HIPAA Glossary

Authorization
An authorization is a written form, often referred to as a “release”, that provides patient permission for a specific use or disclosure of PHI not otherwise expressly permitted or required by the Privacy Rule. The authorization describes what PHI may be disclosed, to whom, for what purpose, and how long the authority to do so lasts. The written form must meet certain requirements specified by the Privacy Rule and, in some cases, state law. See Module 3 for more details.

Breach
A use, disclosure, access, or acquisition of PHI that compromises the security or privacy of the PHI and that violates the Privacy Rule. See Module 11 for more details.

Business associate
A business associate is an organization or person who receives or maintains PHI from the psychologist in order to provide services to, or on behalf of, the psychologist (e.g., billing service, cloud storage vendor, accountant, lawyer, collection agency). Members of your workforce and health care providers or plans are not considered business associates. See Module 9 for more details.

Consent
Consent is the patient’s advance permission for certain routine, anticipated uses and disclosures of PHI – such as for treatment and payment purposes. Consent is typically obtained in writing at the start of treatment or when the patient applies for health insurance. See Module 3 for more details.

Covered entity
We do not use this term in HIPAASmart, but we define it here because you may see it used in HIPAA rules or guidance. Covered entities include: (1) health care providers, (2) health plans (including employer-sponsored group plans, Medicaid, Medicare, managed care plans, etc.), and (3) health care clearinghouses.

Disclosure
The release, transfer, provision of access to, or divulging of information outside the entity holding the information. See Module 1 for more details.

Encryption
The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data without use of a confidential process or key. See the Details Document for more information.

Federal Education Rights and Privacy Act (FERPA)
FERPA sets out requirements for protecting the privacy of parents and of children attending any educational agency or institution that receives federal funds. The regulations cover privacy rights, notice, consent, authorization, disclosure, and access to student records.

Health care operations
A broad category of activities that covers an array of routine releases of PHI within the health care system. These activities include, for example: evaluating the performance of health care providers and/or health plans; quality assessment and improvement activities; fraud and abuse detection and compliance programs; population-based activities relating to improving health or reducing health care cost; case management and care coordination; legal services and auditing functions; business planning; and administrative services. See Module 3 for more details.

HHS – see U.S. Department of Health and Human Services.

Minimum necessary
Under the Privacy Rule, when using or disclosing PHI or when requesting PHI from another covered entity, a psychologist must make reasonable efforts to limit the use or disclosure, or the request, to the minimum amount of information necessary to accomplish the intended purpose. See Module 5 for more details.

Payment
For psychologists, payment refers to the activities undertaken to obtain reimbursement for health care services that have been provided. These activities include: billing, claims management, collection activities, utilization review, and determinations of eligibility or coverage. See Module 3 for more details.

Patient
HIPAA uses the term “individual” to refer to the person who is the subject of the PHI being used or disclosed. For psychologists, that person is typically their patient, so HIPAASmart uses this more intuitive word instead of “individual”. In some instances, like forensic and other third-party evaluations, you might not consider the person being evaluated to be your patient (or client). For the purposes of HIPAASmart, though, we use that term to cover them. Third-party evaluations raise a number of other unique HIPAA issues, which are covered in the Details Document.

Personal representative
A personal representative is a person legally authorized to make health care decisions on a patient’s behalf or to act for a deceased patient or the patient’s estate. State law determines who the personal representative is in any particular case. Often, a personal representative is the parent of a minor child, the guardian of an incapacitated adult, or the executor of a deceased patient’s will. See Module 8 for more details.

Protected Health Information (PHI)
PHI is information that:

  • relates to:
    • a patient’s past, present, or future physical or mental health condition;
    • the provision of health care to a patient; or
    • the past, present, or future payment for a patient’s health care.
  • identifies a patient or could reasonably be used to identify a patient; and
  • is transmitted or maintained in any form or medium.
See Module 1 for more details.

Psychotherapy Notes
Under the Privacy Rule, Psychotherapy Notes are defined as:

  • notes recorded in any medium
  • by a health care provider who is a mental health professional
  • documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session
  • that are separated from the rest of the patient’s medical record.
The following types of information are specifically excluded from the definition of psychotherapy notes: the modalities and frequencies of treatment provided; counseling session start and stop times; results of clinical tests; medication prescription and monitoring; and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. See Module 6 for more details.

Treatment
The provision, coordination, or management of health care and related services by one or more health care providers. This includes consultation between health care providers relating to a patient or the referral of a patient from one health care provider to another. See Module 3 for more details.

U.S. Department of Health and Human Services (HHS)
The U.S. Department of Health and Human Services, or HHS, has the authority and responsibility to implement and administer the regulations promulgated under HIPAA. The Office of Civil Rights, within HHS, is the office specifically tasked with the oversight and enforcement of the Privacy Rule, Security Rule, and Breach Notification Rule. See Module 1 for more details.

Use
The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity (e.g., hospital, clinic, psychologist’s practice) that maintains such information.

Workforce
The employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a health care provider or plan covered by HIPAA or for a business associate, is under the direct control of that entity or business associate, whether or not they are paid by the entity or business associate.