Policy/Memo 112

Number: Policy Memo 112
Date Issued: April 14, 2003
Policy File Ref: A1810
Subject: HIPAA Privacy Policies and Administrative Requirements

PURPOSE:

To define terms used throughout policies for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification requirements.

Terms:

Authorization means an expression of permission by an individual or his/her personal representative that allows the use or disclosure of PHI for purposes other than treatment, payment, or health care operations, or public responsibility. Authorizations must satisfy very specific requirements established at 45 CFR 164.506 (c), as discussed further in Policy Memorandum #117.

Business Associate (BA) means a person or organization that, on behalf of a covered entity or an organized health care arrangement, other than as a member of the workforce of the covered entity or organized health care arrangement, assists in the performance of a function or activity that involves the use or disclosure of individually identifiable health information from the covered entity or organized health care arrangement. A covered entity may be the business associate of another covered entity. A covered entity participating in an organized health care arrangement does not become a business associate of another covered entity participating in the same organized health care arrangement as long as the use and disclosure of individually identifiable health information remains within the limits of the organized health care arrangement’s operations.

Covered Entity means a health plan, health care clearinghouse, or a health care provider that transmits any health information in electronic form relating to any transaction which is required to comply with the HIPAA Privacy Regulations. The Department of Civil Service is a covered entity under HIPAA, as are the insurance carriers and Health Maintenance Organizations with whom we conduct business.

Covered functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. For EBD, covered functions include those functions we perform in the administration of NYSHIP, the NYS Dental and Vision plans, and the Long Term Care Program.

Designated record set means any enrollment, payment, claims adjudication, and case or medical management record systems maintained about an individual, which is used by a covered entity to make decisions about the individual. In the case of the various health plans, the designated record set is the set of information about an individual contained in the New York Benefits Eligibility and Accounting System (NYBEAS).

DHHS stands for the United States Department of Health and Human Services.

Disclose means to release, transfer, provide access to, divulge in any manner, or otherwise share protected health information with a person, organization, or entity that is not part of the Employee Benefits Division’s health care component.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health care component means a component (or combination of components) of a hybrid entity that has been designated by the hybrid entity as being involved in performing covered functions. For example, EBD and other select Department staff form a health care component of the Department, which is a hybrid entity.

Health Care Operations means and includes functions such as quality assessment and improvement activities; reviewing competence and qualifications of health care professionals; underwriting, premium rating and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits; conducting or arranging for medical review; legal services and auditing functions; planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the covered entity, including the development or improvement of methods of payment or coverage policies. It also includes general business and administration activities, including management activities relating to compliance with HIPAA privacy requirements; customer service, including providing data analyses for plan sponsors and other customers, as long as protected health information is not disclosed to the plan sponsor or other customer; resolution of internal grievances, and creating de-identified health information or limited data sets consistent with 45 CFR 164.514.

Health Oversight Agency means a governmental agency or authority, or a person or entity acting under a grant of authority from or a contract with such public agency, including the employees or agents of the public agency, its contractors and those to whom it has granted authority, that is authorized by law to oversee the public or private health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights for which health information is relevant. For example, the DHHS, the NYS Department of Health, and the Office of the State Comptroller each may be considered a health oversight agency.

Hybrid entity means a single legal entity that is a HIPAA covered entity and whose business activities include both covered and non-covered functions, and which designates health care components as being involved in performing those covered functions.

Individual means the person who is the subject of protected health information.

Individually Identifiable Health Information means information that relates to the past, present or future physical or mental health of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that has been created or received by a health plan, health care provider, or employer, and which identifies the individual or to which there is a reasonable basis to believe that the information can be used to identify the individual.

Organized health care arrangement means an organized system of health care in which more than one covered entity participates, in which the participating covered entities hold themselves out to the public as participating in a joint arrangement. For example, the Empire Plan is an organized health care arrangement, and the other health plans and the arrangements with the health maintenance organizations also may be characterized as organized health care arrangements.

Payment means, in the case of the health plans, activities undertaken to obtain premiums or to determine or fulfill the health plan’s responsibility for coverage and the provision of benefits. This includes but is not limited to determinations of eligibility, coordination of benefits, and adjudication or subrogation of claims; risk adjusting amounts due based on enrollee health status and demographic characteristics; billing, claims management, collection activities, and related health care data processing; review of health care services with respect to medical necessity, coverage, appropriateness of care, or justification of charges; utilization review activities; and disclosure to consumer reporting agencies of specific PHI relating to the collection of premiums or reimbursement.

Personal Representative means a person who has authority under applicable law to make decisions related to health care on behalf of an adult or an emancipated minor, or the parent, guardian, or other person acting in loco parentis (i.e., acting as a temporary guardian of a child), who is authorized under law to make health care decisions on behalf of an unemancipated minor, except where the minor is authorized by law to consent, on his/her own or via court approval, to a health care service, or where the parent, guardian or person acting in loco parentis has assented to an agreement of confidentiality between the provider and the minor. Uses and disclosures of PHI to personal representatives are discussed in Policy Memorandum #116.

Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan, and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan offered by the plan sponsor.

Plan sponsor means the employer in the case of an employee benefit plan established or maintained by a single employer; or, in the case of a plan established or maintained by two or more employers, the committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan. Each of the various health plans administered by EBD has a Plan Sponsor.

Protected Health Information (PHI) means Individually Identifiable Health Information that is transmitted by electronic media, maintained by electronic media, or transmitted or maintained in any other form of medium.

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Summary health information means information, which may be individually identifiable health information, that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and from which certain identifying information has been deleted.

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Use means the sharing, application, utilization, examination, or analysis of protected health information within the Employee Benefits Division health care component.

Workforce Members means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for EBD, is under the direct control of EBD, regardless of whether or not they are paid by EBD.