ePHI: electronic PHI (i.e. a subset of PHI)
HIPAA: the federal Health Insurance Portability and Accountability Act. This act regulates, among other things, the maintenance and disclosure of protected health information (“PHI”), which includes ePHI, about patients treated by “covered entities”. In addition, this act prescribes a process through which researchers may obtain or create PHI about patients who are also research participants or potential research participants.
Hybrid Entity: a single, legal entity that uses or discloses PHI for only a part of its business operations. The Privacy Rule applies only to the healthcare components of a hybrid entity that use or disclose PHI.
Limited Data Set: health information that a covered entity may disclose (pursuant to a data use agreement) to an investigator for research purposes based on the fact that certain direct identifiers have been removed. The investigator receiving the limited data set must submit the data use agreement signed by an authorized UM official and obtain IRB approval before obtaining the limited data set for use in his/her study.
Note – direct identifiers that must be removed in order for data to be included in a limited data set are:
- address information (other than city, state and zip code)
- telephone and fax numbers
- e-mail address
- Social Security number
- certificate/license numbers
- vehicle identifiers and serial numbers
- URLs and IP addresses
- full face photos and other comparable images
- medical record numbers, health plan beneficiary numbers and other account numbers
- device identifiers and serial numbers
Note – the following are allowed in a limited data set:
- admission, discharge and service dates
- birth date
- date of death
- age (including age 90 or over)
- geographical subdivisions such as state, county, city, precinct and five-digit zip code
Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information. The term “privacy” applies to persons whereas the term “confidentiality” refers to the treatment of personal information.
Privacy and Security Rule: standards for Privacy of Individually Identifiable Health Information, promulgated by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and codified at part 160 and part 164, subpart C (Security Standards for the Protection of ePHI) and subpart E of Title 45 of the U.S. Code of Federal Regulations (as amended from time to time).
Protected Health Information (PHI): identifiable information about the past, present, or future physical or mental health or condition (including the provision of his/her health care, insurance, payment status etc.) of an individual obtained or managed by a covered entity. PHI may be information that is recorded electronically, on paper or orally. PHI must be protected from unauthorized use or disclosure by the Covered Entity under HIPAA regulations.
Note – PHI must be identifiable information or information that may be linked to an identifier. PHI does not include de-identified information.
Research Related Health Information (RHI): personally identifiable information used in research that is distinct from PHI by not being associated with, or derived from, the provision of health care or payment for care.
Security: the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage. Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.
Sensitive Information: private and/or health care information including information relating to an identifiable individual’s private activities or practices (e.g. sexual preferences or practices; drug or alcohol treatment history; mental health or treatment history; HIV status; diagnosis information; financial information including social security numbers or health insurance data; criminal history or background etc.).