04-11-19 | References

HIPAA Glossary of Terms

Business Associates
Business Associate Agreement 
Covered Entities (CE)
Electronic Data Interchange (EDI)
Electronic Health Records (EHR)
Electronic Protected Health Information (EPHI)
Healthcare Clearinghouse
Health Information
Healthcare Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH)
HIPAA Audit
HIPAA Violations
Civil Penalties
Due Diligence
Reasonable Cause
Willful Neglect
Criminal Penalties
Individually Identifiable Health Information
OCR HIPAA Audit Protocol
Privacy Rule
Protected Health Information (PHI)
Security Rule

Business Associates
Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Any organization that supports treatment, payment or healthcare operations is also considered a business associate, e.g. an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, an accountant or a lawyer. Business associates have the same responsibility to achieve and maintain HIPAA compliance across internal, administrative and technical safeguards. A business associate is not part of the covered entity's workforce; instead it performs some type of service on the covered entity's behalf.

Business Associate Agreement
The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associate Agreement is the business associate's assurance that it will take proper steps to implement the appropriate administrative, physical and technical safeguards.

Covered Entities (CE)
Anyone who provides treatment, payment or operations in healthcare. This could include a doctor's office, dental office, clinic, psychologist, nursing home, pharmacy, hospital or home healthcare agency. It also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for healthcare. Healthcare clearinghouses are also considered covered entities.

Electronic Data Interchange (EDI) 
The communication or exchange of business documents between companies via computer.

Electronic Health Records (EHR)
Electronic health records are any electronic record of patient health information generated within a clinical institution or environment, such as a hospital or doctor’s office. This may include medical history, laboratory results, immunizations, demographics, etc.

Electronic Protected Health Information (EPHI)
All individually identifiable health information that is created, maintained or transmitted electronically.

Healthcare Clearinghouse
An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.

Health Information
Patient information collected by a health plan, healthcare provider, public health authority, employer, healthcare clearinghouse or other organization that qualifies as a covered entity.

Healthcare Insurance Portability and Accountability Act (HIPAA)
Enacted in 1996, HIPAA was initially created to help the public with insurance portability. The act was later expanded with administrative simplification provisions covering electronic medical record technology and other components, along with a series of privacy protections for healthcare data.

Health Information Technology for Economic and Clinical Health (HITECH)
In 2009, the American Recovery and Reinvestment Act (ARRA) included the Health Information Technology for Economic and Clinical Health (HITECH) Act. The act offered incentives to physicians in private and institutional practices to implement and adopt electronic medical records.

In addition to incentives, the act included a series of fines to help enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance.

HIPAA Audit
A HIPAA audit is based on a set of regulations, standards and implementation specifications. The audit is an analysis that pinpoints the organization's current state and the steps needed to bring the organization into compliance.

An evaluation is part of the audit: a company must perform an evaluation and then undergo periodic evaluations at least once a year. As technology changes and new components are added to an organization's infrastructure, those components should be re-evaluated.

While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.

HIPAA Violations
If a company fails to comply with HIPAA rules, it is subject to both civil and criminal penalties.

Civil Penalties
Established by the American Recovery and Reinvestment Act of 2009 (ARRA), the tiered civil penalty structure below categorizes HIPAA violations by cause and sets their consequences. The Secretary of the Department of Health and Human Services ultimately determines fines and penalties on a case-by-case basis, according to the extent of the violation.

Due Diligence
The organization is in violation despite having taken every step it could reasonably have foreseen to prevent it.
Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations

Reasonable Cause
Steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but one of the gaps had not yet been addressed. The violation is due to reasonable cause and not willful neglect.
Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations

Willful Neglect
There are two types of willful neglect. The first is when a company clearly ignores the HIPAA law but corrects the mistake within the allowed amount of time.
Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations

The second type of willful neglect is when a company ignores the HIPAA law and does not correct the mistake.
Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations

Criminal Penalties
The U.S. Department of Justice established who can be held criminally liable for HIPAA violations. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 and imprisoned for up to a year. More serious offenses carry higher fines and longer prison terms.

Individually Identifiable Health Information
A subset of health information: information, including demographic data, that relates to an individual's health and identifies or can be used to identify the individual. This includes name, address, date of birth, etc.

OCR HIPAA Audit Protocol
Up through early 2012, there was no federal standard for third-party auditors to follow when conducting a HIPAA audit. With the publication of the Office for Civil Rights audit protocol, auditors have more consistent direction on how the OCR will conduct HIPAA audits. The protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

Privacy Rule
The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.

Protected Health Information (PHI)
This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.

Security Rule
The part of the HIPAA rule that sets national standards for protecting health data that is created, received, maintained or transmitted electronically.

© 2024 OTAVA® All Rights Reserved