Exploring HIPAA and HITECH Act Definitions: Part 14

From now through December, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate.

Exploring HIPAA and HITECH Act Definitions:  Parts 11-15, include definitions from:

American Recovery and Reinvestment Act of 2009 (February 17, 2009, pp.258-259),

Health Information Technology for Economic and Clinical Health Act,

Title XIII—Health Information Technology,

Subtitle D—Privacy,

Section 13400—Definitions.

Payment

Has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations [CFR]:

“(1) The activities undertaken by:

(i)             A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan;

or

(ii)            A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i)             Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii)            Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii)           Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv)            Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v)             Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

(vi)            Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A)             Name and Address;

(B)             Date of birth’

(C)             Social Security number;

(D)             Payment history;

(E)             Account number; and

(F)             Name and address of the health care provider and/or health plan.”

Personal Health Record

An electronic record of PHR identifiable health information (as defined in section 13407(f)(2)[1] on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

Protected Health Information

Has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations [CFR]:

“Individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i)             Transmitted by electronic media;

(ii)            Maintained in electronic media; or

(iii)           Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i)             Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii)            Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii)           Employment records held by a covered entity in its role as employer.”

[1] PHR Identifiable Health Information “means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information—(A) that is provided or on behalf of the individual; and (B) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”  [HITECH Act, p.156]