Correctional institution means any penal or correctional facility, jail,
reformatory, detention center, work farm, halfway house, or residential
community program center operated by, or under contract to, the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, for the confinement or rehabilitation of
persons charged with or convicted of a criminal offense or other persons held
in lawful custody. Other persons held in lawful custody includes
juvenile offenders adjudicated delinquent, aliens detained awaiting
deportation, persons committed to mental institutions through the criminal
justice system, witnesses, or others awaiting charges or trial.
Covered functions means those functions of a covered entity the performance
of which makes the entity a health plan, health care provider, or health care
clearinghouse.
Data aggregation means, with respect to protected health information created
or received by a business associate in its capacity as the business associate
of a covered entity, the combining of such protected health information by the
business associate with the protected health information received by the
business associate in its capacity as a business associate of another covered
entity, to permit data analyses that relate to the health care operations of
the respective covered entities.
Designated record set means:
(1)
A group of records maintained by or for a covered entity that is:
(i)
The medical records and billing records about individuals maintained by or
for a covered health care provider;
(ii)
The enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or
(iii)
Used, in whole or in part, by or for the covered entity to make decisions
about individuals.
(2)
For purposes of this paragraph, the term record means any item,
collection, or grouping of information that includes protected health
information and is maintained, collected, used, or disseminated by or for a
covered entity.
Direct treatment relationship means a treatment relationship between an
individual and a health care provider that is not an indirect treatment
relationship.
Disclosure means the release, transfer, provision of access to, or divulging
in any other manner of information outside the entity holding the information.
Health care operations means any of the following activities of the covered
entity to the extent that the activities are related to covered functions, and
any of the following activities of an organized health care arrangement in
which the covered entity participates:
(1)
Conducting quality assessment and improvement activities, including outcomes
evaluation and development of clinical guidelines, provided that the obtaining
of generalizable knowledge is not the primary purpose of any studies resulting
from such activities; population-based activities relating to improving health
or reducing health care costs, protocol development, case management and care
coordination, contacting of health care providers and patients with
information about treatment alternatives; and related functions that do not
include treatment;
(2)
Reviewing the competence or qualifications of health care professionals,
evaluating practitioner and provider performance, health plan performance,
conducting training programs in which students, trainees, or practitioners in
areas of health care learn under supervision to practice or improve their
skills as health care providers, training of non-health care professionals,
accreditation, certification, licensing, or credentialing activities;
(3)
Underwriting, premium rating, and other activities relating to the creation,
renewal or replacement of a contract of health insurance or health benefits,
and ceding, securing, or placing a contract for reinsurance of risk relating
to claims for health care (including stop-loss insurance and excess of loss
insurance), provided that the requirements of § 164.514(g) are met, if
applicable;
(4)
Conducting or arranging for medical review, legal services, and auditing
functions, including fraud and abuse detection and compliance programs;
(5)
Business planning and development, such as conducting cost-management and
planning-related analyses related to managing and operating the entity,
including formulary development and administration, development or improvement
of methods of payment or coverage policies; and
(6)
Business management and general administrative activities of the entity,
including, but not limited to:
(i)
Management activities relating to implementation of and compliance with the
requirements of this subchapter;
(ii)
Customer service, including the provision of data analyses for policy
holders, plan sponsors, or other customers, provided that protected health
information is not disclosed to such policy holder, plan sponsor, or
customer.
(iii)
Resolution of internal grievances;
(iv)
Due diligence in connection with the sale or transfer of assets to a
potential successor in interest, if the potential successor in interest is a
covered entity or, following completion of the sale or transfer, will become
a covered entity; and
(v)
Consistent with the applicable requirements of § 164.514, creating
de-identified health information, fundraising for the benefit of the covered
entity, and marketing for which an individual authorization is not required
as described in § 164.514(e)(2).
Health oversight agency means an agency or authority of the United States, a
State, a territory, a political subdivision of a State or territory, or an
Indian tribe, or a person or entity acting under a grant of authority from or
contract with such public agency, including the employees or agents of such
public agency or its contractors or persons or entities to whom it has granted
authority, that is authorized by law to oversee the health care system
(whether public or private) or government programs in which health information
is necessary to determine eligibility or compliance, or to enforce civil
rights laws for which health information is relevant.
Indirect treatment relationship means a relationship between an individual
and a health care provider in which:
(1)
The health care provider delivers health care to the individual based on the
orders of another health care provider; and
(2)
The health care provider typically provides services or products, or reports
the diagnosis or results associated with the health care, directly to another
health care provider, who provides the services or products or reports to the
individual.
Individual means the person who is the subject of protected health
information.
Individually identifiable health information is information that is a subset
of health information, including demographic information collected from an
individual, and:
(1)
Is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and
(2)
Relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an individual;
and
(i)
That identifies the individual; or
(ii)
With respect to which there is a reasonable basis to believe the information
can be used to identify the individual.
Inmate means a person incarcerated in or otherwise confined to a correctional
institution.
Law enforcement official means an officer or employee of any agency or
authority of the United States, a State, a territory, a political subdivision
of a State or territory, or an Indian tribe, who is empowered by law to:
(1)
Investigate or conduct an official inquiry into a potential violation of law;
or
(2)
Prosecute or otherwise conduct a criminal, civil, or administrative proceeding
arising from an alleged violation of law.
Marketing means to make a communication about a product or service a purpose
of which is to encourage recipients of the communication to purchase or use
the product or service.
(1)
Marketing does not include communications that meet the requirements of
paragraph (2) of this definition and that are made by a covered entity:
(i)
For the purpose of describing the entities participating in a health care
provider network or health plan network, or for the purpose of describing if
and the extent to which a product or service (or payment for such product or
service) is provided by a covered entity or included in a plan of benefits;
or
(ii)
That are tailored to the circumstances of a particular individual and the
communications are:
(A)
Made by a health care provider to an individual as part of the treatment
of the individual, and for the purpose of furthering the treatment of that
individual; or
(B)
Made by a health care provider or health plan to an individual in the
course of managing the treatment of that individual, or for the purpose of
directing or recommending to that individual alternative treatments,
therapies, health care providers, or settings of care.
(2)
A communication described in paragraph (1) of this definition is not included
in marketing if:
(i)
The communication is made orally; or
(ii)
The communication is in writing and the covered entity does not receive
direct or indirect remuneration from a third party for making the
communication.
Organized health care arrangement means:
(1)
A clinically integrated care setting in which individuals typically receive
health care from more than one health care provider;
(2)
An organized system of health care in which more than one covered entity
participates, and in which the participating covered entities:
(i)
Hold themselves out to the public as participating in a joint arrangement;
and
(ii)
Participate in joint activities that include at least one of the following:
(A)
Utilization review, in which health care decisions by participating
covered entities are reviewed by other participating covered entities or
by a third party on their behalf;
(B)
Quality assessment and improvement activities, in which treatment provided
by participating covered entities is assessed by other participating
covered entities or by a third party on their behalf; or
(C)
Payment activities, if the financial risk for delivering health care is
shared, in part or in whole, by participating covered entities through the
joint arrangement and if protected health information created or received
by a covered entity is reviewed by other participating covered entities or
by a third party on their behalf for the purpose of administering the
sharing of financial risk.
(3)
A group health plan and a health insurance issuer or HMO with respect to such
group health plan, but only with respect to protected health information
created or received by such health insurance issuer or HMO that relates to
individuals who are or who have been participants or beneficiaries in such
group health plan;
(4)
A group health plan and one or more other group health plans each of which are
maintained by the same plan sponsor; or
(5)
The group health plans described in paragraph (4) of this definition and
health insurance issuers or HMOs with respect to such group health plans, but
only with respect to protected health information created or received by such
health insurance issuers or HMOs that relates to individuals who are or have
been participants or beneficiaries in any of such group health plans.
Payment means:
(1)
The activities undertaken by:
(i)
A health plan to obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the health plan;
or
(ii)
A covered health care provider or health plan to obtain or provide
reimbursement for the provision of health care; and
(2)
The activities in paragraph (1) of this definition relate to the individual to
whom health care is provided and include, but are not limited to:
(i)
Determinations of eligibility or coverage (including coordination of
benefits or the determination of cost sharing amounts), and adjudication or
subrogation of health benefit claims;
(ii)
Risk adjusting amounts due based on enrollee health status and demographic
characteristics;
(iii)
Billing, claims management, collection activities, obtaining payment under a
contract for reinsurance (including stop-loss insurance and excess of loss
insurance), and related health care data processing;
(iv)
Review of health care services with respect to medical necessity, coverage
under a health plan, appropriateness of care, or justification of charges;
(v)
Utilization review activities, including precertification and
preauthorization of services, concurrent and retrospective review of
services; and
(vi)
Disclosure to consumer reporting agencies of any of the following protected
health information relating to collection of premiums or reimbursement:
(A)
Name and address;
(B)
Date of birth;
(C)
Social security number;
(D)
Payment history;
(E)
Account number; and
(F)
Name and address of the health care provider and/or health plan.
Plan sponsor is defined as defined at section 3(16)(B) of ERISA,
29 U.S.C. 1002(16)(B).
Protected health information means individually identifiable health
information:
(1)
Except as provided in paragraph (2) of this definition, that is:
(i)
Transmitted by electronic media;
(ii)
Maintained in any medium described in the definition of electronic media
at § 162.103 of this subchapter; or
(iii)
Transmitted or maintained in any other form or medium.
(2)
Protected health information excludes individually identifiable health
information in:
(i)
Education records covered by the Family Educational Right and Privacy Act,
as amended, 20 U.S.C. 1232g; and
(ii)
Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
Psychotherapy notes means notes recorded (in any medium) by a health care
provider who is a mental health professional documenting or analyzing the
contents of conversation during a private counseling session or a group,
joint, or family counseling session and that are separated from the rest of
the individual's medical record. Psychotherapy notes excludes medication
prescription and monitoring, counseling session start and stop times, the
modalities and frequencies of treatment furnished, results of clinical tests,
and any summary of the following items: diagnosis, functional status, the
treatment plan, symptoms, prognosis, and progress to date.
Public health authority means an agency or authority of the United States, a
State, a territory, a political subdivision of a State or territory, or an
Indian tribe, or a person or entity acting under a grant of authority from or
contract with such public agency, including the employees or agents of such
public agency or its contractors or persons or entities to whom it has granted
authority, that is responsible for public health matters as part of its
official mandate.
Required by law means a mandate contained in law that compels a covered
entity to make a use or disclosure of protected health information and that is
enforceable in a court of law. Required by law includes, but is not limited
to, court orders and court-ordered warrants; subpoenas or summons issued by a
court, grand jury, a governmental or tribal inspector general, or an
administrative body authorized to require the production of information; a
civil or an authorized investigative demand; Medicare conditions of
participation with respect to health care providers participating in the
program; and statutes or regulations that require the production of
information, including statutes or regulations that require such information
if payment is sought under a government program providing public benefits.
Research means a systematic investigation, including research development,
testing, and evaluation, designed to develop or contribute to generalizable
knowledge.
Treatment means the provision, coordination, or management of health care and
related services by one or more health care providers, including the
coordination or management of health care by a health care provider with a
third party; consultation between health care providers relating to a patient;
or the referral of a patient for health care from one health care provider to
another.
Use means, with respect to individually identifiable health information, the
sharing, employment, application, utilization, examination, or analysis of
such information within an entity that maintains such information.