Definition of Terms
The following terms are used throughout these policies and procedures and are defined below to enable a better understanding of the actions necessary to be compliant with the regulation and the policies. In the event of an inconsistency between these terms and those defined by the HIPAA Administrative Simplification Rules, the HIPAA Administrative Simplification Rules terminology shall control.
Access authorization: Information-use policies/procedures that establish the rules for granting and/or restricting access to a user, terminal/workstation, transaction, program, or process.
Access control: The prevention of unauthorized use of a resource.
Access establishment: The security policies and the rules established therein, that determine an entity’s initial right of access to a terminal, transaction, program, or process.
Access modification: The security policies, and the rules established therein, that determine types of, and reasons for, modification to a person or system's established right of access to a terminal, transaction, program, or process.
Alternative means: Methods of communicating protected health information other than by common business practices, e.g., use of email, a designated phone number, or a designated address.
Alternative locations: Sites or locations identified for the receipt of protected health information that belong to more than one person.
Authorization for use and disclosure of protected health information: This is a written, signed document whereby a person provides permission for uses and disclosures of protected health information about that person. Authorizations are needed by covered entities for uses and disclosures of PHI that are not part of treatment, payment, or health care operations or are not required by law. HIPAA has several specific elements that must be in the authorization.
Business associate: A person or organization that performs a function or activity on behalf of the Missouri State University Employee Benefit Plan, where that function involves access to protected health information, but that is not part of the Plan's workforce.
Chain of trust partner agreement: A contract entered into by two business partners in which the partners agree to electronically exchange and/or disclose data and to protect the integrity and confidentiality of the data exchanged.
Code sets: Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. Code sets include both the codes and their descriptions.
Contingency plan: A plan for preparing for and responding to an information system emergency. The plan includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.
Covered entity: Under HIPAA, this term refers to a health care plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a HIPAA transaction.
Data backup plan: A documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information.
De-identified health information: Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. De-identified PHI may be used for any purpose.
Designated record set: A group of records maintained by or for a covered entity that includes an individual's medical records and billing records; enrollment, payment, claims adjudication, and case or medical management record systems; or are used to make decisions about an individual. These decisions include but are not limited to decisions about health care for the individual. The term "record" in this reference means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Disclosure: When referring to the "disclosure" of protected health information, "disclosure" refers to the process of a covered entity (e.g., Missouri State University Employee Benefit Plan) providing protected health information to a party who is not acting as a workforce member of the covered entity in receiving the information. (Compare with Use.)
Disposal: The act of removing from use any form of media or any component containing media such as a personal computer, external disk drive, server etc.
Diligence: The demonstration of good faith efforts on the part of Missouri State University Employee Benefit Plan to be compliant with all HIPAA rules.
Electronic media: Disk drives, diskettes, tapes, and other such electronically-based media where information can be transiently stored.
Emergency mode operation: Access controls that, when in place, enable an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
Employment Record: Written or electronic information used by the employer regarding a workforce member. Information that may be PHI in the hands of the Employee Benefit Plan may not be PHI in the records or systems of the employer, depending upon the purpose for which it is held.
Enrollment/Disenrollment Information: Health information regarding an individual's enrollment in or disenrollment from the Employee Benefit Plan. It is not PHI in the records or systems of the employer, but it is PHI in the records or systems of the Employee Benefit Plan, e.g., when held by the insurer.
Entity Authentication: The corroboration that an entity (a person or information system) is the one it claims to be.
Health Information: Any information in any form (e.g., oral, written, electronic) that relates to the past, present, or future physical or mental health or condition or the past, present, or future payment for the provision of health care.
Health Plan: A health plan of the sponsor that is a covered entity under HIPAA’s administrative simplification rules. The Missouri State University Employee Benefit Plans covered by these Privacy Policies include the medical insurance and dental insurance employee benefit plans for Southwest Missouri State University.
Individually identifiable health information: Any information that identifies a person, or that could reasonably be used to identify a person, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Information System (a.k.a. Electronic Information System): Any device or software that stores or transmits information electronically. This includes but is not limited to: workstations, LANs, mainframes, faxes, hand-held electronic devices, servers, gateways, routers, switches, and groupings of these devices.
Marketing: The continuum of activities whereby a recipient (participant in the employee benefit plan) is made aware of products, processes or services available for purchase or subscription that benefit the Employee Benefit Plan, either directly or indirectly.
Media: Any device that stores protected health information in electronic format.
Minimum necessary: The minimum amount of protected health information reasonably necessary to accomplish the intended purpose of the permitted use or disclosure.
Personal Representative: A personal representative of a participant is a person who has the right to make decisions related to the exercise of a person's privacy rights as though they were the participant. Generally, a person qualifies as a personal representative if they have the right to make medical decisions for the person (e.g., have healthcare power of attorney, are guardian, are parent of unemancipated minor, are executor of estate of a deceased participant).
Plan Amendment: A formal written amendment to the Employee Benefit Plan by Missouri State University agreeing that the employer will protect the privacy of PHI that it receives for health plan payment or operations. The programs affected by the plan amendment are The Missouri State University medical insurance and dental insurance employee benefit plans.
Plan Sponsor: Missouri State University is the plan sponsor of The Missouri State University medical insurance and dental insurance employee benefit plans.
Privacy and security: The maintenance of health plan records in a manner which ensures that access is available only to individuals and/or agencies who have a right to the information.
Privacy Notice: The written notice delivered to Employee Benefit Plan participants informing them of their privacy rights.
Privacy Official: A person appointed by the Employee Benefit Plan whose official duties include directing the information privacy activities for the Employee Benefit Plan.
Privacy/Confidentiality Breach: The use or disclosure of protected health information for purposes other than those for which the person is authorized.
Protected health information: Individually identifiable health information in any form (paper, electronic, oral) that is transmitted and/or stored by a covered entity or business associate.
Provider (a.k.a. healthcare provider): A person or institution that provides healthcare to any person in the form of services or products. Generally, physicians, hospitals, pharmacies, medical equipment vendors, nurses, physician assistants, etc. are healthcare providers.
Role-based access: Role-based access control (RBAC) is an alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With role-based access control, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
Security awareness training: Training regarding use of health information and responsibilities regarding confidentiality and security.
Security Official: A person appointed by Missouri State University whose official duties include directing the information security activities for the Employee Benefit Plan.
Security incident: A security incident includes, but is not limited to, any attempted or successful breach of policy or law involving any of the following: Misuse of proprietary information; misuse of participant information; misuse of information on or about staff, faculty, students, or other members or associates (including contractors) of the entity; unauthorized use of information systems in ways that compromise system availability, performance, or integrity.
Separation of duties: The division of duties for a process among two or more persons for the purpose of improving the integrity and/or accountability of the process. For example, having the duty (and technical ability) to assign access privileges reside with someone other than the person who is to receive the access is good separation of duties. This practice better assures that individuals will get only the appropriate access than would be the case if individuals assigned their own access rights.
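The two preceding entries, role-based access and separation of duties, describe a mechanism that is easy to show in code. The following is an added example, not part of the policy document and not the Plan's own system: users are assigned roles, roles carry privileges, every access decision is made by checking the user's roles, and the role-assignment step itself is subject to separation of duties (the assigning person may not be the recipient and must hold an assignment privilege). All user, role, resource and privilege names are constructed for illustration.

```python
"""Added example: a minimal role-based access control (RBAC) model with a
separation-of-duties check on role assignment. Every name here (users, roles,
resources, actions) is constructed for illustration and is not from the policy."""

from dataclasses import dataclass, field

# Privileges carried by each predefined role. A privilege is (resource, action).
# Users are never given privileges directly; they only receive roles.
ROLE_PRIVILEGES = {
    "claims_processor": {("claims", "read"), ("claims", "adjudicate")},
    "benefits_admin": {("enrollment", "read"), ("enrollment", "write")},
    "privacy_official": {("audit_log", "read"), ("claims", "read"),
                         ("enrollment", "read")},
    # The only role allowed to change who holds which role.
    "access_admin": {("roles", "assign")},
}


@dataclass
class AccessModel:
    user_roles: dict = field(default_factory=dict)   # user -> set of role names
    audit_log: list = field(default_factory=list)    # constructed record of decisions

    def is_permitted(self, user, resource, action):
        """Access control decision: allow only if some role held by the user
        carries the (resource, action) privilege. Unknown users hold no roles."""
        for role in self.user_roles.get(user, ()):
            if (resource, action) in ROLE_PRIVILEGES[role]:
                return True
        return False

    def assign_role(self, actor, user, role):
        """Grant `role` to `user` on behalf of `actor`.

        Separation of duties: the actor must not be the recipient, and must hold
        the ("roles", "assign") privilege through a role of their own."""
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role: {role}")
        if actor == user:
            self.audit_log.append(f"DENY {actor} assigning {role} to self")
            return False
        if not self.is_permitted(actor, "roles", "assign"):
            self.audit_log.append(f"DENY {actor} lacks roles:assign")
            return False
        self.user_roles.setdefault(user, set()).add(role)
        self.audit_log.append(f"ALLOW {actor} assigned {role} to {user}")
        return True

    def remove_user(self, actor, user):
        """Termination procedure: strip all roles so every later access check
        for this user fails. Same separation-of-duties rule as assignment."""
        if actor == user or not self.is_permitted(actor, "roles", "assign"):
            self.audit_log.append(f"DENY {actor} removing {user}")
            return False
        self.user_roles.pop(user, None)
        self.audit_log.append(f"ALLOW {actor} removed all roles from {user}")
        return True


def demo():
    """Run a short scenario and return the decisions for inspection."""
    model = AccessModel()
    # Bootstrap: one access administrator exists before any self-service is possible.
    model.user_roles["admin_alice"] = {"access_admin"}

    results = {
        "admin_grants_bob": model.assign_role("admin_alice", "bob", "claims_processor"),
        "bob_adjudicates": model.is_permitted("bob", "claims", "adjudicate"),
        "bob_writes_enrollment": model.is_permitted("bob", "enrollment", "write"),
        "admin_self_grant": model.assign_role("admin_alice", "admin_alice", "claims_processor"),
        "bob_grants_carol": model.assign_role("bob", "carol", "benefits_admin"),
        "admin_removes_bob": model.remove_user("admin_alice", "bob"),
        "bob_after_removal": model.is_permitted("bob", "claims", "read"),
    }
    return results, model.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for name, outcome in decisions.items():
        print(f"{name}: {outcome}")
    print("\n".join(log))
```

The point the glossary makes is visible in `demo()`: the administrator can grant a role to someone else but is refused when granting to herself, and a claims processor cannot grant roles at all because no role of his carries the assignment privilege. Every decision is appended to an audit record, which is what makes the process accountable rather than merely restrictive.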
Termination procedures: Formal, documented instructions, which include appropriate security measures, for the ending of an employee’s employment, or an internal/external user’s access.
Testing and revision: Testing and revision of contingency plans refers to the documented process of periodic testing to discover weaknesses in such plans and the subsequent process of revising the plans and/or documentation if necessary.
Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care.
Treatment, Payment, or Healthcare Operations (TPO): Allowable use of PHI without a participant's consent or authorization.
Use: Use refers to the process of accessing PHI within the covered entity (e.g., Missouri State University Employee Benefit Plan) by an individual who has consent (statutory or express) or authorization (written). (Compare with Disclosure.)
User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
Valid authorization: A valid authorization under HIPAA is a document that contains the following elements:
- Description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or specific identification of the person(s), or class of persons, to whom the covered entity may make the disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- The signature of the individual and date (if the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual).
- A statement of the individual’s right to revoke the authorization.
- A statement regarding the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
- A statement of the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer to be protected.
Workforce (members): Employees, volunteers, trainees, and other persons who, in the performance of their role, have use, receipt, or access to participant PHI, whether or not they are paid by the Employee Benefit Plan.
Workstation: Any device that might display, store, or print protected health information, such as computers, printers, faxes, or hand-held personal digital assistants.