HCISPP


Affiliated Covered Entity

(ACE) Legally separate covered entities that are affiliated may designate themselves as a single covered entity for the purposes of the HIPAA Privacy Rule. Under this affiliation, the organizations need only appoint one privacy official, administer common training programs, and use one business associate contract.

Ambulatory Patient Groups

(APGs) were developed to encompass the full range of ambulatory settings, including same-day surgery units, hospital emergency rooms, and outpatient clinics. They are a patient classification system designed to explain the amount and type of resources used in an ambulatory visit. Patients in each APG have similar clinical characteristics and similar resource use and cost. Similar resource use means that the resources used are relatively constant across the patients within each APG.

Likelihood

A weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability.

Freedom of Information Act

A basis for obtaining federal stores of information that are seen as publicly accessible; it is frequently used by private citizens for political or legal issues.

Provider

A classical definition is a person who helps in identifying, preventing, or treating illness or disability.

Business Associates Agreement

A contract with a covered entity that meets the HIPAA Privacy Rule's applicable contract requirements

American Reinvestment and Recovery Act

(ARRA) was enacted on 02/17/09 and includes many measures to modernize the nation's infrastructure, one of which is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act supports the concept of Meaningful Use (MU) of health information technology (IT) and healthcare reform to help healthcare organizations meet their clinical and business objectives via HIE. MU requirements consist of payment approaches that stress care coordination, and federal financial incentives are driving the interest in and demand for HIE.

Business Associates

(BA) The Privacy Rule allows covered providers and health plans to disclose protected health information to a variety of businesses that provide services to them and have access to their patients' PHI, such as billing services, attorneys, accountants, and consultants.

Current Procedural Terminology

(CPT) codes are published by the American Medical Association. A CPT code is a five-digit numeric code used to describe the medical, surgical, laboratory, anesthesiology, and evaluation and management services of physicians, hospitals, and other healthcare providers. There are approximately 7,800 codes. Two-digit modifiers may be appended when appropriate to clarify or modify the description of the procedure.

Digital Imaging and Communications in Medicine

(DICOM) The international standard for medical images and related information. It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use. It is implemented in almost every radiology, imaging, and radiotherapy device, and increasingly in devices in other medical domains such as ophthalmology and dentistry. With thousands of imaging devices in use, it is one of the most widely deployed healthcare messaging standards in the world.

Data Lifecycle Management

(DLM) is a policy-based approach to managing the flow of an information system's data through its lifecycle. DLM products automate the processes involved, typically organizing data into separate tiers according to specified policies and automating data migration from one tier to another based on those criteria. As a rule, newer data and data that must be accessed more frequently is stored on faster but more expensive storage media, while less critical data is stored on cheaper but slower media.

Diagnosis related groups

(DRG) is a capitation approach that focuses on hospitalization. Price is set based on categories of illness. The DRG classification of diseases is a nominal scale used to describe the illness leading to hospitalization.

Medicaid

Government-funded health care: a program funded by the US federal and state governments that pays the medical expenses of people who are unable to pay some or all of their own medical expenses.

Healthcare common procedure coding system

HCPCS is used to report hospital outpatient procedures and physician services. These coding systems serve an important function for physician reimbursement, hospital payments, quality review, benchmarking measurement, and the collection of general medical statistical data.

Health Information Exchange

Allows healthcare professionals and patients to appropriately access and securely share a patient's vital information electronically.

Information Security Architect

An individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture.

Control

An action or practice that closes a vulnerability or a weakness that would allow a threat to protected information to be actualized, for example, protected personal information being lost or misused.

Health Insurance Portability and Accountability Act of 1996

HITECH, ARRA, the privacy rule, the security rule, enforcement rule, and breach notification rule.

Authorization

An individual's permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study.

Personally Identifiable Information

Any information that allows positive identification of an individual, usually as a combination of several characteristics.

Head of agency

The highest-level senior official or executive within an organization with the overall responsibility to provide information security protections.

Informed Consent

The individual's permission to participate in the research. Provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things.

Covered Entity

Any organization or corporation that directly handles PHI or PHRs. They include public clinics, nursing homes, pharmacies, specialty hospitals, homecare programs, home meal programs, hospice, and durable medical equipment suppliers.

Human Research

Any proposal relating to human subjects, including healthy volunteers, that cannot be considered an element of accepted clinical management or public health practice and that involves either physical or psychological intervention or observation, or the collection, storage, and dissemination of information relating to individuals. This definition relates not only to planned trials involving human subjects but to research in which environmental factors are manipulated in a way that could incidentally expose individuals to undue risks.

Hierarchical Storage Management

HSM is one type of DLM product. It represents different types of storage media, such as redundant array of independent disks (RAID) systems, optical storage, or tape, each type representing a different level of cost and speed of retrieval when access is needed. An administrator can establish guidelines for how often different kinds of files are to be copied to a backup storage device. Once a guideline has been set, the software manages everything automatically.

Joint Commission

Has been a champion of patient safety by helping healthcare organizations improve the quality and safety of the care they provide. It evaluates and accredits healthcare organizations and programs in the US and is the nation's predominant standards-setting and accrediting body in healthcare. The National Patient Safety Goals (NPSGs), which all accredited organizations are required to implement to improve the safety and quality of care, are updated annually.

Enterprise Content Management

Includes the technologies, tools, and methods used to capture, manage, store, preserve, and deliver content across an enterprise.

Record Creation, Capture, or Receipt

This phase includes creating, editing, and reviewing work in process as well as capture of content (e.g., through document imaging technology) or receipt of content (e.g., through a health information exchange). Every organization must establish business rules for determining when content or documents become records.

Data Owners

Two types: 1) the person to whom the actual data pertains, i.e., the patient receiving the treatment. This is the individual who has the final determination of how the data is used and by whom the data can be used or disclosed. 2) The healthcare organization that provides the treatment services for the patient and captures information during treatment services.

High Deductible Health Plans

Typically feature lower premiums and higher deductibles than traditional insurance plans.

Security Professionals

Use technology and human efforts to provide protection of, and control access to, the data and information that is considered private.

Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Assurance Program

Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations.

Data Use Agreement

Very similar to the BAA, in which the recipient of the data set agrees to limit the use of the data to the purposes for which it was given, to ensure the security of the data, and not to identify the information or use it to contact any individual.

Minimum necessary

When using or disclosing PHI, or when requesting PHI from another covered entity, a covered entity generally must make reasonable efforts to limit PHI to the _________________ to accomplish the intended purpose of the use, disclosure, or request.

HITECH

Legislation that was created to stimulate the adoption of EHR and supporting technology in the US. Signed into law on 02/17/09 as part of the American Recovery and Reinvestment Act of 2009, an economic stimulus bill. It stipulates that, beginning in 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of EHR. Incentives were offered until 2015, after which time penalties may be levied for failing to demonstrate such use. The act also establishes grants for training centers for the personnel required to support a health IT infrastructure.

Treatment

Means the provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one provider to another.

Healthcare Records Management

Must manage organizational information so that it is timely, accurate, complete, cost-effective, accessible, and usable. An effective program addresses both creation control and records retention, thus stabilizing the growth of records in all formats.

National Uniform Billing Committee

NUBC is a voluntary committee whose work is coordinated through the offices of the American Hospital Association (AHA) and includes participation of all the major national provider and payer organizations. The committee was originally formed to develop a single standard billing format and data set to be used nationwide by institutional providers and payers for handling healthcare claims. Today the committee monitors and manages the utilization of this standard (UB) and the data set used throughout the industry for billing transactions.

Employer Sponsored insurance

Often called group health insurance; the employer is responsible for a significant portion of the healthcare expenses. Group health plans are also guaranteed issue, meaning that a carrier must cover all applicants whose employment qualifies them for coverage. In addition, employer-sponsored plans typically are able to include a range of plan options, from HMO and PPO plans to additional coverage such as dental, life, and short- and long-term disability.

Record Maintenance and Use

Once records are created, they must be maintained in such a way that they are accessible and retrievable. Components of this phase include functions, rules, and protocols for indexing, searching, retrieving, processing, routing, and distributing.

Due Care

An organization's leadership exercises the care that ordinarily prudent and reasonable persons would exercise under the same circumstances.

NIST

Part of the US Department of Commerce; addresses the measurement infrastructure within science and technology efforts within the US federal government.

Risk

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

Federal Information Processing Standards

Publications that specifically target US federal agencies and are currently the approved standards for compliance with the Information Technology Reform Act of 1996 and FISMA of 2002.

Electronic Patient Health Information

Refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains or transmits in electronic form.

Confidentiality

Refers to preventing the disclosure of information to unauthorized individuals or systems. Necessary for maintaining the privacy of the people whose personal information is held in the system.

Security Rule

Requires physician practices to implement a number of administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

HIPAA Privacy Rule

Restricts covered entities' and business associates' use and disclosure of an individual's PHI.

Catastrophic Health Insurance Plan

Covers essential health benefits but has a very high deductible. This means it provides a kind of "safety net" coverage in case the patient has an accident or serious illness. Such plans usually do not provide coverage for services such as prescription drugs or shots.

Key Performance Indicators

Create a feedback loop to measure whether the security strategy and program are on target or need refinement.

Exclusive Provider Organizations

EPOs are similar to PPOs, but they reimburse members only for services rendered by providers in their network. Like PPOs, the patient pays a percentage of every medical bill up to a certain level. Some EPOs allow the patient to forgo a primary care physician and refer themselves to a specialist as long as that provider is in the network. EPOs may limit coverage to providers inside their network.

Data Interoperability

Eliminates barriers to data sharing by providing direct data access; data translation tools; and the ability to build complex spatial extraction, transformation, and loading processes. Standardized data messaging facilitates __________ between health information systems regardless of the database models employed by individual healthcare enterprises. There are three levels: Foundational, Structural, and Semantic.

Medicare

A government program of hospitalization insurance and voluntary medical insurance for persons aged 65 and over, and for certain disabled persons under 65.

Designated record set

A group of records maintained by or for a covered entity that includes the medical records and billing records about individuals maintained by or for a covered healthcare provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or records used, in whole or in part, by or for the covered entity to make decisions about individuals.

OCTAVE

A methodology in which an organization manages and directs an information security risk evaluation for itself.

Data Classification

A program that looks at the different types of data an organization handles, classifies those pieces of data based on sensitivity, and establishes procedures to make sure each of these pieces of information is treated properly. The big-picture rationale of a data classification program is to reduce risk and bring enterprise-wide consistency to data handling.

Healthcare Clearinghouse

A public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements. The entity receives healthcare transactions from healthcare providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to the appropriate payers.

Capitation

Sometimes doctors reach an agreement with a managed care organization under which the doctor is paid per person. Under this agreement, doctors accept members of the plan for a certain set price per member, no matter how often the member sees the doctor.

Data Quality

Standardizes and verifies data by using a reference database or a defined set of business rules and corporate standards. The quality building block includes technologies that encompass parsing, transformation, verification, and validation.

Payment Card Industry Data Security Standard

Targets merchants who accept product and service payments from customers using specific credit cards.

NIST Interagency Reports

Technical research reports targeting specialized audiences, including interim and final reports. These are for information technology and security specialists who wish to keep abreast of the latest research within the CSD.

Good Clinical Research Practice

GCP is a process that incorporates established ethical and scientific quality standards for the design, conduct, recording, and reporting of clinical research involving the participation of human subjects. Compliance provides public assurance that the rights, safety, and well-being of research subjects are protected and respected, and ensures the integrity of clinical research data.

Unique user identifier

A combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity.

Nationwide Health Information Network Exchange

A confederation of stakeholders at the forefront of HIE, including federal agencies; state, regional, and local health information organizations; integrated delivery networks; and private organizations.

Hybrid information security governance structure

A governance structure where the authority, responsibility, and decision-making power are distributed between a central body and individual subordinate organizations.

centralized governance structure

A governance structure where the authority, responsibility, and decision-making power are vested solely within central bodies.

decentralized information security governance structure

A governance structure where the authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization.

Value-added Network (VAN)

A hosted service offering that acts as an intermediary between business partners such as hospitals and insurance payers. A VAN simplifies the communications process by reducing the number of parties with which a company needs to facilitate electronic data interchange (EDI). VANs provide a number of services, e.g., HIPAA compliance checking, acknowledgements, retransmitting documents, providing third-party audit information, acting as a gateway for different transmission methods, and handling telecommunications support.

Payment Card Industry

A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

corrective action plan

A plan that takes the output of the risk assessment and identifies the tasks needing to be accomplished to mitigate

Need to know

A security principle stating that a user should have access only to the data he or she needs to perform a particular function.

authorizing official

A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the nation.

Server

A software program, or the computer on which that program runs, that provides a specific kind of service to client software running on the computers of a network.

Pharmacy

A store where medicinal drugs are dispensed or compounded and sold. It can also be defined as a branch of the health sciences that deals with the preparation, dispensing, and utilization of drugs. It involves the process through which a pharmacist cooperates with a patient and other professionals in designing, implementing, and monitoring a therapeutic plan that will produce specific therapeutic outcomes for the patient.

Exposure

A system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

classification system

A system designed to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information.

Private Health Insurance

A system in which individuals are responsible for securing their own health insurance coverage, although employers in many cases provide all or some of the funding. Supporters of the system say that it encourages freedom of choice in health insurance and provides the best possible quality of care.

Self-Pay

A type of fee-for-service, because the patients or the guarantors (responsible persons, such as the parents of children) pay a specific amount for each service received. The patients or guarantors make such payments themselves to the providers, such as physicians, clinics, or hospitals, that render each service. The patients or guarantors then seek reimbursement from their private health insurance or the governmental agency that covers their health benefits.

Occupational Safety and Health Administration

A unit of the US Department of Labor; addresses safety and protection of workers in organizations that involve hazards and hazardous wastes as potential sources of injuries and health-related problems.

Vulnerability

A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Breach

An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Risk Executive

An individual or group within an organization that helps to ensure that risk-related considerations for individual information systems, including authorization decisions, are viewed from an organization-wide perspective.

Information System Security Officer

An individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and who, as such, works in close collaboration with the information system owner.

Information System Security Engineer

An individual, group, or organization responsible for conducting information system security engineering activities.

security control assessor

An individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls.

Information Systems Owner

An organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.

Information Owner

An organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.

Threat

Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

Healthcare Operations

Any of the following activities of the covered entity, to the extent that the activities are related to covered functions: conducting quality assessment and improvement activities; reviewing the competence or qualifications of healthcare professionals; underwriting and premium rating; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning; and business management and general administrative activities of the entity.

Vulnerability assessments

Assessment focused on the technology aspects of an organization, such as the network or applications.

Agile Defense

Assumes that a small percentage of threats from purposeful cyber attacks will be successful in compromising organizational information systems through the supply chain by defeating the initial safeguards and countermeasures.

Risk avoidance

May be the appropriate risk response when the identified risk exceeds the organizational risk tolerance.

Limited data set

Means PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual

Hybrid entity

Means a single legal entity that is a covered entity and whose covered functions are not its primary function.

Records, Inactive

Means that the records are used rarely but must be retained for reference or to meet the full retention requirement. Inactive records usually involve a patient who has not sought treatment for a period of time or one who has completed his or her course of treatment.

Use

Means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Network Management

Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.

Network Security

Must protect the computer network and its services from unauthorized modification, destruction, or disclosure.

Taxonomy

Refers to a hierarchical system that comprises vocabulary and terms; in turn, vocabulary is made up of terms, or names, at the most basic level. The major advantage is simplicity: if there is one taxonomy, then there is the assumption that everyone is or will be made aware of it, understands the vocabulary and classifications, accepts it, and utilizes what is known.

The HIPAA Transaction and Code Sets Standard/Rule (TCS)

HIPAA regulations are divided into four Standards or Rules: (1) Privacy, (2) Security, (3) Identifiers, and (4) Transactions and Code Sets (TCS). The TCS Standard/Rule was first released in August 2000 and updated in May 2002; it took effect on 16 October 2003 for all covered entities. Regulations associated with the TCS Rule mandate uniform electronic interchange formats for all covered entities. It is this standardization, along with the introduction of uniform identifiers for plans, providers, employers, and patients under the Identifier Rule, that is expected to produce the efficiency savings of "administrative simplification."

Common control providers

Responsible for documenting the organization-identified common controls in a security plan.

Institutional Review Board

Reviews plans for research involving human subjects. Institutions that accept research funding from the federal government must have an IRB to review all research involving human subjects. The FDA and the Office for Human Research Protections (OHRP) (part of the National Institutes of Health) set the guidelines and regulations governing human subjects research and IRBs.

Resource Utilization Groups

Similar to DRGs in concept. Each facility is paid a daily rate based on the needs of individual Medicare patients, with an adjustment for local labor cost.

Data Processors

Specific technical staff who are involved in implementing the software systems that support health information processing.

Procedures

State how the policies are meant to be implemented.

policies

State what needs to be done.

Medical Coding

Systems that assign a distinct numeric value to medical diagnoses, procedures and surgery, signs and symptoms of disease and ill-defined conditions, poisoning, adverse effects of drugs, complications of surgery, and medical care. The assigned codes and other patient data are processed by grouper software to determine a DRG for the episode of care, which is used for funding and reimbursement.

Personal Health Information

The PII involved with the healthcare and treatment of an individual.

Payment

The activities undertaken by either a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or by a covered healthcare provider or health plan to obtain or provide reimbursement for the provision of healthcare.

risk mitigation

The appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.

Risk sharing

The appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.

Risk acceptance

The appropriate risk response when the identified risk is within the organizational risk tolerance.

Modality

The channel through which information is transmitted. The main forms include auditory, visual, and tactile.

residual risk

The current state of risk after applying risk response strategies.

Health Information

The data collected about a specific person, potentially across a number of treatment services from a number of healthcare organizations.

Due Diligence

The enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively.

Primary Entity

The entity that has the relationship with the patient. That could be a doctor, hospital, pharmacy, or insurance company.

Office of Civil Rights

The federal agency within HHS with oversight over HIPAA privacy, security, and breach notification requirements. It established a comprehensive audit protocol that physician practices may wish to consider as they review and update their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas. The OCR HIPAA Audit program analyzes the processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.

Preferred Provider Organization

The form of managed care closest to an indemnity plan, which typically allows you to see any doctor at any time. It negotiates discounts with doctors, hospitals, and other providers, who then become part of the network.

Public Health Insurance

The government provides its own health insurance, but private insurance companies continue to provide insurance as another option for citizens. Proponents point to private insurance's inability to provide for every single person, often leaving people without health care coverage, which can result in avoidance of care and even bankruptcy.

Reimbursement

The health care term that refers to the compensation or repayment for health care services. Reimbursement is being repaid or compensated for expenses already incurred or, as in the case of health care, for services that have already been provided.

Impact

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Administrative Controls

controls that capture things such as who is responsible for information security at the third party, what types of processes the third party has in place to request access to data, and also would include ensuring that the third party has appropriate security policies, procedures, and standards

Preventative controls

controls that deter, detect, and or reduce impacts to the system

Physical controls

controls that encompass areas such as facility access, fire protection, and visitor procedures

detective controls

controls that reduce the risk of exposing sensitive personal and health information

International Classification of Disease

the most widely recognized medical classification, maintained by the World Health Organization. Its primary purpose is to categorize diseases for morbidity and mortality reporting. The United States has used a clinical modification for the additional purpose of reimbursement. The CM in the name means clinical modification. It is used by hospitals and other facilities to describe any health challenges a patient has, from diagnosis and symptoms to outcomes from treatment, to causes of death. ICD-10-CM and PCS group together similar diseases and procedures and organize related entities for easy retrieval.

Individual

the person who is the subject of the PHI

Senior Information Security Officer

the primary liaison for the CIO to the organization's authorizing officials, information system owners, common control providers, and information system security officers.

Accountability principle

the principle that states that a data controller should be accountable for complying with measures

Security safeguards principle

the principle that states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

Data quality principle

the principle that states that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date

use limitation principle

the principle that states that personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the purpose specification principle

Collection Limitation Principle

the principle that states that there should be limits to the collection of personal data and that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Purpose specification principle

the principle that states that the purposes for which personal data is collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

security

determines what protections need to be in place to guard data based on its sensitivity and value as well as the risk of exposure

Privacy

dictates what needs to be protected

Information Access Control

formal, documented policies and procedures for granting different levels of access to healthcare information

Metadata

generated at various points in the records management lifecycle, providing underlying data to describe the document, specify access controls and rights, provide retention and disposition instructions, and maintain the record history and audit trail.

Payer

in health care generally refers to entities other than the patient that finance or reimburse the cost of health services.

Data Augmentation

includes demographic, geographic, and credit information. Can also encompass data management algorithms and methodologies that combat unique clinical data problems.

COBIT

incorporates risk management processes to ensure alignment of IT with business objectives, and a control framework

Medical billing

the process of submitting and following up on claims with health insurance companies in order to receive payment for services rendered by a healthcare provider. The same process is used for most insurance companies or government-sponsored programs. The process is an interaction between a healthcare provider and the insurance company (payer). The entirety of this interaction is known as the billing or revenue cycle. This can take anywhere from several days to several months to complete and requires several interactions before a resolution is reached.

Records Management Lifecycle

the record life cycle from creation through final disposition.

Data controller/manager

the senior person in charge of managing the data systems used in capturing, storing, or analyzing the PHI of patients under care of the organization. They have the responsibility for maintaining the integrity of the data system and for authorizing access of internal and external workforce members to the data system and its included PHI

Data Loss prevention

the set of activities that ensures data is not lost from an organization

Special Publications

the set of standards aimed at the general IS audience within or without the federal government. These are the most public set of standards documents and represent outreach and collaborative efforts with information technology specialists in government, private organizations and higher education.

Analytics

the systematic use of data and related business insights developed through applied analytical disciplines (e.g. statistical, contextual, quantitative, cognitive, etc.) to drive fact-based decision making for planning, management, measurement and learning. They may be descriptive, predictive, or prescriptive. Can provide the mechanism to sort through this torrent of complexity and data, and help healthcare organizations deliver on these demands.

Technical Safeguards

the technology, policy, and procedures for its use that safeguard electronic protected health information and control access to ePHI.

Third Parties

the uninvolved vendors, business partners, or other data sharing associates. The first party is the patient himself/herself or the person, such as the parent, responsible for the patient's health bill. The second party is the physician, clinic, hospital, nursing home, or other health care entity rendering the care. These second parties are often called providers because they provide health care.

ISO

the world's largest standards organization, with more than 30 standards addressing information security practices and audit, and each of the standards is constantly reviewed and updated, which requires consistent attention for keeping up with the latest standard changes.

quantitative assessments

typically employs a set of methods, principles, or rules for assessing risk based on the use of numbers

Qualitative Assessment

typically employs a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels

Semi quantitative assessments

typically employs a set of methods, principles, or rules for assessing risk that uses bins, scales, or representative numbers whose values and meanings are not maintained in other contexts

COSO

Identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives

Health Level Seven International

Not-for-profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.

Group Health Plan

An employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance reimbursement

Integrating the Healthcare Enterprise

An initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient

Authorizing Official Designated representative

An organizational official that acts on behalf of an authorizing official to coordinate and conduct the required day to day activities associated with the security authorization process

Intangible Assets

Assets that are not physical

Tangible Assets

Assets with a physical presence

Information Security Professionals

Assist in the organizational risk process by striving to identify and close as many vulnerabilities as possible

Data Profiling

Encompasses such activities as frequency and basic statistic reports, table relationships, phrase and element analysis and business rule discovery. It is primarily done before any data-oriented initiative and often can be used to pinpoint where further efforts need to be focused

Workflow Management Systems (WfMSs)

a tool to streamline, automate, and re-engineer business processes.

Third Party

an entity with whom the primary entity does business. In the US, this relationship would be defined under HIPAA as the covered entity and business associate

chief information officer

an organizational official responsible for designating a senior information security officer and developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements

technical controls

controls that could include requirements such as encrypting data in transit and at rest and intrusion detection and prevention capabilities

corrective controls

controls that relate to those activities required when addressing a security incident

Generally Accepted Privacy Principles

a set of principles determined jointly by the American Institute of Certified Public Accountants (AICPA). The principles are based on commonly accepted privacy standards for protecting personal information.

IG Toolkit

a set of self-assessment steps to enable UK healthcare organizations to comply with the Department of Health Information Governance policies and standards

Medical device

is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals. Types include self-care, electronic, diagnostic, surgical, durable medical equipment, acute care, emergency and trauma, long-term care, storage, and transport.

Integrity

means maintaining and assuring the accuracy and consistency of data over its entire life cycle. This means that data cannot be modified in an unauthorized or undetected manner. It is violated when a message is actively modified in transit.

Records, Active

means that the records are consulted or used on a routine basis. Routine functions may include activities such as release of information requests, revenue integrity audits, or quality reviews.

Governance

protects the interests of shareholders and ensures that management does not act in a manner that is inconsistent with the interests of stakeholders

categorization

the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization

Protected Health Information

individually identifiable information that is held or transmitted by a covered entity or business associate in any form or media — whether electronic, paper, or oral — that relates to the past, present, or future physical or mental health of an individual, health care services, or payment for health care.

Pharmaceutical Fraud

involves activities that result in false claims to insurers or programs such as Medicare in the United States or equivalent state programs for financial gain to a pharmaceutical company.

Local Area Network

is a network that provides shared communications and resources in a relatively small area.

Integrating the Healthcare Enterprise

is an initiative by health care professionals and industry to improve the way computer systems in health care share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.

Pay for Performance

"value-based purchasing," is an emerging movement in health insurance. Providers under this arrangement are rewarded for meeting pre-established targets for delivery of health care services. This is a fundamental change from fee-for-service payment.

Common Criteria

A technical basis for an international agreement among member countries. The targets of the standards, and the methodology is how the standards are achieved, all according to the arrangement among the members

Health Savings Account

A type of medical savings account that allows the patient to save money to pay for current and future medical expenses on a tax-free basis. The patient must be covered by a high-deductible plan and not have any other health insurance. A good option for individuals who want to protect themselves from catastrophic health care costs but don't anticipate many day-to-day medical costs.

Business Partners

A vendor, as a recipient of PHI from healthcare organizations, as defined in HIPAA and regulations promulgated by the US Department of Health and Human Services (DHHS) to implement certain provisions. All must agree in writing to certain mandatory provisions regarding, among other things, the use and disclosure of PHI.

Bundled Payment

AKA episode-based payment. It is defined as the reimbursement of healthcare providers (such as hospitals and physicians) "on the basis of expected costs for clinically defined episodes of care". The middle ground between fee-for-service and capitation

Standards

Define limitations or boundaries to the how

Chain of Trust Agreement

Described as a contract in which the parties agree to electronically exchange data to protect the transmitted data. The sender and receiver are required to depend on each other to maintain the integrity and confidentiality of the transmitted information.

Connection Agreement

Establishes how connectivity will occur to and from the primary entity with the third party

Fee for Service

FFS is a payment model where services are unbundled and paid for separately. Doctors and hospitals get paid for each service they perform. It gives an incentive for physicians to provide more treatments because payment is dependent on the quantity of care, rather than the quality of care.

De-Identified Information

Health information that meets the standard and implementation specifications under 45 C.F.R. § 164.514 (a) and (b).

Data Categorization

How the organizational representatives identify the most critical data to be given the highest protection

Privacy Professionals

Individuals assigned the responsibilities involved with the privacy policy/ standard/ procedure structures

Flow Paths

Information can flow between the supplier and the recipient directly, or through information technology. Mediated flow paths require some use of information technology to allow information to flow, while unmediated ones do not require information technology to transfer the information.

Summary health information

Information that may be individually identifiable health information and that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan, from which the identifiers of the individual or of relatives, employers or household members of the individuals.

Health insurance

Insurance against the risk of incurring medical expenses among individuals. By estimating the overall risk of healthcare and health system expenses among a targeted group, an insurer can develop a routine finance structure, such as a monthly premium or payroll tax, to ensure that money is available to pay for the healthcare benefits specified in the insurance agreement.

Server: Client-Server

Is an architecture that divides processing between clients and servers that can run on the same machine or on different machines on the same network. It is a major element of modern operating system and network design. End users access workstation computers and other physical automated equipment directly while performing healthcare functions.

Data Integration

Is necessary to obtain a true understanding of the health care organization. Can occur at the individual level, the household level, the business or corporate level, the supplier level, or some other combination of attributes. Requires powerful matching technology that can locate less obvious members of a related group.

Electronic Records Management

Is the electronic management of digital and analog records contained in IT systems using computer equipment and software according to accepted principles and practices of records management. Is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of analog and digital records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.

National eHealth Collaborative

NeHC has convened the national HIE governance forum at the Office of the National Coordinator for HIT's request through ONC's cooperative agreement. One of ONC's governance goals for nationwide HIE is to increase trust among all potential exchange participants in order to mobilize trusted exchange to support patient health and care.

Health Information Exchange Organizations

Provide the capability to electronically move clinical information between disparate healthcare information systems while maintaining the meaning of the information being exchanged. HIOs also provide the infrastructure for secondary use of clinical data for purposes such as public health, clinical, biomedical, and consumer health informatics research as well as institution and provider quality assessment and improvement.

Auditor

Provides an independent view of the design, effectiveness, and implementation of controls

Health Information Technology

Provides the framework to describe the comprehensive management of health information across computerized systems and its secure exchange between consumers, providers, government and quality entities, and insurers. Computers and telecommunications are used for storing, retrieving, and sending information with the goal of bringing about an age of patient- and public-centered health information and services

Organized Health Care Arrangement

The HIPAA privacy rule also permits providers that typically provide health care to a common set of patients to designate themselves as an OHCA for purposes of HIPAA. For example, an academic medical center often includes university-affiliated physicians and a hospital or health system.

Electronic data Interchange

The HIPAA regulations adopted certain standard transactions for EDI of healthcare data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment, and disenrollment, referrals and authorizations, coordination of benefits, and premium payment.

Governance Framework

The Trust Taxonomy provides a conceptual framework to facilitate governance of inter-entity exchange through transparency into trust policies and practices based on Identity, Policy and Contractual attributes. When utilizing the taxonomy, all trading partners would use a consistent approach to the classification of trust attribute definitions along with consistent representations as to how these trust attributes are implemented.

Data Discovery

The activities that identify and locate the stores of organizational data on networked devices, including servers and workstations

Bandwidth

The amount of information that is transmitted over a period of time. A process of learning or education could necessitate a higher _______________ than a quick status update.

Health informatics

The interdisciplinary study of the design, development, adoption, and application of IT-based innovations in healthcare services delivery, management, and planning. Health informatics law deals with evolving and sometimes complex legal principles as they apply to information technology in health-related fields. It addresses the privacy, ethical, and operational issues that invariably arise when electronic tools, information, and media are used in healthcare delivery. Also applies to all matters that involve technology, health care, and the interaction of information. It deals with the circumstances under which data and records are shared with other fields or areas that support and enhance patient care

Records Retention

The life cycle of records management begins when information is created and ends when the information is destroyed.

Legal Medical Record

The organization's "health record" that meets all statutory, regulatory, and professional requirements for clinical purposes as well as for business purposes. If the record does not qualify as a legal record, it becomes hearsay and therefore is much less legally valid for business or for medical-legal purposes. Unless the practice intends to maintain separate paper records that comply with legal requirements, its EHR must conform to the same requirements as health records in general and for business records on computers more specifically.

Indemnity Plan

The patient can go to the doctor of his/her choice, and the patient, the patient's doctor, or the patient's hospital submits a claim to the patient's insurance company for reimbursement.

Cloud Computing

The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or personal computer. Offered in different forms: Public, Private and Hybrid.

Individual Participation Principle

The principle that states that an individual should have the right:
• To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him
• To have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him
• To be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial
• To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Openness Principle

The principle that states that there should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

Disclosure

The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information

De-Identification

The removal of the set of characteristics so that the document is no longer PHI. This practice is frequently associated with research projects involving health trends conducted by hospitals or universities.

Data Custodian

The staff responsible for the maintenance and integrity of the data system (software and hardware) that houses and processes data containing PHI. This will include keeping the systems updated, backing up stored data, and maintaining and monitoring network activity for potential vulnerabilities.

Patient Protection and Affordable Care Act of 2010

This technical report catalogs nearly 100 implemented and proposed payment reform programs, classifies each of these programs into one of 11 payment reform models, and identifies the performance measurement needs associated with each model. A synthesis of the results suggests near-term priorities for performance measure development and identifies pertinent challenges related to the use of performance measures as a basis for payment reform. The report is also intended to create a shared framework for analysis of future performance measurement opportunities. This report is intended for the many stakeholders tasked with outlining a national quality strategy in the wake of health care reform legislation.

Pharmaceutical Industry

a branch of the chemical industry that manufactures drugs. The industry comprises enterprises that produce synthetic and plant-derived preparations, antibiotics, vitamins, blood substitutes, and hormone preparations derived from animal organs, and drugs in various dosages (including injection solutions in ampuls, tablets, lozenges, capsules, pills, and suppositories), as well as ointments, emulsions, aerosols, and plasters. Are allowed to deal in generic and/or brand medications and medical devices. They are subject to a variety of laws and regulations regarding the patenting, testing, and ensuring safety and efficacy and marketing of drugs.

Fundraising

an activity of a covered entity intended to raise funds to benefit the covered entity or an institutionally related foundation that has as its mission to benefit the covered entity

gap analysis

an assessment designed to recognize the current security posture of your organization and set realistic expectations of the targeted security posture

Meaningful Use

an effort led by CMS and the Office of the National Coordinator for Health IT (ONC); it is the set of standards defined by the CMS Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria.

Biometric Identification

an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual, such as hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and handwritten signature

Administrative Safeguards

administrative actions, policies, and procedures to manage the selection, development, implementation and maintenance of security measures to safeguard ePHI and manage the conduct of the covered entity's workforce in relation to the protection of that information.

Compensating controls

allow for extra barriers between unauthorized users and the protected information resources

Point-of-Service Plan

combines elements of both a Health Maintenance Organization (HMO) and a Preferred Provider Organization (PPO). The plan allows you to use a primary care physician to coordinate your care, or you can self-direct your care at the "point of service."

Synchronicity

communication occurs when two parties exchange messages across a communication channel at the same time (e.g., face-to-face, telephone, online chat). The primary advantage is the ability for immediate feedback and clarification when necessary.

Threat source

either 1) intent and method targeted at the intentional exploitation of a vulnerability or 2) a situation and method that may accidentally trigger a vulnerability

Electronic Health Records

electronic systems that store a patient's health information, such as the patient's history of diseases and which medications the patient is taking. Provide information even after the doctor's office is closed.

Guidelines

offer suggestions or directions for satisfying the policies

Plan Administration Functions

performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor

Assiduity

persistent personal attention

Physical Safeguards

physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.

threats

predefined topical areas that can put an organization at risk

SNOMED-CT

provides a common language that enables a consistent way of capturing, sharing, and aggregating health data across specialties and sites of care. It is a highly detailed terminology designed for input, not reporting.
