Industry Glossary

Administrative Safeguards
Administrative Safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations. Administrative safeguards involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information.

American Health Information Management Association (A.H.I.M.A.)
The American Health Information Management Association is a professional organization for the field of effective management of the health data and medical records needed to deliver quality healthcare to the public. Source =

To affirm in an official fashion. In regard to HIPAA policies and procedures, this means one has agreed in writing to the terms set before them and understands them.

An official examination and verification of accounts and records.

Managed Care Organization approval necessary prior to the receipt of care. Generally, an authorization differs from a referral in that an authorization can be a verbal or written approval from the Managed Care Organization, whereas a referral is generally a written document that must be received by a doctor before giving care to the beneficiary.

The measurement of performance against 'best practice' standards. Source = Compliance 101, 3rd Ed., published by HCCA, pg. 134

Best Practice Standards
Generally recognized superior performance by organizations in operational and/or financial processes. Source = Compliance 101, 3rd Ed., published by HCCA, pg. 134

The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.

Business Associate (B.A.)
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. Source =

Business Associate Agreement (B.A.A.)
A written agreement between a Covered Entity and a Business Associate which states that both sides will do all they can to safeguard PHI and that only the minimal information needed to complete a job will be disseminated to the Business Associate. Under the 2013 Omnibus Rule, the Business Associate also agrees to be HIPAA compliant, and the Covered Entity assumes risk if the Business Associate has a breach.

Centers for Medicaid and Medicare Services (C.M.S.)
The Centers for Medicare & Medicaid Services, CMS, is part of the Department of Health and Human Services (HHS). The programs they administer include: Medicare, Medicaid, the Children’s Health Insurance Program (CHIP), and the Health Insurance Marketplace. Source =

Civil Monetary Penalties Law (C.M.P.L.)
Regulations which apply to any claim for an item or service that was not provided as claimed or that was knowingly submitted as false and which provides guidelines for the levying of fines for such offenses. Source = Compliance 101, 3rd Ed., published by HCCA, Pg. 135

Clean Desk Policy
A Clean Desk Policy means that you have instituted a rule that anything which may potentially contain a patient's PHI is removed from an employee's workstation whenever the employee steps away from it.

Code of Federal Regulations (C.F.R.)
The Code of Federal Regulations (CFR) is an annual codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the Federal Government. Source =

Computerized Provider Order Entry (C.P.O.E.)
Refers to any system in which clinicians directly enter medication orders (and, increasingly, tests and procedures) into a computer system, which then transmits the order directly to the pharmacy.

Corporate Integrity Agreement (C.I.A.)
A negotiated settlement between an organization and the government in which the provider accepts no liability but must agree to implement a strict plan of government-supervised corrective action. Source = Compliance 101, 3rd Ed., published by HCCA, pg. 135

Covered Entity
A Covered Entity is one of the following:

Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes and Pharmacies are all Covered Entities but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Health Plans are also Covered Entities and include: insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid and the military/veterans health care programs.

Also, a Health Care Clearinghouse would be considered a Covered Entity and includes establishments that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Designated Record Set
1. A group of records maintained by or for a covered entity, that is:
   i. The medical and billing records about individuals maintained by or for the covered health care provider;
   ii. The enrollment, payment, claims adjudication and case or medical management records systems maintained by or for a health plan;
   iii. Used, in whole or in part, by or for the covered entity to make decisions about individuals.
2. For purposes of the paragraph above, the term record means any item that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity.
Source = Compliance 101, 3rd Ed., published by HCCA, Pg. 136

The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information. Source = Compliance 101, 3rd Ed., published by HCCA, Pg. 137

Effective Date
Under HIPAA, this is the date that a final rule is effective, which is usually 60 days after it is published in the Federal Register. Source =

Electronic Health Record (E.H.R.)
An electronic version of a patient's medical history.

Electronic Protected Health Information (ePHI)
Refers to any PHI that is covered under HIPAA security regulations and is produced, saved, transferred or received in an electronic form.

False Claims Act
Legislation that prohibits anyone from knowingly submitting, or causing to be submitted, a false or fraudulent claim. Originally adopted by the US Congress in 1863 during the Civil War to discourage suppliers from overcharging the federal government. Source = Compliance 101, 3rd Ed., published by HCCA, Pg. 137

Family Educational Rights and Privacy Act (F.E.R.P.A.)
FERPA gives parents access to their child's education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. The HIPAA Rules do not apply to individually identifiable health information in your practice’s employment records or in records covered by the Family Educational Rights and Privacy Act (FERPA), as amended.

Federal Register
The 'Federal Register' is the official daily publication for rules, proposed rules and notices of federal agencies and organizations, as well as Executive Orders and other Presidential documents. Source =

Genetic Information Nondiscrimination Act (G.I.N.A.)
The Act prohibits group health plans and health insurers from denying coverage to a healthy individual or charging that person higher premiums based solely on a genetic predisposition to developing a disease in the future.

Health and Human Services (H.H.S.)
HHS is the Cabinet-level department of the Federal executive branch most involved with the Nation's human concerns. They are the over-arching Governmental body who manages and enforces the HIPAA rule (sic). Source =

Health Information Exchange (H.I.E.)
Health Information Exchange allows health care professionals and patients to appropriately access and securely share a patient’s vital medical information electronically. There are many health care delivery scenarios driving the technology behind the different forms of health information exchange available today. Source =

Health Information Organization (H.I.O.)

Health Information Technology
Health Information Technology (Health IT) makes it possible for health care providers to better manage patient care through secure use and sharing of health information. Health IT includes the use of electronic health records (EHRs) instead of paper medical records to maintain people's health information. Source =

Health Information Technology for Economic and Clinical Health Act (H.I.T.E.C.H.)
Enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH is designed to encourage health care providers to adopt health information technology that establishes electronic health records in a standardized manner that protects patients' private health information. In addition, it requires the Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen health information privacy and security protections. Source = Compliance 101, 3rd Ed., Published by the HCCA, Pg. 140

Health Insurance Portability and Accountability Act (H.I.P.A.A.)
A regulation to guarantee patients new rights and protections against the misuse or disclosure of their health records.

Healthcare Clearinghouse
A public or private entity that does either of the following:
1) Processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction;
2) Receives a standard transaction from another entity and processes or facilitates the processing of information into nonstandard format or nonstandard data content for a receiving entity.
Entities, including but not limited to, billing services, repricing companies, community health management information systems or community health information systems, and "value-added" networks and switches are health care clearinghouses if they perform these functions. Source =

Healthcare Information and Management Systems Society (H.I.M.S.S.)
HIMSS is a global, cause-based, not-for-profit organization focused on better health through information technology (IT). HIMSS leads efforts to optimize health engagements and care outcomes using information technology. Source =

A common reporting system, administered in-house or by outside consultants, giving anonymous telephone access to employees seeking to report possible instances of wrongdoing. Source = Compliance 101, 3rd Ed., Published by the HCCA, Pg. 142

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Inspector General
An officer of a federal agency whose primary function is to conduct and supervise audits and investigations relating to operations and procedures over which the agency has jurisdiction. Source = Compliance 101, Ed. 3, Published by HCCA, Pg. 142

Managed Care Organization (M.C.O.)
An organization that combines the functions of health insurance, delivery of care, and administration.

Meaningful Use
An incentive program for providers accepting Medicare and Medicaid who are also using an EHR platform. To receive an EHR incentive payment, providers have to show that they are "meaningfully using" their certified EHR technology by meeting certain measurement thresholds that range from recording patient information as structured data to exchanging summary care records.

Minimum Necessary Standard
Except for disclosures to other health care providers for treatment purposes, you must make reasonable efforts to use or disclose only the minimum amount of PHI needed to accomplish the intended purpose of the use or disclosure.

National Instant Criminal Background Check System (N.I.C.S.)
On January 4, 2016, the Department of Health and Human Services (HHS) moved forward on the Administration’s commitment to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm. Source =

Notice of Privacy Practices
The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals' rights with respect to their personal health information and the privacy practices of health plans and health care providers.

Notice of Proposed Rulemaking (N.P.R.M.)
A public notice issued by law when one of the independent agencies of the United States government wishes to add, remove, or change a rule or regulation as part of the rulemaking process. The HITECH Act is an example of where the NPRM was used to change the HIPAA Rule.

Office of Civil Rights (O.C.R.)
Through the federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, OCR protects your fundamental nondiscrimination and health information privacy rights by:
A) Teaching health and social service workers about civil rights, health information privacy, and patient safety confidentiality laws;
B) Educating communities about civil rights and health information privacy rights; and
C) Investigating civil rights, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and take action to correct problems. Source =

Organizational Standards
These standards require a CE to have contracts or other arrangements with BAs that will have access to the CE’s ePHI. The standards provide the specific criteria required for written contracts or other arrangements.

Personal Health Record (P.H.R.)
An individual may request that you transmit PHI in your records to his or her Personal Health Record (PHR) or to another physician. Your EHR developers, as your BAs, must cooperate in this obligation.

Personally Identifiable Information (P.I.I.)
Information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, or biometric records, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name. Source =

Physical Safeguards
These safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion. These safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it.

Policies and Procedures

Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Source =

Protected Health Information (P.H.I.)
Individually identifiable health information held or transmitted by a CE or its BA, in any form or media, whether electronic, paper, or oral.

Regional Extension Center (R.E.C.)
The Office of the National Coordinator for Health Information technology (ONC) has funded 62 Regional Extension Centers (RECs) to help more than 100,000 primary care providers adopt and use electronic health records (EHRs). Providers do not have to become technology experts to achieve meaningful use of EHRs; RECs will provide them with on-the-ground assistance. REC services include outreach and education, EHR support (such as working with vendors, or helping providers choose a certified EHR system), and technical assistance in implementing health IT and using it in a meaningful way to improve care. Source =

Risk Analysis

Risk Assessment

Safeguards
The Safeguards Principle in the Privacy and Security Framework emphasizes that trust in electronic health information exchange can only be achieved if reasonable administrative, technical, and physical safeguards are in place. The HIPAA Privacy Rule supports the Safeguards Principle by requiring covered entities to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). See 45 C.F.R. § 164.530(c). Source =

Security Risk Assessment (S.R.A.)
A systematic examination of many aspects of your health care practice, intended to identify potential security weaknesses and flaws.

Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Source =

Technical Safeguards
The Security Rule defines technical safeguards in § 164.304 as, “The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Source =

Treatment, Payment and Health Care Operations (T.P.O.)
The primary areas where health care workers will need to use patients' protected health information. Source = Compliance 101, Ed. 3, Published by HCCA, Pg. 147

United States Code (U.S.C.)
The United States Code is a consolidation and codification by subject matter of the general and permanent laws of the United States. It is prepared by the Office of the Law Revision Counsel of the United States House of Representatives. Source =

Upcoding
A main focus of the OIG (Office of Inspector General) is on preventing fraud such as upcoding. Upcoding is the act of using billing codes that provide a higher rate than the services actually performed. Recently, under the HIPAA rule, civil monetary penalties have been introduced for acts such as upcoding.

Vendor
Any person or organization that you pay for a specific task and who is not a member of your direct staff. Vendors may include 'regular' vendors, such as members of a cleaning crew, or Business Associates (such as your clearinghouse or IT specialist).
