Patient Privacy


With the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), patient privacy standards entered a new era. Under the HIPAA Security Rule, health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a covered transaction must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Under the HIPAA Privacy Rule, patients have a right of access to their medical records and more control over how their personal health information is used and disclosed. HIPAA consists of two parts: Health Insurance Reform (Title I) and Administrative Simplification (Title II); the Privacy and Security Rules were issued under the Administrative Simplification provisions. In rural areas, where anonymity is sometimes difficult to maintain, paying attention to patient privacy takes on added importance.

The Office for Civil Rights (OCR) is the agency of the U.S. Department of Health and Human Services that enforces the Privacy Rule and, since July 2009, the Security Rule. Key OCR resources are listed in the Tools and Documents sections below.

Tools

Administrative Simplification in the Health Care Industry
Web site
Provides information on the HIPAA Administrative Simplification Standards, including updates and security standards.
Sponsoring organization: U.S. Department of Health and Human Services

AHA Issues: HIPAA
Web site
Provides information on HIPAA transactions, latest news, security and privacy.
Sponsoring organization: American Hospital Association

Are You a Covered Entity?
Web site
Assists in determining if a natural person, business, or government agency is a covered entity under HIPAA.
Sponsoring organization: Centers for Medicare and Medicaid Services

Health Information Privacy: Disclosures for Emergency Preparedness - A Decision Tool
Web site
Presents avenues of information flow that could apply to emergency preparedness activities. Focuses on the source of the information being disclosed, to whom, and the purpose of the information being disclosed.
Sponsoring organization: U.S. Department of Health and Human Services

HIPAA (Health Insurance Portability and Accountability Act of 1996) - General Information
Web site
Links to information on HIPAA health insurance reform and Administrative Simplification provisions.
Sponsoring organization: Centers for Medicare and Medicaid Services

HIPAA Administrative Simplification Glossary
Web site
Explains HIPAA Administrative Simplification terms.
Sponsoring organization: Centers for Medicare and Medicaid Services

HIPAA Enforcement Overview
Web site
Provides information on HIPAA complaints, civil monetary penalties, and general enforcement information.
Sponsoring organization: U.S. Department of Health and Human Services

HIPAA Frequently Asked Questions
Database
Provides questions and answers pertaining to HIPAA.
Sponsoring organization: Centers for Medicare and Medicaid Services

HIPAA Privacy Rule and Public Health Guidance
Web site
Designed to serve as a basic resource for Privacy Rule information, guidelines and procedures, particularly as they relate to public health practice.
Sponsoring organization: Centers for Disease Control and Prevention

HIPAA-REGS List
Technical assistance
Subscribers to this list are notified by e-mail when documents or events related to the HIPAA Administrative Simplification regulations, such as notices of proposed rulemaking (NPRMs), are published or posted.
Sponsoring organization: National Institutes of Health

Medical Privacy: HIPAA Resource and Topic Guide
Web site
Outlines the Health Insurance Portability and Accountability Act (HIPAA) and lists frequently asked questions on several aspects of the Act.

National Provider Identifier Standard (NPI)
Web site
Provides an overview of the National Provider Identifier (NPI), a unique identifier for each health care provider in standard transactions such as health care claims, and of the requirements for obtaining and using it. Includes links to resources and additional information.
Sponsoring organization: Centers for Medicare and Medicaid Services

Office for Civil Rights: Health Information Privacy
Web site
Provides fact sheets, links, educational materials, and background information on HIPAA.
Sponsoring organization: U.S. Department of Health and Human Services

Strategic National Implementation Process (SNIP)
Web site
Contains resources on HIPAA administrative simplification, including a resource directory, general information, and information on code sets and standards.
Sponsoring organization: Workgroup for Electronic Data Interchange

Version 5010
Web site
Explains what Version 5010 is. Presents fact sheets, resources, a timeline, and e-mail updates regarding Version 5010, the revised set of HIPAA transaction standards that replaces Version 4010/4010A1; the compliance date was January 1, 2012.
Sponsoring organization: Centers for Medicare and Medicaid Services

Inactive Funding

Inactive Funding Opportunities - Lists additional funding programs for this topic that are not currently accepting applications. Programs that are inactive may be offered again in the future.

Regulations, Forms & Other Useful Documents

Am I a Covered Entity and Does the Transactions and Code Sets Rule Apply to Me?
Sponsoring organization: Centers for Medicare and Medicaid Services
Explores the issues involved in determining whether a health care provider is covered by HIPAA and the requirements for covered standard transactions.
Date: 12 / 2002

Appendix A: Selected Privacy Rule Concepts and Definitions
Sponsoring organization: Centers for Disease Control and Prevention
Lists concepts and definitions adapted from the regulatory language of the Privacy Rule.
Date: 04 / 2003

Appendix B: Sample Text That Can Be Used to Clarify Public Health Issues Under the Privacy Rule
Sponsoring organization: Centers for Disease Control and Prevention
Provides sample letters that may be used to help clarify Privacy Rule issues among covered entities and public health authorities.
Date: 04 / 2003

Ethics Conflicts in Rural Communities: Patient-Provider Relationships
Author(s): Rachel Davis, Laura Weiss Roberts
Sponsoring organization: Board of Trustees of Dartmouth College
This fifth chapter of the "Handbook for Rural Health Care Ethics" explores potential ethics issues in the rural patient-provider relationship, approaches and methods for resolving them, and steps that rural health care providers can take to anticipate and prepare for ethics conflicts.
Date: 2009

Ethics Conflicts in Rural Communities: Privacy and Confidentiality
Author(s): Tom Townsend
Sponsoring organization: Board of Trustees of Dartmouth College
This seventh chapter of the "Handbook for Rural Health Care Ethics" explores the ethical challenges involving privacy and confidentiality in rural health care relationships that arise from overlapping relationships and familiarity with patients and communities.
Date: 2009

Ethics Conflicts in Rural Communities: Stigma and Illness
Author(s): Aruna Tummala, Laura Weiss Roberts
Sponsoring organization: Board of Trustees of Dartmouth College
This tenth chapter of the "Handbook for Rural Health Care Ethics" discusses the negative perception associated with some illnesses and how health care providers can serve as patient advocates in counteracting stigma by educating the public and protecting patient privacy.
Date: 2009

Handbook for Rural Health Care Ethics: A Practical Guide for Professionals
Sponsoring organization: Board of Trustees of Dartmouth College
Analyzes, solves, and anticipates health care ethics dilemmas to provide general ethics information and related guidance for clinicians and administrators of rural health care facilities.
Date: 2009

HIPAA 101 for Health Care Providers' Offices
Sponsoring organization: Centers for Medicare and Medicaid Services
Designed to help educate health care professionals on the realities of HIPAA.
Date: 03 / 2003

HIPAA Administrative Simplification: Enforcement; Final Rule
Sponsoring organization: U.S. Department of Health and Human Services
Provides the final rule governing the imposition of civil money penalties on entities that violate rules adopted by the Secretary to implement the Administrative Simplification provisions of HIPAA.
Date: 02 / 2006

HIPAA Glossary
Sponsoring organization: Workgroup for Electronic Data Interchange
Offers a list of HIPAA-related terms, acronyms, and final rule definitions.
Date: 01 / 2001

HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services
Author(s): Stephen B. Thacker
Sponsoring organization: Centers for Disease Control and Prevention
Contains information designed to help public health agencies and others understand and interpret their responsibilities under the Privacy Rule.
Date: 04 / 2003

HIPAA Privacy Rule's Right of Access and Health Information Technology
Sponsoring organization: U.S. Department of Health and Human Services
Describes how HIPAA's right to access rules apply to health information technology and electronic health records (EHRs).
Date: 01 / 2009

HIPAA Security Standards Final Rule
Sponsoring organization: Centers for Disease Control and Prevention
Contains the final rule, published in the Federal Register, adopting HIPAA standards for the security of electronic health information.
Date: 02 / 2003

Practical Strategies for Addressing and Preventing Ethics Issues in Rural Settings
Author(s): William A. Nelson, Karen E. Schifferdecker
Sponsoring organization: Board of Trustees of Dartmouth College
This fifteenth chapter of the "Handbook for Rural Health Care Ethics" presents strategies that health care professionals can use to anticipate and eliminate ethics conflicts, enhance the quality of care, and decrease the negative impact of such conflicts.
Date: 2009

Privacy, Security, and the Regional Health Information Organization
Author(s): Sheera Rosenfeld, Shannah Koss, Sharon Siler
Sponsoring organization: California HealthCare Foundation
Examines key privacy and security issues that RHIOs encounter, the policies and practices they adopt to manage these issues, and common emerging strategies.
Date: 06 / 2007

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
Sponsoring organization: U.S. Department of Health and Human Services
Provides researchers with an understanding of the Privacy Rule and how it may affect health research.
Date: 04 / 2003

Public Law 104-191: Health Insurance Portability and Accountability Act of 1996
Contains the entire HIPAA law of August 21, 1996.
Date: 08 / 1996

Rural Health Care Ethics: A Selected Bibliography
Author(s): Mary Ann Greene
Sponsoring organization: Board of Trustees of Dartmouth College
This seventeenth and final chapter of the "Handbook for Rural Health Care Ethics" is a bibliography of articles, journals, and Web sites that contain information about the theory and practice of ethics in rural health care.
Date: 2009

Rural Hospital HIPAA Readiness and Resource Needs
Author(s): J. Patrick Hart, Wanqing Zhang, Jane L. Meza, Keith J. Mueller
Sponsoring organization: RUPRI Center for Rural Health Policy Analysis
Presents a survey of rural hospitals regarding the extent of their preparation for HIPAA requirements and their need for resources to implement HIPAA requirements. Results shown by hospital size. Also includes information on financial and staff commitment levels.
Journal citation: RUPRI Rural Policy Brief Volume 8 Issue 6
Date: 05 / 2003

Rural Hospitals' Strategies for Achieving Compliance with HIPAA Privacy Requirements
Sponsoring organization: NORC Walsh Center for Rural Health Analysis
Discusses a survey of hospital administrators in rural areas regarding the Health Insurance Portability and Accountability Act (HIPAA). Includes an overview of HIPAA compliance efforts in rural hospitals, as well as examples of specific strategies to meet HIPAA requirements.
Date: 03 / 2004

Summary of the HIPAA Privacy Rule
Sponsoring organization: U.S. Department of Health and Human Services
Provides a summary of the key elements of the HIPAA Privacy Rule.
Date: 05 / 2003

Summary of the HIPAA Security Rule
Sponsoring organization: HHS Office for Civil Rights: Health Information Privacy
Summarizes key elements of the HIPAA Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

Organizations

American National Standards Institute (ANSI)
National organization
Coordinates the development and use of voluntary consensus standards in the United States. Provides information on the Healthcare Information Technology Standards Panel which assists in the development of the U.S. Nationwide Health Information Network (NHIN) by addressing issues such as privacy and security within a shared healthcare information system.

Centers for Medicare and Medicaid Services (CMS)
Federal government
Operates the Medicare and Medicaid programs - two national health care programs that benefit millions of Americans. Part of the U.S. Department of Health and Human Services. Website includes access to research, statistics, and data related to their programs.

HIPAA Summit
Conference
Provides information on upcoming healthcare conferences, tradeshows, internet-based programming and events related to healthcare privacy, data security and HIPAA Compliance.

Terms & Acronyms

Access Ability or the means necessary to read, write, modify or communicate data/information or otherwise make use of any system resource.

Access Control Method of restricting access to resources so that only authorized entities can use them. Types of access control include mandatory access control, discretionary access control, time-of-day restrictions, and classification-based control.

American National Standards Institute (ANSI) Private, nonprofit organization that coordinates and approves voluntary consensus standards in the United States in many areas, including computers and communications. ANSI is not a government body.

Authentication Corroboration that a person or entity is the one claimed; for example, verifying a user's identity by a password, token, or biometric before granting access to a system. (Under the HIPAA Security Rule, "authentication" means the corroboration that a person is the one claimed.)

Authorization Document that allows use and disclosure of protected health information for purposes other than treatment, payment, or health care operations.

Business Associate (BA) A person or organization, other than a member of the covered entity's workforce, that performs a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity, or that provides certain services to a covered entity where the services involve the covered entity disclosing protected health information to the third party. Since the HITECH Act of 2009, business associates are directly subject to the HIPAA Security Rule and to civil penalties, not only to the terms of their contracts.

Business Associate Agreement (BAA) Contract or other arrangement between the covered entity and the business associate that establishes the permitted and required uses and disclosures of protected information by the business associate.

Certification Technical evaluation performed as part of, and in support of the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. This evaluation may be performed internally or by an external accrediting agency.

Clearinghouse Public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

CMS (Centers for Medicare and Medicaid Services) Federal agency responsible for the Medicare and Medicaid programs. Part of the U.S. Department of Health & Human Services.

Consent Document signed by an individual that allows use and disclosure of the individual's protected health information for treatment, payment, and health care operations only. The consent allows use and disclosure of protected health information only by the covered entity seeking the consent, not by other parties. The Privacy Rule permits, but does not require, a covered entity to obtain consent for these purposes.

Contingency Plan Plan for responding to a system emergency. Includes performing backups, preparing critical facilities that can be used to facilitate the continuity of operations in the event of an emergency, and recovering from a disaster.

Covered Entity Entity subject to the HIPAA regulations: a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a covered transaction. Health care providers who do not themselves submit HIPAA transactions may still be covered entities when other entities, such as a billing service, transmit standard electronic transactions on their behalf.

Department of Health and Human Services (DHHS) The United States government's principal and largest grant-making agency, including more than 300 programs. Often referred to as HHS.

Designated Record Sets Group of records maintained by or for a covered entity. Examples are the medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health care plan; or records used in whole or in part by or for the covered entity to make decisions about individuals.

Designated Standard Maintenance Organization (DSMO) Category for organizations that agree to maintain the national standards adopted in the final HIPAA rule titled "Standards for Electronic Transactions."

Direct Treatment Relationship Treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

Disaster Recovery Plan Part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of a fire, vandalism, natural disaster, or system failure.

Disposal Final disposition of electronic data and/or the hardware on which the electronic data is stored.

Electronic Data Interchange (EDI) Inter-company, computer-to-computer direct transmission of business information in a standard format.

Electronic File Interchange (EFI) Also referred to as "bulk enumeration," is a process by which a health care provider or group of providers can have a particular organization apply for National Provider Identifiers on their behalf.

Emergency Mode Operation Plan Part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of a fire, vandalism, natural disaster, or system failure.

Encryption Transforming confidential plaintext into ciphertext so that the data is unintelligible to anyone without the decryption key. Once encrypted, data can be stored or transmitted over unsecured lines. Encryption protects confidentiality only as long as the key is protected; on its own it does not guarantee integrity or availability, and under the HHS breach notification guidance only data encrypted in accordance with the specified NIST standards is considered secured.

Health Care Care, services or supplies related to the health of an individual. Examples of health care are preventive, diagnostic, therapeutic, rehabilitative, maintenance palliative care, counseling, sale or dispensing of a drug or other device in accordance with a prescription.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Federal law (Public Law 104-191) whose Administrative Simplification provisions led to the Privacy Rule, which creates national standards to protect individuals' medical records and other personal health information, and the Security Rule, which sets safeguards for electronic protected health information. HIPAA is the statute; the Privacy Rule is one regulation issued under it.

Health Plan An individual or group plan that provides, or pays the cost of, medical care.

Indirect Treatment Relationship Relationship between an individual and a health care provider in which the health care provider delivers health care to the individual based on the orders of another health care provider and the health care provider provides services or products or reports the diagnosis or results associated with the health care directly to another health care provider, who provides the services or products or reports to the individual.

Individually Identifiable Health Information (IIHI) A subset of health information, including demographic information collected from an individual, that is created or received by a covered entity; that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that care; and that identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual.

Minimum Necessary When using or disclosing protected health information or when requesting protected health information from another covered entity, efforts must be made to limit this information to the minimum necessary to accomplish the intended purpose.

National Council for Prescription Drug Programs (NCPDP) Creates standards for the pharmacy services sector of the health care industry.

National Drug Code (NDC) Standard medical data code set for reporting drugs and biologics.

National Provider Identifier (NPI) Unique 10-digit numeric identifier that covered health care providers must use in standard transactions under HIPAA's Administrative Simplification regulations.

Office for Civil Rights (OCR) Agency of the U.S. Department of Health and Human Services charged with enforcing the HIPAA Privacy and Security Rules, imposing civil penalties, and handling complaints. Also the agency to contact regarding discrimination complaints associated with federal health care and social service programs, including limited English proficiency (LEP) services.

Password Confidential authentication information composed of a string of characters.

Personally Identifiable Information (PII) Any confidential or sensitive information that can be linked to an individual. Examples are name, address, e-mail address, Social Security number, passwords, bank account information, credit card information, or any combination of data, such as birth date, ZIP code, and gender, that together identifies a person.

Privacy Officer (PO) Has the responsibility for the creation, implementation and maintenance of the company's privacy compliance related activities.

Protected Health Information (PHI) Individually identifiable health information that is held or transmitted by a covered entity or its business associate, in any form or medium (electronic, paper, or oral). Electronic PHI (ePHI) is the subset covered by the Security Rule.

Right of Privacy The claim of individuals to determine for themselves when, how and to what extent information about them is communicated, such as what kind of information is being given out, how it's used, and who it's being shared with.

Small Health Plan Health plan with annual receipts of $5 million or less.

Standard Rule, condition or requirement.

Transaction Transmission of information between two parties to carry out activities related to health care. Examples are health care claims information, health care payment advice, coordination of benefits, enrollment and disenrollment in a health plan, health plan eligibility, health care premium payments, and first report of injury.

Transactions and Code Sets (T&CS) The standard electronic transaction formats and the standardized code sets used to encode their data elements, as adopted under HIPAA. Standard transactions include health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, first report of injury, and health claims attachments.

Treatment Provision, coordination, or management of health care and related services by one or more health care providers.

Version 5010 Also referred to as HIPAA X12 Version 5010. A revised set of standards that regulates the electronic transmission of specific health care transactions. Covered entities, such as health plans, health care clearinghouses, and health care providers, are required to conform to these standards. The compliance date was January 1, 2012; CMS exercised enforcement discretion and announced that it would not initiate enforcement action until July 1, 2012.

Contacts

John Halverson, Office for Civil Rights
E-mail: john.halverson@hhs.gov

Page last updated 3/23/2012
Topic last reviewed 8/2/2011

About this Page
Credits

John Halverson, Office for Civil Rights
Alana Knudson, NORC Walsh Center for Rural Health Analysis
Kris Hughes, Director HIPAA Services, SG&A Consulting
Kathleen Gaydos-Combs, Medical Library Association
Thanks also go to the Medical Library Association HIPAA Teleconference of March 2003.
HRSA (Health Resources and Services Administration)
CDC (Centers for Disease Control and Prevention)

Maintained by:
Aubrey Madler
aubrey@raconline.org

Phone: 1-800-270-1898
Email: info@raconline.org

Copyright © 2002–2012 Rural Assistance Center. All rights reserved.

Funding for this project was supported by Grant Number U56RH05539 from the Office of Rural Health Policy, Health Resources and Services Administration, U.S. Department of Health and Human Services. The contents of this website are solely the responsibility of the authors and do not necessarily represent the official views of the funder.