Fundraising Under HIPAA —The Privacy Rule—
AHP's Special Analysis

From Stuart R. Smith, FAHP - Chair
William C. McGinly, Ph.D., CAE - President, Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel - Peter Parvis, Esq., Venable, Washington, D.C.

Definitions - Important Terms

This section presents selected major terms defined in the Privacy Rule. Familiarity with these terms will greatly contribute to your understanding of HIPAA.

Authorization. Authorization is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. An Authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An Authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an Authorization.

Business Associate. A Business Associate is any person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides service to, a covered entity. Business Associate functions and activities include claims processing or administration, data analysis processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing. Business Associate services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services.

Business Associate Agreement. The Privacy Rule mandates that covered entities have a Business Associate Agreement with each of their business associates. The Business Associate Agreement must (i) describe the permitted and required uses of protected health information by the business associate, (ii) provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law, and (iii) require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

Covered Functions. Covered Functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.

Covered Entity. Covered Entity means (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule.

Disclosure. Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health Care. Health Care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Care Clearinghouse. Health Care Clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health Care Operations. Health Care Operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. Fundraising is defined to be part of a covered entity's operations.

Health Care Provider. Health Care Provider is any individual or organization that furnishes, bills, or is paid for furnishing health care services in the normal course of business.

Health Information. Health Information means any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

HHS. HHS stands for the Department of Health and Human Services. Within HHS, the Office of Civil Rights (“OCR”) is charged with the responsibility of enforcing the Privacy Rule.

Individual. Individual means the person who is the subject of protected health information.

Individually Identifiable Health Information. Individually Identifiable Health Information (“IIHI”) is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Institutionally Related Foundation. Institutionally Related Foundation is a foundation that qualifies as a nonprofit charitable foundation under § 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. An Institutionally Related Foundation may, as explicitly stated in its charter, support the covered entity as well as other covered entities or health care providers in its community.

Marketing. Marketing means making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Generally, if the communication is marketing, and does not fall within the carve outs discussed in the Memorandum, the communication can occur only if the covered entity first obtains an individual's authorization.

Minimum Necessary Standard. The Minimum Necessary Standard requires covered entities to evaluate their practice and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the Minimum Necessary to accomplish the intended purpose. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the Minimum Necessary requirements.

Notice of Privacy Practices. The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and make available a Notice of Privacy Practices that provides a clear explanation of these rights and practices. The Notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.

Payment. Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

Privacy Officer. The Privacy Officer is the person designated by the covered entity to develop, implement, and oversee the entity's compliance with the HIPAA Privacy Rule. The Privacy Officer may also serve as the entity's Contact Person.

Protected Health Information. Protected Health Information means individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in any medium described in the definition of electronic media; or (iii) transmitted or maintained in any other form or medium. Protected Health Information excludes individually identifiable health information in educational records covered by the Family Educational Rights and Privacy Act (“FERPA”) and employment records held by a covered entity in its role as employer.

Required By Law. Required By Law means a mandate contained in law that compels an entity to make a use or disclosure of protected health information that is enforceable in a court of law. Required By Law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Secretary. Secretary refers to the Secretary of Health and Human Services or his or her designee.

TPO. TPO stands for treatment, payment, and health care operations. Under the regulations, fundraising is a part of health care operations.

 
