The Office of Healthcare Compliance and Privacy provides the following definitions as guidance specific to HIPAA/privacy. Many of the terms below are more specifically defined in the Privacy Rule, but are abbreviated or generalized here to make them easier for the reader to understand. For additional guidance please contact the Office of Healthcare Compliance and Privacy at 860-679-7226 or firstname.lastname@example.org.
Accounting of Disclosures: A listing of all disclosures made by UConn Health of an individual’s PHI, as required by law, in the six years prior to the date on which the accounting is requested by the individual. See policy 2003-18: Accounting of Disclosures of PHI to Patients upon their Request.
Authorization: An individual's signed permission to allow UConn Health to use or disclose the individual's PHI and that describes the purpose(s) of the disclosure and states the recipient(s) of the PHI. The Privacy Rule specifies additional core elements and required statements that must be included in an Authorization. See policy 2003-16: Authorization for Release of Information and associated form.
Breach: Subject to certain exceptions, generally a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of an individual’s protected health information. See policy 2003-09: Breaches of Privacy & Security of Protected Health Information and Confidential Data.
Business Associates: Persons or entities who act on behalf of UConn Health to perform, or assist in performing, a function or activity that involves the use or disclosure of PHI and who are not employees or members of the UConn Health Workforce. See policy 2003-04: Business Associates Contracts.
Confidential Data: Includes, but is not limited to, personally identifiable information that is not in the public domain and if improperly disclosed could be used to steal an individual’s identity, violate the individual’s right to privacy or otherwise harm the individual and/or the institution.
Covered Entity: Any organization or individual that is a: (1) health plan, (2) healthcare clearinghouse, or (3) healthcare provider who conducts certain transactions in electronic form. A Covered Entity must comply with HIPAA.
De-identification: Health information is de-identified if it does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.
Health information is de-identified if:
- It is stripped of all 18 direct identifiers specified in the Privacy Rule, or
- An expert in statistical and scientific principles and methods for rendering information not individually identifiable determines that there is a very small risk that the information could be used alone or in combination with other information to identify an individual and the methods and results of the analysis that justify such determination are documented. See policy 2003-29: Creation, Use and Disclosure of De-Identified Protected Health Information (Privacy and Security of Protected Health Information (PHI)) and associated form.
Designated Record Set: A group of records maintained by or for UConn Health, that is: (a) the medical records and billing records about a patient; and/or (b) used in whole or in part, by or for UConn Health, to make decisions about a patient. For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for UConn Health. See policy 2012-06: Designated Record Set.
Disclosure: The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Electronic Protected Health Information (ePHI): Individually Identifiable Health Information a Covered Entity creates, receives, maintains or transmits in electronic form.
Fundraising: The organized activity of raising funds for an organizational cause. See policy 2003-06: HIPAA Fundraising Compliance Policy.
Healthcare Operations: Includes any of the following activities:
- Quality assessment and improvement activities, including case management and care coordination;
- Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
- Conducting training programs in which students, trainees, or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers and training of non-healthcare professionals;
- Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
- Business planning, development, management, and administration; and
- Business management and general administrative activities, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of UConn Health.
Health Insurance Portability and Accountability Act (HIPAA): A federal law, the intent of which is to protect the privacy and security of patient health information, that is created or maintained by healthcare providers, health plans, healthcare clearinghouses, and their Business Associates.
Individually Identifiable Health Information (IIHI): A subset of health information, including demographic and financial information collected from an individual, that:
- Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
- Relates to the physical or mental health or condition of an individual; the provision of healthcare to an individual; or payment for the provision of healthcare to an individual; and
- Identifies the individual, or might reasonably be used to identify the individual.
Legal Representative (Authorized Representative/Personal Representative): Generally, a person legally authorized by state law or court appointment to make healthcare decisions on an individual’s behalf or to act for a deceased individual or their estate. See policy 2012-05: Legal Representative for Health Care Decisions.
Limited Data Set: Protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, healthcare operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set. See policy 2003-30: Limited Data-set Creation, Use and Disclosure.
Marketing: Subject to certain exceptions set forth in the Privacy Rule, communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See policy 2003-05: HIPAA Marketing Compliance.
Minimum Necessary: The minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request. See policy 2003-21: Minimum Necessary Protected Health Information.
Notice of Privacy Practices: A document that provides an individual notice of the uses and disclosures of PHI that may be made by UConn Health, and of the individual’s rights and UConn Health’s obligations with respect to PHI. See UConn Health Notice of Privacy Practices.
Privacy Rule: The federal regulations set forth in 45 C.F.R. Part 160 and Subparts A and E of Part 164, which address the use and disclosure of individuals’ protected health information by Covered Entities, as well as standards for individuals' privacy rights to understand and control how their health information is used.
Protected Health Information (PHI): Any type of Individually Identifiable Health Information, whether electronically maintained, electronically transmitted, or in any other format or medium (i.e., discussed orally, on paper or other media, photographed or otherwise duplicated). PHI excludes Individually Identifiable Health Information in education records covered by the Family Educational Right and Privacy Act (FERPA), records described in 20 USC 1232g(a)(4)(B)(iv), employment records held by a Covered Entity in its role as employer, or related to individuals who have been deceased for more than 50 years.
Psychotherapy Notes: Notes recorded (in any medium) by a healthcare provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Record: Any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for UConn Health.
Required by Law: A mandate contained in law that compels UConn Health to make a use or disclosure of PHI and that is enforceable in a court of law. Required by law includes, but is not limited to:
- Court orders and court-ordered warrants;
- Subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information;
- A civil or an authorized investigative demand;
- Medicare conditions of participation with respect to healthcare providers, both medical and dental, participating in the program; and
- Statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. See policy 2003-28: Use and Disclosure of PHI for Research Purposes and associated forms.
Sanctions: A consequence applied against members of UConn Health’s Workforce and other individuals with approved access to UConn Health systems and Confidential Information who fail to comply with UConn Health Privacy and Information Security policies and procedures. See policy 2014-04: Sanctions Policy for Privacy and Security Violations for Faculty and Staff.
Treatment: The provision, coordination, or management of healthcare and related services by one or more healthcare providers, including: the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.
Use: With respect to Individually Identifiable Health Information, the sharing, employment, application, utilization, examination, or analysis of such information within UConn Health.
Workforce: Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UConn Health, is under the direct control of UConn Health, whether or not they are paid by UConn Health.