of the covered entity's designated record sets and to include other records that are used to make decisions about individuals. Examples of Designated Record Sets include:

• For health plans
  
  • Enrollment,
  • Payment,
  • Claims adjudication, and
  • Case and medical management record systems of the plan.
• For covered health care providers:
  
  • Medical record and billing record about individuals maintained by or for the provider,
  • In addition to these records, designated record sets include any other group of records that are used, in whole or in part, by or for a covered entity to make decisions about individuals.
• For clearinghouses, when not acting as a Business Associate (BA):
  
  • No particular specified functions; however, it would include a group of records that a clearinghouse uses, in whole or in part, to make decisions about individuals.

[For more information, see 45 C.F.R. § 164.524(a)]


DESIGNATED STANDARDS MAINTENANCE ORGANIZATION (DSMO)

 

Designated Standards Maintenance Organization (DSMO) is the term used in the Transactions and Code Sets (TCS) Rule to identify the organizations designated by the Secretary of the US Department of Health and Human Services (HHS) to:

• Be responsible for maintenance of the standards for health care.
• Receive and process requests to adopt new standards or modify adopted standards.

All six organizations named in the TCS Rule as DSMOs signed a Memorandum of Understanding (MOU) agreeing to undertake the functions specified in the TCS regulations and to follow a framework of cooperation with each other and HHS. These named organizations are:

• Accredited Standards Committee - designs national electronic standards for a wide range of business applications;
• Health Level Seven (HL7) - produces standards for clinical and administrative data;
• National Council for Prescription Drug Programs (NCPDP) - maintains a number of standard formats for use by the retail pharmacy industry;
• National Uniform Billing Committee (NUBC) - maintains institutional claims and formats;
• National Uniform Claim Committee (NUCC) - maintains the professional uniform claim form; and
• Dental Content Committee of the American Dental Association (ADA) - maintains the hardcopy dental claim form.

[45 C.F.R. § 162.103 & 164.910]

 

For more information:www.hipaa-dsmo.org


DIRECT DATA ENTRY

Direct Data Entry is the process of entering data into a database through a display monitor that has no processing capabilities. The data is then transmitted electronically to a health plan's computer.

[45 C.F.R. § 162.103]


DIRECT TREATMENT RELATIONSHIP

A relationship between a health care provider and an individual that is not an indirect treatment relationship. This includes direct provision of health care by the provider.

For example, a direct treatment relationship would be when a physician examines and discusses treatment options with patient during an office visit. A sample indirect provider would be a physician who reads a sonogram taken by a technician and reports the results to the physician who ordered the test.

[45 C.F.R. § 164.501 (definition of direct treatment relationship)]


DISCLOSURE

The release, transfer, provision of access to, or the divulging in any other manner of information outside of the entity holding the information. This is different from the use of Protected Health Information (PHI). "Disclosure" applies to persons or organizations who receive PHI from covered entities (See Covered Entity) or the covered entity's Business Associate (BA)s.

The transfer of PHI from a covered entity to a business associate without a business associate agreement would also be considered a disclosure for the purposes of HIPAA. The only disclosures not limited by HIPAA are those made an individual who is the subject of the PHI or those made to the Secretary of the U.S. Department of Health and Human Services (HHS).

[45 C.F.R. § 160.103 (definition of disclosure)]


EFFECTIVE DATE

The effective date is the date that a final rule to amend the Code of Federal Regulations (CFR) and become effective.


ELECTRONIC DATA INTERCHANGE (EDI)

Electronic Data Interchange (EDI) is the electronic transfer of information, such as electronic media health claims, in a standard format between trading partners. EDI allows entities within the health care system to exchange medical, billing, and other information and to process transactions. EDI is sometimes used more broadly to mean any electronic change of formatted data.

For more information: www.wedi.org


ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC)

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a private organization that tests transactions for consistency with HIPAA requirements and accredits health care clearinghouses. EHNAC accredits entities engaged in e-health activities (electronic health care transactions and management of health care information) based on their ability to meet high quality performance standards in the areas of privacy, security, technical performance, and business practice. Covered entities may choose to perform EHNAC's self-assessment and site review processes which assists in meeting industry-defined performance standards, which include, but are not limited to, Administrative Simplification (A/S) provisions of HIPAA. EHNAC accreditation informs health care industry organizations that entities engaged in e-health activities with which they may contract have been found HIPAA compliant by EHNAC.

For more information: www.ehnac.org


ELECTRONIC MEDIA

• Electronic storage media including memory devices in computers (hard drives) and any removable / transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dialup lines, private networks, and the physical movement of removable / transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

[45 C.F.R. § 160.103 (definition of electronic media)]


ELECTRONIC MEDIA CLAIMS (EMC)

Electronic Media Claims (EMC) is an electronic format used to transmit or transport claims.

For more information: www.cms.hhs.gov


ELECTRONIC PROTECTED HEALTH INFORMATION

Electronic Protected Health Information (EPHI) means Individually Identifiable Health Information (IIHI) transmitted by electronic media; maintained by electronic media; or transmitted or maintained in any form or medium.

[45 C.F.R. § 160.103 (definition of electronic protected health information)]


EMPLOYER

A person or an entity for whom an individual performs or has performed any service, of any nature, as the employee of that person or that entity except for the following:

• If the entity for which the individual performs or has performed the services does not have control of the payment of the wages for the services, the term “employer” means the entity having control of the payment of the wages.
• If the entity pays wages on behalf of a nonresident alien individual, foreign partnership, or foreign corporation, not engaged in trade or business within the United States, the term ”employer” means the entity that pays the wages.

[45 C.F.R. § 160.103 (definition of employer) & 26 U.S.C. 3401(d) of the Internal Revenue Code]


EMPLOYER IDENTIFICATION NUMBER (EIN)

The employer identification number, as assigned by the Internal Revenue Service. The EIN is the taxpayer identifying number of an individual or other entity (whether or not an employer) assigned under one of the following:

• 26 U.S.C. 6011(b), which is the portion of the Internal Revenue Service Code dealing with identifying the taxpayer in tax returns and statements, or corresponding provisions of prior law.
• 26 U.S.C. 6109, which is the portion of the Internal Revenue Code dealing with identifying numbers in tax returns, statements and other required documents.

[45 C.F.R. § 160.103]


ENTITY

A legal person. This term is intended to include all manner of organizations, such as corporations, associations, partnerships, and other entities that have a legal existence, other than a natural person. The term "entity" should not be confused with the regulatory term "covered entity".

[45 C.F.R. § 160.502 (definition of entity)]


EXCEPTION DETERMINATION

A determination made by the Secretary excepting a provision of state law from preemption by HIPAA standards, requirements, or implementation specifications because the provision:

• Is necessary:
  
  • To prevent fraud and abuse,
  • To ensure appropriate state regulation of insurance and health plans,
  • For state reporting on health care delivery or costs, or
  • For serving a compelling need related to public health, safety, or welfare; or
• Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined under federal or state law).

A request to except a provision of state law from preemption may be submitted to the Secretary. A request by a state must be submitted through its chief elected official, or his or her designee. Until the Secretary's determination is made, the HIPAA standard, requirement, or implementation specification remains in effect. The Secretary may revoke the exception, based on a determination that the ground for the exception no longer exists.

[45 C.F.R. §§ 160.203 and 160.204]


GLOSSARY HELP

Definitions found in this glossary have been adapted from HIPAA regulations or developed by California Statewide HIPAA Work Groups, which are subject matter collaborative working groups of State and county representatives.

How to use CalOHI's HIPAA Glossary:

Accessing the HIPAA Glossary
The CalOHI HIPAA Glossary can be accessed two different ways:

• All Pages Text Link
  Click on the "HIPAA Glossary", link provided at the bottom of each Web page

• Sitemap Link
  Click on the "HIPAA Glossary", link in the “General” section of the CalOHI Sitemap

Searching the HIPAA Glossary
Visitors can search the glossary using several methods:

• CalOHI Site Search Box
  Enter a glossary term in the site search box, in the upper right side of the page and click on the "search" button.
  
  Note: Ensure the "CalOHI" button is selected when searching.
  
  
  • CalOHI Site Search – Result
    On the Search Result for “access” page, for example, locate and click on the link at the top of the returned results, labeled: "If you were searching for the HIPAA glossary term access, click here." This will direct you to the Glossary page.
  • CalOHI Site Search – No Result
    If your search results did not find the term, locate and click on the link at the top of the returned results, labeled: "Click here to search the HIPAA Glossary ."
  • CalOHI Site Search Box – Using Partial Glossary Terms
    The CalOHI Site Search box cannot locate partial glossary terms such as using "acc" for "access". However, if you click on the HIPAA glossary link provided in the results of your search, the glossary term "access" and others containing "acc" will be displayed.
• HIPAA Glossary Search Box
  After accessing the Glossary, you can search for a Glossary term using the Glossary search box.
  
  
  • HIPAA Glossary Search Box - Results
    If your search results found the Glossary term, the definition will be presented.
  • HIPAA Glossary Search Box – No Results
    If your search results did not find the term, a message will be presented stating: "Glossary term not found."

Browsing the HIPAA Glossary
The CalOHI HIPAA Glossary can be browsed two different ways:

• Alpha-based (A – Z) Navigation Menu
  After accessing the Glossary, you can browse for Glossary terms using the A – Z navigation menu. Clicking on any one of the letters will present you with all glossary terms that begin with the letter you selected.
• The "(All)" option
  After accessing the Glossary, you can browse all Glossary terms on one page using the "All" option.

If you would like to suggest a term be added to the glossary, please attend any of the Statewide HIPAA Work Group events.

HIPAA Work Group event dates and location can be viewed by clicking on the following link: California Event calendars.


GROUP HEALTH PLAN

An employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including terms and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:

• Has 50 or more participants; or
• Is administered by an entity other than the employer that established and maintains the plan.

[45 C.F.R. § 160.103 (definition of group health plan) & 45 C.F.R. § 164.504(f)]


HEALTH AND HUMAN SERVICES (HHS)

The U.S. Department of Health and Human Services. May be referred to as DHHS in some CalOHI documents.

[45 C.F.R. § 160.103 (definition of HHS)]

The HHS is the federal agency responsible for the implementation of the HIPAA Rule and for verifying the compliance of covered entities (See covered entity). Within DHHS exists two offices responsible for the implementation of specific aspects of HIPAA. These two offices are the Office of Civil Rights (OCR), which is responsible for the implementation of the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (CMS), which is responsible for the implementation of the remainder of Administrative Simplification in HIPAA.


HEALTH CARE

Health care refers to care, services, or supplies related to the health of an individual.

It includes, but is not limited to:

• Preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling service, assessment, or procedure:
  
  • With respect to the physical or mental condition, or functional status of an individual, or
  • That affects the structure or function of the body, and
• The sale or dispensing of a drug, device, equipment or other item in accordance with a prescription.

This definition is based on the underlying activities that constitute health care. Providing these services is considered treatment.

Health care does not include:

• Procurement or banking of blood, sperm, organs, or any other tissue for administration to patients. Persons who make such donations are not seeking health care for themselves, but are seeking to contribute to the health care of others.

[45 C.F.R. § 160.103 (definition of health care)]


HEALTH CARE ACTIVITIES

Health care activities include the provision of medical or health services including:

• Physician's services,
• Services or supplies commonly furnished in a physician's office, whether rendered without charge or included in a physician's bill,
• Diagnostic services that are:
  
  • Furnished to an individual as an outpatient by a hospital,
  • Furnished to an individual as an outpatient by another entity under arrangements made by a hospital, or
  • Ordinarily furnished by a hospital to its outpatients for the purposes of diagnostic study.
• Outpatient physical therapy and health care services,
• Rural health clinic services and federally qualified health care services,
• Home dialysis supplies and equipment, self-care home dialysis support services, and institutional dialysis services and supplies,
• Antigens prepared by physicians for a particular patient,
• Services furnished by a contract to a member of an eligible organization by a physician assistant or by a nurse practitioner,
• Services furnished pursuant to a risk-sharing contract to members of an eligible organization by a clinical psychologist or clinical social worker and furnished as an incident to such clinical psychologist's or clinical social worker's services,
• Blood clotting factors for hemophilia patients,
• Prescription drugs used in immunosuppressive therapy furnished to an individual who receives an organ transplant, but only in the case of certain drugs,
• Services furnished by a nurse that would be a physician's services,
• Certified nurse-midwife services,
• Qualified psychologist services,
• Clinical social workers services,
• Erythropoietin for dialysis patients,
• Prostate cancer screening tests,
• Colorectal cancer screening tests,
• Diabetes outpatient self-management training screening,
• An oral drug prescribed for use as an acute anti-emetic used as part of an anti-cancer chemotherapeutic regimen,
• Oral drug prescribed for use as an anti-cancer chemotherapeutic agent for a given indication and containing an active ingredient(s),
• Diagnostic x-ray tests furnished in a place of residence used as the patient's home,
• X-ray, radium, and radioactive isotope therapy, including materials and services of technicians,
• Surgical dressings, splints, casts, and other devices used for reduction of fractures and dislocations,
• Durable medical equipment,
• Ambulance service where the use of other methods of transportation is contraindicated by the individual's condition,
• Prosthetic devices (other than dental) which replace all or part of an internal body organ, including one pair of conventional eyeglasses or contact lenses furnished subsequent to cataract surgery,
• Leg, arm, back and neck braces and artificial legs, arms, and eyes, including replacements, if required,
• Pneumococcal vaccine and its administration,
• Hepatitis vaccine and its administration,
• Services of a certified registered nurse anesthetist,
• Extra-depth or custom molded shoes with inserts for an individual with diabetes,
• Screening mammography,
• Screening pap smear and screening pelvic exam, and
• Bone mass measurement.

Health care activities do not include:

• Companies that conduct:
  
  • Cost-effective reviews,
  • Risk management, and
  • Benchmarking studies unless they perform other functions that meet the definition, or
• Procurement or banking of:
  
  • Blood,
  • Sperm,
  • Organs, or
  • Any other tissue for administration to patients.

[42 U.S.C. § 1395x(u), & 1395x(s)]


HEALTH CARE CLAIM (837): DENTAL, INSTITUTIONAL, AND PROFESSIONAL

The Health Care Claim (837) has three standard formats:

• Dental is primarily for use by dentists for claims and/or encounters.
• Institutional is primarily used by hospitals or clinics for claims and/or encounters, i.e., the UB-92 form.
• Professional is primarily for use by physicians for claims and/or encounters, i.e., the CMS 1500 form.

For more information see ASC X12N Insurance Subcommittee Implementation Guide: ww.wpc-edi.com/Default_40.asp


HEALTH CARE CLAIM PAYMENT AND ADVICE (835)

The Health Care Claim Payment and Advice (835) is a standard format for payment and advice. Payers send 835s to providers.

• Health care providers receiving 835s include, but are not limited to, hospitals, nursing homes, laboratories, physicians, dentists, and allied professional groups.
• Organizations sending 835s include insurance companies, Third Party Administrators (TPAs), service corporations, state and federal agencies and their contractors, health plan purchasers, and any other entities that process health care reimbursements.
• Business partners affiliated with 835s include Depository Financial Institutions (DFIs), billing services, consulting services, vendors of systems, software and Electronic Data Interchange (EDI) translators, EDI network intermediaries, such as Automated Clearing Houses (ACHs), Value-Added Networks (VANs) and telecommunication services.

For more information see ASC X12N Insurance Subcommittee Implementation Guide: ww.wpc-edi.com/Default_40.asp


HEALTH CARE CLAIM STATUS REQUEST AND RESPONSE (276/277)

The Health Care Claim Status Request and Response (276/277) are used for checking the status of health care claims. The 276 is the standard format used by health care providers or health plans to request the status of claims. The 277 is the standard format used by the responding entity to transmit the answers to the requests about the status of claims.

• Entities requesting claim status information include but are not limited to: hospitals, nursing homes, laboratories, physicians, dentists, allied professional groups, employers, and supplemental (i.e., other than primary payer) health care claims adjudication processors.
• Organizations responding to claim status requests include: payers who may be insurance companies, third party administrators, service corporations, state and federal agencies and their contractors, health plan purchasers, and any other entities that process health care reimbursements.

For more information see ASC X12N Insurance Subcommittee Implementation Guide: ww.wpc-edi.com/Default_40.asp


HEALTH CARE CLEARINGHOUSE

A public or private entity, including a billing service, repricing company, community health management information system, and “value-added” networks and switches, that does either of the following functions:

• Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data into standard data elements or a standard transaction.
• Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

In most instances, health care clearinghouses will receive Individually Identifiable Health Information (IIHI) only when they are providing these processing services to a health plan or health care provider as a Business Associate (BA). In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of Protected Health Information (PHI).

 

[45 C.F.R. §§ 142.103 & 160.103 (definition of a health care clearinghouse)]


HEALTH CARE CODE MAINTENANCE COMMITTEE

The Health Care Code Maintenance Committee is an organization administered by the Blue Cross and Blue Shield of America (BCBSA) responsible for maintaining the Claim Adjustment Reason Codes, the Claim Status Category Codes, and the Claim Status Codes used in the X12 standard transactions and elsewhere.

For members of this committee: www.wpc-edi.com/AdjustmentStatusCodes/contacts.html


HEALTH CARE COMPONENT

A health care component is a part or combination of parts of a hybrid entity that performs health care activities within an organization that performs other non-health care related functions.

[45 C.F.R. §§ 164.504(a) (definition of health care component)]


HEALTH CARE ELIGIBILITY BENEFIT INQUIRY AND RESPONSE (270/271)

The Health Care Eligibility Benefit Inquiry (270) and Response (271) are two standard formats: for requesting information and responding with answers on coverage, eligibility, and benefits.

For more information see ASC X12N Insurance Subcommittee Implementation Guide: www.wpc-edi.com/Default_40.asp


HEALTH CARE FINANCING ADMINISTRATION (HCFA) - 1500

See Center for Medicare and Medicaid Services-1500.

For more information: Center for Medicare and Medicaid Services Medicare Paper Claim Forms and Instructions, http://www.cms.hhs.gov/providers/edi/edi5.asp#Form%20CMS-1500 or www.cms.hhs.gov/glossary


HEALTH CARE OPERATIONS

Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. The activities include:

Quality Assessment and Improvement Activities where the primary purpose does not obtain generalized knowledge, including:

• Population-based activities including outcomes evaluation and development of clinical guidelines relating to:
  
  
  1. Improving health or reducing costs,
  2. Developing protocol, case management and care coordination,
  3. Contacting health care providers and patients with information about alternative treatments, or
• Related functions not including treatment.
  NOTE: If the above activities are for the purpose of generalized knowledge, then it is under the HIPAA definition of research.  

  Staff Evaluation

• Reviewing the competence or qualifications of health care professionals,
• Evaluating practitioner and provider performance,
• Health plan performance,
• Conducting training programs in which students, trainees or practitioners learn to practice or improve skills as health care providers,
• Training of non-health care professionals,
• Accreditation,
• Certification,
• Licensing, or
• Credentialing activities.

Insurance-Related Activities

• Underwriting,
• Premium rating,
• Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits,
• Ceding, securing or placing a contract for:
  
  
  1. Reinsurance of risk related to claims for health care,
  2. Stop-loss insurance, or
  3. Excess of loss insurance.

As long as the above are not placed with the health plan, the health plan may not use the PHI for any purpose, except as may be required by law.

 

[45 C.F.R. § 164.514(g)]

Administrative Functions – conducting or arranging for:

• Medical review,
• Legal services,
• Auditing functions,
• Fraud and abuse detection, or
• Compliance programs.

Business Planning and Development, such as:

• Conducting cost-management and planning-related analysis related to managing and operating the entity,
• Formulary development and administration, or
• Development or improvement of methods of payment or coverage policies.

Business Management and General Administrative Activities, including but not limited to:

• Management activities related to becoming HIPAA compliant,
• Use for customer service, including provision of data analysis (with no PHI) for policy holders, plan sponsors and other customers,
• Use or disclosure for resolution of internal grievances, including;
  
  • Disclosures to an employee and/or employee representative to demonstrate allegations,
  • Disputes from patients or enrollees regarding the quality of care or similar matters,
• Sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity, or an entity that will become a covered entity and due diligence related to such activity:
  
  • Mergers,
  • Acquisitions,
  • Consolidations,
  • Corporate restructuring, or
  • Division of a covered entity,
• Consistent with 45 C.F.R. § 164.514 (Other requirements relating to uses and disclosures of PHI):
  
  • Creating de-identified health information or a limited data set,
  • Fundraising for benefit of the covered entity to the extent permitted by HIPAA rules [45 C.F.R. § 164.512(f)] , or
  • Disclosures for the enumerated activities of an organized health care arrangement (OHCA).

[45 C.F.R. § 164.501 (definition of health care operations)]


HEALTH CARE PROVIDER

A health care provider is a person or organization that furnishes, bills, or is paid for health care services in the normal course of business. As such, a health care provider is defined by the activities performed, not by the titles or labels of the profession.

A health care provider is only a covered entity governed by HIPAA if they conduct one or more of the standard electronic transactions defined in the Transactions and Code Sets regulations. However, health care providers who do not submit HIPAA transactions in standard form are covered by this rule when other entities, such as a billing service or a hospital transmit standard electronic transactions on their behalf. This may include:

• Pharmacists and online internet companies who meet this definition,
• Manufacturers and health care suppliers who are considered providers by Medicare,
• Researchers who provide health care to subjects in clinical research studies and who otherwise meet this definition,
• Employers who provide health care services to their employees, and
• Employee Assistance Programs (EAP) that provide direct treatment to individuals.

Persons covered under the rule in one role may not necessarily be covered by HIPAA when they participate in other activities in another role.

 

For example, a person could be a covered health care provider in a hospital one day but the next day read research records for a different employer. In the role of a researcher, the person is not covered and the HIPAA protections do not apply to the research records.

A person providing health care services that meets this definition and conducts standard transactions is a covered entity no matter how much time they spend performing these services, even if it is only several hours a week.

[45 C.F.R. § 160.103 (definition of health care provider)]

All health care providers who meet the criteria of the definition of health care provider in § 160.103 (regardless of whether they conduct transactions electronically or on paper or whether they conduct any covered transactions) are eligible to apply for health care provider identifiers.

The fact that a health care provider obtains a National Provider Identifier does not impose covered entity status on that health care provider. Only those providers that:

• Meet the definition of health care provider above, and
• Transmit health information in electronic form in connection with a standard transaction contained within the HIPAA Regulations, are covered entities.

HEALTH CARE SERVICES REVIEW (278)

The Health Care Services Review (278) - Request for Review and Response is a standard format for review of specialty care, treatment, and admission (i.e. prior authorization).

For more information see ASC X12N Insurance Subcommittee Implementation Guide: www.wpc-edi.com/Default_40.asp


HEALTH INFORMATION

Health information is any information, whether oral or recorded in any form or medium, that:

• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and
• Relates to the past, present, or future physical or mental health or condition of an individual.

This includes:

• The provision of health care to an individual, or
• The past, present, or future payment for the provision of health care to an individual.

[45 C.F.R. § 160.103 (definition of health information)]


HEALTH INSURANCE ISSUER

A health insurer is an insurance company, insurance service, or insurance organization, including a Health Maintenance Organization (HMO), licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

This definition does not include a group health plan.

[45 C.F.R. § 160.103 (definition of health insurance issuer), section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2)]


HEALTH LEVEL SEVEN (HL7)

Health Level Seven (HL7) is one of several American National Standards Institute (ANSI) -accredited Standards Developing Organizations (SDOs) operating in the health care arena. Most SDOs produce standards (sometimes called specifications or protocols) for a particular health care domain such as pharmacy, medical devices, imaging or insurance (claims processing) transactions. The HL7 domain is clinical and administrative data. HL7 develops specifications; the most widely used being a messaging standard that enables disparate health care applications to exchange key sets of clinical and administrative data.

For more information: www.hl7.org


HEALTH MAINTENANCE ORGANIZATION (HMO)

An HMO is a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner to the same extent as an HMO. HMOs are a form of health insurance.

[45 C.F.R. § 160.103 (definition of health maintenance organization, & 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-92(b)(3))]


HEALTH OVERSIGHT AGENCY

A health oversight agency is a person representing a government entity or a government entity:

• Acting under a grant of authority from or contract with such public agency or authority of the United States,
• Authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary, and
• Who determines eligibility or compliance, or
• Who enforces civil rights laws for which health information is relevant.

A covered entity may provide access to or disclose (See disclosure) Protected Health Information (PHI) to health oversight agencies for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.

[45 C.F.R. § 164.501 (definition of health oversight agency) & for more information see 45 C.F.R. § 164.512(d)]


HEALTH PLAN

A health plan is an individual or group health plan that provides for the cost, or pays the cost of medical care. This includes church and government plans that meet this definition.

Health plans include the following, alone or in combinations:

• A group health plan,
• A health insurance issuer,
• A Health Maintenance Organization (HMO),
• Medicare Program, Parts A or B under Title XVIII,
• Medicaid Program, under Title XIX,
• An issuer of Medicare supplemental policies,
• An issuer of long-term care policies, not including a nursing home fixed-indemnity policy,
• An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers,
• The health care program for active military personnel,
• The veterans health care program,
• The Civil Health and Medical Program of the Uniformed Services (CHAMPUS),
• The Indian Health Services Program under the Indian Health Care Improvement Act,
• Federal Employees Health Benefits Program,
• An approved State child care plan under Title XIX that provides benefits for child health assistance,
• Medicare+Choice program,
• A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals whether or not it meets the definition of a qualified high risk pool under Section 2744 of HIPAA, and
• Any other individual or group plan, combination of individual or group plans, that provide or pays for the cost of medical care.

Health plans also include:

• 24-Hour coverage plans, to the extent that they have a health care component, and
• Limited scope dental or vision benefits, not offered separately, if they meet the definition of a health plan because they directly and exclusively provide health insurance, even if limited in scope.

Health plans DO NOT include:

• A nursing home fixed-indemnity policy, and
• Property and casualty insurance.

U.S Department of Health and Human Services (HHS) does not consider government programs that do not have their principal purpose to be the provision of, or payment for, the cost of health care to be health plans. This includes programs such as:

• Special Supplemental Nutrition Program for Women, Infants and Children (WIC), and
• The Food Stamp Program.

Both of these programs provide nutritional services.

Some government programs that have their principal purpose being the provision of health care, either directly or by grant, are also not considered to be health plans. These are not health plans because their purpose is to provide grants to fund the direct provision of health care to persons, and would include programs such as:

• The Ryan White Comprehensive AIDS Resources Emergency Act,
• Government-funded health centers and immunization programs, and
• Federal Family Planning under Title X of the Public Health Services Act.

Government agencies that determine eligibility and enroll individuals into government programs that provide public benefits such as Medi-Cal (Medicaid) are not considered health plans or Business Associate (BA)s of health plans.

For example, county welfare departments determine eligibility for Medi-Cal, but are not considered business associates to the California Department of Health Services.

While on-site medical clinics are excluded from the definition of "health plans", such clinics may meet the definition of "health care provider" and persons who work in the clinic may meet the definition of "health care providers."

For example, an occupational health clinic provided by a hospital for its employees is not a health plan, but may be considered a provider of health care and its workforce may be considered health care providers.

Programs that are not considered health plans under HIPAA include those listed below, but only to the extent that they do not provide health insurance payments directly to the health care provider as reimbursement for health care services provided to individual patients for health care services provided. Some of these may meet the rules definition of "health care provider".

• To the extent the program provides or pays for the cost of, except benefits it may not be considered a health plan: [that are listed in 42 U.S.C. § 300gg-91(c)(1)]:
  
  • Payment insurance,
  • Coverage only for accident,
  • Disability income insurance,
  • Supplements to liability insurance,
  • Liability insurance, including general liability or automobile,
  • Workers' compensation or similar insurance,
  • Automobile medical Credit-only insurance,
  • Coverage for on-site medical clinics,
  • Other similar coverage where medical care is secondary or incidental to other insurance benefits,
  • If offered as a separate insurance policy - Medicare supplemental health insurance and supplemental coverage provided to coverage under a group health plan, and
  • Other property and casualty insurers,
• If offered separately:[42 U.S.C. § 300gg-91(c)(1)]
  
  • Limited scope dental or vision benefits, and
  • Benefits for long-term care, nursing home care, home health care, community-based care, or any combination thereof,
• If offered as independent, non-coordinated benefits:
  
  • Coverage only for a specified disease or illness, and
  • Hospital indemnity or other fixed indemnity insurance.
• A government-funded program:
  
  • Whose principal purpose is not providing, or paying the cost of health care, or
  • Whose principal activity is the direct provision of health care to persons or making grants to fund the direct provision of health care to persons (health care provider s),
• A high risk pool, not including any program established under State law solely to provide excepted benefit,
• Stop-loss and re-insurers,
• Employee Retirement Income Security Act (ERISA) plans,
• Where less than 50 employees are served and the plan self administered, or [S.S.A. § 1171(5)(A)]
• Employee discount or membership incentives that are not employee welfare benefit plan

[45 C.F.R. § 160.102 (definition of health plan) & 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)]


HEALTHCARE COMMON PROCEDURE CODING SYSTEM (HCPCS)

The Healthcare Common Procedure Coding System (HCPCS) is a medical code set for all substances, equipment, supplies or other items used in health care services except drugs and biologics. The items include, but are not limited to, the following:

1. Medical supplies,
2. Orthotic and prosthetic devices, and
3. Durable medical equipment.

HCPCS may also identify health care procedures, equipment and supplies. It has been selected for use in HIPAA transactions. HCPCS has three levels (Healthcare Common Procedure Coding System (HCPCS) Level 1, Healthcare Common Procedure Coding System (HCPCS) Level II and Healthcare Common Procedure Coding System (HCPCS) Level III with Healthcare Common Procedure Coding System (HCPCS) Procedure Modifier Codes).

[45 C.F.R. § 162.103 definition of HCPCS]

For more information: www.cms.hhs.gov/medicare/hcpcs


HEALTHCARE COMMON PROCEDURE CODING SYSTEM (HCPCS) LEVEL I

HCPCS Level I contains numeric Current Procedural Terminology (CPT) codes, which are maintained by the American Medical Association (AMA).

For more information: www.cms.hhs.gov/medicare/hcpcs


HEALTHCARE COMMON PROCEDURE CODING SYSTEM (HCPCS) LEVEL II

HCPCS Level II contains codes used to identify various items and services not included in the Current Procedural Terminology (CPT) medical code set, such as medical supplies, orthotic and prosthetic devices and durable medical equipment. The Centers for Medicare and Medicaid Services (CMS), Blue Cross and Blue Shield of America (BCBSA), and the Health Insurance Association of America (HIAA) maintain these codes.

For more information: www.cms.hhs.gov/medicare/hcpcs


HEALTHCARE COMMON PROCEDURE CODING SYSTEM (HCPCS) LEVEL III

HCPCS Level III contains codes assigned by Medicaid state agencies to identify additional items and services not included in HCPCS Levels I or II. These are usually called "local codes" and must have "W," "X," "Y," or "Z" in the first position. HIPAA does not allow use of these codes.

For more information: www.cms.hhs.gov/medicare/hcpcs


HEALTHCARE COMMON PROCEDURE CODING SYSTEM (HCPCS) PROCEDURE MODIFIER CODES

HCPCS Procedure Modifier Codes, which is part of Level II, may be used to identify circumstances that alter or enhance the description of a service or supply.

For more information: www.cms.hhs.gov/medicare/hcpcs


HIPAA

HIPAA is the Health Insurance Portability and Accountability Act, the federal law passed in 1996 that provides national standards and privacy protections for health information. It allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships.

HIPAA establishes standards for privacy and security, unique health identifiers, as well as standards for Electronic Data Interchange (EDI). The two main goals of HIPAA are:

• Making health insurance more portable when persons change employers, and
• Through Administrative Simplification (A/S), making the health care system more accountable for costs, trying especially to reduce waste and fraud.

HYBRID ENTITY
A hybrid entity is a single legal entity:

• That is a covered entity;
• Whose business activities include both covered and non-covered functions; and
• That designates health care components in accordance with paragraph (c)(3)(iii) of this section.

[45 C.F.R. § 164.103(a) (definition of hybrid entity)]


ICD

The International Classification of Diseases (ICD) is a medical code set maintained by the World Health Organization (WHO). The primary purpose of these codes is to classify causes of death. A U.S. extension of this coding system, maintained by the National Committee on Vital and Health Statistics (NCVHS) within the Centers for Disease Control (CDC), is used to identify morbidity factors, or diagnoses. (There are other ICDs; see ICD-9-CM or ICD-10-CM).

For more information: For more information: N C H S - Classification of Diseases , Functioning, and Disability..


ICD-10-CM

The International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM) is used in assigning codes to diagnoses associated with inpatient, outpatient, and physician office utilization in the U.S. In addition, it is used in assigning codes associated with inpatient procedures. The ICD-9-CM is based on the ICD but provides for additional morbidity detail and is annually updated. This medical code set is published and maintained by National Center for Health Statistics (NCHS) for United States usage.

For more information: www.cdc.gov/nchs


ICD-9-CM

The International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM) is used in assigning codes to diagnoses associated with inpatient, outpatient, and physician office utilization in the U.S. In addition, it is used in assigning codes associated with inpatient procedures. The ICD-9-CM is based on the ICD but provides for additional morbidity detail and is annually updated. This medical code set is published and maintained by National Center for Health Statistics (NCHS) for United States usage.

For more information: www.cdc.gov/nchs


IMPLEMENTATION GUIDE (IG)

The Implementation Guide (IG) is a document issued by the ASC X12N Insurance Subcommittee explaining the proper use of a standard for a specific business purpose.

For example: The ASC X12N HIPAA IGs are the primary reference documents used by those implementing the associated transactions, and are part of the HIPAA regulations by reference.

For more information on the Implementation Guides: www.wpc-edi.com/Default_40.asp


IMPLEMENTATION SPECIFICATION

Under HIPAA, this is the specific instruction prescribed in the law for implementing a standard.

[45 C.F.R. § 160.103 (definition of implementation specification)]


INCIDENTAL DISCLOSURES

Incidental disclosures are uses or disclosures of Protected Health Information (PHI) where it is accidentally or not intentionally disclosed, where the covered entity has used or disclosed only the minimum necessary and where the covered entity has safeguards in place.

[For more information, see 45 C.F.R. § 164.512(a)(iii)]


INDIRECT TREATMENT RELATIONSHIP

An indirect relationship is a relationship between a health care provider and an individual in which the provider delivers health care services, products, diagnoses, or results that are typically furnished to the patient through another provider, rather than directly.

• The health care provider delivers health care to the individual based on the orders of another health care provider, and
• The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services, products, or reports to the individual.

For example, radiologists and pathologists generally have indirect treatment relationships with patients because they deliver diagnostic services based on the orders of other providers and the results of those services are furnished to the patient through the direct treating provider.

[45 C.F.R. § 164.501 (definition of indirect treatment relationship)]


INDIVIDUAL

The person who is the subject of Protected Health Information (PHI).

[45 C.F.R. § 164.103 (definition of individual)]


INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI)

Individually Identifiable Health Information (IIHI) is information that is a subset of health information, including demographic information collected from an individual that:

• Is created or received by a health care provider, health plan, employer, or health care clearinghouse, and
• Relates to:
  
  • The past, present, or future physical or mental health condition of an individual,
  • The provision of health care to an individual, or
  • The past, present, or future payment or the provision of payment of health care to an individual, and
• Identifies the individual, or
• Has a basis to believe the information can be used to identify the individual.

[45 C.F.R. § 160.103 (definition of individually identifiable health information)]


INFORMATION PRACTICES ACT (IPA)

The IPA is the state law that governs the protection and privacy of Individually Identifiable Health Information (IIHI) that is created or maintained by State entities.

[California Civil Code § 1798 et seq.]


INMATE

An inmate is a person incarcerated in or otherwise confined to a correctional institution.

[45 C.F.R. § 164.501 (definition of inmate)]


INTERNATIONAL STANDARDS ORGANIZATION (ISO)

The International Organization for Standardization (ISO) is a network of international standards institutes from 148 countries working in partnership with international organizations, governments, industry, and business and consumer representatives. The ISO serves as a bridge between the public and private sectors.

For more information: www.iso.org/iso/en/ISOOnline.openerpage


JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

Judicial and administrative proceedings are legal proceedings that issue orders, warrants, subpoenas, discoveries, etc. Covered entities (See covered entity) may disclose (See disclosure) Protected Health Information (PHI) in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.

[For more information, see 45 C.F.R. § 164.512(e)]


LAW ENFORCEMENT OFFICIAL

A law enforcement official is an official of any agency or authority of the United States or a political subdivision (i.e., State, County, etc.) thereof, who is empowered to:

• Investigate or conduct an inquiry into a potential violation of law, or
• Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

[45 C.F.R. § 164.501 (definition of law enforcement official) & for more information see 45 C.F.R. § 164.512(f)]


LAW ENFORCEMENT PURPOSES

Law enforcement purposes are those activities where covered entities (See covered entity)may disclose (See disclosure) Protected Health Information (PHI) to law enforcement officials in the following six situations, and subject to specified conditions:

1. As required by law (including court orders, court-ordered warrants, subpoenas, etc.) and administrative requests;
2. To identify or locate a suspect, fugitive, material witness, or missing person;
3. In response to a law enforcement official's request for information about a victim or suspected victim of a crime;
4. To alert law enforcement of a person's death, if the covered entity suspect's that criminal activity caused the death;
5. When a covered entity believes that PHI is evidence of a crime that occurred on its premises; and
6. By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

[For more information, see 45 C.F.R. § 164.512(f)]


LIMITED DATA SET

A limited data set is Protected Health Information (PHI) from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. This information may be used and disclosed (See disclosure) for research, health care operations, and public policy purposes, provided that the recipient enters into a data use agreement agreeing to specified safeguards of the PHI within the limited data set.

[For more information, see 45 C.F.R. § 164.514(e)]


LOCAL CODES

Local Codes are proprietary codes used by a state or other political subdivision, or by a payer to identify a specific product. This term is most commonly used to describe Healthcare Common Procedure Coding System (HCPCS) Level III Codes, but also applies to state-assigned Institutional Review Codes, Condition Codes, Occurrence Codes, Value Codes, etc. HIPAA does not allow use of these codes.

For more information: Center for Medicare and Medicaid Services Glossary or www.cms.hhs.gov/glossary.


LOGICAL OBSERVATION IDENTIFIERS, NAMES AND CODES (LOINC)

Logical Observation Identifiers, Names and Codes (LOINC) are a set of universal names and identifier codes that identify lab and clinical observations. LOINC codes are maintained by the Regenstrief Institute (U.S.) and are expected to be used in the HIPAA claims attachments standard.

For more information: www.loinc.org or www.regenstrief.org/loinc/loinc.htm (for LOINC codes)


MAPPING

See Data Mapping.


MARKETING

Marketing includes communications, by any means, about a product or service that encourages the recipients of the communica