Blog September 23, 2013

Common HIPAA Compliance Terms and Definitions

If you are new to healthcare IT or are looking to learn more about the subject of HIPAA compliance, here is a list of the most commonly used terms.

Business Associate (BA)-   Any person or entity working in association with or providing services to a covered entity who handles or discloses Protected Health Information (PHI). A covered health care provider, health plan, or health care clearinghouse can be a BA of another covered entity. Other examples include: managed hosting providers, billing vendors and software providers.

Business Associate Agreement (BAA)-  A contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the BA, provided that the BA will use PHI only as permitted by the contract or required by law, use appropriate safeguards, report any disclosures not permitted by the contract. In the case of a HIPAA Compliant Hosting plan, a BAA must be signed between the covered entity and the hosting provider (the BA) to ensure compliance.

Covered Entity- A healthcare provider who transmits any health information in electronic form in connection with a transaction covered by the privacy rule, a health care plan or a health care clearinghouse. Examples include: hospitals, doctor’s offices, nursing homes and etc.

Electronic Health Records (EHR)-  EHRs  go beyond the data collected in the provider’s office and include a more comprehensive patient history than EMR. It is a representation of all a patients’ data that would originally be found in the paper based record.

Electronic Medical Records (EMR)- A digital version of a paper chart that contains all of a patient’s medical history from one practice. It is mostly used by providers for diagnosis and treatment. It contains the standard medical and clinical data gathered in one provider’s office.  A part of PHI, these records must be stored, transmitted, and accessed in a manner that follows the HITECH legislation.

Electronic Protected Health Information (EPHI)- Any protected health information (PHI) that is created, stored, transmitted, or received electronically.

Health Insurance Portability and Accountability Act (HIPAA)- HIPAA was enacted in 1996. There are two sections to the Act. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems.

HIPAA Audit– The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. if the covered entity is using a hosting provider to run its application, database, or web server,  that hosting provider’s data center and processes must be audited to ensure compliance.

HIPAA Violations– Covered entities that fail to comply voluntarily with HIPAA standards may be subject to civil money penalties.  In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.  Some of these include fines up to $1.5 million and up to 10 years imprisonment.

Health Information Technology for Economic and Clinical Health (HITECH)- This legislation was created to fuel the adoption of  EHRs and supporting technology in the United States. It became law on February 17, 2009 as part of ARRA, an economic stimulus bill- stating that in 2011, healthcare providers will be offered “financial incentives for demonstrating meaningful use of EHRs”. Incentives will be offered until 2015, but after that- penalties may be given out. This legislation has pushed many healthcare providers to convert their medical records to EHR over the last several years, either using an internal data center or going with a HIPAA Compliant Hosting provider.

Health Information Trust Alliance (HITRUST)– This group is made up of healthcare, technology and information security leaders that have established something known as the Common Security Framework (CSF). This is a certifiable framework for security standards that can be used by organizations that create, access, store, or exchange personal health information. This is considered to be the most widely adopted security control framework for the healthcare industry.

NIST 800-53–  a publication that recommends security controls for federal information systems and organizations. It documents security controls for all federal information systems, except those designed for national security.

OCR- Office for Civil Rights (OCR) helps to protect you from discrimination in certain healthcare and social service programs. Some ways of doing this include educating the community and health and social service workers.

Omnibus Act– A collection of modifications to the HIPAA Privacy, Security, and Enforcement rules mandated by the HITECH Act. It includes making the BAA of Covered Entities directly liable for compliance with HIPAA privacy requirements, and strengthening the limitations on the use and disclosure of PHI.

HIPAA Privacy Rule– established national standards and safeguards for accessing and sharing individual’s medical records and any other healthcare information.

Protected Health Information (PHI)-.  This includes demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care. Hosting providers offer HIPAA Compliant Hosting plans that provide an elevated level of security for PHI in accordance with federal HIPAA regulations.

Are we missing any terms here? Do you want to get more information on HIPAA Compliant Hosting Services? Let us know at blog@connectria.com.

Sources:

HHS.govTechTarget
IU.eduPA.gov
healthit.gov

Related Resources

 
What’s the Difference Between HIPAA and HITECH?
HIPAA is a regulation that’s gets talked about a lot. But there are other industry regulations that healthcare providers – as well as those that…
 
Size Isn’t Everything – How Smaller VARs are Driving Big Business
Value added resellers, or “VARs”, play an important role in the information technology ecosystem. As the name implies, a VAR takes a product like software…
 
Why Multi-Cloud Strategy Beats Single Cloud Almost Every Time
Our economy is an increasingly digital one, which not only means more pressure on infrastructure, but also higher user demands when it comes to things…