DHHS POLICY AND PROCEDURE MANUAL

Section VIII: Security and Privacy
Title: Privacy Manual
Chapter: Definitions
Current Effective Date: December 5, 2003
Revision History:
Original Effective Date: April 14, 2003

Key privacy terms found in the NC Department of Health and Human Services (DHHS) Privacy Policies are defined below.

Access to Health Information: Refers to the right of DHHS clients to request to inspect and copy their health information in any designated record set maintained by a DHHS agency.

Accounting of Disclosures: Refers to the right of DHHS clients to a statement of the disclosures made by a DHHS agency of their health information, for a period of time not to exceed six years prior to the date of such request. Such requests may not include dates prior to April 14, 2003.

Agency: An administrative unit of government. Within DHHS, an agency may be a division, office, facility, or subunit of any of these organizations. Within State Government, another department and its divisions, offices, facilities, or subunits may also be referred to as an ‘agency’.

Amendment of Health Information: Refers to the right of clients to request to amend or correct information that is contained in any DHHS covered health care component’s designated record set.

Authorization: Permission given to a DHHS agency by a client, or a client’s personal representative, to disclose the client’s individually identifiable health information to a specific person or entity, for a specific purpose. Although most authorizations are written, there are specific circumstances when verbal authorization is acceptable.

Business Associate: A person, organization, or agency that provides specific functions, activities, or services that involve the use, creation, or disclosure of individually identifiable health information for, or on behalf of, a HIPAA covered health care component. Examples of business associate functions are activities such as claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing; and legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

DHHS Internal Business Associate: A non-covered unit within the same division, or a unit in another DHHS division, that performs HIPAA covered functions for, or on behalf of, a covered health care component.

DHHS External Business Associate: Another state government department or public/private contractor that performs HIPAA covered functions for, or on behalf of, a covered health care component.

Civil Investigative Demand:
1. If the Attorney General has reasonable cause to believe that a person has information or is in possession, custody, or control of any document or other tangible object relevant to an investigation or that would lead to the discovery of relevant information in an investigation of a violation of North Carolina General Statute (NCGS) 108A-70.12, the Attorney General may serve upon the person, before bringing an action under NCGS 108A-70.12 or other false claims law, a civil investigative demand to appear and be examined under oath, to answer written interrogatories under oath, and to produce any documents or objects for their inspection and copying.
2. The civil investigative demand shall:
   - Be served upon the person in the manner required for service of process in civil actions and may be served by the Attorney General or an investigator assigned to the NC Department of Justice;
   - Describe the nature of the conduct constituting the violation under investigation;
   - Describe the class or classes of any documents or objects to be produced with sufficient definiteness to permit them to be fairly identified;
   - Contain a copy of any written interrogatories to be answered;
   - Prescribe a reasonable date and time at which the person shall appear to testify, answer any written interrogatories, or produce any document or object;
   - Advise the person that objections to or reasons for not complying with the demand may be filed with the Attorney General on or before that date and time;
   - Specify a place for the taking of testimony;
   - Designate a person to whom answers to written interrogatories shall be submitted and to whom any document or object shall be produced; and
   - Contain a copy of subsections (b) and (c) of this section.
3. The date within which to answer any written interrogatories and within which any document or object must be produced shall be more than 30 days after the civil investigative demand has been served upon the person. The date within which a person must appear to testify shall be more than 15 days after the demand has been served upon a person who resides out-of-state, or more than 10 days after the demand has been served upon a person who resides in-state.

Client: An individual who receives services from a DHHS agency. Any individual who makes inquiries, is interviewed, or is or has been otherwise served to some extent by DHHS is also considered a client. ‘Client’ is synonymous with other terms used by DHHS agencies such as patient, resident, consumer, recipient, student, or customer.
Consent: Permission given to a DHHS agency by a client or a client’s personal representative, prior to the client receiving health care services, participating in a research study, or prior to the client’s health information being used by staff in the agency. Written consent is required, except in emergency situations, when verbal consent is acceptable until written consent may be obtained.

Contrary: When used to compare a provision of a state law to a federal standard, requirement, or implementation specification, means:
1. A covered health care component would find it impossible to comply with both the state and federal requirements; or
2. The provision of state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the federal requirement.

Correctional Institution: Any facility that provides punishment, control, and rehabilitation services to inmates and is operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody (including juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial).

Covered Entity: One of the following organizations that is subject to the HIPAA regulations:
- A health plan;
- A health care clearinghouse; or
- A health care provider who transmits any health information in electronic form in connection with a transaction that is subject to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Covered Functions: Those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.

Covered Health Care Component: An agency or a portion of an agency within DHHS (a hybrid entity) that performs a HIPAA covered function and is thereby considered a covered health plan, health care clearinghouse, or health care provider; OR, a DHHS agency or portion of an agency that performs a covered function for, or on behalf of, a DHHS covered health care component and is thereby considered an internal business associate.

Data Use Agreement: Refers to a documented arrangement between a covered health care component and another entity concerning the permitted uses and disclosures of a limited data set of individually identifying health information that will be received by the entity from the covered entity. Entities that receive limited data sets can only use the information for the purposes of research, public health, or health care operations. If a data use agreement is in place, the limited data set of individually identifying health information can be used without obtaining client authorization.

De-identified Information: Health information that does not specifically identify a client and for which there is no reasonable basis to believe that the de-identified information alone could be used to identify the client. De-identified information is not considered protected health information and can be released without patient authorization, in compliance with other federal or state laws.

Department: The NC Department of Health and Human Services (DHHS).

Designated Record Set: A group of records maintained, collected, used, or disseminated by or for a covered entity that contains individually identifiable health information and is used to make decisions about clients. Individually identifiable health information contained in any form of client record, operational or financial database, or billing system constitutes a designated record set.

Direct Treatment Relationship: Refers to treatment received by a client directly from a health care provider.

Disclosure: The dissemination of information by a covered health care component maintaining the information to entities outside the covered health care component.

Extended Workforce: Contractors, volunteers, trainees, students, and other persons whose conduct, in the performance of work for a DHHS agency that maintains individually identifying health information, is under the direct control of such entity, whether or not they are paid by that agency. Extended workforce members must follow DHHS and agency policies and procedures.

External Business Associate: A public/private contractor or a state government department or agency outside of DHHS that performs activities for, or on behalf of, a DHHS covered health care component that involve the use or disclosure of individually identifiable health information. For example, the NC Office of the Attorney General in the Department of Justice provides legal services, a covered function, for DHHS agencies.

Family Educational Rights and Privacy Act (FERPA): A federal law [20 United States Code (USC) § 1232g; 34 Code of Federal Regulations (CFR) Part 99] that sets forth the rights of a student’s parents and of students, and the correlating duties of education agencies and institutions regarding education records. The law applies to all schools that receive funds under an applicable program of the United States (US) Department of Education.

Fundraising: The organized activity of raising funds for an agency’s cause.

Health Care: Services or supplies related to the health of an individual.
Health care includes, but is not limited to, the following:
- Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care; and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
- Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, a community health management information system or community health information system, or “value-added” networks or switches, that performs or facilitates the conversion of health information in nonstandard formats to standard formats for use in standard HIPAA transactions (and vice versa). Health care clearinghouses are HIPAA covered entities.

Health Care Operations: Any of the activities listed below that are performed by or for a covered entity, to the extent that the activities are related to covered functions:
- Quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.
- Reviewing the competence, qualifications, or performance of health care providers, or the evaluation of a health plan’s performance.
- Training students, trainees, or health care practitioners so that they can practice or improve their skills as health care providers.
- Training of non-health care professionals.
- Accreditation, certification, licensing, or credentialing activities.
- Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits.
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
- Business planning and development.
- Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that individually identifiable health information is not disclosed.
- Resolution of internal grievances.
- Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor is a covered entity or, following completion of the sale or transfer, will become a covered entity.
- Creating de-identified health information.
- Performing fundraising or marketing activities for the benefit of the covered entity for which an individual authorization is not required.

Health Care Plan: An individual or group that provides or pays the cost of health care.
A health plan includes the following, singly or in combination:
- Group health plan;
- Health insurance issuer;
- Health Maintenance Organization;
- Part A or Part B of the Medicare program;
- Medicaid;
- Issuer of a Medicare supplemental policy;
- Long-term care, excluding nursing home fixed-indemnity policies;
- Employee welfare benefit plan established and maintained to offer or provide health benefits for employees with two or more employers;
- Health care for active military personnel and veterans;
- Civilian Health and Medical Program of the Uniformed Services (CHAMPUS);
- Indian Health Service (IHS) under the Indian Health Care Improvement Act;
- Federal Employees Health Benefits Program;
- An approved state child health care plan established in accordance with the Social Security Act;
- Medicare+Choice program under the Social Security Act; and
- A high risk pool that is a mechanism established by a state to provide health insurance coverage or comparable coverage to eligible individuals.

Health care plans exclude:
- Any policy, plan, or program that pays for the following benefits:
  - Coverage only for accident or disability income insurance, or any combination thereof;
  - Coverage issued as a supplement to liability insurance;
  - Liability insurance, including general liability insurance and automobile liability insurance;
  - Workers' compensation or similar insurance;
  - Automobile medical payment insurance;
  - Credit-only insurance;
  - Coverage for on-site medical clinics; or
  - Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits; and
- A government funded program:
  - Whose principal purpose is other than providing or paying for the cost of health care; or
  - Whose principal activity is the direct provision of health care to individuals or the making of grants to fund the direct provision of health care to individuals.

Health Care Provider: Refers to individuals such as physicians, nurses, psychotherapists, and other persons; and entities such as hospitals, nursing homes, clinical labs, and pharmacies that furnish, bill, or are paid for health care.

Health Information: Any information, whether oral or recorded in any form or medium, that:
- Is created, maintained, or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care services to an individual.

Health Record: An official written record of a client’s history, illness, and treatment during a specified period of time, which is compiled and maintained by the health care provider.

HHS: The United States Department of Health and Human Services.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986.
HIPAA was enacted to:
- Improve portability and continuity of health insurance coverage in the group and individual markets;
- Combat waste, fraud, and abuse in health insurance and health care delivery;
- Promote the use of medical savings accounts;
- Improve access to long-term care services and coverage;
- Simplify the administration of health insurance through the standardization of electronic client health, administrative and financial data, and unique health identifiers for individuals, employers, health plans, and health care providers; and
- Create national privacy and security standards to protect the confidentiality and integrity of past, present, and future individually identifiable health information.

Hybrid Entity: A single legal entity:
- That is a covered entity whose business functions include both covered and noncovered functions; and
- That identifies and designates the covered health care components within the entity.
DHHS has been designated as a Hybrid Entity.

Incident: Any happening that is not consistent with the routine operation of a health care provider or the routine care of a client.

Incidental Access or Disclosure: An unpredictable exposure to individually identifying health information that occurs as a result of an activity taking place where individually identifying health information is created, used, received, transmitted, or stored. For example, a cleaning lady may enter the office of a health care provider while that provider is reviewing X-rays and inadvertently see the name of the client on the film.
Indirect Treatment Relationship: An association between a client and a health care provider in which:
- The indirect provider delivers health care to the client based on the orders of a direct health care provider; and
- The indirect provider typically provides services or products, and reports the diagnosis or results to the direct health care provider, who in turn provides the diagnosis or results directly to the client.

Individual: The person who is the subject of individually identifying health information.

Individually Identifiable Health Information (IIHI): A subset of health information that is collected from a client, including demographic information, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- Identifies the individual; or
- There is a reasonable basis to believe the information can be used to identify the individual.

NOTE: According to the HHS Office of Civil Rights (OCR), the identification of a health care provider/facility is considered to be indicative of the provision of health care services; therefore, if an individual identifier for a DHHS client is combined with the name of a health care provider, such information is considered individually identifiable health information.

Inmate: A person who is committed, under sentence to, or confined in a penal or correctional institution.

Institutional Review Board (IRB): A board, committee, or other group formally designated by an institution to review, to approve the initiation of, and to conduct periodic review of biomedical research involving humans as subjects. The primary purpose of such review is to assure the protection of the rights and welfare of the human subjects. IRBs also have the authority to approve requests to alter or waive the HIPAA authorization requirement for research purposes. IRBs have authority to approve, require modification to, disapprove, and conduct periodic reviews of all research activities covered by the Common Rule and the FDA Protection of Human Subjects Regulations (45 CFR 46, Subpart A and 21 CFR 50, respectively). Requirements concerning the composition and procedures of an IRB are defined in 45 CFR 46 (for research subject to 45 CFR 46) and in 21 CFR 56 (for research subject to 21 CFR 50).

Internal Business Associate: A DHHS division or office, or a component within a DHHS division or office, that performs activities for or on behalf of a DHHS covered health care component that involve the use or disclosure of individually identifiable health information. An internal business associate can be in the same or a different agency as the covered health care component. For example, the Central Billing Office in the DHHS Office of the Controller is an internal business associate of the DMH/DD/SAS facilities because the Central Billing Office provides a billing service for those facilities.

Institution: Any penal or correctional facility, including but not limited to a facility for the mentally ill or mentally defective, in which inmates may lawfully be confined. In the case of DHHS mental institutions, clients may also be voluntarily admitted.

Limited Data Set: A set of data to be used only in public health, health care operations or research that excludes specified direct identifiers about individuals, their relatives, their employers, or members of their households.
Limited data sets may be disclosed pursuant to written “Data Use Agreements” and are exempt from the accounting of disclosure requirements.

Long Term Care Ombudsman: An advocate in the DHHS Division of Aging for residents in nursing homes and adult care homes (rest homes/assisted living) throughout North Carolina. Ombudsmen receive and investigate complaints made by or on behalf of long term care residents and work for their resolution. The Ombudsman Program is an advocacy program, not a regulatory agency.

Marketing: Communication about a product or service, the purpose of which is to encourage clients to purchase or use the product or service. The following communications are NOT considered marketing:
- Describing a product or service provided by the agency;
- Reviewing treatment of a client;
- Discussing case management or coordination of care; and
- Recommending alternative treatments.

Minimum Necessary: The least amount of health information necessary to accomplish the intended purpose of a use, disclosure, or request.

More Stringent: When used in the context of a comparison between a provision in a state law and a federal standard, requirement, or implementation specification, the determination of which restriction or permission imposes the most rigorous standards or provides the greater privileges.

Non-covered Health Care Component: A DHHS agency, or a portion of an agency, that maintains individually identifiable health information but has been exempted from complying with HIPAA requirements. Such agencies are required to comply with specific DHHS privacy policies.

Notice of Privacy Practices: A document created by a covered health care component that informs clients of their privacy rights and of the covered health care component’s responsibilities with respect to the use and disclosure of their health information.
Office of Civil Rights (OCR): The agency within the US Department of Health and Human Services that is responsible for enforcing the HIPAA Privacy Regulations.

Payment: Activities undertaken by:
- A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
- A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care.
Payment activities relate to the client to whom health care is provided and include, but are not limited to:
- Determinations of eligibility or coverage (including coordination of benefits) and claims adjudication;
- Risk adjustments;
- Billing, claims management, and collection activities;
- Medical necessity review and/or justification of charges;
- Utilization review activities; and
- Disclosure to consumer reporting agencies of any of the following individually identifying health information relating to collection of premiums or reimbursement:
  - Name and address;
  - Date of birth;
  - Social Security Number;
  - Payment history;
  - Account number; and
  - The name and address of the health care provider and/or health plan.

Personal Representative: A person who has been granted specific authority by law or custody order to act for another individual who is, in some manner, considered incapacitated. A personal representative is the same as a ‘legally responsible person’ as defined in NC General Statute 122C-3 (20); a ‘health care power of attorney’ as defined in Article 3 of NC General Statute 32A; or a ‘guardian of the person’ as defined by NC General Statute 35A-1202.

Privacy: According to Webster, privacy means: “1.a. The quality or condition of being secluded from the presence or view of others. b. The state of being free from unsanctioned intrusion: a person’s right to privacy. 2. The state of being concealed; secrecy.” Privacy of health information refers to the legal right to, or public expectation of, confidentiality in the collection and sharing of an individual’s identifying health information. Privacy problems exist wherever individually identifiable health information that is collected and stored is disclosed for purposes other than that for which it was gathered, or against the express wishes of the client. The challenge in health information privacy is to share data for valid purposes (e.g., state mandated health reporting, health screening, disease registries), while protecting the individually identifiable health information from improper use. In the majority of cases, individuals should retain the right to decide to whom and under what circumstances their individually identifiable health information will be disclosed.

Privacy Board: A review board that has the authority to approve requests to alter or waive the HIPAA authorization requirement for a research protocol. (NOTE: all other reviews related to research on human subjects must be conducted by an Institutional Review Board.) A Privacy Board must be comprised of:
- Members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;
- At least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
- No members participating in a review of any project in which the member has a conflict of interest.

Protected Health Information (PHI): A term used in the HIPAA Privacy Regulations that has the same meaning as ‘individually identifiable health information’.
The term ‘individually identifiable health information’ was used in the DHHS Privacy Policies to describe any information, including demographic information, that has the potential of tying the identity of a client to his/her health information.

Psychotherapy Notes: Notes recorded in any medium by a mental health care provider documenting or analyzing the contents of conversation during a private or a group, joint, or family counseling session and that are separated from the rest of a client’s health record. Psychotherapy notes exclude medication prescriptions and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items:
- Diagnosis;
- Functional status;
- Treatment plan;
- Symptoms;
- Prognosis; and
- Progress to date.

Required by Law: In this context, a mandate contained in state or federal law that compels an entity to make a use or disclosure of individually identifying health information and that is enforceable in a court of law. Includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons; a civil or an authorized investigative demand; conditions for health care providers participating in the Medicare program; and statutes or regulations that require the production of the information.

Research: A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. HIPAA further defines research as the development of research repositories and research databases.

Safeguards: Precautionary measures established to provide protections of individually identifiable health information from unauthorized use or disclosure and to further protect such information from tampering, loss, alteration, or damage. Such measures include development and implementation of policies and procedures, as well as the implementation of physical and technical mechanisms determined necessary to provide adequate protections.

Signature: The act of signing one’s own name. A signature may also be valid by making a ‘mark’ or impressing some other sign or symbol on a paper by which the signature, though written by another for him, may be identified.

Treatment: The provision, coordination, or management of health care and related services by one or more health care providers, including:
- The coordination or management of health care by a health care provider with a third party;
- Consultation between health care providers relating to a patient; or
- The referral of a patient for health care from one health care provider to another.

Use: The sharing of individually identifiable health information about clients within an agency by the agency workforce in carrying out their roles and responsibilities.

Waiver/Alteration of Authorization: The removal or modification of the requirement to obtain authorization from research subjects prior to the use or disclosure of their individually identifying health information for a particular research protocol.

Workforce: Full and part time employees of a DHHS agency.

Workstation: Administrative and treatment areas in a facility where individually identifiable health information is routinely used. A workstation typically includes a computer and other office equipment, as needed.

References: 45 CFR 160.103; 45 CFR 164.103; 45 CFR 164.501; 45 CFR 164.512(i)(1)(i)(B); NCGS 148-120; NCGS 122C-53(a); NCGS 122C-57; 10 NCAC 14G.0102; 10A NCAC 26B.0103; NCGS 108A-70.14; Webster's Revised Unabridged Dictionary, © 1996, 1998 MICRA, Inc.