Glossary of essential HIPAA terms used in
Yale’s HIPAA related policies & procedures
This glossary is provided as a convenience; only the definitions in the
Regulations are authoritative for compliance purposes. Please see:
Privacy Regulations | Security Regulations.
Above-Threshold ePHI System -
A system that creates, accesses, transmits or receives: 1) primary source
ePHI, 2) ePHI critical for treatment, payment or health care operations,
or 3) any form of ePHI where the host system is configured to allow access
by multiple people.
Examples include:
- A personal computer with a Microsoft Access database containing ePHI
that is configured to allow access by more than one person.
- A departmental server with file shares containing ePHI.
- A computer system used to create, access, transmit or receive ePHI
that is configured to allow access by a non-Yale vendor/contractor.
- A clinical care system which contains primary source ePHI, and
- A billing system that is critical to clinical care operations.
See also: Basic ePHI Systems.
Accounting of Disclosures – The
provision of a list of disclosures made by a covered component of Yale
according to Policy
5003.
Administrative Safeguards – Administrative actions
and policies and procedures (1) to manage the selection, development, implementation,
and maintenance of security measures, and (2) to protect ePHI and to manage
the conduct of the Covered Components' workforce in relation to the
protection of ePHI.
Authorization (HIPAA Authorization) -
a specific type of permission given by the individual to use and/or disclose
protected health information about the individual. The requirements of a valid
authorization are defined in the HIPAA regulations. Yale recommends use of
the Yale authorization form in Policy 5031 for patient requests, or the research
authorization form in Policy 5032. Use of a modified form other than addition
of required information requires review and approval by the privacy office.
Basic ePHI System - A system that
is typically used by a single individual and is used to create, access,
transmit or receive ePHI. However, a System, even if used only by a single
user, which supports primary source ePHI or ePHI critical for treatment,
payment or health care operations is an Above-Threshold ePHI System. See also
Above-Threshold ePHI Systems.
Business Associate – Generally
an entity or person who performs a function involving the use or disclosure
of Protected Health Information (PHI) on behalf of a covered entity (such
as claims processing, case management, utilization review, quality assurance,
billing) or provides services for a covered entity that require the disclosure
of PHI (such as legal, actuarial, accounting, accreditation). Determinations
as to whether an entity is serving as a business associate will be made in
accordance with the HIPAA definition and Policy
5033.
Confidential Communications -
Refers to the ability of an individual to request that their health information
be protected through the use of an alias or by using a different mailing address.
Contingency Plan (CP) - Sets out a course of action
that is maintained for emergency response, backup operations, and post-disaster
recovery. The purpose of the plan is to ensure availability of critical
resources and facilitate the continuity of operations in an emergency.
The plan includes procedures for performing backups, preparing critical
facilities that can be used to facilitate continuity of critical operations
in the event of an emergency and recovering from a disaster.
Covered Component – Components
of the University designated by Yale that are required to comply with the
Administrative Simplification provisions of HIPAA because the component
performs a covered function. There are two covered components at Yale: the
Covered Employer Group Health Plan Component and the Covered Health Care Component.
Covered Health Care Component – The
component of the University designated by Yale that is required to comply
with the Administrative Simplification provisions of HIPAA because it performs
covered health care functions. The Covered Health Care Component at Yale University
is comprised of the School of Medicine, School of Nursing, Department of Psychology
clinics and Yale University Health Services.
Covered Employer Group Health Plan
Component – {definition to be provided}
Covered Entity – Covered
entity means an entity that is subject to HIPAA. Yale University is the
covered entity for HIPAA compliance purposes. Because Yale is a Hybrid
Entity, only Yale's designated Covered Components are subject to
HIPAA requirements.
Data Use Agreement - An agreement
between a covered entity (the holder of the PHI) and the recipient of the
PHI (such as a research investigator) in which the covered entity discloses
a limited data set for purposes of research, public health or healthcare operations
in accordance with Policy 5039. Data use agreements are required to restrict
the use of the PHI in the limited data set to a specified purpose, to safeguard
the PHI, and to assure that the individuals whose PHI is included in the limited
data set will not be identified by the recipient.
De-identified data -
Health information that does not identify an individual and with respect to which
there is no reasonable basis to believe that the information can be used to identify
an individual is de-identified. Health information is considered de-identified
(1) if stripped of all of the 18 direct identifiers defined under HIPAA (see
the full
list), or (2) if an expert in statistical and scientific method determines
that there is a very small risk that the information could be used alone or in
combination with other information to identify an individual. See Policy 5039.
HIPAA does not apply to de-identified data.
Designated Record Set - Medical,
clinical research and billing records about an individual maintained or
used to make decisions about the individual and the individual's
treatment, and subject to an individual's right to request access
and amendment.
DHHS - US Department of Health and
Human Services
Direct Treatment Relationships – means
a treatment relationship between an individual and a health care provider
that is not an indirect treatment relationship.
Disaster Recovery Plan (DRP) - The part of a Contingency
Plan that documents the process to restore any loss of data and to recover
computer systems if a disaster occurs (i.e., fire, vandalism, natural disaster,
or System failure). The document defines the resources, actions, tasks
and data required to manage the business recovery process in the event
of a business interruption. The plan is designed to assist in restoring
the business process to attain the stated disaster recovery goals.
Disclosure - The release,
transfer, provision of access to, or divulging in any other manner of protected
health information outside of the entity holding the information.
Electronic Protected Health Information (ePHI) is PHI
in electronic form. See PHI.
Emancipated Minor - A minor who
is to be treated as an adult for purposes of this policy. An emancipation
order allows a minor to consent to "medical, dental or psychiatric
care, without parental consent, knowledge or liability." In Connecticut,
minors above age sixteen or their parents may petition the Superior Court
for Juvenile Matters or the Probate Court for emancipation orders. The
court may declare the minor emancipated if (1) the minor has been married,
(2) the minor actively serves in the U.S. armed forces, (3) the minor willingly
lives away from home and manages his or her own finances, or (4) the court
determines "for good cause" that emancipation is in the "best
interest" of the minor. A minor may also be considered emancipated
under common law under similar circumstances.
Emergency Mode Operation (EMO) plan is a subset of
a disaster recovery plan that documents processes that support continued
operation in case of an emergency. Emergency mode operations documentation
includes emergency management/crisis management guidelines and procedures
to maintain the integrity, availability and confidentiality of protected
health information.
Group Health Plan – means an
employee welfare benefit plan (as defined in the Employee Retirement Income
Security Act of 1974 (ERISA), 29 USC 1002(1)), including insured and
self-insured plans, to the extent that the plan provides medical care,
including items and services paid for as medical care, to employees or
their dependents directly or through insurance, reimbursement, or otherwise,
that has 50 or more participants; or is administered by an entity other
than the employer that established and maintains the plan.
Health Care – care, services,
or supplies related to the health of an individual, including (1) preventive,
diagnostic, therapeutic, rehabilitative, maintenance, or palliative care,
and counseling, service, assessment, or procedure with respect to the physical
or mental condition, or functional status, of an individual or that affects
the structure or function of the body; and (2) sale or dispensing of a
drug, device, equipment, or other item in accordance with a prescription.
Health Care Component – means
a component of a hybrid entity designated by the hybrid entity that functions
as a health care provider, as defined by HIPAA.
Health Care Operations – any
of the following activities of a covered entity that relate to its covered
functions (i.e., acting as a health care provider and an employer group health
plan): conducting quality assessment and improvement activities; reviewing
the competence or qualifications of health care professionals; underwriting,
premium rating, and other activities relating to the creation, renewal or replacement
of a contract of health insurance or health benefits; conducting or arranging
for medical review, legal services, and auditing functions, including fraud
and abuse detection and compliance programs; business planning and development;
and business management and general administrative activities of the entity.
Health Care Provider – a provider
of medical or health services and any other person or organization who
furnishes, bills, or is paid for health care in the normal course of business.
Health Information – any
information, whether oral or recorded in any form or medium, that is created
or received by a health care provider, health plan, public health authority,
employer, life insurer, school or university, or health care clearinghouse;
and relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an individual.
Health Plan – an individual
or group plan as defined in HIPAA that provides, or pays the cost of, medical
care, such as the Yale University Health Plan
HIC - Human Investigation Committee
HIPAA - Health Insurance Portability
and Accountability Act of 1996
Hybrid Entity – a single
legal entity such as Yale that is a covered entity whose business activities
include both covered and non-covered functions.
In loco parentis - A person or
institution acting in lieu of a parent.
Indirect Treatment Relationship – a
relationship between an individual and a health care provider in which
the health care provider delivers health care to the individual based on
the orders of another health care provider; and the health care provider
typically provides services or products, or reports the diagnosis or results
associated with the health care, directly to another health care provider,
who provides the services or products or reports to the individual.
Individual – the person
who is the subject of PHI.
Individually Identifiable Health Information – a
subset of "health information," including demographic information,
(1) that is created or received by a health care provider, health plan,
employer, or health care clearinghouse; (2) that relates to the physical
or mental health or condition of an individual; the provision of health
care to an individual; or the payment for the provision of health care
to an individual; and (3) that identifies the individual, or might reasonably
be used to identify the individual.
Information Security Office (ISO) is the Yale University
Information Security Office with offices on Yale's central campus
at Information Technology Services (ITS) and at the Yale Medical School
at Information Technology Services – Medicine (ITS-Med).
IRB - Institutional Review Board
IT Security Incident ('Incident') is any
activity that harms or represents a serious threat to the whole or part
of Yale's computer, telephone and network-based resources such that
there is an absence of service, inhibition of functioning systems, including
unauthorized changes to hardware, firmware, software or data, unauthorized
exposure, change or deletion of PHI, or a crime or natural disaster that
destroys access to or control of these resources. Routine detection and
remediation of a 'virus', 'malware' or similar
issue that has little impact on the day-to-day business of the University
is not considered an Incident under this policy.
Legally Authorized Representative -
A person authorized either by state law or by court appointment to make
decisions, including decisions related to health care, on behalf of another
person, including someone who is authorized under applicable law to consent
on behalf of a prospective subject to the subject's participation
in the procedure involved in the research.
Limited Data Set – Protected
health information that excludes all of the 16 HIPAA specified direct identifiers
of the individual or of relatives, employers, or household members of the
individual, but retains geographic subdivisions larger than the postal
address and elements of dates. Limited data sets may only be used for research,
public health or for health care operations; and only with a data use agreement
that limits the use of the data by the recipient.
Marketing – means, (1)
to communicate about a product or service that encourages recipients of
the communication to purchase or use the product or service, unless the
communication is made (a) to describe a health-related product or service
(or payment for such product or service) that is provided by, or included
in a plan of benefits of, the covered entity making the communication (including
communications about the entities participating in a health care provider
network or health plan network; replacement of, or enhancements to, a health
plan; and health related products or services available only to a health
plan enrollee that add value to, but are not part of, a plan of benefits);
or (b) for treatment of the individual; or (c) for case management or care
coordination for that individual, or to direct or recommend alternative
treatments, therapies, providers, or settings of care to that individual;
or (2) an arrangement between a covered entity and any other entity whereby
the covered entity discloses PHI to the other entity, in exchange for direct
or indirect remuneration, for the other entity or its affiliate to make
a communication about its own product or service that encourages recipients
of the communication to purchase or use that product or service.
Minimum Necessary – refers
to reasonable efforts made to limit use, disclosure, or requests for PHI
to the minimum necessary to accomplish the intended purpose. See Policy
5037.
OCR - Office for Civil Rights, the
branch of the DHHS that is responsible for federal oversight of the privacy
regulations.
OHCA - Organized Health Care Arrangement,
a clinically integrated care setting where individuals typically receive
health care from more than one health care provider. Members of an OHCA
may agree to abide by the terms of a joint notice of privacy practices
and to share PHI as necessary to carry out treatment, payment, or operations
relating to the OHCA.
Operations – see Health
Care Operations
Payment – the activities
undertaken by (1) a health plan to obtain premiums or to determine or fulfill
its responsibility for coverage and provision of benefits under the health
plan, including determinations of eligibility and adjudication of claims;
risk adjusting; billing, claims management, and collection activities;
review of health care services with respect to medical necessity, coverage
under a health plan, appropriateness of care, or justification of charges;
utilization review activities; and disclosure to consumer reporting agencies
of certain PHI relating to collection of premiums or reimbursement; or (2)
a covered health care provider or health plan to obtain or provide reimbursement
for the provision of health care.
Personal Representative - Someone
with the legal authority to act on behalf of an incompetent adult patient,
a minor patient or a deceased patient or the patient's estate in
making health care decisions or in exercising the patient's rights
related to the individual's protected health information.
Physical safeguards are measures, policies, and procedures
to physically protect the Covered Components' Systems and related
buildings and equipment that contain ePHI, from natural and environmental
hazards and unauthorized intrusion.
PHI – Protected Health Information
(see below).
Privacy Board - A review
board that is responsible for approving HIPAA waivers of authorization.
At Yale the IRBs serve as the privacy board.
Privacy Rule - The regulations
at 45 CFR 160 and 164, which detail the requirements for complying with
the standards for privacy under the administrative simplification provisions
of HIPAA.
Protected Health Information
(PHI) is any information, whether oral or recorded in any form
or medium that is created or received by a covered entity (Yale School
of Medicine, Yale School of Nursing, Yale University Health Services,
the Department of Psychology Clinics and the Flexible Benefits Plan)
that identifies an individual or might reasonably be used to identify
an individual and relates to:
* The individual's past, present or future physical or mental health; OR
* The provision of health care to the individual; OR
* The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the patient's
name or any other information that taken together or used with other information
could enable someone to determine an individual's identity. (For example: date
of birth, medical record number, health plan beneficiary numbers, address, zip
code, phone number, email address, fax number, IP address, license numbers, full
face photographic images or Social Security Number; see Policy 5039 for
a list of HIPAA Identifiers.)
PHI excludes individually identifiable health information in education records
covered by the Family Educational Rights and Privacy Act (FERPA) (records described
in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity
in its role as employer. (See also the definitions of "health information" and "individually
identifiable health information".)
Psychotherapy Notes - Notes
recorded (in any medium) by a health care provider who is a mental health
professional documenting or analyzing the contents of conversation during
a private counseling session or a group, joint, or family counseling session
and that are separated from the rest of the individual's medical record.
Psychotherapy notes exclude medication prescription and monitoring, counseling
session start and stop times, the modalities and frequencies of treatment furnished,
results of clinical tests, and any summary of the following items: diagnosis,
functional status, the treatment plan, symptoms, prognosis, and progress to
date. See Policy 5031.
Remote Access - Any access to
a device on the Yale University data network through a non-Yale controlled
network, device, or medium, for example by DSL, cable modem or dial-up
connection.
Research - Research is any systematic
investigation (including research development, testing, and evaluation)
that is designed to contribute to generalizable knowledge.
Summary Health Information – information that summarizes the claims history,
claims expenses, or type of claims experienced by individuals for whom a plan
sponsor has provided health benefits under a group health plan; and from which
identifying information has been deleted, except that the geographic information
need only be aggregated to the level of a five digit zip code.
Risk Analysis - A documented assessment of the potential
risks and vulnerabilities to the confidentiality, integrity and availability
of ePHI, and an estimation of the security measures sufficient to reduce
the risks and vulnerabilities to a reasonable and appropriate level. Risk
analysis involves determining what requires protection, what it should
be protected from, and how to protect it.
System is any electronic computing or communications
device or the applications running thereon which can create, access, transmit
or receive data. Systems are typically connected to digital networks. Examples
of Systems include:
- A computer system whether or not connected to a data network,
- A database application used by an individual or a set of clients,
- A computer system used to connect over a network to another computer
system,
- An analog or digital voice mail system,
- Data network segments including wireless data networks, and
- Portable digital assistants.
System Administrator is the technical custodian of a
System. This individual provides the technology and processes to implement
the decisions of the System Owner. In some circumstances, e.g. small systems,
typically Basic ePHI Systems, the System Administrator and the System Owner
may be the same person. System Administrators are responsible for the technical
operation, maintenance, and monitoring of the System. These duties include
implementing appropriate technical, physical and administrative safeguards.
See also System Owner.
System Owner is the authority, individual, or organization
head who has final responsibility for Systems which create, access, transmit
or receive ePHI, including responsibility for the ePHI data. In some
complex Systems, the functional responsibility for the System and the responsibility
for the data may lie with more than one individual. Decisions regarding
who has access to the System and related ePHI data and responsibility for
the Risk Analysis rest solely with the System Owner. The System Owner usually
delegates responsibility for the technical management of a System to a
qualified System Administrator or staff who are capable of implementing
appropriate technical, physical and administrative safeguards. See also 'System
Administrator'.
Technical safeguards are the technology, and the policy
and procedures for its use, that protect electronic protected health information
and control access to it.
Telecommuting - using telecommunications
(all types of data transmission) technology to replace traditional forms
of commuting. Employees work all or part of the time outside the traditional
office at remote work locations, which may include the home.
TPO - Treatment, Payment, Health Care
Operations
Transaction – the transmission
of information between two parties to carry out financial or administrative
activities related to health care.
Treatment – the provision,
coordination, or management of health care and related services by one
or more health care providers, including the coordination or management
of health care by a health care provider with a third party; consultation between
health care providers relating to a patient; or the referral of a patient for
health care from one health care provider to another.
Unemancipated Minor -
A person under 18 years of age and not previously married; not in the Armed Services;
not previously emancipated by court proceedings initiated by the parents or the
State and in the care and control of the parents.
Use – the sharing, employment,
application, utilization, examination, or analysis of individually identifiable
health information within an entity that holds such information.
Workforce – employees,
volunteers, trainees, and other persons whose conduct, in the performance
of work for a covered entity, is under the direct control of such entity,
whether or not they are paid by the covered entity.
YHP - Yale University Health Plan
YHS or YUHS - Yale University Health Services
YSM - Yale University School of Medicine
YSN - Yale University School of Nursing
NOTE: The privacy rule definitions in this glossary are based
on the original definitions in the HIPAA Privacy Regulations and a version
from Margret Amatayakal of B.I.G., but have been edited to help clarify
them for Yale readers.