State of West Virginia - HIPAA Health Insurance Portability and Accountability Act

Glossary of HIPAA Terms

AA Homecare: (American Association for Homecare) An industry association for the home care industry, including home IV therapy, home medical services and manufacturers, and home health providers. AAHomecare was created through the merger of the Health Industry Distributors Association’s Home Care Division (HIDA Home Care), the Home Health Services and Staffing Association (HHSSA), and the National Association for Medical Equipment Services (NAMES).

Ability to add attributes:  One possible capability of a digital signature technology, for example, the ability to add a time stamp as part of a digital signature. (Relates to part of digital signature on the matrix.)

Academic Medical Center (AMC): Provides HIPAA guidelines for academic medical centers.

Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

Access authorization: Information-use policies/procedures that establish the rules for granting and/or restricting access to a user, terminal, transaction, program, or process. (Relates to part of information access control on the matrix.)

Access control: A method of restricting access to resources, allowing only privileged entities access. (PGP, Inc.) (Relates to part of Media Controls on the matrix.)

Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation. (Relates to part of technical security services to control and monitor access to information on the matrix.)

Access controls: The protection of sensitive communications transmissions over open or private networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient. (Relates to part of mechanisms to prevent unauthorized access to data that is transmitted over a communications network on the matrix.)

Access establishment: The security policies, and the rules established therein that determine an entity’s initial right of access to a terminal, transaction, program or process. (Relates to part of information access control on the matrix.)

Access level: A level associated with an individual who may be accessing information (for example, a clearance level) or with the information, which may be accessed (for example, a classification level). (NRC, 1991, as cited in )

Access modification: The security policies, and the rules established therein, that determine types of, and reasons for, modification to an entity’s established right of access to a terminal, transaction, program, or process. Related to part of information access control on the matrix.

Accountability: The property that ensures that the actions of an entity can be traced uniquely to that entity. (ASTM E1762—95) (Relates to part of media controls on the matrix.)

Accreditation: An evaluative process in which a healthcare organization undergoes an examination of its policies, procedures and performance by an external organization ("accrediting body") to ensure that it is meeting predetermined criteria. It usually involves both on- and off-site surveys.

Accredited Standards Committee (ASC): An organization that has been accredited by ANSI for the development of American National Standards.

ACG:  Ambulatory Care Group

ACH: (See Automated Clearinghouse) Under HIPAA, this is an entity that processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes or facilitates the processing of that information into nonstandard format or nonstandard data content for a receiving entity. Also see Part II, 45 CFR 160.103.

Act: 160.103. The Social Security Act

ADA: (See American Dental Association) A professional organization for dentists. The ADA maintains a hardcopy dental claim form and the associated claim submission specifications, and also maintains the Current Dental Terminology (CDT™) medical code set. The ADA and the Dental Content Committee (DeCC), which it hosts, have formal consultative roles under HIPAA.

ADG: Ambulatory Diagnostic Group

Administrative Code Sets: Code sets that characterize a general business situation rather than a medical condition or service.  Under HIPAA, these are sometimes referred to as non-medical or non-clinical code sets.

Administrative Data: This refers to information that is collected, processed, and stored in automated information systems. Administrative data include enrollment or eligibility information, claims information, and managed care encounters. The claims and encounters may be for hospital and other facility services, professional services, prescription drug services, laboratory services, and so on.

Administrative procedures to guard data integrity, confidentiality, and availability: Documented, formal practices to manage (1) the selection and execution of security measures to protect data and (2) the conduct of personnel in relation to the protection of data. (Relates to a section of the matrix.)

Administrative Services Only (ASO): An arrangement whereby a self-insured entity contracts with a Third Party Administrator (TPA) to administer a health plan.

Administrative Simplification (A/S): Title II, Subtitle F, of HIPAA, which gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for healthcare patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

AFEHCT: (See Association for Electronic Health Care Transactions) An organization that promotes the use of EDI in the health care industry.

AHA: (See American Hospital Association): A health care industry association that represents the concerns of institutional providers. The AHA hosts the NUBC, which has a formal consultative role under HIPAA.

AHIMA: (See American Health Information Management Association) An association of health information management professionals. AHIMA sponsors some HIPAA educational seminars.

Alarm, event reporting, and audit trail: 

(1)   Alarm: In communications systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality. (188) NOTE: The signal may be in any desired form ranging from a simple contact closure (or opening) to a time-phased automatic shutdown and restart cycle. (Glossary of INFOSEC and INFOSEC Related Terms – Idaho University)

(2)   Event reporting: A network message indicating operational irregularities in physical elements of a network or response to the occurrence of a significant task, typically the completion of a request for information. (Glossary of INFOSEC and INFOSEC Related Terms – Idaho State University)

(3)   Audit trail: Data collected and potentially used to facilitate a security audit. (ISO 7498-2, as cited in )

Relates to part of mechanisms to prevent unauthorized access to data that is transmitted over a communications network on the matrix.

AMA: (See American Medical Association) A professional organization for physicians. The AMA is the secretariat of the NUCC, which has a formal consultative role under HIPAA. The AMA also maintains the Current Procedural Terminology (CPT™) medical code set.

Ambulatory Payment Class (APC): A payment type for outpatient PPS claims.

AMC: (See Academic Medical Centers)

Amendments and Corrections: In the final privacy rule, an amendment to a record would indicate that the data is in dispute while retaining the original information, whereas a correction to a record will alter or replace the original record.

American Association for Homecare (AAHomecare): An industry association for the home care industry, including home IV therapy, home medical services and manufacturers, and home health providers. AAHomecare was created through the merger of the Health Industry Distributors Association’s Home Care Division (HIDA Home Care), the Home Health Services and Staffing Association (HHSSA), and the National Association for Medical Equipment Services (NAMES).

American Dental Association (ADA): A professional organization for dentists. The ADA maintains a hardcopy dental claim form and the associated claim submission specifications, and also maintains the Current Dental Terminology (CDT™) medical code set. The ADA and the Dental Content Committee (DeCC), which it hosts, have formal consultative roles under HIPAA.

American Health Information Management Association (AHIMA): An association of health information management professionals. AHIMA sponsors some HIPAA educational seminars.

American Hospital Association (AHA): A health care industry association that represents the concerns of institutional providers. The AHA hosts the NUBC, which has a formal consultative role under HIPAA.

American Medical Association (AMA): A professional organization for physicians. The AMA is the secretariat of the NUCC, which has a formal consultative role under HIPAA. The AMA also maintains the Current Procedural Terminology (CPT™) medical code set.

American Medical Informatics Association (AMIA): A professional organization that promotes the development and use of medical informatics for patient care, teaching, research, and health care administration.

American National Standards (ANS): Standards developed and approved by organizations accredited by ANSI.

American National Standards Institute (ANSI): An organization that accredits various standards-setting committees and monitors their compliance with the open rule-making process that they must follow to qualify for ANSI accreditation. HIPAA prescribes that the standards mandated under it be developed by ANSI-accredited bodies whenever practical.

American Society for Testing and Materials (ASTM): A standards group that has published general guidelines for the development of standards, including those for health care identifiers. ASTM Committee E31 on Healthcare Informatics develops standards on information used within healthcare.

AMIA (See American Medical Informatics Association)

ANS (See American National Standards)

ANSI: (See American National Standards Institute)

APC (See Ambulatory Payment Class)

Applications and data criticality analysis: An entity’s formal assessment of the sensitivity, vulnerabilities, and security of its programs and information it receives, manipulates, stores, and/or transmits. (Relates to part of contingency plan on the matrix.)

A/S, A.S., or AS (Administrative Simplification):

Title II, Subtitle F, of HIPAA, which gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for healthcare patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

ASC (See Accredited Standards Committee):  An organization that has been accredited by ANSI for the development of American National Standards.

ASO (See Administrative Services Only):

ASPIRE: AFEHCT’s Administrative Simplification Print Image Research Effort work group.

Assigned security responsibility: Practices put in place by management to manage and supervise (1) the execution and use of security measures to protect data, and (2) the conduct of personnel in relation to the protection of data. (Relates to part of physical safeguards to guard data integrity, confidentiality, and availability on the matrix.)

Association for Electronic Health Care Transactions (AFEHCT): An organization that promotes the use of EDI in the health care industry.

Assure supervision of maintenance personnel by authorized, knowledgeable person: Documented formal procedures/instruction for the oversight of maintenance personnel when such personnel are in the vicinity of health information pertaining to an individual. (Relates to part of personnel security on the matrix.)

ASTM (See American Society for Testing and Materials)

Asymmetric encryption: Encryption and decryption performed using two different keys, one of which is referred to as the public key and one of which is referred to as the private key. Also known as public-key encryption. (Stallings)

Asymmetric key: One half of a key pair used in an asymmetric (“public-key”) encryption system. Asymmetric encryption systems have two important properties: (1) the key used for encryption is different from the one used for decryption, (2) neither key can feasibly be derived from the other. (CORBA Security Services, 1997)

Audit controls: The mechanisms employed to record and examine system activity. (Relates to part of technical security services to control and monitor access to information on the matrix.)

Authorization control: The mechanism for obtaining consent for the use and disclosure of health information. (Relates to part of technical security services to control and monitor access to information on the matrix.)

Automated Clearinghouse (ACH): Under HIPAA, this is an entity that processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or that receives a standard transaction from another entity and processes or facilitates the processing of that information into nonstandard format or nonstandard data content for a receiving entity. Also see Part II, 45 CFR 160.103.

Automatic logoff: After a pre-determined time of inactivity (for example, 15 minutes), an electronic session is terminated. (Relates to part of entity authentication on the matrix.)

Availability:  The property of being accessible and useable upon demand by an authorized entity. (ISO-7498-2, as cited in the HISB draft Glossary of Terms Related to Information Security In Health Care Information Systems)

Awareness training for all personnel: All personnel in an organization should undergo security awareness training, including, but not limited to, password maintenance, incident reporting, and an education concerning viruses and other forms of malicious software. (Relates to part of Training on the matrix)

BA (Business Associate): A person or organization that performs a function or activity on behalf of a covered entity but is not part of the covered entity’s workforce. A business associate can also be a covered entity in its own right. Also see Part II, 45 CFR 160.103.

BCBSA (See Blue Cross and Blue Shield Association)

Benchmark: A benchmark is sustained superior performance by a medical care provider, which can be used as a reference to raise the mainstream of care for Medicare beneficiaries. The relative definition of superior will vary from situation to situation. In many instances an appropriate benchmark would be a provider that appears in the top 10% of all providers for more than a year.

Biometric: A biometric identification system identifies a human from a measurement of a physical feature or repeatable action of the individual (for example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature). (ASTM E1762 – 95, as cited in the HISB draft Glossary of Terms Related to Information Security In Healthcare Information Systems)

Biometric Identifier: An identifier based on some physical characteristics, such as a fingerprint.

Blue Cross and Blue Shield Association (BCBSA): An association that represents the common interests of Blue Cross and Blue Shield health plans. The BCBSA serves as the administrator for the Health Care Code Maintenance Committee and also helps maintain the HCPCS Level II codes.

BP (See Business Associate)

Business Associate (BA):

(1)   Except as provided in paragraph (2) of this definition, Business associate means, with respect to a covered entity, a person who:

(i)     On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A)   A function or activity involving the use or disclosure of individually identifiable health information, including claims process or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B)   Any other function or activity regulated by this subchapter; or

(ii)    Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person

(2)   A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3)   A covered entity may be a business associate of another covered entity.

Business Model: A model of a business organization or process.

Business Partner (BP): (See Business Associate)

Business Relationships: The term agent is often used to describe a person or organization that assumes some of the responsibilities of the other one. This term has been avoided in the final rules so that a more HIPAA-specific meaning could be used for business associate. The term business partner (BP) was originally used for business associate.

Cabulance: A taxicab that also functions as an ambulance.

CBO (See Congressional Budget Office or Cost Budget Office)

CDC (See Centers for Disease Control and Prevention)

CDT (See Current Dental Terminology)

CE (Covered Entity): Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Also see Part II, 45 CFR 164.103.

CEFACT (See United Nations Centre for Facilitation of Procedures and Practices for Administration, Commerce, and Transport UN/CEFACT)

CEN (See European Center for Standardization)

Centers for Disease Control and Prevention (CDC): An organization that maintains several code sets included in the HIPAA standards, including the ICD-9-CM codes.

Center for Healthcare Information Management (CHIM): A health information technology industry association.

Centers for Medicare and Medicaid Services: The HHS agency responsible for Medicare and parts of Medicaid. Centers for Medicare & Medicaid Services has historically maintained the UB-92 institutional EMC format specifications, the professional EMC NSF specifications, and specifications for various certifications and authorizations used by the Medicare and Medicaid programs. Centers for Medicare & Medicaid Services also maintains the HCPCS medical code set and the Medicare Remittance Advice Remark Codes administrative code set.

Certification: The technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. This evaluation may be performed internally or by an external accrediting agency. (Relates to Part of administrative procedures to guard data integrity, confidentiality, and availability.)

CFR: Code of Federal Regulations

CHAMPUS: Civilian Health and Medical Program of the Uniformed Services (U.S.C. Title 10 Section 1072(4))

Chain of Trust: A term used in the HIPAA Security NPRM for a pattern of agreements that extend protection of health care data by requiring that each covered entity that shares health care data with another entity requires that the entity provide protections comparable to those provided by the covered entity, and that that entity, in turn, require any other entities with which it shares the data satisfy the requirements.

CHIM (See Center for Healthcare Information Management)

CHIME (See College of Healthcare Information Management Executives)

CHIP (See Child Health Insurance Program):

Claim Adjustment Reason Codes: A national administrative code set that identifies the reasons for any differences or adjustments between the provider charge for a claim or service and the payer’s payment for it. This code set is used in the X12 835 Claim Payment & Remittance Advice and the X12 837 Claim transactions and is maintained by the Health Care Code Maintenance Committee.

Claim Medicare Remark Codes: (See Medicare Remittance Advice Remark Codes)

Claim Status Codes: A national administrative code set that identifies the status of health care claims. This code set is used in the X12 277 Claim Status Notification transaction, and is maintained by the Health Care Code Maintenance Committee.

Claim Status Category Codes: A national administrative code set that indicates the general category of the status of health care claims. This code set is used in the X12 277 Claims Status Notification transaction, and is maintained by the Health Care Code Maintenance Committee.

Classification: Protection of data from unauthorized access by the designation of multiple levels of access authorization clearances to be required for access, dependent upon the sensitivity of the information. (Relates to a type of access control on the matrix.)

Clearinghouse: A public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. (HIPAA, Subtitle F, Section 262(a) Section 1171(2))

CLIA (See Clinical Laboratory Improvement Amendments)

Clinical Code Sets: (See Medical Code Sets)

CM: Clinical Modification (See ICD)

CMS: Center for Medicare and Medicaid Services of the U. S. Department of Health and Human Services

COB (See Coordination of Benefits)

Code Set: Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their description. Also see Part II, 45 CFR 162.103.

Code Set Maintaining Organization: Under HIPAA, this is an organization that creates and maintains the code sets adopted by the Secretary for use in the transactions for which standards are adopted. Also see Part II, 45 CFR 162.103

College of Healthcare Information Management Executives (CHIME): A professional organization for health care Chief Information Officers (CIOs).

Combination locks changed: Documented procedure for changing combinations of locking mechanisms, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or a requirement for access to the protected facility/system. (Relates to part of termination procedures on the matrix.)

Comment: Public commentary on the merits or appropriateness of proposed or potential regulations provided in response to the NPRM, an NIO, or other federal regulatory notice.

Common Control: See Part II, 45 CFR 164.504

Common Ownership: See Part II, 45 CFR 164.504

Compliance Date: The date by which a covered entity must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.

Component: (Covered Entity)

Computer-based Patient Record Institute (CPRI): An industry organization that promotes the use of health care information systems, including electronic healthcare records.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities or processes. (ISO 7498-2, as cited in the HISB draft Glossary of Terms Related to Information Security in Health care Information Systems).

Consent: § 164.506 Consent for uses or disclosures to carry out treatment, payment or health care operations.

(c) Implementation specifications:

Content requirement. A consent under this section must be in plain language and:

(1)   Inform the individual that protected health information may be used and disclosed to carry out treatment, payment or health care operations;

(2)   Refer the individual to the notice required by §164.520 for a more complete description of such uses and disclosures and state that the individual has the right to review the notice prior to signing the consent;

(3)   If the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with § 164.520 (b)(1)(v)(C), state that the terms of its notice may change and describe how the individual may obtain a revised notice;

(4)   State that:

(i)     The individual has a right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations;

(ii)    The covered entity is not required to agree to requested restrictions; and

(iii)  If the covered entity agrees to a requested restriction, the restriction is binding on the covered entity;

(5)   State that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance thereon; and

(6)   Be signed by the individual and dated.

Context-based access: An access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of the user authentication, etc.

Contingency Plan: A plan for responding to a system emergency. The plan includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster. (O’Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security In Health care Information Systems) Contingency plans should be updated routinely. (Relates to part of Administrative procedures to guard data integrity, confidentiality and availability on the matrix.)

Continuity of signature capability: The public verification of a signature shall not compromise the ability of the signer to apply additional secure signatures at a later date. (ASTM E 1762—95) (Relates to part of digital signature on matrix.)

Contrary: § 160.202: when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1)   A covered entity would find it impossible to comply with both the State and Federal requirements; or

(2)   The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section

Coordination of Benefits (COB): A process for determining the respective responsibilities of two or more health plans that have some financial responsibility for a medical claim. Also called crossover.

CORF: Comprehensive Outpatient Rehabilitation Facility

Correctional institution: 164.501: any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.

COT (See Chain of Trust): 

Counter signatures: It shall be possible to prove the order of applications of signatures. This is analogous to the normal business practice of countersignatures, where some party signs a document, which has already been signed by another party. (ASTM E1762—95) (Relates to part of digital signature on the matrix.)

Covered Entity: (1) A health plan. (2) A health clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Covered Functions: 164.501: those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.

CPRI (See Computer-based Patient Record Institute)

Cross-walk: The process of matching data elements or individual code values of one set to their closest equivalents in another set.  This is sometimes called a data mapping.

Current Dental Terminology (CDT™): A medical code set, maintained and copyrighted by the ADA, that has been selected for use in the HIPAA transaction.

Current Procedural Terminology (CPT™): A medical code set, maintained and copyrighted by the AMA, that has been selected for use under HIPAA for non-institutional and non-dental professional transactions.

Data: A sequence of symbols to which meaning may be assigned. (NRC, 1991, as cited in the HISB draft Glossary of Terms Related to Information Security in Health care Information Systems)

Data Aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

Data Authentication: The corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature. (Relates to part of technical security services to control and monitor access to information on the matrix)

Data Backup: A retrievable, exact copy of information. (Relates to part of media controls on the matrix.)

Data Backup Plan: A documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information. (Relates to part of contingency plans on the matrix.)

Data Condition: A description of the circumstances in which certain data is required. Also see Part II, 45 CFR 164.501.

Data Content: Under HIPAA, this is all of the data elements and code sets inherent to a transaction, and not related to the format of the transaction. Also see Part II, 45 CFR 162.103.

Data Content Committee (DCC): See Designated Data Content Committee.

Data Council: A coordinating body within HHS that has high-level responsibility for overseeing the implementation of the A/S provisions of HIPAA.

Data Dictionary (DD): Document or system that characterizes the data content of a system.

Data Element: Under HIPAA, this is the smallest named unit of information in a transaction.  Also see Part II, 45 CFR 162.103

Data Integrity: The property that data has [sic] not been altered or destroyed in an unauthorized manner. (ASTM E1762—95)

Data Interchange Standards Association (DISA): A body that provides administrative services to X12 and several other standards-related groups.

Data Mapping: The process of matching data elements or individual code values of one set to their closest equivalents in another set.  This is sometimes called a crosswalk.

Data Model: A conceptual model of the information needed to support a business function or process.

Data-related Concepts:

  • See Clinical or Medical Code Sets
  • See Data Element
  • See designated code set
  • Electronic data is data that is recorded or transmitted electronically, while non-electronic data would be everything else. Special cases would be data transmitted by fax and audio systems, which is, in principle, transmitted electronically, but which lacks the underlying structure usually needed to support automated interpretation of its contents.
  • Encoded data is data represented by some identification or classification scheme, such as a provider identifier or a procedure code. Non-encoded data would be more nearly free form, such as a name, a street address, or a description. Theoretically, of course, all data, including grunts and smiles, is encoded.
  • For HIPAA purposes, internal data, or internal code sets, are data elements that are fully specified within the HIPAA implementation guides.
  • Individually identifiable data is data that can be readily associated with a specific individual.
  • See Structural Data

Data Set: See Part II, 45 CFR 162.103

Data Storage: The retention of health care information pertaining to an individual in an electronic format. (Relates to part of media controls on the matrix.)

DCC (See Designated Data Content Committee)

DD (See Data Dictionary)

DDE (See Direct Data Entry)

DeCC (See Dental Content Committee)

De-identified Information: Health information meeting the standard and implementation specifications under section 164.514.

Department of Health and Human Services: The federal government department that has overall responsibility for implementing HIPAA.

Descriptor: The text defining a code in a code set. Also see Part II, 45 CFR 162.103

Designated Code Sets: A medical code set or an administrative code set that HHS has designated for use in one or more of the HIPAA standards.

Designated Data Content Committee (Designated DCC): An organization that HHS has designated for oversight of the business data content of one or more of the HIPAA-mandated transaction standards.

Designated Record Set:

(1)   A group of records maintained by or for a covered entity that is:

(i)     The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii)    The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii)  Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2)   For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Designated Standard: A standard, which HHS has designated for use under the authority provided by HIPAA.

Designated Standard Maintenance Organization (DSMO): See Part II, 45 CFR 164.501

DHHS (See Health and Human Services):

Diagnosis Code: The first of these codes is the ICD-9-CM diagnosis code describing the principal diagnosis (i.e., the condition established after study to be chiefly responsible for causing this hospitalization). The remaining codes are the ICD-9-CM diagnosis codes corresponding to additional conditions that coexisted at the time of admission, or developed subsequently, and which had an effect on the treatment received or the length of stay.

DICOM (See Digital Imaging and Communications in Medicine)

Digital Imaging and Communications in Medicine (DICOM): A standard for communicating images, such as x-rays, in a digitized form. This standard could become part of the HIPAA claim attachments standards.

Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified. (FDA Electronic Record; Electronic Signatures; Final Rule) (Relates to part of electronic signature on the matrix.)

Direct Data Entry (DDE):  Under HIPAA, this is the direct entry of data that is immediately transmitted into a health plan’s computer.  Also see Part II, 45 CFR 164.501

Direct Treatment Relationship: A treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

DISA (See Data Interchange Standards Association)

Disaster Recovery: The process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. (CPRI, 1996c, as cited in ) (Relates to part of physical access controls (limited access) on the matrix.)

Disaster Recovery Plan: Part of an overall contingency plan. The plan for a process whereby an enterprise would be able to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Disclosure History: Under HIPAA, this is a list of any entities that have received personally identifiable health care information for uses unrelated to treatment and payment.

Discretionary Access Control: Discretionary Access Control (DAC) is used to control access by restricting a subject’s access to an object. It is generally used to limit a user’s access to a file. In this type of access control it is the owner of the file who controls other users’ accesses to the file. (Relates to a type of access control on the matrix.)

Disposal: The final disposition of electronic data, and/or the hardware on which electronic data is stored. (Relates to part of media controls on the matrix.)

DME: Durable Medical Equipment.

DMEPOS: Durable Medical Equipment, Prosthetics, Orthotics, and Supplies

Documentation: Written security plans, rules, procedures, and instructions concerning all components of an entity’s security. (Relates to part of security configuration mgmt on the matrix.)

Draft Standard for Trial Use (DSTU): An archaic term for any X12 standard that has been approved since the most recent release of X12 American National Standards. The current equivalent term is “X12 standard”.

DRG: Diagnosis Related Group

DSMO (See Designated Standard Maintenance Organization)

DSTU (See Draft Standard for Trial Use)

EC (See Electronic Commerce):

EDI (Electronic Data Interchange): Inter-company, computer-to-computer transmission of business information in a standard format. For EDI purists, “computer-to-computer” means direct transmission from the originating application program to the receiving, or processing, application program, and an EDI transmission consists only of business data, not any accompanying verbiage or free-form messages. Purists might also contend that a standard format is one that is approved by a national or international standards organization, as opposed to formats developed by industry groups or companies. (EDI Security, Control, and Audit.)

EDIFACT (United Nations Rules for Electronic Data Interchange for Administration, Commerce, and Transport): An international EDI format. Interactive X12 transactions use the EDIFACT message syntax.

EDI Translator: A software tool for accepting an EDI transmission and converting the data into another format or for converting a non-EDI data file into an EDI format for transmission.

Effective Date:  Under HIPAA, this is the date that a final rule is effective, which is usually 60 days after it is published in the Federal Register.

EFT: Electronic Funds Transfer

EHNAC (See Electronic Healthcare Network Accreditation Commission)

EIN: Employer Identification Number

Electronic Commerce (EC): The exchange of business information by electronic means.

Electronic Data Interchange (See EDI)

Electronic Healthcare Network Accreditation Commission (EHNAC): An organization that tests transactions for consistency with the HIPAA requirements, and that accredits health care clearinghouses.

Electronic Media: See Part II, 45 CFR 162.103

Electronic Media Claims (EMC): This term usually refers to a flat file format used to transmit or transport claims, such as the 192-byte UB-92 Institutional EMC format and the 320-byte Professional EMC NSF.

Electronic Remittance Advice (ERA): Any of several electronic formats for explaining the payments of health care claims.

Electronic Signature: The attribute that is affixed to an electronic document to bind it to a particular entity. An electronic signature process secures the user authentication: proof of claimed identity, such as by biometrics (fingerprints, retinal scans, handwritten signature verification, etc.), tokens or passwords at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognized and proven) and supplies additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer. There are several technologies available for user authentication, including passwords, cryptography, and biometrics. (ASTM 1762-95, as cited in the HISB draft Glossary of Terms Related to Information Security in Health care Information Systems)

Eligibility: Refers to the process whereby an individual is determined to be eligible for health care coverage through the Medicaid program. Eligibility is determined by the State. Eligibility data are collected and managed by the State or by its Fiscal Agent. In some managed care waiver programs, eligibility records are updated by an Enrollment Broker, who assists the individual in choosing a managed care plan to enroll in.

EMC (See Electronic Media Claims)

Emergency Mode Operation: Access controls in place that enable an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure. (Relates to part of physical access controls (limited access) on the matrix.)

Emergency Mode Operation Plan: Part of an overall contingency plan. The plan for a process whereby an enterprise would be able to continue to operate in the event of fire, vandalism, natural disaster, or system failure. (Relates to part of the contingency plan on the matrix.)

EMR: Electronic Medical Record

Encounter Data: Detailed data about individual services provided by a capitated managed care entity. The level of detail about each service reported is similar to that of a standard claim form. Encounter data are also sometimes referred to as "shadow claims".

Encryption: Transforming confidential plaintext into cipher-text to protect it. Also called encipherment. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. (EDI Security, Control and Audit.) Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing. (Relates to part of access control on the matrix.)

Entity Assets: Assets, which the reporting entity has authority to use in its operations (i.e., management has the authority to decide how funds are used, or management is legally obligated to use funds to meet entity obligations).

Entity Authentication:

(1)   The corroboration that an entity is the one claimed. (ISO 7498-2, as cited in the HISB draft Glossary of Terms Related to Information Security In health care Information Systems) (Relates to part of technical security services to control and monitor access to information on the matrix.)

(2)   A communications/network mechanism to irrefutably identify authorized users, programs, and processes, and to deny access to unauthorized users, programs and processes. (Relates to part of mechanisms to prevent unauthorized access to data that is transmitted over a communications network on the matrix.)

EOB: Explanation of Benefits

EOMB: Explanation of (Medical or Medicaid or Member) Benefits

Equipment Control: Documented security procedures for bringing hardware and software into and out of a facility and for maintaining a record of that equipment. This includes, but is not limited to, the marking, handling, and disposal of hardware and storage media. (Relates to part of the physical access controls (limited access) on the matrix.)

ERA (See Electronic Remittance Advice):

ERISA: Employee Retirement Income Security Act (U.S.C. Title 29, U.S. Code sections 1001 and following)

Facility Security Plan: A plan to safeguard the premises and building(s) (exterior and interior) from unauthorized physical access, and to safeguard the equipment therein from unauthorized physical access, tampering, and theft.

FAQs: Frequently Asked Question(s)

FDA: Food and Drug Administration

FERPA: Family Educational Rights and Privacy Act

Flat File: This term usually refers to a file that consists of a series of fixed-length records that include some sort of record type code.

Formal Mechanism for Processing Records: Documented policies and procedures for the routine, and non-routine, receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information. (Relates to part of administrative procedures to guard data integrity, confidentiality, and availability on the matrix.)

Format: Under HIPAA, those data elements that provide or control the enveloping or hierarchical structure or assist in identifying data content of a transaction. 

FR: Federal Register

GAO: General Accounting Office

Group Health Plan: (also see definition of health plan in this section) means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:

(1)   Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or

(2)   Is administered by an entity other than the employer that established and maintains the plan.

Governmental Entity: (Covered Entity)

Guideline: A policy or rule intended to give practical guidance.

Hardware/software Installation: Formal, documented procedures for

(1)   Connecting and loading new equipment and programs;

(2)   Periodic review of the maintenance occurring on that equipment and programs; and

(3)    Periodic security testing of the security attributes of that hardware/software. (Relates to part of security configuration mgmt on the matrix.)

HCFA: Health Care Financing Administration within the U.S. Department of Health and Human Services, currently known as the Center for Medicare and Medicaid Services of the U.S. Department of Health and Human Services.

HCFA-1450: HCFA’s name for the institutional uniform claim form, or UB-92.

HCFA-1500: HCFA’s name for the professional uniform claim form. Also known as the UCF-1500.

HCFA Common Procedural Coding System (HCPCS): A medical code set that identifies health care procedures, equipment, and supplies for claim submission purposes.  It has been selected for use in the HIPAA transactions.

HHS: The Department of Health and Human Services.

Health Care: Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

(1)   Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(2)   Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:

(1)   Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or

(2)   Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health Care Code Maintenance Committee: An organization administered by the BCBSA that is responsible for maintaining certain coding schemes used in the X12 transactions and elsewhere. These include the Claim Adjustment Reason Codes, the Claim Status Category Codes, and the Claim Status Codes.

Health Care Common Procedural Coding System: A medical code set that identifies health care procedures, equipment, and supplies for claim submission purposes. It has been selected for use in the HIPAA transactions.

Health Care Component: See Part II, 45 CFR 164.504.

Healthcare Financial Management Association (HFMA): An organization for the improvement of the financial management of healthcare-related organizations. The HFMA sponsors some HIPAA educational seminars.

Health Care Financing Administration (HCFA): The HHS agency responsible for Medicare and parts of Medicaid. HCFA has historically maintained the UB-92 institutional EMC format specifications, the professional EMC NSF specifications, and specifications for various certifications and authorizations used by the Medicare and Medicaid programs. HCFA also maintains the HCPCS medical code set and the Medicare Remittance Advice Remark Codes administrative code set.

Health Care Information Management Systems Society (HIMSS): A professional organization for healthcare information and management systems professionals.

Health Care Operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:

(1)   Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2)   Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3)   Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

(4)   Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5)   Business planning and development, such as conducting cost-management and planning-related analysis related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6)   Business management and general administrative activities of the entity, including, but not limited to:

(i)     Management activities relating to implementation of and compliance with the requirements of this subchapter

(ii)    Customer service, including the provision of data analysis for policyholders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policyholder, plan sponsor, or customer.

(iii)  Resolution of internal grievances;

(iv)  Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and

(v)   Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).

Health Care Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Care Provider Taxonomy Committee: An organization administered by the NUCC that is responsible for maintaining the Provider Taxonomy coding scheme used in the X12 transactions. The detailed code maintenance is done in coordination with X12N/TG2/WG15.

Health Industry Business Communications Council (HIBCC): A council of health care industry associations, which have developed a number of technical standards used within the health care industry.

Health Informatics Standards Board (HISB): An ANSI-accredited standards group that has developed an inventory of candidate standards for consideration as possible HIPAA standards.

Health Information: Any information, whether oral or recorded in any form or medium, that:

(1)   Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2)   Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Insurance Association of America (HIAA): An industry association that represents the interests of commercial health care insurers. The HIAA participates in the maintenance of some code sets, including the HCPCS Level II codes.

Health Insurance Issuer: (As defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health plan in this section) An insurance company, insurance service, or insurance organization (including HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Title II, Subtitle F, of HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. Also known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191.

Health Level Seven (HL7): An ANSI-accredited group that defines standards for the cross-platform exchange of information within health care organizations. HL7 is responsible for specifying the Level Seven OSI standards for the health industry. The X12 275 transaction will probably incorporate the HL7 CRU message to transmit claim attachments as part of a future HIPAA claim attachments standard. The HL7 Attachment SIG is responsible for the HL7 portion of this standard.

Health Maintenance Organization (HMO): (as defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the definition of health plan in this section) means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.

Health Oversight Agency: See Part II, 45 CFR 160.501.

Health Plan: An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(1)   Health plan includes the following, single or in combination:

(i)     A group health plan, as defined in this section.

(ii)    A health insurance issuer, as defined in this section.

(iii)  An HMO, as defined in this section.

(iv)  Part A or Part B of the Medicare program under title XVIII of the Act.

(v)   The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.

(vi)  An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(ix)  The health care program for active military personnel under title 10 of the United States Code.

(x)   The veterans health care program under 38 U.S.C. chapter 17.

(xi)  The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).

(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.

(xiii) The Federal Employees Health Benefits Programs under 5 U.S.C. 8902, et seq.

(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1395w-21 through 1395w-28.

(xv)  The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-28.

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(2)   Health plan excludes:

(i)     Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1); and

(ii)    A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):

(A)  Whose principal purpose is other than providing, or paying the cost of, health care; or

(B)   Whose principal activity is:

(1)   The direct provision of health care to persons; or

(2)   The making of grants to fund the direct provision of health care to persons.

HEDIC: Healthcare EDI Coalition

HEDIS: Health Employer Data and Information Set

HFMA (See Healthcare Financial Management Association)

HHA: Home Health Agency

HIAA (See Health Insurance Association of America):

HIBCC (See Health Industry Business Communications Council)

HIMSS (See Healthcare Information Management Systems Society)

HIPAA (See Health Insurance Portability and Accountability Act of 1996)

HISB (See Health Informatics Standards Board)

HL7 (See Health Level Seven)

HMO  (See Health Maintenance Organization)

HPSA: Health Professional Shortage Area

Hybrid Entity: A covered entity whose covered functions are not its primary functions.  Also see Part II, 45 CFR 164.504

IAIABC (See International Association of Industrial Accident Boards and Commissions)

ICD & ICD-n-CM & ICD-n-PCS: International Classification of Diseases, with “n” = “9” for Revision 9 or “10” for Revision 10, with “CM” = “Clinical Modification”, and with “PCS” = “Procedure Coding System”.

ICF: Immediate Care Facility

IDN: Integrated Delivery Network

IIHI: See Individually Identifiable Health Information

IG (See Implementation Guide)

IHC: Internet Healthcare Coalition

Implementation Guide (IG): A document explaining the proper use of a standard for a specific business purpose. The X12N HIPAA IGs are the primary reference documents used by those implementing the associated transactions, and are incorporated into the HIPAA regulations by reference.

Implementation Specification: Specific requirements or instructions for implementing a standard.

Independent Verifiability: The capability to verify the signature without the cooperation of the signer. Technically, it is accomplished using the public key of the signatory, and it is a property of all digital signatures performed with asymmetric key encryption. (Relates to part of the digital signature on the matrix.)

Indirect Treatment Relationship: A relationship between an individual and a health care provider in which:

(1)   The health care provider delivers health care to the individual based on the orders of another health care provider; and

(2)   The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Individual: The person who is the subject of protected health information.

Individually Identifiable Health Information: Information that is a subset of health information, including demographic information collected from an individual, and:

(1)   Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2)   Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; or

(i)     That identifies the individual; or

(ii)    With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Information: Data to which meaning is assigned, according to context and assumed conventions. (National Security Council, 1991, as cited in the HISB draft Glossary of Terms Related to Information Security In Health care Information Systems)

Information Access Control: Formal, documented, policies and procedures for granting different levels of access to health care information. (Relates to part of administrative procedures to ensure integrity and confidentiality on the matrix.)

Inmate: A person incarcerated in or otherwise confined to a correctional institution.

Integrity Controls: Security mechanism employed to ensure the validity of the information being electronically transmitted or stored. (Relates to part of mechanisms to prevent unauthorized access to data that is transmitted over a communications network on the matrix.)

Internal Audit: The in-house review of the records of system activity (for example, logins, file accesses, security incidents) maintained by an organization. (Relates to part of administrative procedures to guard data integrity, confidentiality, and availability on the matrix.)

International Association of Industrial Accident Boards and Commissions (IAIABC): One of their standards is under consideration for use for the First Report of Injury standard under HIPAA.

International Classification of Diseases (ICD): A medical code set maintained by the World Health Organization (WHO). The primary purpose of this code set was to classify causes of death. A US extension, maintained by the NCHS within the CDC, identifies morbidity factors, or diagnoses. The ICD-9-CM codes have been selected for use in the HIPAA transactions.

International Organization for Standardization (ISO): An organization that coordinates the development and adoption of numerous international standards. “ISO” is not an acronym, but the Greek word for “equal”.

Interoperability: The applications used on either side of a communication, between trading partners and/or between internal components of an entity, being able to read and correctly interpret the information communicated from one to the other. (Relates to part of the digital signature on the matrix.)

Inventory: Formal, documented, identification of hardware and software assets. (Relates to part of security configuration mgmt on the matrix.)

IOM: Institute of Medicine

IPA: Independent Providers Association

IRB: Institutional Review Board

ISO: (See International Organization for Standardization)

JCAHO: (See Joint Commission on Accreditation of Healthcare Organizations)

J-Codes: A subset of the HCPCS Level II code set with a high-order value of “J” that has been used to identify certain drugs and other items.  The final HIPAA transactions and code sets rule states that these J-codes will be dropped from the HCPCS, and the NDC codes will be used to identify the associated pharmaceuticals and supplies.

JHITA:  (See Joint Healthcare Information Technology Alliance)

Joint Commission on Accreditation of Healthcare Organizations (JCAHO): A subset of the HCPCS Level II code set with a high-order value of “J” that has been used to identify certain drugs and other items. The final HIPAA transactions and code sets rule states that these J-codes will be dropped from the HCPCS, and the NDC codes will be used to identify the associated pharmaceuticals and supplies.

Joint Healthcare Information Technology Alliance (JHITA): A healthcare industry association that represents AHIMA, AMIA, CHIM, CHIME, and HIMSS on legislative and regulatory issues affecting the use of health information technology.

Key: An input that controls the transformation of data by an encryption algorithm (NRC, 1991, as cited in the HISB draft Glossary of Terms Related to Information Security in Health Care Information Systems.)

Law Enforcement Official: An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:

(1)   Investigate or conduct an official inquiry into a potential violation of law; or

(2)   Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Local Code: A generic term for code values defined for a state or other political subdivision or for a specific payer.  This term is most commonly used to describe HCPCS Level III Codes, but it also applies to state-assigned Institutional Revenue Codes, Condition Codes, Occurrence Codes, Value Codes, and so forth.

Logical Observation Identifiers, Names and Codes (LOINC): A set of universal names and ID codes that identify laboratory and clinical observations.  These codes, which are maintained by the Regenstrief Institute, are expected to be used in the HIPAA claim attachments standards.

LOINC: (See Logical Observation Identifiers, Names, and Codes)

Loop: A repeating structure or process

LTC: Long Term Care

Maintenance of Record Access Authorizations: Ongoing documentation and review of the levels of access granted to a user, program, or procedure accessing health information. (Relates to part of personnel security on the matrix.)

Maintenance Records: A documentation of repairs and modifications to the physical components of a facility, for example, hardware, software, walls, doors, locks. (Relates to part of physical access controls (limited access) on the matrix.)

Mandatory Access Control (MAC): A means of restricting access to objects that is based on fixed security attributes assigned to users and to files and other objects. The controls are mandatory in the sense that users or their programs cannot modify them. (Stallings, 1995, as cited in the HISB draft Glossary of Terms Related to Information Security in Health care Information Systems.) (Relates to a type of access control on the matrix.)

Marketing: To make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.

(1)   Marketing does not include communications that meet the requirements of paragraph 2 of this definition and that are made by a covered entity:

(i)     For the purpose of describing the entities participating in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits; or

(ii)    That are tailored to the circumstances of a particular individual and the communications are:

(A)  Made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual; or

(B)   Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual alternative treatments, therapies, health care providers, or settings of care.

(2)   A communication described in paragraph (1) of this definition is not included in marketing if:

(i)     The communication is made orally; or

(ii)    The communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.

Massachusetts Health Data Consortium (MHDC): An organization that seeks to improve healthcare in New England through improved policy development, better technology planning and implementation, and more informed financial decision-making.

Maximum Defined Data Set:  Under HIPAA, this is all of the required data elements for a particular standard based on a specific implementation specification.  An entity creating a transaction is free to include whatever data any receiver might want or need.  The recipient is free to ignore any portion of the data that is not needed to conduct his or her part of the associated business transaction, unless the inessential data is needed for coordination of benefits.  Also see Part II, 45 CFR 162.103

MCO: Managed Care Organization

M+CO: Medicare Plus Choice Organization

Media Controls: Formal, documented, policies and procedures that govern the receipt and removal of hardware/software (for example, diskettes, tapes) into and out of a facility.

Medicaid Fiscal Agent (FA): The organization responsible for administering claims for a state Medicaid program.

Medicaid State Agency: The state agency responsible for overseeing the state’s Medicaid program.

Medical Code Set: Codes that characterize a medical condition or treatment. These code sets are usually maintained by professional societies and public health organizations.

Medical Records Institute (MRI): An organization that promotes the development and acceptance of electronic health care record systems.

Medicare Contractor: A Medicare Part A Fiscal Intermediary, a Medicare Part B Carrier, or a Medicare Durable Medical Equipment Regional Carrier (DMERC).

Medicare Durable Medical Equipment Regional Carrier (DMERC): A Medicare contractor responsible for administering Durable Medical Equipment (DME) benefits for a region.

Medicare Part A Fiscal Intermediary (FI): A Medicare contractor that administers the Medicare Part A (institutional) benefits for a given region.

Medicare Part B Carrier:  A Medicare contractor that administers the Medicare Part B (Professional) benefits for a given region.

Medicare Remittance Advice Remark Codes:  A national administrative code set for providing either claim-level or service-level Medicare-related messages that cannot be expressed with a Claim Adjustment Reason Code.  This code set is used in the X12 835 Claim Payment and Remittance Advice transaction and is maintained by the HCFA.

Memorandum of Understanding (MOU): A document providing a general description of the responsibilities that are to be assumed by two or more parties in their pursuit of some goal(s). More specific information may be provided in an associated SOW.

Message: A digital representation of information. (ABA Digital Signatures Guidelines)

Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent. (O’Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security In Health care Information Systems.) (Relates to part of mechanisms to prevent unauthorized access to data that is transmitted over a communications network on the matrix.)

Message Authentication Code: Data associated with an authentication message that allows a receiver to verify the integrity of the message. (Glossary of INFOSEC and INFOSEC Related Terms—Idaho State University.)

Message Integrity: The assurance of unaltered transmission and receipt of a message from the sender to the intended recipient. (ABA Digital Signature Guidelines.) (Relates to part of digital signature on the matrix.)

MGMA: Medical Group Management Association

MHDC: (See Massachusetts Health Data Consortium)

MHDI: (See Minnesota Health Data Institute)

Minimum Scope of Disclosure: The principle that, to the extent practical, individually identifiable health information should only be disclosed to the extent needed to support the purpose of the disclosure.

Minnesota Health Data Institute (MHDI): A public-private partnership for improving the quality and efficiency of health care in Minnesota. MHDI includes the Minnesota Center for Healthcare Electronic Commerce (MCHEC), which supports the adoption of standards of electronic commerce and also supports the Minnesota EDI Healthcare Users Group (MEHUG).

Modify or modification: A change adopted by the Secretary, through regulation, to a standard or an implementation specification.

More Stringent: In the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

(1)   With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i)     Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or

(ii)    To the individual who is the subject of the individually identifiable health information.

(2)   With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.

(3)   With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights and remedies, provides the greater amount of information.

(4)   With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.

(5)   With respect to record keeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

(6)   With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

MOU: (See Memorandum of Understanding)

MR: Medical Record

MRI: (See Medical Records Institute)

MSP: Medicare Secondary Payer

Multiple Signatures: It shall be possible for multiple parties to sign a document. Multiple signatures are, conceptually, simply appended to the document. (ASTM E 1762-95) (Relates to part of the digital signature on the matrix.)

NAHDO: (See National Association of Health Data Organizations)

NAIC: (See National Association of Insurance Commissioners)

NANDA: North American Nursing Diagnoses Association

NASMD: (See National Association of State Medicaid Directors)

National Association of Health Data Organizations (NAHDO): A group that promotes the development and improvement of state and national health information systems.

National Association of Insurance Commissioners (NAIC): An association of the insurance commissioners of the states and territories.

National Center for Health Statistics (NCHS): A federal organization within the CDC that collects, analyzes, and distributes health care statistics. The NCHS maintains the ICD-n-CM codes.

National Committee for Quality Assurance (NCQA): An organization that accredits managed care plans, or HMOs. In the future, the NCQA may play a role in certifying these organizations’ compliance with the HIPAA Administrative Simplification requirements.

National Committee on Vital and Health Statistics (NCVHS): A Federal advisory body within HHS that advises the Secretary regarding potential changes to the HIPAA standards.

National Council for Prescription Drug Programs (NCPDP): An ANSI-accredited group that maintains a number of standard formats for use by the retail pharmacy industry, some of which are included in the HIPAA mandates.

National Drug Code (NDC): A medical code set that identifies prescription drugs and some over the counter products and that has been selected for use in the HIPAA transactions.

National Employer ID: A system for uniquely identifying all sponsors of health care benefits.

National Health Information Infrastructure (NHII): This is a healthcare-specific lane on the Information Superhighway, as described in the National Information Infrastructure (NII) initiative. Conceptually, this includes the HIPAA A/S initiatives.

National Patient ID: A system for uniquely identifying all recipients of health care services.  This is sometimes referred to as the National Individual Identifier (NII) or as the Healthcare ID.

National Payer ID:  A system for uniquely identifying all organizations that pay for health care services.  Also known as Health Plan ID or Plan ID.

National Provider ID (NPI): A system for uniquely identifying all providers of health care services, supplies, and equipment.

National Provider File (NPF): The database envisioned for use in maintaining a national provider registry.

National Provider Registry: The organization envisioned for assigning National Provider IDs.

National Provider System (NPS): The administrative system envisioned for supporting a national provider registry.

National Standard Format (NSF): Generically, this applies to any nationally standardized data format, but it is often used in a more limited way to designate the Professional EMC NSF, a 320-byte flat file record format used to submit professional claims.

National Uniform Billing Committee (NUBC): An organization, chaired and hosted by the American Hospital Association, that maintains the UB-92 hardcopy institutional billing form and the data elements specifications for both the hardcopy form and the 192-byte UB-92 flat file EMC format.  The NUBC has the formal consultative role under HIPAA for all transactions affecting institutional health care services.

National Uniform Claim Committee (NUCC): An organization, chaired and hosted by the American Medical Association, that maintains the HCFA-1500 claim form and a set of data element specifications for professional claims submission via the HCFA-1500 claim form, the Professional EMC NSF, and the X12 837. The NUCC also maintains the Provider Taxonomy Codes and has a formal consultative role under HIPAA for all transactions affecting non-dental non-institutional professional health care services.

NCHICA (North Carolina Healthcare Information and Communications Alliance): An organization that promotes the advancement and integration of information technology into the health care industry.

NCHS: (See National Center for Health Statistics)

NCPDP: (See National Council for Prescription Drug Programs)

NCPDP Batch Standard: An NCPDP standard designed for use by low-volume dispensers of pharmaceuticals, such as nursing homes.  Use of version 1.0 of this standard has been mandated under HIPAA.

NCPDP Telecommunication Standard: An NCPDP standard designed for use by high-volume dispensers of pharmaceuticals, such as retail pharmacies.  Use of version 5.1 of this standard has been mandated under HIPAA.

NCQA: (See National Committee for Quality Assurance)

NCVHS: (See National Committee on Vital and Health Statistics)

NDC: (See National Drug Code)

Need-to-know Procedures: A security principle stating that a user should have access only to the data he or she needs to perform a particular function. (O’Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems) (Relates to part of physical access controls (limited access) on the matrix.)

NHII: (See National Health Information Infrastructure)

NOC: Not Otherwise Classified or Nursing Outcomes Classification

NOI: (See Notice of Intent)

Non-medical or non-clinical code sets: (See Administrative Code Sets)

Nonrepudiation: Strong and substantial evidence of the identity of the signer of a message and of message integrity, sufficient to prevent a party from successfully denying the origin, submission or delivery of the message and the integrity of its contents. (ABA Digital Signature Guidelines) (Relates to part of digital signature on the matrix.)

North Carolina Healthcare Information and Communications Alliance (NCHICA): An organization that promotes the advancement and integration of information technology into the health care industry.

Notice of Intent (NOI): A document that describes a subject area for which the Federal Government is considering developing regulations.  It may describe the presumably relevant considerations and invite comments from interested parties.  These comments can then be used in developing an NPRM or a final regulation.

Notice of Proposed Rulemaking (NPRM): A document that describes and explains regulations that the Federal Government proposes to adopt at some future date, and invites interested parties to submit comments related to them.  These comments can then be used in developing a final regulation.

NPF: (See National Provider File)

NPI: (See National Provider ID)

NPRM: (See Notice of Proposed Rulemaking)

NPS: (See National Provider System)

NSF: (See National Standard Format)

NUBC: (See National Uniform Billing Committee)

NUBC EDI TAG: The NUBC EDI Technical Advisory Group, which coordinates issues affecting both the NUBC and the X12 standards.

OCR: (See Office for Civil Rights)

Office for Civil Rights (OCR): The HHS entity responsible for enforcing the HIPAA Privacy rules.

Office of Management & Budget (OMB): A Federal Government agency that has a major role in reviewing proposed Federal regulations.

OIG: Office of the Inspector General

Open System Interconnection (OSI): A multi-layer ISO data communications standard. Level Seven of this standard is industry-specific, and HL7 is responsible for specifying the level seven OSI standards for the health industry.

Operating, and in some cases, Maintenance Personnel: Formal, documented policies and procedures to be followed in determining the access level to be granted to individuals working on, or in the vicinity of, health information. (Relates to part of personnel security on the matrix.)

Organized Health Care Arrangement:

(1)   A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;

(2)   An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:

(i)     Hold themselves out to the public as participating in a joint arrangement; and

(ii)    Participate in joint activities that include at least one of the following:

(A)   Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;

(B)   Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or

(C)   Payment activities, if the financial risk for delivering healthcare is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.

(3)   A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;

(4)   A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or

(5)   The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

OSI: (See Open System Interconnection)

PAG: (See Policy Advisory Group)

Password: Confidential authentication information composed of a string of characters. (ISO 7498-2, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems)

Payment:

(1)   The activities undertaken by:

(i)     A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

(ii)    A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2)   The activities of paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i)     Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii)    Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii)  Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv)  Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v)   Utilization review activities, including pre-certification and preauthorization of services, concurrent and retrospective review of services; and

(vi)  Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A)  Name and address;

(B)   Date of birth;

(C)  Social security number;

(D)  Payment history;

(E)   Account number; and

(F)   Name and address of the health care provider and/or health plan.

Payer: An entity that assumes the risk of paying for medical treatments. This can be an uninsured patient, a self-insured employer, a health plan, or an HMO.

PCS: (See ICD)

Periodic Security Reminders: Employees, agents and contractors should be made aware of security concerns on an ongoing basis. (Relates to part of training on the matrix.)

Personnel Clearance Procedure: A protective measure applied to determine that an individual’s access to sensitive unclassified automated information is admissible. The need for and extent of a screening process is normally based on an assessment of risk, cost, benefit, and feasibility as well as other protective measures in place. Effective screening processes are applied in such a way as to allow a range of implementation, from minimal procedures to more stringent procedures commensurate with the sensitivity of the data to be accessed and the magnitude of harm or loss that could be caused by the individual (DOE 1360.2A, as cited in Glossary of INFOSEC and INFOSEC Related Terms-Idaho State University) (Relates to part of personnel security on the matrix.)

Personnel Security: The procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances. (NCSC Glossary of Computer Security Terms, October 21, 1988) (Relates to part of administrative procedures to guard data integrity, confidentiality and availability on the matrix.)

Personnel Security Policy: Formal documentation of policies and procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances. (Glossary of INFOSEC and INFOSEC Related Terms-Idaho State University)

PHI:  (See Protected Health Information)

PHS: (See Public Health Service)

Physical Access Controls: Those formal, documented policies and procedures to be followed to limit physical access to an entity while ensuring that properly authorized access is allowed. (Relates to part of physical safeguards to guard data integrity, confidentiality, and availability on the matrix.)

Physical Safeguards: Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Also covers the use of locks, keys and administrative measures used to control access to computer systems and facilities. (O’Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems) (Relates to a section of the matrix covering physical security requirements.)

PIN: (Personal Identification Number) A number or code assigned to an individual and used to provide verification of identity. (Relates to part of entity authentication on the matrix.)

PL: Public Law

Plan: A detailed scheme or method for the accomplishment of an object.

Plan ID: (See National Payer ID)

Plan Sponsor: As defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).

Policy: A general principle or plan that guides the actions taken by an individual or group

Policy Advisory Group (PAG): A generic name for many work groups at WEDI and elsewhere.

Policy/Guidelines of Workstation Use: Documented instructions/procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings, of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site. (Relates to part of physical safeguards to guard data integrity, confidentiality, and availability on the matrix.)

POS: Place or Point of Service

PPO: Preferred Provider Organization

PPS: Prospective Payment System

PRA: Paperwork Reduction Act

PRG: Procedure-Related Group

Pricer or Repricer: A person, an organization, or a software package that reviews procedures, diagnosis, fee schedules, and other data and determines the eligible amount for a given health care service or supply. Additional criteria can then be applied to determine the actual allowance, or payment amount.

PRO: Professional or Peer Review Organization

Procedure: A way of accomplishing something; a series of steps; course of action.

Procedure for Emergency Access: Documented instructions for obtaining necessary information during a crisis. (Relates to part of access control on the matrix.)

Procedures for Verifying Access Authorizations: Formal, documented, policies and instructions for validating the access privileges of an entity prior to granting those privileges. (Relates to part of physical access controls (limited control) on the matrix.)

Process: A series of steps, actions, or operations used to bring about a desired result.

Protected Health Information (PHI): Individually identifiable health information:

(1)   Except as provided in paragraph (2) of this definition, that is:

(i)     Transmitted by electronic media;

(ii)    Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

(iii)  Transmitted or maintained in any other form or medium.

(2)   Protected health information excludes individually identifiable health information in:

(i)     Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and

(ii)    Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

Provider: A supplier of services as defined in section 1861(u) of the HIPAA.

Provider Taxonomy Codes: An administrative code set for identifying the provider type and area of specialization for all health care providers. A given provider can have several Provider Taxonomy Codes. This code set is used in the X12 278 Referral Certification and Authorization and the X12 837 Claim transactions, and is maintained by the NUCC.

Psychotherapy Notes: Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Public Health Authority: An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Public Key: One of the two keys used in asymmetric encryption systems. The public key is made public, to be used in conjunction with a corresponding private key. (Stallings, 1995)

Quality: Quality is how well the health plan keeps its members healthy or treats them when they are sick. Good quality health care means doing the right thing at the right time, in the right way, for the right person and getting the best possible results.

RA: Remittance Advice

Recipient: An individual covered by the Medicaid program; now referred to as a beneficiary.

Regenstrief Institute: A research foundation for improving health care by optimizing the capture, analysis, content, and delivery of health care information. Regenstrief maintains the LOINC coding system that is being considered for use as part of the HIPAA claim attachments standard.

Relates to the Privacy of IIHI: With respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

Removal from Access Lists: The physical eradication of an entity’s access privileges. (Relates to part of termination procedures on the matrix.)

Removal of User Accounts: The termination or deletion of an individual’s access privileges to the information, services, and resources for which they currently have clearance, authorization, and need-to-know when such clearance, authorization and need-to-know no longer exists. (Relates to part of termination procedures on the matrix.)

Report Procedures: The documented formal mechanism employed to document security incidents. (Relates to part of security incident procedures on the matrix.)

Required by Law: A mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge.

Response Procedures: The documented formal rules/instructions for actions to be taken as a result of the receipt of a security incident report. (Relates to part of security incident procedures on the matrix.)

Revenue Code: The recognition of income earned and the use of appropriated capital from the rendering of services in the current period.

RFA: Regulatory Flexibility Act

Rights of Individuals:

·        Receive notice of information practices;

·        See and copy own records;

·        Request corrections;

·        Obtain accounting of disclosures;

·        Request restrictions and confidential communications;

·        File complaints

Risk Analysis: Risk analysis, a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place. (Relates to part of the security management process on the matrix.)

Risk Management: Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk. (NIST Pub. 800-14) (Relates to part of the security management process on the matrix.)

Role-based Access Control: Role-based access control (RBAC) is an alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. With RBAC, rather than attempting to map an organization’s security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role. (Relates to part of the access control on the matrix and part of the authorization control on the matrix.)

RVS: Relative Value Scale

Sanction Policy: Organizations must have policies and procedures regarding disciplinary actions which are communicated to all employees, agents and contractors, for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties (ASTM E 1869). In addition to enterprise sanctions, employees, agents, and contractors must be advised of civil or criminal penalties for misuse or misappropriation of health information. Employees, agents, and contractors must be made aware that violations may result in notification to law enforcement officials and regulatory, accreditation and licensure organizations. (ASTM) (Relates to part of the security management process on the matrix.)

Secretary: The Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Secure Workstation Location: Physical safeguards to eliminate or minimize the possibility of unauthorized access to information, for example, locating a terminal used to access sensitive information in a locked room and restricting access to that room to authorized personnel, and not placing a terminal used to access patient information in any area of a doctor’s office where the screen contents can be viewed from the reception area. (Relates to part of physical safeguards to guard data integrity, confidentiality, and availability on the matrix.)

Security: Security encompasses all of the safeguards in an information system, including hardware, software, personnel policies, information practice policies, disaster preparedness, and the oversight of all these areas. The purpose of security is to protect both the system and the information it contains from unauthorized access from without and from misuse from within. Through various security measures, a health information system can shield confidential information from unauthorized access, disclosure and misuse, thus protecting privacy of the individuals who are the subjects of the stored data. (Privacy and Health Information Systems: A Guide to Protecting Patient Confidentiality)

Security Awareness Training: All employees, agents, and contractors must participate in information security awareness training programs. Based on job responsibilities individuals may be required to attend customized education programs that focus on issues regarding use of health information and responsibilities regarding confidentiality and security. (ASTM) (Relates to part of physical safeguards to guard data integrity, confidentiality, and availability on the matrix.)

Security Configuration Management: Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security. (OECD Guidelines, as cited in NIST Pub 800-14) (Relates to part of administrative procedures to guard data integrity, confidentiality, and availability on the matrix.)

Security Incident Procedures: Formal, documented, instructions for reporting security breaches. (Relates to part of administrative procedures to guard data integrity, confidentiality and availability on the matrix.)

Security Management Process: A security management process encompasses the creation, administration and oversight of policies to ensure the prevention, detection, containment, and correction of security breaches. It involves risk analysis and risk management, including the establishment of accountability, management controls (policies and education), electronic controls, physical security, and penalties for the abuse and misuse of its assets, both physical and electronic. (Relates to part of administrative procedures to guard data integrity, confidentiality and availability on the matrix.)

Security Policy: The framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organization commitment for a system. (OTA, 1993) The American Health Information Management Association recommends that security policies apply to all employees, medical staff members, volunteers, students, faculty, independent contractors, and agents. (AHIMA, 1996c, as cited in HISB, draft Glossary of Terms Related to Information Security in Healthcare Information Systems) (Relates to part of the security management process on the matrix.)

Security Testing: A process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed applications environment. This process includes hands-on functional testing, penetration testing, and verification. (Glossary of INFOSEC and INFOSEC Related Terms – Idaho State University) (Relates to part of security configuration management on the matrix.)

Segment: Under HIPAA, this is a group of related data elements in a transaction. Also see Part II, 45 CFR 162.103.

Service: Medical care and items such as medical diagnosis and treatment, drugs and biologicals, supplies, appliances, and equipment, medical social services, and use of hospital RPCH or SNF facilities. (42 CFR 400.202).

SC: Subcommittee

SCHIP: State Children’s Health Insurance Program

SCO: Standards Development Organization

Secretary: Under HIPAA, this refers to the Secretary of HHS or his/her designated representatives. Also see Part II, 45 CFR 160.103

Self-Insured: An individual or organization that assumes the financial risk for paying for health care.

Sign-in for Visitors: Formal, documented, procedure governing the reception and hosting of visitors. (Relates to part of physical access controls (limited access) on the matrix.)

Small Health Plan: A health plan with annual receipts of $5 million or less.

SNF: Skilled Nursing Facility

SNOMED: Systematized Nomenclature of Medicine

SNIP: (See Strategic National Implementation Process)

Sponsor: (See Plan Sponsor)

SOW: (See Statement of Work)

SSN: Social Security Number

SSO: (See Standard-setting Organization)

Standard: A rule, condition, or requirement:

(1)   Describing the following information for products, systems, services or practices:

(i)     Classification of components.

(ii)    Specification of materials, performance, or operations; or

(iii)  Delineation of procedures; or

(2)   With respect to the privacy of individually identifiable health information.

Standard Setting Organization (SSO): An organization accredited by the American National Standards Institute that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part.

Standard Transaction: Under HIPAA, this is a transaction that complies with the applicable HIPAA standard. Also see Part II, 45 CFR 162.103

Standard Transaction Format Compliance System (STFCS): An EHNAC-sponsored WPC-hosted HIPAA compliance certification service.

State: Refers to one of the following:

(1)   For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.

(2)   For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam.

State Law: A constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

State Uniform Billing Committee (SUBC): A state-specific affiliate of the NUBC.

Statement of Work (SOW): A document describing the specific tasks and methodologies that will be followed to satisfy the requirements of an associated contract or MOU.

STFCS: (See Standard Transaction Format Compliance System)

Strategic National Implementation Process (SNIP): A WEDI program for helping the health care industry identify and resolve HIPAA implementation issues.

Structured Data: (See Data-Related Concepts)

SUBC: (See State Uniform Billing Committee)

Subject/Object Separation: Access to a subject does not guarantee access to the objects associated with that subject. Subject is defined as an active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state. Technically, a process/domain pair. (Glossary of INFOSEC and INFOSEC Related Terms – Idaho State University) Object is defined as a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, network nodes, etc. (Glossary of INFOSEC and INFOSEC Related Terms – Idaho State University)

Summary Health Information: See Part II, 45 CFR 164.504

SWG: Sub-workgroup

Syntax: The rules and conventions that one needs to know or follow in order to validly record information, or interpret previously recorded information, for a specific purpose. Thus, syntax is a grammar. Such rules and conventions may be either explicit or implicit. In X12 transactions, the data-element separators, the sub-element separators, the segment terminators, the segment identifiers, the loops, the loop identifiers (when present), the repetition factors, etc., are all aspects of the X12 syntax. When explicit, such syntactical elements tend to be the structural, or format-related, data elements that are not required when direct data entry architecture is used. Ultimately, though, there is not a perfectly clear division between the syntactical elements and the business data content.

System users: See Awareness Training (including management). (Relates to part of personnel security on the matrix.)

TAG: Technical Advisory Group

Technical Security Mechanisms: The processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network. (Relates to a section of the matrix.)

Technical Security Services: The processes that are put in place (1) to protect information and (2) to control and monitor individual access to information. (Relates to a section of the matrix.)

Telephone Callback: A method of authenticating the identity of the receiver and sender of information through a series of “questions” and “answers” sent back and forth establishing the identity of each. For example, when the communicating systems exchange a series of identification codes as part of the initiation of a session to exchange information, or when a host computer disconnects the initial session before the authentication is complete, and the host calls the user back to establish a session at a predetermined telephone number. (Relates to part of Entity authentication on the matrix.)

Termination Procedures: Formal documented instructions, which include appropriate security measures, for the ending of an employee’s employment, or an internal/external user’s access. (Relates to part of administrative procedures to guard data integrity, confidentiality and availability on the matrix.)

Testing and Revision:

(1)   Testing and revision of contingency plans refers to the documented process of periodic testing to discover weaknesses in such plans and the subsequent process of revising the documentation if necessary. (Relates to part of contingency plan on the matrix.)

(2)   Testing and revision of programs should be restricted to formally authorized personnel. (Relates to part of physical access controls (limited access) on the matrix.)

TG: Task Group

Third Party Administrator (TPA): An entity that processes health care claims and performs related business functions for a health plan.

Time-of-day: Access to data is restricted to certain time frames, e.g., Monday through Friday, 8:00 a.m. to 6:00 p.m. (Relates to a type of access control on the matrix.)

Time-stamp: To create a notation that indicates, at least, the correct date and time of an action, and the identity of the person that created the notation.

Token: A physical item that’s used to provide identity. Typically, an electronic device that can be inserted in a door or a computer system to obtain access. (O’Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems) (Relates to part of entity authentication on the matrix.)

TPA: (See Third Party Administrator or Trading Partner Agreement)

Trading Partner Agreement (TPA): An agreement to exchange information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)

Training: Education concerning the vulnerabilities of the health information in an entity’s possession and ways to ensure the protection of that information. (Relates to part of administrative procedures to guard data integrity, confidentiality and availability on the matrix.)

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmission:

(1)   Health care claims or equivalent encounter information.

(2)   Health care payment and remittance advice.

(3)   Coordination of benefits.

(4)   Health care claim status.

(5)   Enrollment and disenrollment in a health plan.

(6)   Eligibility for a health plan.

(7)   Health plan premium payments.

(8)   Referral certification and authorization.

(9)   First report of injury.

(10)  Health claims attachments.

(11)  Other transactions that the Secretary may prescribe by regulation.

Transaction Change Request System: A system established under HIPAA for accepting and tracking change requests for any of the HIPAA

Transportability: A signed document can be transported (over an insecure network) to another system, while maintaining the integrity of the document. (Relates to part of digital signature on the matrix.)

Treatment: The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Turn in keys, token: Formal, documented procedure to ensure all physical items that allow a terminated employee to access a property, building, or equipment are retrieved from that employee, preferably prior to termination. (Relates to part of termination procedures on the matrix.)

UB: Uniform Bill

UB-82: A uniform institutional claim form developed by the NUBC that was in general use from 1983-1993.

UB-92: A uniform institutional claim form developed by the NUBC that has been in general use since 1993.

UCF: Uniform Claim Form, as in UCF-1500

Uniform Claim Task Force (UCTF): An organization that developed the initial HCFA-1500 Professional Claim Form. The maintenance responsibilities were later assumed by the NUCC.

Unique User Identification: The combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity. (ASTM) (Relates to part of Entity authentication on the matrix.)

United Nations Centre for Facilitation of Procedures and Practices for Administration, Commerce, and Transportation (UN/CEFACT): An international organization dedicated to the elimination or simplification of procedural barriers to international commerce.

United Nations Rules for Electronic Data Interchange for Administration, Commerce, and Transport (UN/EDIFACT): An international EDI format. Interactive X12 transactions use the EDIFACT message syntax.

UNSM: United Nations Standard Messages

Unstructured Data: (See Data-related Concepts)

UPIN: Unique Physical Identification Number

UR: Utilization Review

U.S.C.: United States Code

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

User Authentication: The provision of assurance of the claimed identity of an entity. (ASTM E1762-5) (Relates to part of the digital signature on the matrix.)

User Education Concerning Virus: Training relative to user awareness of the potential harm that can be caused by a virus, how to prevent the introduction of a virus to a computer system, and what to do if a virus is detected. (Relates to part of training on the matrix.)

User Education in Importance of Monitoring: Training in the user’s responsibility to ensure the security of health care information. (Relates to part of training on the matrix.)

User Education in Password Management: A type of user training in the rules to be followed in creating and changing passwords and the need to keep them confidential. (Relates to part of training on the matrix.)

User-based Access: A security mechanism used to grant users of a system access based upon the identity of the user. (Relates to part of access control on the matrix and part of authorization control on the matrix.)

Utah Health Information Network (UHIN): A public-private coalition for reducing health care administrative costs through the standardization and electronic exchange of health care data.

Value-added Network (VAN): A vendor of EDI data communications and translation services.

VAN: (See Value-added Network)

Virtual Private Network (VPN): A technical strategy for creating secure connections, or tunnels, over the internet.

Virus-Checking: A computer program that identifies and disables:

(1)   Another “virus” computer program, typically hidden, that attaches itself to other programs and has the ability to replicate. (Unchecked virus programs result in undesired side effects generally unanticipated by the user.)

(2)   A type of programmed threat. A code fragment (not an independent program) that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over system resources, which are then not available to authorized users. (O’Reilly, 1992, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems)

(3)   Code embedded within a program that causes a copy of itself to be inserted in one or more other programs. In addition to propagation, the virus usually performs some unwanted function. (Stallings, 1995, as cited in the HISB draft Glossary of Terms Related to Information Security in Healthcare Information Systems)

(Relates to part of security configuration on the matrix.)

VPN: (See Virtual Private Network)

Washington Publishing Company (WPC): The company that publishes the X12N HIPAA Implementation Guides and the X12N HIPAA Data Dictionary, that also developed the X12 Data Dictionary, and that hosts the EHNAC STFCS testing program.

WEDI: (See Workgroup for Electronic Data Interchange)

WG: Workgroup

WHO: (See World Health Organization)

Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Workgroup for Electronic Data Interchange (WEDI): A health care industry group that lobbied for HIPAA Administrative Simplification, and that has a formal consultative role under the HIPAA legislation.

World Health Organization (WHO): An organization that maintains the International Classification of Diseases (ICD) medical code set.

WPC: (See Washington Publishing Company)

X12: An ANSI-accredited group that defines EDI standards for many American industries, including health care insurance. Most of the electronic transaction standards mandated or proposed under HIPAA are X12 standards.

X12-148: The X12 First Report of Injury, Illness, or Incident transaction. This standard could eventually be included in the HIPAA mandate.

X12-270: The X12 Health Care Eligibility & Benefit Inquiry transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-271: The X12 Health Care Eligibility & Benefit Response transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-274: The X12 Provider Information transaction.

X12-275: The X12 Patient Information transaction. This transaction is expected to be part of the HIPAA claim attachments standard.

X12-276: The X12 Health Care Claims Status Inquiry transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-278: The X12 Referral Certification and Authorization transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-811: The X12 Consolidated Service Invoice & Statement transaction.

X12-820: The X12 Payment Order & Remittance Advice transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-831: The X12 Application Control Totals transaction.

X12-834: The X12 Benefit Enrollment & Maintenance transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-835: The X12 Health Care Claim Payment & Remittance Advice transaction. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-837: The X12 Health Care Claim or Encounter transaction. This transaction can be used for institutional, professional, dental, or drug claims. Version 4010 of this transaction has been included in the HIPAA mandates.

X12-997: The X12 Functional Acknowledgement transaction.

X12F: A subcommittee of X12 that defines EDI standards for the financial industry. This group maintains the X12 811 (generic) Invoice and the X12 820 (generic) Payment & Remittance Advice transactions, although X12N maintains the associated HIPAA Implementation guides.

X12 IHCEBI & IHCEBR: The X12 Interactive Healthcare Eligibility & Benefits Inquiry (IHCEBI) and Response (IHCEBR) transactions. These are being combined and converted to UN/EDIFACT Version 5 syntax.

X12 IHCLME: The X12 Interactive Healthcare Claim transaction.

X12J: A subcommittee of X12 that reviews X12 work products for compliance with the X12 design rules.

X12N: A subcommittee of X12 that defines EDI standards for the insurance industry, including health care insurance.

X12N/SPTG4: The HIPAA Liaison Special Task Group of the Insurance Subcommittee (N) of X12. This group’s responsibilities have been assumed by the X12N/TG3/WG3.

X12N/TG1: The Property & Casualty Task Group (TG1) of the Insurance Subcommittee (N) of X12.

X12N/TG2: The Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12.

X12N/TG2/WG1: The Health Care Eligibility Work Group (WG1) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 270 Health Care Eligibility & Benefit Response transactions, and is also responsible for maintaining the IHCEBI and IHCEBR transactions.

X12N/TG2/WG2: The Health Care Claims Work Group (WG2) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 837 Health Care Claim or Encounter transaction.

X12N/TG2/WG3: The Health Care Claim Payments Work Group (WG3) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 835 Health Care Claim Payment & Remittance Advice transaction.

X12N/TG2/WG4: The Health Care Enrollments Work Group (WG4) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 834 Benefit Enrollment & Maintenance transaction.

X12N/TG2/WG5: The Health Care Claims Status Work Group (WG5) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 276 Health Care Claims Status Inquiry and the X12 277 Health Care Claim Status Response transactions.

X12N/TG2/WG9: The Health Care Patient Information Work Group (WG9) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 275 Patient Information transaction.

X12N/TG2/WG10: The Health Care Services Review Work Group (WG10) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 278 Referral Certification and Authorization transactions.

X12N/TG2/WG12: The Interactive Health Care Claims Work Group (WG12) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the IHCLME Interactive Claims transactions.

X12N/TG2/WG15: The Health Care Provider Information Work Group (WG15) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This group maintains the X12 274 Provider Information transaction.

X12N/TG2/WG19: The Health Care Implementation Coordination Work Group (WG19) of the Health Care Task Group (TG2) of the Insurance Subcommittee (N) of X12. This is now X12N/TG3/WG3.

X12N/TG3: The Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12. TG3 maintains the X12N Business and Data Models and the HIPAA Data Dictionary. This was formerly X12N/TG2/WG11.

X12N/TG3/WG1: The Property & Casualty Work Group (WG1) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12.

X12N/TG3/WG2: The Healthcare Business & Information Modeling Work Group (WG2) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12.

X12N/TG3/WG3: The HIPAA Implementation Coordination Work Group (WG3) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12. This was formerly X12N/TG2/WG19 and X12N/SPTG4.

X12N/TG3/WG4: The Object-Oriented Modeling and XML Liaison Work Group (WG4) of the Business Transaction Coordination and Modeling Task Group (TG3) of the Insurance Subcommittee (N) of X12.

X12N/TG4: The Implementation Guide Task Group (TG4) of the Insurance Subcommittee (N) of X12. This group supports the development and maintenance of X12 Implementation Guides, including the HIPAA X12 IG’s.

X12N/TG8: The Architecture Task Group (TG8) of the Insurance Subcommittee (N) of X12.

X12/PRB: The X12 Procedures Review Board.

X12 Standard: The term currently used for any X12 standard that has been approved since the most recent release of X12 American National Standards. Since a full set of X12 American National Standards is only released about once every five years, it is the X12 standards that are most likely to be in active use. These standards were previously called Draft Standards for Trial Use.

XML: Extensible Markup Language
