HIPAA Definitions

Definitions (courtesy of the UCLA Office of Human Research Protections Program)

Authorization: Under HIPAA, the granting of rights to access PHI. Authorization is required by HIPAA for disclosures or uses other than for Treatment Payment Operations (TPO), which are covered in the Notice of Privacy Practices. Treatment cannot be conditioned on granting of an authorization. An authorization is a specific, detailed document requesting patient-subject permission for the use of covered PHI.

Covered Entity: A covered entity is a health plan, a health care clearinghouse, or a health care provider transmitting health information, and is, therefore, subject to the HIPAA regulations.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information. Disclosure of PHI requires a specific authorization under HIPAA except if disclosure is related to the provision of TPO (Treatment Payment Operations) of the entity responsible for the PHI or under a limited set of other circumstances, such as public health purposes.

Health Information: Any information, whether oral or recorded in any form or medium, that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Hybrid Entity: A single legal covered entity with health care and non-health care functions, where the former are covered functions but are not its primary functions. The University of California is a hybrid entity.

Individually Identifiable Health Information is any information created, used, or received by a health care provider that relates to:

  • The past, present, or future physical or mental health or condition of an individual,
  • The provision of health care to an individual, or
  • The past, present, or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual. The collection of individually-identifiable health information for research constitutes human subjects research.

Minimum Necessary Standard: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.

Notice of Privacy Practices: The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides clear explanations of these rights and practices. The Notice of Privacy Practices is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. Note: Sometimes the Notice of Privacy Practices is interchangeable with PHI.

Personal Health Information is used on the University of California HIPAA Authorization form in order to (1) capture the meaning of both protected health information (HIPAA term) and medical information (California Health & Safety Code: California Confidentiality of Medical Information term), (2) communicate to the research subject that information is “personal”, and (3) convey information at an eighth-grade reading level.

Protected Health Information (PHI) is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications.
