Glossary of Common Terms
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Affiliated Covered Entity - Legally separate health care providers (or health plans or clearinghouses) that are under common ownership or control and that choose to comply with HIPAA privacy regulations as one affiliated entity. Partners has designated itself as one affiliated covered entity, which includes all Partners hospitals, affiliated physician organizations, PCHI, and owned or managed PCHI practices. This designation permits easier sharing of individually identifiable health care information within the system and avoids the need for some "business associate" agreements. [See Business Associate]

Amending PHI - Individuals have the right to amend protected health information (PHI) in the designated record set. This does not include research notes outside of the designated record set (information that would not be used for clinical or billing decisions). [See Designated Record Set]

Anonymized - Previously identifiable data that have been deidentified and for which a code or other link no longer exists. An investigator would not be able to link anonymized information back to a specific individual. [See Anonymous, Coded, Linked, Directly Identifiable, Indirectly Identifiable]

Anonymous - Data that were collected without identifiers and that were never linked to an individual. Coded data are not anonymous. [See Anonymized, Coded, Linked, Directly Identifiable, Indirectly Identifiable]

Authorization - Document designating permission. The HIPAA Privacy Rule requires authorization or waiver of authorization for the use or disclosure of identifiable health information for research (among other activities). The authorization must indicate if the health information used or disclosed is existing information and/or new information that will be created during the research. The authorization form may be combined with the informed consent form, so that a subject need sign only one form. An authorization must include the following specific elements: a description of what information will be used and disclosed and for what purposes; a description of any information that will not be disclosed, if applicable; a list of who will disclose the information and to whom it will be disclosed; an expiration date for the disclosure; a statement that the authorization can be revoked; a statement that disclosed information may be redisclosed and no longer protected; a statement that if the individual does not provide an authorization, s/he cannot receive research-related treatment; the subject's signature and date. [See HIPAA, Consent, Privacy Notice, Use, Disclosure, Waiver of Authorization]

Biometric Identifier - Identifying information based on a physical characteristic (e.g., a fingerprint).

Business Associate - An outside person/entity that performs a service on behalf of the health care provider (including a researcher) or the health care institution during which individually identifiable health information is created, used, or disclosed. Certain exceptions apply. Anyone within the Partners affiliated covered entity is not a business associate. Outside researchers and coordinating or statistical centers that participate in conducting the research or third parties that sponsor research are generally not business associates. Third parties that perform a function on the hospitals' or researchers' behalf that is not itself research may be business associates if they receive protected health information. For example, web hosting or data storage companies will be business associates if they receive protected health information. In addition, third parties that handle billing for a research study, or recruitment and screening, will also be business associates.

Coded - Data are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous or anonymized. Coded data are not covered by the HIPAA Privacy Rule, but are protected under the Common Rule. [See Anonymous, Anonymized, Linked, Directly Identifiable, Indirectly Identifiable]

Common Rule - Also known as 45 CFR 46. Outlines requirements of federally supported research with regards to human subjects protections and places the responsibility of these protections on institutions, their Institutional Review Boards (IRBs), and investigators. Among other requirements, the Common Rule mandates that all researchers obtain informed consent from human subjects to participate in research, unless the IRB has approved a waiver of the requirement for informed consent. Partners policy and assurances to the government require all research (not just federally supported studies) to adhere to the Common Rule. [See Consent, Authorization, HIPAA]

Compliance Date - Covered entities must comply with the HIPAA Privacy Rule by April 14, 2003.

Confidentiality - The protection of individually identifiable information as required by state and federal legal requirements and Partners policies. [See Privacy, Privacy Notice]

Consent, Informed - Required by the Common Rule. Refers to the requirement that all researchers explain the purposes, risks, benefits, confidentiality protections, and other relevant aspects of a research study to potential human subjects so that they may make an informed decision regarding their participation in the research. IRBs review the informed consent process and form documenting the consent to ensure compliance with research regulations and policies. The HIPAA Privacy Rule permits entities to include in the informed consent form for research an "authorization" for use or disclosure of individually identifiable health care information. Please see the Partners' Requirements for Informed Consent. [See Common Rule, HIPAA, Authorization]

Covered Entity - Refers to three types of entities that must comply with the HIPAA Privacy Rule: health care providers; health plans; and health care clearinghouses. For purposes of the HIPAA Privacy Rule, health care providers include hospitals, physicians, and other caregivers, as well as researchers who provide health care and receive, access or generate individually identifiable health care information. [See Health Care, Health Care Clearinghouses, Health Care Providers]

Data Aggregation - Combining of sets of protected health information by a business associate to permit data analyses. [See Business Associate]

Data Use Agreement - A satisfactory assurance between the covered entity and a researcher using a limited data set that the data will only be used for specific uses and disclosures. The data use agreement is required to include the following information: to establish that the data will be used for research, public health or health care operations (further uses or disclosure are not permitted); to establish who is permitted to use or receive the limited data set; and to provide that the limited data set recipient will: (1) not use or further disclose the information other than as permitted by the data use agreement or as required by law; (2) use appropriate safeguards to prevent use or disclosure of the information other than as provided in the agreement; (3) report to the covered entity any identified use or disclosure not provided for in the agreement; (4) ensure that any agents, including a subcontractor, to whom the limited data sets are provided agree to the same restrictions and conditions that apply to the recipient; and (5) not identify the information or contact the individuals. [See Limited Data Set]

Decedents - Deceased individuals. Afforded privacy rights under the HIPAA Privacy Rule, even though not considered "human subjects" protected under the Common Rule. As is the current practice, all research protocols involving the review of medical records of deceased subjects or of living and deceased subjects require review and approval by the HRC/IRB and can be conducted without informed consent and authorization only if the protocol satisfies the criteria for a waiver. If the research includes access to the records of decedents, the investigator will be asked to document that the decedents' PHI will only be used for research and that the information is necessary for the research. The covered entity may require the investigator to provide proof of death.

Deidentified - Under the HIPAA Privacy Rule, data are deidentified if either (1) an experienced expert determines that the risk that certain information could be used to identify an individual is "very small" and documents and justifies the determination, or (2) the data do not include any of the following eighteen identifiers (of the individual or his/her relatives, household members, or employers) which could be used alone or in combination with other information to identify the subject: names, geographic subdivisions smaller than a state (including zip code), all elements of dates except year (unless the subject is greater than 89 years old), telephone numbers, FAX numbers, email address, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers including license plates, device identifiers and serial numbers, URLs, internet protocol addresses, biometric identifiers, full face photos and comparable images, and any unique identifying number, characteristic or code. Note that even if these identifiers are removed, the Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined.

Designated Record Set - A health care provider's medical and billing records about individuals and any records used by the provider to make decisions about individuals. Individuals, including research subjects, have the right under the HIPAA Privacy Rule to access and amend protected health information in a Designated Record Set.

Directly Identifiable - Any information that includes personal identifiers. To determine what data may be considered identifiable, please see items that must be removed under the HIPAA Privacy Rule's definition of deidentified. [See Anonymous, Anonymized, Coded, Linked, Indirectly Identifiable]

Disclosure - A release of identifiable health information to anyone or any entity outside of the Partners affiliated covered entity. [Compare Use]

Electronic Medical Record - A computer-based record containing health care information. This record may contain some, but not necessarily all, of the information that is in an individual's paper-based medical record. One goal of HIPAA is to protect identifiable health information as the system moves from a paper-based to an electronic medical record system.

Genetics - The study of how particular traits are passed from parents to children. Identifiable genetic information receives the same level of protection as other health care information under the HIPAA Privacy Rule. Of note for genetic researchers, the rule defines "identifiable" information to include information from the individual as well as relatives. Thus researchers considering whether to deidentify data should review the definition of deidentified information closely.

Health Care - Care, services, and supplies related to the health of an individual. Health care includes preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, among other services. Health care also includes the sale and dispensing of prescription drugs or devices.

Health Care Clearinghouse - An entity that standardizes health information (e.g., a billing service that processes or facilitates the processing of data from one format into a standardized billing format). Partners and PCHI are considered clearinghouses, because some of their activities meet this definition (note: they are not health care providers).

Health Care Operations - Institutional activities that are necessary to maintain and monitor the operations of the institution. Examples include but are not limited to: conducting quality assessment and improvement activities; developing clinical guidelines; case management; reviewing the competence or qualifications of health care professionals; education and training of students, trainees and practitioners; fraud and abuse programs; business planning and management; and customer service. Under the HIPAA Privacy Rule, these are allowable uses and disclosures of identifiable information "without specific authorization." Research is not considered part of health care operations.

Health Care Provider - Providers of medical or health care. Researchers who provide health care are health care providers. [See Health Care]

Health Information - Information in any form (oral, written or otherwise) that relates to the past, present or future physical or mental health of an individual. That information could be created or received by a health care provider, a health plan, a public health authority, an employer, a life insurer, a school or university or a health care clearinghouse.

Health Oversight Agency - A person or entity at any level of the federal, state, local or tribal government that oversees the health care system or requires health information to determine eligibility or compliance or to enforce civil rights laws.

HIPAA - [pr: hip'-ah] The Health Insurance Portability and Accountability Act of 1996. HIPAA is a federal law that was designed to allow portability of health insurance between jobs. In addition, it required the creation of a federal law to protect personally identifiable health information; if that did not occur by a specific date (which it did not), HIPAA directed the Department of Health and Human Services (DHHS) to issue federal regulations with the same purpose. DHHS has issued HIPAA privacy regulations (the HIPAA Privacy Rule) as well as other regulations under HIPAA.

Human Subject - A living subject participating in research about whom directly or indirectly identifiable health information or data are obtained or created.

Indirectly Identifiable - Data that do not include personal identifiers, but link the identifying information to the data through use of a code. These data are still considered identifiable by the Common Rule. To determine what data may be considered identifiable, please see Deidentified. [See Anonymous, Anonymized, Coded, Linked, Directly Identifiable]

Individually Identifiable Health Information - A subset of health information that identifies the individual or can reasonably be used to identify the individual.

Institutional Review Board (IRB) - Common Rule-mandated method of peer review to protect human subjects. HIPAA privacy regulations require an IRB also to protect the privacy rights of research subjects in specific ways. At Partners, the IRB will now review all HIPAA-required authorizations and waivers of authorization for research use of identifiable health information. [See Common Rule, HIPAA, Authorization, Consent, Waiver of Authorization]

Limited Data Set - Set of data that may be used for research, public health or health care operations without an authorization or waiver of authorization. The limited data set is defined as PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual: names; postal address information (other than town or city, State and zip code); telephone and FAX numbers; electronic mail addresses; SSN; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web universal resource locators (URLs); internet protocol (IP) address; biometric identifiers, including finger and voice prints; full face photos and comparable images. A covered entity must enter into a data use agreement with the recipient of a limited data set.
It should be noted that although a limited data set is subject to only select provisions of the HIPAA Privacy Rule, it may be covered by the Common Rule. Therefore, the Partners policy will be that a request for use or disclosure of a limited data set must be submitted to the IRB. [See Data Use Agreement]

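The two reductions defined above, Deidentified (safe harbor, all eighteen identifiers removed) and Limited Data Set (direct identifiers removed, but town/city, State, zip code and full dates retained), differ only in which fields survive. The following Python is an added example, not part of this glossary or of any Partners system, that applies both reductions to one record and includes a check for identifiers that remain. The field names, the constructed sample record, the treatment of a coded study identifier as "any unique identifying number, characteristic or code", and the reporting of ages over 89 as a single "90+" bucket are assumptions made for the example; the identifier lists themselves follow the glossary text.

```python
from datetime import date

# Direct identifiers that BOTH the limited data set and safe-harbor
# deidentification remove (the list under "Limited Data Set").
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# A limited data set may keep these; safe harbor removes every geographic
# subdivision smaller than a state, zip code included.
GEOGRAPHIC_BELOW_STATE = {"city", "zip"}
# Safe harbor keeps only the year of any date.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# "Any unique identifying number, characteristic or code" (assumption: a
# study code that still links back to the person counts).
OTHER_UNIQUE_CODES = {"study_code"}

SAFE_HARBOR_REMOVALS = DIRECT_IDENTIFIERS | GEOGRAPHIC_BELOW_STATE | OTHER_UNIQUE_CODES


def limited_data_set(record):
    """Drop the direct identifiers; city, state, zip and full dates remain.
    The recipient still needs a data use agreement (see the glossary)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def age_on(birth, as_of):
    """Whole years between two dates."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record, as_of):
    """Reduce a record to the safe-harbor deidentified form."""
    out = {}
    for k, v in record.items():
        if k in SAFE_HARBOR_REMOVALS:
            continue
        if k in DATE_FIELDS:
            out[k.replace("_date", "_year")] = v.year  # year only
        else:
            out[k] = v
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            # Assumption: ages over 89 are reported only as a "90+" bucket and the
            # birth year is dropped, since the year alone would single them out.
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def remaining_identifiers(record):
    """Detection check: fields that would still fail the safe-harbor list."""
    found = {k for k in record if k in SAFE_HARBOR_REMOVALS or k in DATE_FIELDS}
    if isinstance(record.get("age"), int) and record["age"] > 89:
        found.add("age")
    return found


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Doe", "street_address": "1 Main St", "city": "Boston",
    "state": "MA", "zip": "02114", "phone": "617-555-0100",
    "email": "jdoe@example.com", "mrn": "MRN-000123",
    "birth_date": date(1930, 5, 2), "admission_date": date(2003, 4, 14),
    "diagnosis": "hypertension", "study_code": "S-0042",
}

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE))
    print("safe harbor     :", safe_harbor(SAMPLE, as_of=date(2003, 4, 14)))
    print("still identifying in the limited data set:",
          sorted(remaining_identifiers(limited_data_set(SAMPLE))))
```

Running the script shows why the glossary treats the two sets differently: the limited data set still carries zip code, city, full dates and the study code, so it remains PHI under the Common Rule and needs a data use agreement, while the safe-harbor output retains only state, years, an age and the diagnosis.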
Linked - See Coded.

Minimum Necessary - A HIPAA Privacy Rule standard requiring that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the health care provider or other covered entity. This standard does not apply to uses and disclosures for treatment purposes (so as not to interfere with treatment) or to uses and disclosures that an individual has authorized, among other limited exceptions. Justification regarding what constitutes the minimum necessary will be required in some situations (e.g., disclosures with a waiver of authorization and non-routine disclosures).

Personal Representative - A person authorized under state or other law to act on behalf of the individual in making health-related decisions. Examples include a court-appointed guardian with medical authority, a health care agent under a health care proxy, and a parent acting on behalf of an unemancipated minor (with exceptions where state law gives minors the right to make health decisions). For a decedent, the personal representative may be an executor, administrator, or other authorized person for matters concerning PHI.

Privacy - For purposes of the HIPAA Privacy Rule, privacy means an individual's interest in limiting who has access to personal health care information.

Privacy Board - A board of members authorized by the HIPAA Privacy Rule to approve a waiver of authorization for use and/or disclosure of identifiable health information. For research purposes, the Institutional Review Board will function as the Privacy Board.

Privacy Notice - Institution-wide notice describing the practices of the covered entity regarding protected health information. Health care providers and other covered entities must give the notice to patients and research subjects and should obtain signed acknowledgements of receipt. Internal and external uses of protected health information are explained. It is the responsibility of the researcher to provide a copy of the Privacy Notice to any subject who has not already received one. If the researcher does provide the notice, the researcher should also obtain the subject's written acknowledgement of receipt.

Protected Health Information - Individually identifiable health information transmitted or maintained in any form. [See Individually Identifiable Health Information]

Psychotherapy Notes - These include notes recorded by the health care provider who is a mental health professional during a counseling session, either in a private session or in a group. These notes are separate from documentation placed in the medical chart and do not include prescriptions. Specific patient authorization is required for use and disclosure of psychotherapy notes.

Public Health Authority - A federal, state, local or tribal person or organization that is required to conduct public health activities.

Research - A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

Tracking of Disclosures - The HIPAA Privacy Rule gives individuals the right to request an accounting of disclosures of protected health information over the previous six years. If an individual authorizes uses or disclosures for research, the disclosures do not need to be tracked, but disclosures must be tracked if the researcher receives an IRB-approved waiver of authorization. The accounting of disclosures generally must include: the date of the disclosure, the name of the entity or person (and address if known) who received the protected health information, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure. The Rule allows an alternative tracking option for research involving 50 or more people. This alternative tracking option will not be used by Partners.

Transaction - The exchange of information for administrative or financial purposes such as health insurance claims or payment.

Treatment - The provision of health care by one or more health care providers. Treatment includes any consultation, referral or other exchanges of information to manage a patient's care. The Privacy Notice explains that the HIPAA Privacy Rule allows Partners and its affiliates to use and disclose protected health information for treatment purposes without specific authorization.

Use - The sharing of individually identifiable health information within a covered entity. For Partners' purposes, a use is the sharing of such information within the Partners affiliated covered entity. [See Affiliated Covered Entity; Compare Disclosure]

Waiver of Authorization - Under limited circumstances, a waiver of the requirement for authorization for use or disclosure of private health information may be obtained from the IRB by the researcher. A waiver of authorization can be approved only if specific criteria have been met. [See Authorization]