HCISPP 2 Flashcards by Host Mom

Refers to preventing the disclosure of information to unauthorized individuals or systems. Necessary for maintaining the privacy of the people whose personal information is held in the system.

Confidentiality

How well did you know this?

Not at all

Perfectly

Two types: 1) the person whom the actual data pertains, i.e. the patient receiving the treatment. this is the individual who has the final determination for how the data is used and by whom the data can be used or disclosed. 2) the healthcare organization who provides the treatment services for the patient and captures information during treatment services.

Data Owners

How well did you know this?

Not at all

Perfectly

the principle that states that should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and., where appropriate, with the knowledge or consent of the data subject.

Collection Limitation Principle

How well did you know this?

Not at all

Perfectly

a security principle stating that a user should have access only to the data he or she needs to perform a particular function.

Need to know

How well did you know this?

Not at all

Perfectly

Assets with a physical presence

Tangible Assets

How well did you know this?

Not at all

Perfectly

(CPT) codes are published by the American Medical Association. It is a five (5) digit numeric code that is used to describe medical, surgical, laboratory, anesthesiology, and evaluation management services of physicians, hospitals, and other healthcare providers. There are approximately 7800. Two digit modifiers may be appended when appropriate to clarify or modify the description of the procedure.

Current Procedural Terminology

How well did you know this?

Not at all

Perfectly

HSM is one type of DLM product. It represents different types of storage media, such as redundant array of independent disk (RAID) systems, optical storage, or tape, each type representing a different level of cost and speed of retrieval when access is needed. An administrator can establish state guidelines for how often different kinds of files are to be copied to a backup storage device. Once a guideline has been set, the software manages everything automatically.

Hierarchal Storage Management

How well did you know this?

Not at all

Perfectly

the principle that states that personal data should not be disclosed, made, available, or otherwise used for purposes other than those specified in accordance with the purpose specification principle

use limitation principle

How well did you know this?

Not at all

Perfectly

the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred

risk mitigation

How well did you know this?

Not at all

Perfectly

controls that capture things such as who is responsible for information security at the third party, what types of processes the third party has in place to request access to data, and also would include ensuring that the third party has appropriate security policies, procedures, and standards

Administrative Controls

How well did you know this?

Not at all

Perfectly

the principle that states that a data controller should be accountable for complying with measures

Accountability principle

How well did you know this?

Not at all

Perfectly

the world’s largest standards organization, with more than 30 standards addressing information security practices and audit, and each of the standards is constantly reviewed and updated, which requires consistent attention for keeping up with the latest standard changes.

ISO

How well did you know this?

Not at all

Perfectly

Part of the US Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the US federal Govt

NIST

How well did you know this?

Not at all

Perfectly

Govt Funded health care: a program funded by the US federal and state govts that pays the medical expenses of people who are unable to pay some or all of their own medical expenses.

Medicaid

How well did you know this?

Not at all

Perfectly

the uninvolved vendors, business partners, or other data sharing associates. The first party is the patient himself/herself or the person, such as the parent, responsible for the patient’s health bill. The second party is the physician, clinic, hospital, nursing home, or other health care entity rendering the care. These second parties are often called providers because they provide health care.

Third Parties

How well did you know this?

Not at all

Perfectly

the activities undertaken by either a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or a covered healthcare provider or health plan to obtain or provide reimbursement for the provision of healthcare.

Payment

How well did you know this?

Not at all

Perfectly

a plan that takes the output of the risk assessment and identifies tasks needing to be accomplished to mitigate

corrective action plan

How well did you know this?

Not at all

Perfectly

controls that encompass areas such as facility access, fire protection, and visitor procedures

Physical controls

How well did you know this?

Not at all

Perfectly

determines what protections need to be in place to guard data based on its sensitivity and value as well as the risk of exposure

security

How well did you know this?

Not at all

Perfectly

How the organizational representatives identify the most critical data to be given the highest protection

Data Categorization

How well did you know this?

Not at all

Perfectly

systems that assign a distinct numeric value to medical diagnosis, procedures and surgery, signs and symptoms of disease and ill-defined conditions, poisoning, adverse effects of drugs, complications of surgery, and medical care. The assigned codes and other patient data are processed by the grouper software to determine a DRG for the episode of care which is used for funding and reimbursement.

Medical Coding

How well did you know this?

Not at all

Perfectly

Very similar to the BAA in which the recipient of the data set would agree to limit the use of the data for the purposes for which it was given to ensure the security of the data and not to identify the information or use it to contact any individual.

Data Use Agreement

How well did you know this?

Not at all

Perfectly

Includes the technologies, tools, and methods used to capture, manage, store, preserve, and deliver content across an enterprise.

Enterprise Content Management

How well did you know this?

Not at all

Perfectly

the primary liaison for the CIO to the organizations authorizing officials, information system owners, common control providers, and information system security officers.

Senior Information Security Officer

How well did you know this?

Not at all

Perfectly

a unit of the US Department of Labor and addresses safety and protection of workers in organizations that involve hazards and hazardous wastes as potential sources of injuries and health related problems

Occupational Safety and Health Administration

an organizational official responsible for designating a senior information security officer and developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements

chief information officer

is an initiative by health care professionals and industry to improve the way computer systems in health care share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.

Integrating the Healthcare Enterprise

generated at various points in the records management lifecycle, providing underlying data to describe the document, specify access controls and rights, provide retention and disposition instructions, and maintain the record history and audit trail.

Metadata

Means the provision coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare and by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one provider to another.

Treatment

Create a feedback loop to measure whether the security strategy and program are on target or need refinement

Key Performance Indicators

controls that deter, detect, and or reduce impacts to the system

Preventative controls

States that an individual should have the right: • To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him • To have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him • To be given reasons if a request made under subparagraph (a) and (b) is denied, and to be able to challenge such denial • To challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed, or amended.

Individual Participation Principle

the data collected about a specific person potentially across a number of treatment services from a number of healthcare organizations

Health Information

The activities that identify and locate the stores of organizational data on networked devices, including servers and workstations

Data Discovery

the technology, policy, and procedures for its use that safeguard electronic protected health information and control access to ePHI.

Technical Safeguards

A basis for obtaining federal stores of information that are seen as publicly accessible, and is frequently used by private citizens for political or legal issues

Freedom of Information Act

Is necessary to obtain a true understanding of the health care organization. Can occur at the individual level, the household level, the business or corporate level, the supplier level, or some other combination of attributes. Requires powerful matching technology that can locate less obvious members of a related group.

Data Integration

The HIPAA regulations adopted certain standard transactions for EDI of healthcare data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment, and disenrollment, referrals and authorizations, coordination of benefits, and premium payment.

Electronic data Interchange

the current state after applying a risk response strategies

residual risk

refers to a hierarchical system. comprises vocabulary and terms; in turn, vocabulary is made up of terms, or names, at the most basic level. The major advantage is simplicity; if there is one, then there is the assumption that everyone is or will be made aware of it, understands the vocabulary and classifications, accepts it, and utilizes the known.

Taxonomy

Any proposal relating to human subjects including healthy volunteers that cannot be considered as an element of accepted clinical management or public health practice and that involves either physical or psychological intervention or observation, or the collection, storage, and dissemination of information relation to individuals. This definition relates not only to planned trials involving human subjects but to researching which environmental factors are manipulated in a way that could incidentally expose individuals to undue risks

Human Research

Eliminates barriers to data sharing by providing direct data access; data translation tools; and the ability to build complex spatial extraction, transformation and loading processes. Standardize data messaging facilitates __________ between health information systems regardless of database models employed by individual health care enterprises. There are three levels: Foundational, Structural, and Semantic.

Data Interoperability

A vendor, as a recipient of PHI from healthcare organizations. As defined in HIPAA and regulations promulgated by the US Department of health and human services (DHHS) to implement certain provisions. All must agree in writing to certain mandatory provisions regarding, among other things, the use and disclosure of PHI.

Business Partners

the set of activities that ensures data is not lost from an organization

Data Loss prevention

A public or private entity that processes or facilitates the processing of non standard data elements of health information into standard data elements. The entity receives healthcare transactions from healthcare providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers

Healthcare Clearinghouse

Once records are created, they must be maintained in such a way that they are accessible and retrievable. Components of this phase include functions, rules, and protocols for indexing, searching, retrieving, processing, routing, and distributing.

Record Maintenance and Use

an individual, group or organization responsible for conducting information system security engineering activities.

Information System Security Engineer

(DICOM) the international standard for medical images and related information. It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use. Implemented in almost every radiology, imaging, and radiotherapy device, and increasingly in devices in other medical domains such as ophthalmology and dentistry. With thousands of imaging devices in use, it is one of the most widely deployed healthcare messaging standards in the world

Digital Imaging and Communications in Medicine

Provide the capability to electronically move clinical information between disparate healthcare information systems while maintaining the meaning of the information being exchanged. HIEs also provide the infrastructure for secondary use of clinical data for purposes such as public health, clinical, biomedical, and consumer health informatics research as well as institution and provider quality assessment and improvement.

Health Information Exchange Organizations

Any organization or corporation that directly handles PHI or PHRs. They include public clinics, nursing homes, pharmacies, specialty hospitals, homecare programs, home meal programs, hospice, and durable medical equipment suppliers.

Covered Entity

the person who is the subject of the PHI

Individual

review plans for research involving human subjects. Institutions that accept research funding from the federal government must have an IRB to review all research involving human subjects. The FDA and the Office for Human Research Protections (OHRP) (part of the National Institutes of Health) set the guidelines and regulations governing human subject's research and IRBs

Institutional Review Board

An organizational official that acts on behalf of an authorizing official to coordinate and conduct the required day to day activities associated with the security authorization process

Authorizing Official Designated representative

Health information that meets the standard and implementation specifications under 45 C.F.R. § 164.514 (a) and (b).

De- Identified Information

(BA) The privacy rule, allows covered providers and health plans to disclose protected health information to services of a variety of businesses that have access to their patients' PHI. Such as billing services, attorneys, accountants and consultants.

Business Associates

means PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual

Limited data set

the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations

Risk sharing

physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.

Physical Safeguards

a governance structure where the authority, responsibility and decision-making power are vested solely within central bodies

centralized governance structure

Assets that are not physical

Intangible Assets

dictates what needs to be protected

Privacy

HITECH, ARRA, the privacy rule, the security rule, enforcement rule, and breach notification rule.

Health Insurance Portability and Accountability Act of 1996

the senior person in charge of managing the data systems used in capturing storing or analyzing the PHI of patients under care of the organization. They have the responsibility for maintaining the integrity of the data system and for authorizing access of internal and external workforce members to the data system and its included PHI

Data controller/manager

the channel through which information is transmitted. The main forms include auditory, visual and tactile.

Modality

typically employs a set of methods, principles, or rules for assessing risk based on non numerical categories or levels

Qualitative Assessment

Covers essential health benefits but has a very high deductible. This means it provides a kind of "safety net" coverage in case the patient has an accident or serious illness. Usually do not provide coverage for services such as prescription drugs or shots.

Catastrophic Health Insurance Plan

an effort led by CMS and the office of the National Coordinator for Health IT (ONC) is the set of standards defined by the CMS Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria.

Meaningful Use

This phase includes creating, editing, and reviewing work in process as well as capture of content (e.g., through document imaging technology) or receipt of content (e.g., through a health information exchange). Every organization must establish business rules for determining when content or documents become records

Record Creation, Capture, or Receipt

the federal agency with HHS with oversight over HIPAA privacy, security and breach notification requirements, established a comprehensive audit protocol that physician practices may wish to consider as they review and update their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH act audit mandate.

Office of Civil Rights

Assist in the organizational risk process by striving to identify and close as many vulnerabilities as possible

Information Security Professionals

a governance structure where the authority , responsibility, and decision making power are distributed between a central body and individual subordinate organizations

Hybrid information security governance structure

may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance

Risk avoidance

A methodology where an organization manages and direction an information security risk evaluation for their organization

OCTAVE

in health care generally refers to entities other than the patient that finance or reimburse the cost of health services.

Payer

assessment focused on the technology aspects of an organization, such as the network or applications

Vulnerability assessments

HCPCS is used to report hospital outpatient procedures and physician services These coding systems serve an important function for physician reimbursement, hospital payments, quality review, benchmarking measurement, and the collection of general medical statistical data.

Healthcare common procedure coding system

an activity of a covered entity intended to raise funds to benefit the covered entity or an institutionally related foundation that has as its mission to benefit the covered entity

Fundraising

Use technology and human efforts to provide protection of and control access to the data and information that is considered private

Security Professionals

the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization

categorization

An employee welfare benefit plan, including insured and self insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance reimbursement

Group Health Plan

The Trust Taxonomy provides a conceptual framework to facilitate governance of inter-entity exchange through transparency into trust policies and practices based on Identity, Policy and Contractual attributes. When utilizing the taxonomy, all trading partners would use a consistent approach to the classification of trust attribute definitions along with consistent representations as to how these trust attributes are implemented.

Governance Framework

means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Use

(ARRA) was enacted on 02/17/09 and includes many measure to modernize our nations infrastructure, one of which is the "Health Information Technology for Economic and Clinical Health" (HITECH) The HITECH act supports the concept of Meaningful Use (MU) of Health Information Technology (IT) and healthcare reform to help the healthcare organizations to meet its clinical and business objectives vial HIE. MU requirements consist of payment approaches that stress care coordination, and federal financial incentives are driving the interest and demand for HIE

American Reinvestment and Recovery Act

The patient can go to the doctor of his/her choice, and the patient, the patients doctor, or the patients hospital submits a claim to the patients insurance company for reimbursement.

Indemnity Plan

the record life cycle from creation through final disposition.

Records Management Lifecycle

Establishes how connectivity will occur to and from the primary entity with the third party

Connection Agreement

The organization's "health record" that meets all statutory, regulatory, and professional requirements for clinical purposes as well as for business purposes. If the record does not qualify as a legal record, it becomes hearsay and there fore is much less legally valid for business or for medical legal purposes. Unless the practice intends to maintain separate paper records that comply with legal requirements, its EHR, ,must conform to the same requirements as health records in general and for business records on computers more specifically.

Legal Medical Record

The principle that states that there should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

Openness Principle

A technical basis for an international agreement among member countries The targets of the standards, and the methodology is how the standards are achieved, all according to the arrangement among the members

Common Criteria

predefined topical areas that can put an organization at risk

threats

NeHC has convened the national HIE governance forum at the office of the national coordinator for HITs request through ONCs cooperative agreement. One of the ONCs governance goals for nationwide HIE is to increase trust among all potential exchange participants in order to mobilize trusted exchange to support patient health and care.

National eHealth Collaborative

either 1) intent and method targeted at the intentional exploitation of a vulnerability or 2) a situation and method that may accidentally trigger a vulnerability

Threat source

incorporates risk management processes to ensure alignment of IT with business objectives, and a control framework

COBIT

means that the records are used rarely but must be retained for reference or to meet the full retention requirement. Inactive records usually involve a patient who has not sought treatment for a period of time or one who completed his or her course of treatment.

Records, Inactive

Described as a contract in which the parties agree to electronically exchange data to protect the transmitted data. The sender and receiver are required to depend on each other to maintain the integrity and confidentiality of the transmitted information.

Chain of Trust Agreement

administrative actions, policies, and procedures to manage the selection, development, implementation and maintenance of security measures to safeguard ePHI and manage the conduct of the covered entity's workforce in relation to the protection of that information.

Administrative Safeguards

Targets merchants who accept product and service payments from customers using specific credit cards.

Payment Card Industry Data Security Standard

a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source

Vulnerability

Has been a champion of patient safety by helping healthcare organizations to improve the quality and safety of the care they provide. Evaluates and accredits healthcare organizations and programs in the US and is the nation's predominant standards setting and accrediting body in healthcare. The National Patient Safety Goals (NPSGs) required to be implemented by all accredited organizations to improve the safety and quality of care, are updated annually.

Joint Commission

A type of medical savings account that allows the patient to save money to pay for the current and future medical expenses on a tax-free basis. The patient must be covered by a high-deductible plan and not have any other health insurance. a good option for individuals who want to protect themselves from catastrophic health care costs but don't anticipate many day to day medical costs.

Health Savings Account

assumes a small percentage of threats from purposeful cyber attacks will be successful by compromising organizational information systems through the supply chain by defeating the initial safeguards and counter measures

Agile Defense

state what needs to be done

policies

typically employs a set of methods principles or rules for assessing risk based on the use of numbers

quantitative assessments

typically employs a set of methods, principles, or rules for assessing risk that uses bins, scales or representative numbers whose values and meanings are not maintained in other contexts

Semi quantitative assessments

a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations and the nation

authorizing official

any of the following activities of the covered entity to the extent that the activities are related to covered functions, and : conducting quality assessment and improvement activities; reviewing the competence or qualifications of healthcare professions; underwriting premium rating; conducting or arranging for medical review; legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning; business management and general administrative activities of the entity.

Healthcare Operations

the health care term that refers to the compensation or repayment for health care services. Reimbursement is being repaid or compensated for expenses already incurred or, as in the case of health care, for services that have already been provided.

Reimbursement

GCP is a process that incorporates established ethical and scientific quality standards for the design, conduct, recording, and reporting of clinical research involving the participation of human subjects. Compliance provides public assurance that the rights, safety, and well-being of research subjects are protected and respected and ensures the integrity of clinical research data.

Good Clinical Research Practice

The HIPAA privacy rule also permits providers that typically provide health care to a common set of patients to designate themselves as an OHCA for purposes of HIPAA. For example, an academic medical center often includes university-affiliated physicians and a hospital or health system.

Organized Health Care Arrangement

means that the records are consulted or used on a routine basis. Routine functions may include activities such as release of information requests, revenue integrity audits, or quality reviews.

Records, Active

a governance structure where the authority, responsibility, and decision making power are vested in and delegated to individual subordinate organizations with the parent organization

decentralized information security governance structure

controls that reduce the risk of exposing sensitive personal and health information

detective controls

The amount of information that is transmitted over a period of time. A process of learning or education could necessitate a higher _______________ than a quick status update.

Bandwidth

Individuals assigned the responsibilities involved with the privacy policy/ standard/ procedure structures

Privacy Professionals

(DLM) is a policy-based approach to managing the flow of an information systems data through is lifecycle. DLM products automate the processes involved, typically organizing data into separate tiers according to specified policies, and automating data migration from one tier to another based on those criteria. As a rule, newer data and data that must be accessed more frequently is stored on faster, but more expensive storage media, while less critical data is stored on cheaper, but slower material.

Data Lifecycle Management

an assessment designed to recognize the current security posture of your organization and set realistic expectations of the targeted security posture

gap analysis

Requires physician practices to implement a number of administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI

Security Rule

A group of records maintained by or for a covered entity that includes the medical records and billing records about individuals maintained by or for a covered healthcare provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used in whole or in part, by or for the covered entity to make decisions about individuals.

Designated record set

any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/ or denial of service

Threat

offer suggestions or directions for satisfying the policies

Guidelines

protects the interests of share holders and ensures that management does not act in a manner that is inconsistent with the interest of stakeholders

Governance

the enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively

Due Diligence

The removal of the set of characteristics so that the document, is no longer PHI. This practice is frequently associated with research projects involving health trends conducted by hospitals or universities.

De-Identification

responsible for documenting the organization identified common controls in a security plan

Common control providers

(APGs) were developed to encompass the full range of ambulatory settings, including same day surgery units, hospital emergency rooms, and outpatient clinics. They are a patient classification system designed to explain the amount and type of resources used in an ambulatory visit. Patients in each have similar clinical characteristics and similar resource use and cost. Similar resource use means that the resources used are relatively constant across the patients within each APG.

Ambulatory Patient Groups

The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information

Disclosure

Provides an independent view of the design, effectiveness, and implementation of controls

Auditor

Insurance against the risk of incurring medical expenses among individuals. By estimating the overall risk of healthcare and health system expenses, among a targeted group, an insurer can develop a routine finance structure, such as a monthly premium or payroll tax, to ensure that money is available to pay for the healthcare benefits specified in the insurance agreement.

Health insurance

a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network

Exposure

EPOs are similar to PPOs but they reimburse members for services rendered by providers in their network only. Like PPOs, the patient pays a percentage of every medical bill up to a certain level. Some EPOs allow the patient to forgo a primary care physician and refer themselves to a specialist as long as that provider is in the network. May limit coverage to providers inside their network.

Exclusive Provider Organizations

Provides the framework to describe the comprehensive management of health information across computerized systems and its secure exchange between consumers, providers, government and quality entities, and insurers. Computers and telecommunications are used for storing, retrieving, and sending information with the goal of bringing about an age of patient and public centered health information and services

Health Information Technology

An Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organizations core missions and business processes are adequately addressed in all aspects of enterprise architecture

Information Security Architect

Encompasses such activities as frequency and basic statistic reports, table relationships, phrase and element analysis and business rule discovery. It is primarily done before any data-oriented initiative and often can be used to pinpoint where further efforts need to be focused

Data Profiling

A classical definition is a person who helps in identifying or preventing or treating illness or disability. A classical definition is a person who helps in identifying or preventing or treating illness or disability.

Provider

Identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives

COSO

Any information that allows positive identification of an individual, usually as a combination of several characteristics

Personally Identifiable Information

a software program, or the computer on which that program runs, that provides a specific kind of service to client software running on the computers on a network.

Server

provides a common language that enables a consistent language that enables a consistent way of capturing, sharing, and aggregating health data across specialties and sites of care. It is highly detailed terminology designed for input, not reporting.

SNOMED-CT

the entity that has the relationship with the patient. That could be a doctor, hospital, pharmacy, or insurance company

Primary Entity

Information that may be individually identifiable health information- summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan. from which the identifiers of the individual or of relatives, employers or household members of the individuals.

Summary health information

an entity with whom the primary entity does business. In the US, this relationship would be defined under HIPAA as the covered entity, and business associate

Third Party

means maintaining and assuring the accuracy and consistency of data over its entire life cycle. This means that data cannot be modified in an unauthorized or undetected manner. It is violated when a message is actively modified in transit.

Integrity

performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor

Plan Administration Functions

Not for profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.

Health Level Seven International

communication occurs when two parties exchange messages across a communication channel at the same time (e.g., face-to-face, telephone, online chat). The primary advantage is the ability for immediate feedback and clarification when necessary.

Synchronicity

NUBC is a voluntary committee whose work is coordinated through the offices of the American Hospital Association (AHA) and includes participation of all the major national provider and payer organizations. The committee was originally formed to develop a single standard billing format and data set to be used nationwide by institutional providers and payers for handling healthcare claims. Today the committee monitors and manages the utilization of this standard (UB) and data set used throughout the industry for billing transactions.

National Uniform Billing Committee

persistent personal attention

Assiduity

Legislation that was created to stimulate the adoption of EHR and supporting technology in the US. Signed into law on 02/17/09 as part of the American Recovery and Reinvestment Act of 2009 an economic stimulus bill. It stipulates that, beginning 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of EHR. Incentives were offered until 2015, after which time penalties may be levied for failing to demonstrate such use. The act also establishes grants for training centers for the personnel required to support a health IT infrastructure.

HITECH

controls that could include requirements such as encrypting data in transit and at rest and intrusion detection and prevention capabilities

technical controls

the appropriate risk response when the identified risk is within the organizational risk tolerance

Risk acceptance

Is an architecture that divides processing between clients and servers that can run on the same machine or on different machines on the same network. It is a major element of the modern operating system and network design. End users access workstation computers and other physical automated equipment directly while performing healthcare functions.

Server: Client-Server

AKA episode based payment. Is defined as the reimbursement of healthcare providers (such as hospitals and physicians) "on the bases of expected costs for clinically defined episodes of care" The middle ground between fee-for-service and capitation

Bundled Payment

An individuals permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study.

Authorization

Technical research reports targeting specialized audiences, including interim and final reports. These are for information technology and security specialists who wish to keep abreast with the latest research within the CSD

NIST Interagency Reports

A govt program of hospitalization insurance and voluntary medical insurance for persons aged 65 and over, and for certain disabled persons under 65

Medicare

An action or practice that closes a vulnerability or a weakness that would allow a threat to protected information to be actualized. for example the protected personal information is lost or misused

Control

A contract with a covered entity that meets the HIPAA Privacy Rule's applicable contract requirements

Business Associates Agreement

the process of submitting and following up on claims with health insurance companies in order to receive payment for services rendered by a healthcare provider. The same process is used for most insurance companies or govt sponsored programs. The process is an interaction between a healthcare provider and the insurance company (payer) The entirety of this interaction is known as the billing or revenue cycle. This can take anywhere from several days to several months to complete and requires several interactions before a resolution is reached.

Medical billing

Standardize and verify data is to use a reference database or a defined set of business rules and corporate standards. The quality building block includes technologies that encompass parsing, transformation, verification, and validation.

Data Quality

a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

Payment Card Industry

a branch of the chemical industry that manufactures drugs. The industry comprises enterprises that produce synthetic and plant-derived preparations, antibiotics, vitamins, blood substitutes, and hormone preparations derived from animal organs, and drugs in various dosages (including injection solutions in ampules, tablets, lozenges, capsules, pills, and suppositories), as well as ointments, emulsions, aerosols, and plasters. Are allowed to deal in generic and/or brand medications and medical devices. They are subject to a variety of laws and regulations regarding the patenting, testing, and ensuring safety and efficacy and marketing of drugs.

Pharmaceutical Industry

a system designed to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information

classification system

FFS is a payment model where services are unbundled and paid for separately. Doctors and hospitals got paid for each service they performed. It gives an incentive for physicians to provide more treatments because payment is dependent on the quantity of care, rather than the quality of care.

Fee for Service

the most widely recognized medical classification maintained by the World Health Organization. Its primary purpose is to categorize diseases for morbidity and mortality reporting. The united states has used a clinical modification for the additional purposes of reimbursement. The CM in the name means clinical modification. It is used by hospitals and other facilities to describe any health challenges a patient has, from his diagnosis symptoms to outcomes from treatment, to causes of death. ICD-10-CM and PCS group together similar diseases and procedures and organize related entities for easy retrieval.

International Classification of Disease

"value-based purchasing," is an emerging movement in health insurance. Providers under this arrangement are rewarded for meeting pre-established targets for delivery of health care services. This is a fundamental change from fee-for-service payment.

Pay for Performance

an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.

Information Systems Owner

a set of self- assessment steps to enable UK healthcare organizations to comply with the Department of Health Information Governance policies and standards

IG Toolkit

Is the electronic management of digital and analog records contained in IT systems using computer equipment and software according to accepted principles and practices of records management. Is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of analog and digital records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.

Electronic Records Management

Refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains or transmits in electronic form.

Electronic Patient Health Information

the government provides its own health insurance, but private insurance companies continue to provide insurance as another option for citizens. Proponents point to private insurance's inability to provide for every single person, often leaving people without health care coverage, which can result in avoidance of care and even bankruptcy.

Public Health Insurance

a confederation of stakeholders at the forefront of HIE, including federal agencies; state, regional, and local health information organizations; integrated delivery networks, and private organizations.

Nationwide Health Information Network Exchange

An initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient

Integrating the Healthcare Enterprise

individually identifiable information that is held or transmitted by a covered entity or business associate in any form or media — whether electronic, paper, or oral — that relates to the past, present, or future physical or mental health of an individual, health care services, or payment for health care.

Protected Health Information

Typically feature lower premiums and higher deductibles than traditional insurance plans.

High Deductible Health Plans

a hosted service offering that acts as an intermediary between business partners such as hospitals and insurance payers. A VAN simplifies the communications process by reducing the number of parties with which a company needs to facilitate electronic data interchange (EDI). VANs provide a number of services, e.g., HIPAA compliance checking, acknowledgements, retransmitting documents, providing third-party audit information, acting as a gateway for different transmission methods, and handling telecommunications support.

Value-added Network (VAN)

Define limitations or boundaries to the how

Standards

the form of managed care closest to an indemnity plan, which typically allows you to see any doctor, any time. Negotiates discounts with doctors, hospitals, and other providers, who then become part of the network.

Preferred Provider Organization

involves activities that result in false claims to insurers or programs such as Medicare in the United States or equivalent state programs for financial gain to a pharmaceutical company.

Pharmaceutical Fraud

(ACE) legally separate covered entities that are affiliated may designate themselves as a single covered entity for the purposes of the HIPAA privacy rule. Under this affiliation, the organizations need only develop and disseminate one privacy official, administer common training programs and use one business associate contract.

Affiliated Covered Entity

Sometimes doctors reach an agreement with a managed care organization where the doctor is paid per person. Under this agreement, doctors accept members of the plan for a certain set price per member, no matter how often the member sees the doctor.

Capitation

the systematic use of data and related business insights developed through applied analytical disciplines (e.g. statistical, contextual, quantitative, cognitive, etc.) to drive fact based decision making for planning, management, measurement and learning. They may be descriptive, predictive, or prescriptive. Can provide the mechanism to sort through this torrent of complexity and data, and help healthcare organizations deliver on these demands.

Analytics

When using or disclosing PHI or when requesting PHI from other covered entity, a covered entity general must make reasonable efforts to limit PHI to the _________________ to accomplish the intended purpose of the use, disclosure, or request.

Minimum necessary

regulations are divided into four Standards or Rules: (1) Privacy, (2) Security, (3) Identifiers, and (4) Transactions and Code Sets (TCS). The TCS Standard/Rule was first released in August 2000 and updated in May 2002; it took effect on 16 October 2003 for all covered entities. Regulations associated with the TCS Rule mandate uniform electronic interchange formats for all covered entities. It is this standardization along with the introduction of uniform identifiers for plans, providers, employers, and patients under the Identifier Rule that is expected to produce the efficiency savings of "administrative simplification."

The HIPAA Transaction and Code Sets Standard/Rule (TCS)

must protect the computer network and its services from unauthorized modification, destruction, or disclosure.

Network Security

the principle that states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

Security safeguards principle

electronic systems that store a patients health information, such as the patient's history of diseases and which medications the patient is taking. Provide information even after doctor's office is closed.

Electronic Health Records

the principle that states that the purposes for which personal data is collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not compatible with those purposes and as are specified on each occasion of change and purpose

Purpose specification principle

controls that relate to those activities required when addressing a security incident

corrective controls

The highest level senior official or executive within an organization with the overall responsibility to provide information security protections

Head of agency

Publications that specifically target US federal agencies and are currently the approved standards for compliance with the Information Technology Reform Act of 1996 and FISMA of 2002

Federal Information Processing Standards

formal, documented policies and procedures for granting different levels of access to healthcare information

Information Access Control

combines elements of both a Health Maintenance Organization (HMO) and a Preferred Provider Organization (PPO). The plan allows you to use a primary care physician to coordinate your care, or you can self- direct your care at the "point of service."

Point-of-Service Plan

an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual, such as hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, dna sequence characteristics, voice prints, and hand written signature

Biometric Identification

state how the policies are meant to be implemented

Procedures

is a network that provides shared communications and resources in a relatively small area.

Local Area Network

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization

Risk

includes demographic, geographic, and credit information. Can also encompass data management algorithms and methodologies that combat unique clinical data problems.

Data Augmentation

The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or personal computer. Offered indifferent forms: Public, Private and Hybrid.

Cloud Computing

the principle that states that personal data should be relevant to the purposes for which it is to be used, and to the extent necessary for those purposes , should be accurate, complete, and kept up to date

Data quality principle

A Weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability

Likelihood

The life cycle of records management begins when information is created and ends when the information is destroyed.

Records Retention

means a single legal entity that is a covered entity and who's covered functions are not its primary function

Hybrid entity

The interdisciplinary study of the design, development, adoption, and application of IT based innovations in healthcare services delivery, management, and planning. Law deals with evolving and sometimes complex legal principles as they apply information technology in health-related fields. It addresses the privacy, ethical, and operational issues that invariably arise when electronic tools, information, and media are used in healthcare delivery. Also applies to all matters that involve technology, health care, and the interaction of information. It deals with the circumstances under which data and records are shared with other fields or areas that support and enhance patient care

Health informatics

specific technical staff who are involved in implementing the software systems that support health information processing

Data Processors

a type of fee-for-service because the patients or the guarantors (responsible persons such as the parents for children) pay a specific amount for each service received. The patients or guarantors make such payments themselves to the providers, such as physicians, clinics, or hospitals, then render each service. The patients or guarantors then seek reimbursement for their private health insurance or the governmental agency that covers their health benefits.

Self-Pay

similar to DRGs in concept. Each facility is paid a daily rate based on the needs of individual Medicare patients, with an adjustment for local labor cost.

Resource Utilization Groups

Organizations leadership exercise the care which ordinarily prudent and reasonable persons would exercise under the same circumstances

Due Care

The staff responsible for the maintenance and integrity of the data system - software and hardware- that house and process data containing PHI. This will include keeping the systems updated, backing up stored data, and maintaining and monitoring network activity for potential vulnerabilities.

Data Custodian

Restricts covered entities and business associates use and disclosure of an individual's PHI

HIPAA Privacy Rule

(DRG) is a capitation approach by focusing on hospitalization. Price is set based on categories of illnesses. The DRG classification of diseases is a nominal scale used to describe the illness leading to hospitalization.

Diagnosis related groups

is intended for the use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals. Types include self-care, electronic, diagnostic, surgical, durable medical equipment, acute care, emergency and trauma, long-term care, storage, and transport.

Medical device

an impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Breach

allow for extra barriers between unauthorized users and the protected information resources

Compensating controls

Often called group health insurance, the employer is responsible for a significant portion of the healthcare expenses. Group health plans are also guarantee issue, meaning that a carrier must cover all applicants whose employment qualifies them for coverage. In addition, employer-sponsored plans typically are able to include a range of plan options from HMO and PPO plans to additional coverage such as dental, life, and short and long term disability.

Employer Sponsored insurance

the set of standards aimed at the general IS audience within or without the federal govt. These are the most public set of standards documents and represent outreach and collaborative efforts with information technical specialists in govt, private organizations and higher education.

Special Publications

Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organization

Health Information Trust Alliance HITRUST Common Security Framework CSF Assurance Program

Must manage organizational information so that it is timely, accurate, complete, cost-effective, accessible, and useable. An effective program addresses both creation control, and records retention, thus stabilizing the growth of records in all formats.

Healthcare Records Management

a store where medicinal drugs are dispensed or compounded and sold. It can also be defined as a branch of health sciences that deals with the preparation, dispensing, and utilization of drugs. Involves the process through which a pharmacist cooperates with a patient and other professionals in designing, implementing, and monitoring a therapeutic plan that will produce specific therapeutic outcomes for the patient.

Pharmacy

This technical report catalogs nearly 100 implemented and proposed payment reform programs, classifies each of these programs into one of 11 payment reform models, and identifies the performance measurement needs associated with each model. A synthesis of the results suggests near-term priorities for performance measure development and identifies pertinent challenges related to the use of performance measures as a basis for payment reform. The report is also intended to create a shared framework for analysis of future performance measurement opportunities. This report is intended for the many stakeholders tasked with outlining a national quality strategy in the wake of health care reform legislation.

Patient Protection and Affordable Care Act of 2010

monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor restrict resource access.

Network Management

the PII involved with the healthcare and treatment of an individual

Personal Health Information

an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner

Information System Security Officer

Information can flow between the supplier and the recipient directly, or through and information technology. Mediated require some use of technology information to allow information to flow, while unmediated do not require information technology to transfer the information.

Flow Paths

The individuals permission to participate in the research. Provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things.

Informed Consent

a set of principles determined jointly by the American institute of certified public accountants (AICPA) The principles are based on commonly accepted privacy standards for protecting personal information.

Generally Accepted Privacy Principles

A program that looks at the different types of data an organization handles, classifies those pieces of data based on sensitivity, and establishes procedures to make sure each of these pieces of information is treated properly. The big picture rationale of a data classification program is to reduce risk and bring enterprise wide consistency to data handling.

Data Classification

an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal

Information Owner

an individual or group within an organization that helps to ensure that risk related considerations for individual information systems, to include authorization decisions are viewed from an organization wide perspective

Risk Executive

a tool to streamline, automate, and re-engineer business processes.

Workflow Management Systems (WfMSs)

an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls

security control assessor

a system in which individuals are responsible for securing their own health insurance coverage, although employers in many cases provide all or some of the funding. Supporters of the system say that it encourages freedom of choice for health insurance and provides the best possible quality of care.

Private Health Insurance

a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity

Unique user identifier

Allows healthcare professionals and patients to appropriately access and securely share a patients vital information electronically.

Health Information Exchange

the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability

Impact