Skip to main content

HIPAA Definitions


What is Protected Health Information (PHI)?

 

The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium. This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of medical care to an individual that is created or received by a medical care provider, health plan, employer, or medical care clearinghouse (including the individually identifiable health information of non-U.S. citizens). For purposes of the Privacy Rule, genetic information is considered to be health information.

 

What is a Designated Record Set?

 

An individual has a right to request their personal designated record set which includes any item or collection of information that includes PHI which is maintained, used, collected or distributed for or by a covered entity. Examples include medical records, billing, payment and claims records, lab results, wellness and disease management files, x-rays.

 

Information excluded from a designated records set includes but is not limited to the following:

 

Assessments

Peer Review Files

Patient Safety Activity Records

Business Planning, development and management records

Psychotherapy notes, which are the personal notes from the provider or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient's medical record

Information that is gathered in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding

 

 

What is the definition of treatment, payment and healthcare operations?

 

Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

 

Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

 

Health care operations are defined as any of the following activities of a Covered Entity or Business Associate:

 

• Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

 

• Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

 

• Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance);

 

• Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

 

• Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

 

• Business management and general administrative activities of the entity.

 

This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.