Blog September 23, 2013

Common HIPAA Compliance Terms and Definitions

If you are new to healthcare IT or are looking to learn more about the subject of HIPAA compliance, here is a list of the most commonly used terms.

Business Associate (BA)-   Any person or entity working in association with or providing services to a covered entity who handles or discloses Protected Health Information (PHI). A covered health care provider, health plan, or health care clearinghouse can be a BA of another covered entity. Other examples include: managed hosting providers, billing vendors and software providers.

Business Associate Agreement (BAA)-  A contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the BA, provided that the BA will use PHI only as permitted by the contract or required by law, use appropriate safeguards, report any disclosures not permitted by the contract. In the case of a HIPAA Compliant Hosting plan, a BAA must be signed between the covered entity and the hosting provider (the BA) to ensure compliance.

Covered Entity- A healthcare provider who transmits any health information in electronic form in connection with a transaction covered by the privacy rule, a health care plan or a health care clearinghouse. Examples include: hospitals, doctor’s offices, nursing homes and etc.

Electronic Health Records (EHR)-  EHRs  go beyond the data collected in the provider’s office and include a more comprehensive patient history than EMR. It is a representation of all a patients’ data that would originally be found in the paper based record.

Electronic Medical Records (EMR)- A digital version of a paper chart that contains all of a patient’s medical history from one practice. It is mostly used by providers for diagnosis and treatment. It contains the standard medical and clinical data gathered in one provider’s office.  A part of PHI, these records must be stored, transmitted, and accessed in a manner that follows the HITECH legislation.

Electronic Protected Health Information (EPHI)- Any protected health information (PHI) that is created, stored, transmitted, or received electronically.

Health Insurance Portability and Accountability Act (HIPAA)- HIPAA was enacted in 1996. There are two sections to the Act. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems.

HIPAA Audit– The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. if the covered entity is using a hosting provider to run its application, database, or web server,  that hosting provider’s data center and processes must be audited to ensure compliance.

HIPAA Violations– Covered entities that fail to comply voluntarily with HIPAA standards may be subject to civil money penalties.  In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.  Some of these include fines up to $1.5 million and up to 10 years imprisonment.

Health Information Technology for Economic and Clinical Health (HITECH)- This legislation was created to fuel the adoption of  EHRs and supporting technology in the United States. It became law on February 17, 2009 as part of ARRA, an economic stimulus bill- stating that in 2011, healthcare providers will be offered “financial incentives for demonstrating meaningful use of EHRs”. Incentives will be offered until 2015, but after that- penalties may be given out. This legislation has pushed many healthcare providers to convert their medical records to EHR over the last several years, either using an internal data center or going with a HIPAA Compliant Hosting provider.

Health Information Trust Alliance (HITRUST)– This group is made up of healthcare, technology and information security leaders that have established something known as the Common Security Framework (CSF). This is a certifiable framework for security standards that can be used by organizations that create, access, store, or exchange personal health information. This is considered to be the most widely adopted security control framework for the healthcare industry.

NIST 800-53–  a publication that recommends security controls for federal information systems and organizations. It documents security controls for all federal information systems, except those designed for national security.

OCR- Office for Civil Rights (OCR) helps to protect you from discrimination in certain healthcare and social service programs. Some ways of doing this include educating the community and health and social service workers.

Omnibus Act– A collection of modifications to the HIPAA Privacy, Security, and Enforcement rules mandated by the HITECH Act. It includes making the BAA of Covered Entities directly liable for compliance with HIPAA privacy requirements, and strengthening the limitations on the use and disclosure of PHI.

HIPAA Privacy Rule– established national standards and safeguards for accessing and sharing individual’s medical records and any other healthcare information.

Protected Health Information (PHI)-.  This includes demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care. Hosting providers offer HIPAA Compliant Hosting plans that provide an elevated level of security for PHI in accordance with federal HIPAA regulations.

Are we missing any terms here? Do you want to get more information on HIPAA Compliant Hosting Services? Let us know at blog@connectria.com.

Sources:

HHS.govTechTarget
IU.eduPA.gov
healthit.gov

Related Resources

 
7 Signs You May Need Help With Your Azure or AWS Deployment
According to Cloud Computing Trends: 2017 State of the Cloud Survey, companies house 41% of their workloads in a public cloud like Microsoft Azure or…
 
6 Ways to Build a Better Relationship with Your MSP
Thinking of leveraging a “managed service provider” in 2019? You’re not alone! IDC’s 2017 research found that 30% of executives outsource at least some of…
 
A Short FAQ on Disaster Recovery as a Service
Disaster Recovery as a Service (DRaaS) is becoming increasingly popular as a way to ensure business continuity in the event of a natural or manmade…