A

Is the collection of information from the medical record via hard copy or electronic instrument.

A range of the following improper behaviors or billing practices including, but not limited to:billing for a non-covered service; misusing codes on the claim (i.e., the way the service is coded on the claim does not comply with national or local coding guidelines or is not billed as rendered); or inappropriately allocating costs on a cost report

When another person does something on purpose that causes you mental or physical harm or pain.

Your ability to get needed medical care and services. The process of obtaining data from, or placing into a computer system or storage device. It refers to such actions by any individual or entity who has the appropriate authorization for such actions.

Your ability to get medical care and services when you need them.

Some States use the findings of private accreditation organizations, in part or in whole, to supplement or substitute for State oversight of some quality related standards. This is referred to as "deemed compliance" with a standard.

An arrangement whereby a self-insured entity contracts with a Third Party Administrator (TPA) to administer a health plan.

Title II, Subtitle F, of HIPAA which authorizes HHS to: (1) adopt standards for transactions and code sets that are used to exchange health data; (2) adopt standard identifiers for health plans, health care providers, employers, and individuals for use on standard transactions; and (3) adopt standards to protect the security and privacy of personally identifiable health information.

This Act (Public Law 107-105) provides a one-year extension to HIPAA "covered entities" (except small health plans, which already have until October 16, 2003) to meet HIPAA electronic and code set transaction requirements. Also, allows the Secretary of HHS to exclude providers from Medicare if they are not compliant with the HIPAA electronic and code set transaction requirements and to prohibit Medicare payment of paper claims received after October 16, 2003, except under certain situations.

Code sets that characterize a general business situation, rather than a medical condition or service. Under HIPAA, these are sometimes referred to as non-clinical or non-medical code sets. Compare to medical code sets.

A professional organization for physicians. The AMA is the secretariat of the NUCC, which has a formal consultative role under HIPAA. The AMA also maintains the Current Procedural Terminology (CPT .) medical code set.

ANSI is a broad based agency charged with overseeing voluntary standards development for everything from computers to household products. ANSI accredits standards development organizations (SDO) based on their consensus process, then reviews and officially approves the SDO recommendations.

American Society for Testing and Materials develops standards on characteristics and performance of materials, products, systems, and services. There are numerous standards-writing technical committees. E31 is the Committee on Computerized Systems and E31.28 is the subcommittee on Healthcare Informatics responsible for the Continuity of Care (CCR) standard.

Costs that are typically 15-20% of the software license costs. Where the actual license is normally a one- time fee, the support and maintenance costs are renewed on a yearly basis. This yearly fee basically covers two areas: 1) any upgrades or new releases; and 2) customer service and support. It should be noted that both vendor EHR software and third party software will need support, so it is important to determine which components the support costs cover. Also, some vendors might have more than one service level agreement representing different support options at different costs.

Online, we can use an Internet site called a remailer that reposts a message from the site's own address, thus concealing the originator of the message.

This privacy service lets a user visit Web sites while preventing those sites from gathering information about the user (including IP address, browser and operating system identification, and cookie-stored data) or which sites he has visited

The orderly arrangement of parts; structure.

See American Society for Testing and Materials.

A system that uses different keys for encryption and decryption. Within such a system, it is computationally infeasible to determine the decryption key (which is kept private) from the encryption key (which is made publicly available).

A characteristic or property.

Chronological record of system activity which enables the reconstruction of information regarding the creation, distribution, modification, and deletion of data.

Verification of the identity of a person or process.

The role or set of permissions for information system activity assigned to an individual.

What the health plans make people sign at the start of the year as a condition of being in the plan-its NOT informed consent, because it says that you agree to release ALL past and future medical records (that is the blanket part) to the health plan or insurer if they request them, as a condition of being covered by the plan (that is the coercion part).

Technology that uses some human biological feature (e.g. fingerprint, voice pattern, retina scan, or signature dynamics) to uniquely identify an individual.

A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. Also see Part II, 45 CFR 160.103.

The term agent is often used to describe a person or organization that assumes some of the responsibilities of another one. This term has been avoided in the final rules so that a more HIPAA-specific meaning could be used for business associate.

The entity providing third party trust within PKI.

The HHS agency responsible for Medicare and parts of Medicaid.CMS is responsible for oversight of HIPAA administrative simplification transaction and code sets, health identifiers, and security standards.

Testing a product for the existence of specific features, functions, or characteristics required by a standard in order to determine the extent to which that product satisfies the standard requirements.

Contract needed to extend the responsibility to protect health care data across a series of sub-contractual relationships.

A software product that maps chief complaints, captured as text, and transforms them into useful digital data that can be used in functions such as public health outbreak surveillance.

A national administrative code set that identifies the status of health care claims. This code set is used in the X12N 277 Claim Status Inquiry and Response transaction, and is maintained by the Health Care Code Maintenance Committee.

A method of grouping clinical concepts in order to represent classes that support the generation of indicators of health status and health statistics.

The data warehouse that contains clinical data (HL7 messages) centrally.

The process used by the HIE to determine the identity of the person accessing the system with adequate certainty to maintain security and confidentiality of personal health information and to administer with certainty of identity a regulated process such as e-prescribing and chart signing.

The uniform institutional claim form.

The uniform professional claim form.

The official compilation of federal rules and requirements.

Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions. Also see Part II, 45 CFR 162.103.

Under HIPAA, this is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective data of the associated final rule for most entities, but 36 months after the effective data for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective data, but can be longer for small health plans and for complex changes.

Information from different RHIO Participants is combined and integrated into a single record to form a Community Health Record System.

A 3rd party's obligation to protect the personal information with which it has been entrusted.

The expectation that personal information will be held in confidence.

A system of standardizing the terms used in describing client-centered health and health service-related concepts.

Consulting services offered by the vendor. These services will take your original data, either in paper or electronic form, and transfer the data into the EHR system database.

Process for determining the respective responsibilities of two or more health plans that have some financial responsibility for a medical claim. Also called cross-over.

Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

A medical code set of dental procedures, maintained and copyrighted by the American Dental Association (ADA), and adopted by the Secretary of HHS as the standard for reporting dental services on standard transactions.

A medical code set of physician and other services, maintained and copyrighted by the American Medical Association (AMA), and adopted by the Secretary of HHS as the standard for reporting physician and other services on standard transactions.

Subset of the HCPCS Level II medical codes identifying certain dental procedures. It replicates many of the CDT codes and will be replaced by the CDT. Descriptor: The text defining a code in a code set.

The physical space and hardware used by the HIE to house its operations if these assets are kept within the HIE.

A description of the circumstances in which certain data is required.

Under HIPAA, this is all the data elements and code sets inherent to a transaction, and not related to the format of the transaction.

Under HIPAA, this is the smallest named unit of information in a transaction.

The accuracy and completeness of data, to be maintained by appropriate security measures and controls. Preservation of the original quality and accuracy of data, in written or in electronic form.

The process of matching one set of data elements or individual code values to their closest equivalents in another set of them. This is sometimes called a cross-walk.

A mechanism and process to safely store duplicate databases and recreate the data should a disaster occur.

The RHIO holds each RHIO Participant's information in separate silos, but pulls information from applicable silos when information about a particular patient is requested. This is a 'hub and spoke' arrangement.

Computerized functions that assist users in making decisions in their job functions. In the practice of medicine, these functions include providing electronic access to medical literature, alerting the user to potential adverse drug interactions, and suggesting alternative treatment plans for a certain diagnosis.

The technique of using mathematical procedures to "unscramble" data so that an unintelligible (encrypted) message becomes intelligible.

Information about name, address, age, gender, and role used to link patient records from multiple sources in the absence of a unique patient identifier.

The federal government department that has overall responsibility for implementing HIPAA.

The text defining a code in a code set.

A medical code set or an administrative code set that is required to be used by the adopted implementation specification for a standard transaction.

A standard which HHS has designated for use under the authority provided by HIPAA.

An organization, designated by the Secretary of the U.S. Department of Health & Human Services, to maintain standards adopted under Subpart I of 45 CFR Part 162. A DSMO may receive and process requests for adopting a new standard or modifying an adopted standard.

A standard which defines protocols for the exchange of medical images and associated information (such as patient identification details and technique information) between instruments, information systems, and health care providers. It establishes a common language that enables medical images produced on one system to be processed and displayed on another.

A string of binary digits which is computed using an encryption algorithm. Digital signatures enable signatory authentication, confirmation of data integrity, and non-repudiation of messages.

Under HIPAA, this is the direct entry of data that is immediately transmitted into a health plan's computer.

The sharing of PHI outside of the institution (i.e., from principal investigator to study sponsor).

The process of cross-linking the multiple provider identifiers in a community from a variety of provider identifier sources and creating a master doctor identifier with a key for cross-referencing the various community identifiers.

A software process that allows for the secure review, editing, and signature through electronic, distributed technology of electronic health record components, such as operative reports, discharge summaries, and consultations.

A software tool for accepting an EDI transmission and converting the data into another format, or for converting a non-EDI data file into an EDI format for transmission.

Under HIPAA, this is the date that a final rule is effective, which is usually 60 days after it is published in the Federal Register.

The electronic delivery of laboratory results to practices so that such data may be integrated into electronic patient records in a full EHR system, or used by a dedicated application to view structured, context-rich, and/or longitudinal laboratory results on a patient. eLaboratory includes closing the orders loop, documenting the review of results by clinicians, and documenting that the results have been communicated to the patient. The full benefits of eLaboratory are not achieved until the results are used as input into clinical decision support systems (CDSS).

The ability to contact the payer before the patient is seen and get a response that indicates whether or not the services to be rendered will be covered by the payer. Reference: eHealth Initiative Foundation. "Second Annual Survey of State, Regional and Community-based Health Information Exchange Initiatives and Organizations." Washington: eHealth Initiative, 2005.

Refers to the exchange of routine business transactions from one computer to another in a standard format, using standard communications protocols.

Health records kept in electronic form, as opposed to health records kept on paper.

Electronically maintained information about an individual's lifetime health status and health care.

A flat file format used to transmit or transport claims.

Medical records kept in electronic form (as opposed to medical records kept on paper).

Support the capture and reporting of quality, performance, and accountability measures to which providers/facilities/delivery.

Any of several electronic formats for explaining the payments of health care claims.

A digital signature, which serves as a unique identifier for an individual.

A standard adopted by the Secretary of HHS to identify employers in standard transactions. The IRS' EIN is the adopted standard.

The process of enciphering or encoding a message so as to render it unintelligible without a key to decrypt (unscramble) the message.

"The consent provisions (in the Original Rule)...are replaced with a new provision...that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations." 67 Fed. Reg. at 53,211

A federal act that allows banks, financial institutions and all their affiliates and non-affiliates to share sensative financial and medical records without consent or notice (and affiliates are typically insurers).

A health plan that provides health coverage to employees, former employees, and their families, and is supported by an employer or employee organization.

A public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

Assures the clear and reliable communication of meaning by providing the correct context and exact meaning of the shared information as approved by designated communities of practice. This adds value by allowing the information to be accurately linked to related information, further developed and applied by computer systems and by care providers for the real-time delivery of optimal patient care.

Activities that are related to the general business and administrative functions of the covered entity regardless of whether they are connected to the treatment or payment of an individual. This may include quality assessment, accreditation and training, business planning and development, general administrative activities and due diligence in connection with the sale of a covered entity to another covered entity.

A provider of services (as defined in section 1861(u)), a provider of medical or other health services (as defined in section 1861(s)), and any other person furnishing health care services or supplies.

Any information, whether oral or recorded in any form or medium, that-"(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and"(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

The mobilization of healthcare information electronically across organizations within a region or community.HIE provides the capability to electronically move clinical information between disparate healthcare information systems while maintaining the meaning of the information being exchanged. The goal of HIE is to facilitate access to and retrieval of clinical data to provide safer, more timely, efficient, effective, equitable, patient-centered care.

Formal organizations are now emerging to provide both form and function for health information exchange efforts. These organizations (often called Regional Health Information Organizations, or RHIOs) are ordinarily geographically-defined entities which develop and manage a set of contractual conventions and terms, arrange for the means of electronic exchange of information, and develop and maintain HIE standards.

Although HIE initiatives differ in many ways, survey results and eHI experiences with states, regions and communities indicate that those who are experiencing the most success share the following characteristics. They are:

• Governed by a diverse and broad set of community stakeholders;
• Develop and assure adherence to a common set of principles and standards for the technical and policy aspects of information sharing, addressing the needs of every stakeholder;
• Develop and implement a technical infrastructure based on national standards to facilitate interoperability;
• Develop and maintain a model for sustainability that aligns the costs with the benefits related to HIE; and
• Use metrics to measure performance from the perspective of: patient care, public health, provider value, and economic value.

Reference: eHealth Initiative. "Second Annual Survey of State, Regional and Community-based Health Information Exchange Initiatives and Organizations." Washington: eHealth Initiative, 2005.

A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships.

An ANSI approved American National Standard for electronic data exchange in health care. It enables disparate computer applications to exchange key sets of clinical and administrative information.

A health maintenance organization (HMO) contracts with doctors, hospitals, and health care providers to provide medical care to a group of consumers. Generally, HMOs will not pay for your care unless you receive it from one of their health care providers. The HMO usually receives a fixed amount of money per patient for each enrollee. Enrollees of the HMO generally do not have any significant out-of-pocket expenses.

An entity that assumes the risk of paying for medical treatments, i.e. uninsured patient, self-insured employer, payer, or HMO.

An individual or group plan that provides, or pays the cost of, medical care.

An administrative code set that classifies health care providers by type and area of specialization.

A covered entity whose covered functions are not its primary functions.

The 1972 revision of the international disease classification system developed by the World Health Organization.

The American modification of the ICD-9 classification system for both diagnoses and procedures.

The 1992 revision of the international disease classification system developed by the World Health Organization.

The American modification of the ICD-10 classification system, for field review release in 1998.

A classification system for reporting clinical procedures, to accompany ICD-10-CM, developed in the US, for 1998 field review release.

A document explaining the proper use of a standard for a specific business purpose. The X12N HIPAA IGs are the primary reference documents used by those implementing the associated transactions, and are incorporated into the HIPAA regulations by reference.

Consulting services offered by the vendor. These services will provide planning and actual implementation of an EHR system. It is important when comparing quoted implementation costs that physicians understand which detailed cost line items a particular vendor will be supplying. Also, make sure and take a look at their project plans.

The application of computer science and information science to the management and processing of data, information, and knowledge.

Any information, including demographic information collected from an individual, that- "(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and "(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and- "(i) identifies the individual; or "(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Informed consent is a process of information exchange that may include, in addition to reading and signing the informed consent documents, subject recruitment materials, verbal instructions, question/answer sessions and measures of subject understanding. The clinical investigator is responsible for ensuring that informed consent is obtained from each research subject before that subject participates in the research study.

The ethical standard in medicine is informed (meaning you know exactly what info you are consenting to release) contemporaneous (at the time the info is being requested or is needed, NOT before) consent. Informed also means that you can comprehend the effects of releasing the info, ie you are of sound mind and capable of understanding what is going on.

Shared boundary between two functional units defined by various characteristics pertaining to the functions, physical interconnections, signal changes, and other characteristics as appropriate.

The interface between an HIE and the systems that are sources for admission, discharge and transfer (ADT) of patients in the care delivery setting and that are resident within care delivery institution.

The interface between an HIE and Electronic Health Records (EHRs) that are maintained on ASP platforms (i.e. NexGen, AllScripts).

The interface between an HIE and the systems that are sources for or routing pathways for claims data that are resident within health plans and claims clearinghouses.

The interface between an HIE and the systems that are sources for EKG results that are resident within dispensing physician offices and hospitals.

The interface between an HIE and the source data of which people have eligibility for which type of benefits that are resident within health plans and are not infrequently web-enabled.

The interface between an HIE and the systems that are sources for formulary status of specific drugs for specific health benefit designs and that are resident within pharmacy benefit management companies and hospitals.

The interface between an HIE and systems that are sources of laboratory data.

The interface between an HIE and the systems that are sources for prescription data or that are resident within dispensing pharmacies, pharmacy benefit management companies and hospitals.

The interface between an HIE and the systems that are sources for the financial management systems of physician practices.

The interface between an HIE and the systems that track the multiple providers and their identifying data that are resident within health plans, dispensing pharmacies, pharmacy benefit management companies laboratories, physician practices, and hospitals.

The interface between an HIE and EHRs that are maintained in practice-specific systems (e.g. EPIC).

The interface between an HIE and systems that are sources for radiological data.

The interface between an HIE and the systems that are sources for transcribed reports. Typically these systems are based at a transcription service or at a hospital and contain admission and discharge notes and consultations, operative reports, and pathology and radiology results.

Within the context of the Internet, the right to privacy is still being defined.Generally, it involves a person's right to control what information about himself is revealed and to whom, as well as what others may do with that information. It's not the same thing as secrecy, but the distinction is sometimes murky. Privacy isn't an absolute right, since it's often trumped by laws and overriding social needs. For example, law enforcement officials may obtain warrants that allow them to intercept communications or search physical areas, activities that otherwise would be forbidden.

The ability of two or more systems or components to exchange information and to use the information that has been exchanged accurately, securely, and verifiably, when and where needed.

The ability of two or more systems or components to exchange information and to use the information that has been exchanged accurately, securely, and verifiably, when and where needed.

A subset of the HCPCS Level II code set with a high-order value of "J" that has been used to identify certain drugs and other items.

The Supreme Court has found that the "reason and experience" of the country shows that effective psychotherapy can only be provided if there is a privilege that permits the disclosure of psychotherapy communications, in most instances, only with the patient's permission.

A sequence of symbols that controls the operations of encryption and decryption.

A data record that authenticates the owner of a public key for an asymmetric algorithm. It is issued by a certification authority and is protected by a digital signature allowing the certificate to be verified widely. The certificate may also contain other fields beside the value to the key and the name of the owner, for example an expiration date.

A generic term for code values that are defined for a State or other local division or for a specific payer. Commonly used to describe HCPCS Level III Codes.

The LOINC databases provide sets of universal names and ID codes for identifying laboratory and clinical test results. The purpose is to facilitate the exchange and pooling of results, such as blood hemoglobin, serum potassium, or vital signs, for clinical care, outcomes management, and research.

Managed care organizations have arrangements with doctors, hospitals, and other health care providers for their services. These doctors, hospitals, and health care providers form a network. Examples of managed care organizations include: Health MaintenanceOrganizations (HMOs) and Preferred Provider Organizations (PPOs)

Under HIPAA, this is all of the required data elements for a particular standard based on a specific implementation specification.

Codes that characterize a medical condition or treatment.

The process of cross-linking the multiple possible medication identifiers naming conventions in a community from a variety of systems housing medication information and creating a master medication identifier with a key for cross-referencing the various community identifiers. For example there are hundreds of NDC codes for identical drugs as well as HCPCS codes that identify the same drug as NDC codes.

As explained in the original HIPAA health privacy rule, the right of individuals to medical privacy means the right "to determine for themselves when, how, and to what extent information about them is communicated".

A Medicare Part A Fiscal Intermediary (institutional), a Medicare Part B Carrier (professional), or a Medicare Durable Medical Equipment Regional Carrier (DMERC)

Protecting a message against its unauthorized modification, often by the originator of the message generating a digital signature.

The process of communicating electronically with pharmacies. This typically includes the cost of communication lines and processes between the HIE and pharmacies. This is necessary to support the e-prescribing function when that function includes the process of electronically sending a digital prescription to the pharmacy.

The process of communicating electronically with providers. This typically includes the cost of communication lines and processes between the HIE and provider terminals.

The least amount of information required to achieve the purpose of the use, disclosure or request.

Under HIPAA, this is a change adopted by the Secretary(HHS Secretary, Tommy Thompson), through regulation, to a standard or an implementation specification.

When combinations of data tidbits produce a picture that wasn't apparent from the individual pieces.

It serves as the statutory [42 U.S.C. 242k(k)] public advisory body to the Secretary of Health and Human Services in the area of health data and statistics. The Committee provides advice and assistance to the Department and serves as a forum for interaction with interested private sector groups on a variety of key health data issues.

An ANSI-accredited group that maintains a number of standard formats for use by the retail pharmacy industry, some of which have been adopted as HIPAA standards.

A medical code set maintained by the Food and Drug Administration that contains codes for drugs that are FDA-approved.

The name of the federal government's program to implement a national interoperable system for sharing electronic medical records or EMRs (AKA electronic health records or EHRs).

A system for uniquely identifying all providers of health care services, supplies, and equipment. A term proposed by the Secretary of HHS as the standard identifier for health care providers.

Generically, this applies to any nationally standardized data format, but it is often used in a more limited way to designate the Professional EMC NSF, a 320-byte flat file record format used to submit professional claims.

A NCPDP format for use by low-volume dispensers of pharmaceuticals, such as nursing homes. The Secretary of HHS adopted Version 1.0 of this format as a standard transaction.

A NCPDP format designed for use by high-volume dispensers of pharmaceuticals, such as retail pharmacies. The Secretary of HHS adopted Version 5.1 of this format as a standard transaction.

A set of connected elements. For computers, any collection of computers connected together so that they are able to communicate, permitting the sharing of data or programs.

The process used for maintaining connection for communication between the HIE and a data source (laboratory, radiology practice, physician practice, or hospital) and data user (physician practice or hospital).

A non-routine use or disclosure is a use or disclosure other than for treatment, payment, or health care operations purposes that is not otherwise permitted or required by law. For example, an authorization would be required in connection with a pre-employment medical exam or the release of information to the patient's attorney. The Privacy Rule requires that patients sign an Authorization form for most non-routine uses and disclosures of patient health information.

HIPAA requires all covered entities to give patients a notice of their privacy practices, which must include how information about how their medical records will be shared.

A document that describes and explains regulations that the Federal Government proposes to adopt at some future date, and invites interested parties to submit comments related to them. These comments can then be used in developing a final regulation.

A term used by CMS for a proposed standard identifier for health plans. CMS had previously used the terms PayerID and PlanID for the health plan identifier.

This office is part of HHS. Its HIPAA responsibilities include oversight of the privacy requirements.

An important distinction in the privacy debate concerns the terms under which e-mail marketers (legitimate ones, not spammers that ignore ethical and legal concerns) can contact users, and how users can add or remove themselves from databases.

The process of communicating health care provider orders through electronic, computerized processes.

The process of communicating health care provider orders through electronic, computerized processes.

eHI has developed a set of principles and framework for alignment of incentives with both quality and efficiency goals as well as HIT capabilities within the physician practice and health information exchange capabilities across markets. This Framework—entitled “Parallel Pathways for Quality Healthcare” offers significant guidance to states, regions and communities who are exploring health information exchange as a foundation to address quality, safety and efficiency challenges.

• Provider
• Governor
• Manager
• Recipient
• Researcher
• Educator
• Worker
• Family Member

Roles may be used to authorize an individual's access to information system functionality.

The process of cross-linking the multiple patient identifiers in a community from a variety of patient identifier sources and creating a master patient identifier with a key for cross-referencing the various community identifiers. This is also referred to as a record locator service.

A person's identifable medical or health records.

Typically a health record that is initiated and maintained by an individual. An ideal PHR would provide a complete and accurate summary of the health and medical history of an individual by gathering data from many sources and making this information accessible online to anyone who has the necessary electronic credentials to view the information.From HITECH Act (page 145): The term "personal health record" means an electronic record of PHR identifiable health information (as defined in section 13407(f)(2)) on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

From HHS OCR: In general, a PHR is an electronic record of an individual's health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own heath care.

An entity that sponsors a health plan. This can be an employer, a union, or some other entity.

This is a standard XML format adopted by the World Wide Web Consortium for Web sites to use to encode their privacy policies [see QuickLink 33484].

The RHIO identifies where each patient's information is located and serves as a master patient index. All RHIO Participants interact with each other to exchange information, although an intermediary may facilitate the exchange of information.

Preferred provider organizations have contracts with doctors, hospitals, and other health care providers and have negotiated certain fees. As long as you get your care from these providers, you will only have to make your co-payment. If you go to a provider outside of the PPO, your care may still be covered, but you may have to pay more.

A person, an organization, or a software package that reviews procedures, diagnoses, fee schedules, and other data and determines the eligible amount for a given health care service or supply. Additional criteria can then be applied to determine the actual allowance, or payment, amount.

Right of an individual to control the circulation of information about him-/herself within social relationships; freedom from unreasonable interference in an individual's private life; an individual's right to protection of data regarding him/her against misuse or unjustified publication.

The U.S. government must not conceal the existence of any personal data record-keeping system by any agency.

Most Web sites have a page describing in detail the site's privacy practices and what the site's owners will do with any information they collect.

"The right of privacy is: 'the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated'." 65 Fed. Reg. at 82,465

In asymmetric cryptography, the key which is held only by the user for signing and decrypting messages.

Individually identifiable information transmitted or maintained in any form (electronic means, on paper, or through oral communication) that relates to the past, present or future physical or mental health or conditions that can reasonably be used to identify an individual.

Pseudonymity is the ability to prove a consistent identity without revealing one's actual name, instead using an alias or pseudonym.

A software product that processes extracted data from health care provider systems for the purpose of tracking, trending, and reporting for public health reasons.

In asymmetric cryptography, the key which is published by the user to encrypt messages and so that others may verify his/her signature.

A data record that authenticates the owner of a public key for an asymmetrical key system. It is issued by a CA and is protected by a digital signature, allowing the certificate to be verified widely.

A conceptual framework that enables the encryption, decryption and electronic "signing" of data transmissions in a secure fashion within an open network environment.

Now on the verge of becoming a widespread supply chain tool, radio frequency identification tags are getting smaller and cheaper, and privacy concerns are being raised. It may not be long before such tags are built into individual items (such as clothing), not just shipping pallets, allowing an unprecedented amount of automated monitoring of people's habits, behaviors and locations.

RHIO Participants may include both covered and non-covered entities.

The government's preferred approach to building a National Health Information Network (NHIN) is to build and link Regional Health Information Organizations. RHIOs will interact with each other to exchange patient information.

An entity (group or agency) that has been delegated by a CA to perform a specific set of ‘trusted authority’ functions within PKI.

"The consent provisions (in the Original Rule)...are replaced with a new provision...that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations." 67 Fed. Reg. at 53,211

The process of cross-linking the multiple possible answers to asking for a given result. For instance, asking for the results of a chest x-ray could yield a dictated report or a digital image of an x-ray. In any case, the case received must be matched across the type of result to a term identifying a common result.

The process of cross-linking the multiple possible names of data results that can contain the same information. For instance a blood glucose reading can be called up by a blood glucose test, an SMA panel, or a glucometer result.

The ability to interpret the clinical data that is entered about a patient using a set of rules or algorithms which will generate warnings or alerts at various levels of severity to a clinician. These are intended to make the clinician aware of potentially harmful events, such as drug interactions, patient allergies, and abnormal results, which may affect how a patient is treated, with the intention of speeding the clinical decision process while reducing medical errors.

"The right of privacy is: 'the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated'." 65 Fed. Reg. at 82,465

Protects Americans in their beliefs, their thoughts, their emotions and their sensations - the most comprehensive of rights and the right most valued by civilized men.

If in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words and emotions." 65 Fed. Reg. at 82,464/3.

The right to privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated.

The chance of a vulnerability being exploited.

An evaluation of the chance of vulnerabilities being exploited based on the effectiveness of existing or proposed safeguards or countermeasures.

Routine purposes are defined as treatment, payment and health care operations.

A set of rules defined within a software process that converts clinical and administrative data streams into a meaningful representation of clinical quality markers to be used in functions such as pay for performance/quality data reporting.

In information systems, the degree to which data, databases, or other assets are protected from exposure to accidental or malicious disclosure, interruption, unauthorized access, modification, removal or destruction.

Under HIPAA, this is a group of related data elements in a transaction.

An individual or organization that assumes the financial risk of paying for health care.

A documented track record of how well the vendor is meeting it’s customer support commitments.

The steps that the customer needs to take in order to ensure that the vendor has all the information they need to resolve an issue.

Methods that will be used for communicating and resolving issues. Typical methods are email, phone, and online chat. Ask whether remote diagnostics and/or on site visits by support analysts are available.

Will be used for communicating and resolving issues. Typical methods are email, phone, and online chat. Remote diagnostics can be available and, in some instances, it might be necessary to have a support analyst come on site.

The mechanism that defines how a problem migrates through the support system and the different resources that get involved along the way. If a problem can’t be resolved in a certain amount of time, then it escalates until it is resolved.

Different functions of the system might warrant different response times based on severity level. There should be a schedule of response times for different types of problems, and the service level agreement should define this accountability.

Different types of problems have different levels of urgency and importance. The severity level of a problem is usually noted when a support ticket is opened up. Resolution guarantees are based on severity levels. For example, CPOE down would be a high severity level while a patient education database not working might be a lower level of severity.

Under HIPAA, this is a health plan with annual receipts of $5 million or less.

A nomenclature for use by all health services professionals developed in the US and updated at least semi-annually.

Any technology that aids in gathering information about persons or organizations without their knowledge.

• Stage One: Recognition of the need for HIE among multiple stakeholders in your state, region, or community
• Stage Two: Getting organized by defining shared vision, goals, & objectives, identifying funding sources, and setting up legal & governance structures
• Stage Three: Transferring vision, goals, & objectives to tactics and business plan, defining needs and requirements and securing funding
• Stage Four: Well under-way with implementation technical, financial, and legal
• Stage Five: Fully operational health information organization. Transmitting data that is being used by healthcare stakeholders Sustainable business model.
• Stage Six: Demonstration of expansion of organization to encompass a broader coalition of stakeholders than present in the initial operational model

Reference: eHealth Initiative Foundation. "Second Annual Survey of State, Regional and Community-based Health Information Exchange Initiatives and Organizations." Washington: eHealth Initiative Foundation, 2005.

The term 'standard', when used with reference to a data element of health information or a transaction referred to in section 1173(a)(1), means any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary (of HHS) with respect to the data element or transaction under sections 1172 through 1174.

• Has been agreed upon by a group of experts
• Has been publicly vetted
• Provides rules, guidelines, or characteristics
• Helps to ensure that materials, products, processes and services are fit for their intended purpose
• Available in an accessible format
• Subject to ongoing review and revision process

*This differs from the healthcare industry's traditional definition of "standard of care."

A standard setting organization accredited by the American National Standards Institute, including the National Council for Prescription Drug Programs, that develops standards for information transactions, data elements, or any other standard that is necessary to, or will facilitate, the implementation of this part.

A standard transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care, including health care claims, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, and health claims attachments.

Identifies variances from patient-specific and standard care plans, guidelines, and protocols.

A national WEDI effort for helping the health care industry identify and resolve HIPAA implementation issues.

It is a worldwide federation of national standards bodies from some 130 countries, one from each country. ISO's work results in international agreements which are published as International Standards.

Business associate that performs claims administration and related business functions for a self-insured entity.

Applications that are essential to the basic infrastructure of the system. They are the building blocks, such as the technical platform upon which the EHR system is built (e.g.,Windows, Linux, or MacIntosh, etc.) Also what kind of database structure controls the system (e.g, SQL, Oracle, etc.). When comparing license costs, note if there are separate general system license costs or if these are rolled into the main cost. Also, ask whether there will be additional costs when the vendor upgrades their software and it becomes necessary to install a new version of the database or operating system. Make sure your infrastructure software will support any features you wish to add later on.

Applications that are essential to the basic infrastructure of the system. They are the building blocks such as the technical platform the EHR system is built on such as, Windows, Linux, or MacIntosh, etc. Also what kind of database structure controls the system SQL, Oracle, etc. When comparing license costs note if there are separate general system license costs or if these are rolled into the main cost. Also, will there be additional costs when the vendor upgrades their software and it is necessary to install a new version of the database or operating system. Make sure your infrastructure software will support any features you wish to add later on.

External entity with whom business is conducted, i.e. customer. This relationship can be formalized via a trading partner agreement. (Note: a trading partner of an entity for some purposes, may be a business associate of that same entity for other purposes.)

Consulting services offered by the vendor. They provide hands on training for all aspects of the system.

Under HIPAA, this is the exchange of information between two parties to carry out financial or administrative activities related to health care.

A system established under HIPAA for accepting and tracking change requests for any of the adopted HIPAA transaction standards via a single web site. See www.hipaa-dsmo.org.

An electronic format of the CMS-1450 paper claim form that has been in general use since 1993.

A long-term research project developed by the US National Library of Medicine to assist health professionals and researchers to retrieve and integrate clinical vocabularies from a wide variety of information sources. The goal is to link information from scientific literature, patient records, factual databases, knowledge-based expert systems, and directories of institutions and individuals in health and health services.

An international EDI format. Interactive X12 transactions use the EDIFACT message syntax.

The sharing of PHI within the institution (i.e., from nurse to doctor)

A vendor of EDI data communications and translation services.

License cost of various modules. Typically, modules will be licensed on a concurrent or named user basis. For example, with a concurrent license, if there are 4 providers and 8 employees, a minimum of 12 concurrent licenses would be needed. However, if the providers were halftime [meaning, they only used the system half time] (and all 4 never used the system at any one time, only 10 licenses would be needed). If using a named user license under the same circumstances, 12 licenses would always be needed as licenses are not shared among different people. There can be a provision though for “active” and “inactive” providers (which means they could look at information, but not enter it in the system). Under an ASP (monthly rental agreement), software licenses are not being purchased, but rented However, the same issues exist for determining number of ASP licenses as with a license purchase.

A technical strategy for creating secure connections, or tunnels, over the Internet.

The company that publishes the X12N HIPAA Implementation Guides and the X12N HIPAA Data Dictionary. It developed the X12 Data Dictionary, and that hosts the EHNAC STFCS testing program.

This privacy service lets a user visit Web sites while preventing those sites from gathering information about the user (including IP address, browser and operating system identification, and cookie-stored data) or which sites he has visited.

Pixel tags or clear GIFs, these file objects (typically a single transparent pixel invisible to the user) are used along with cookies to help track the behavior of Web site visitors.

Under HIPAA, this means employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity. Also see Part II, 45 CFR 160.103.

A health care industry group that has a formal consultative role under the HIPAA legislation (also sponsors SNIP).

A committee chartered by the American National Standards Institute (ANSI) to develop uniform standards for inter-industry electronic interchange of business transactions—electronic data interchange (EDI).

The principle responsibilities of ASC X12N Insurance Subcommittee are development and maintenance of X12 standards, standards interpretations, and guidelines for the insurance industry, including health insurance. Most electronic transactions regarding health insurance claims are conducted using these standards, many of which are mandated by HIPAA.

A

Is the collection of information from the medical record via hard copy or electronic instrument.

A range of the following improper behaviors or billing practices including, but not limited to:billing for a non-covered service; misusing codes on the claim (i.e., the way the service is coded on the claim does not comply with national or local coding guidelines or is not billed as rendered); or inappropriately allocating costs on a cost report

When another person does something on purpose that causes you mental or physical harm or pain.

Your ability to get needed medical care and services. The process of obtaining data from, or placing into a computer system or storage device. It refers to such actions by any individual or entity who has the appropriate authorization for such actions.

Your ability to get medical care and services when you need them.

Some States use the findings of private accreditation organizations, in part or in whole, to supplement or substitute for State oversight of some quality related standards. This is referred to as "deemed compliance" with a standard.

An arrangement whereby a self-insured entity contracts with a Third Party Administrator (TPA) to administer a health plan.

Title II, Subtitle F, of HIPAA which authorizes HHS to: (1) adopt standards for transactions and code sets that are used to exchange health data; (2) adopt standard identifiers for health plans, health care providers, employers, and individuals for use on standard transactions; and (3) adopt standards to protect the security and privacy of personally identifiable health information.

This Act (Public Law 107-105) provides a one-year extension to HIPAA "covered entities" (except small health plans, which already have until October 16, 2003) to meet HIPAA electronic and code set transaction requirements. Also, allows the Secretary of HHS to exclude providers from Medicare if they are not compliant with the HIPAA electronic and code set transaction requirements and to prohibit Medicare payment of paper claims received after October 16, 2003, except under certain situations.

Code sets that characterize a general business situation, rather than a medical condition or service. Under HIPAA, these are sometimes referred to as non-clinical or non-medical code sets. Compare to medical code sets.

A professional organization for physicians. The AMA is the secretariat of the NUCC, which has a formal consultative role under HIPAA. The AMA also maintains the Current Procedural Terminology (CPT .) medical code set.

ANSI is a broad based agency charged with overseeing voluntary standards development for everything from computers to household products. ANSI accredits standards development organizations (SDO) based on their consensus process, then reviews and officially approves the SDO recommendations.

American Society for Testing and Materials develops standards on characteristics and performance of materials, products, systems, and services. There are numerous standards-writing technical committees. E31 is the Committee on Computerized Systems and E31.28 is the subcommittee on Healthcare Informatics responsible for the Continuity of Care (CCR) standard.

Costs that are typically 15-20% of the software license costs. Where the actual license is normally a one- time fee, the support and maintenance costs are renewed on a yearly basis. This yearly fee basically covers two areas: 1) any upgrades or new releases; and 2) customer service and support. It should be noted that both vendor EHR software and third party software will need support, so it is important to determine which components the support costs cover. Also, some vendors might have more than one service level agreement representing different support options at different costs.

Online, we can use an Internet site called a remailer that reposts a message from the site's own address, thus concealing the originator of the message.

This privacy service lets a user visit Web sites while preventing those sites from gathering information about the user (including IP address, browser and operating system identification, and cookie-stored data) or which sites he has visited

The orderly arrangement of parts; structure.

See American Society for Testing and Materials.

A system that uses different keys for encryption and decryption. Within such a system, it is computationally infeasible to determine the decryption key (which is kept private) from the encryption key (which is made publicly available).

A characteristic or property.

Chronological record of system activity which enables the reconstruction of information regarding the creation, distribution, modification, and deletion of data.

Verification of the identity of a person or process.

The role or set of permissions for information system activity assigned to an individual.

What the health plans make people sign at the start of the year as a condition of being in the plan-its NOT informed consent, because it says that you agree to release ALL past and future medical records (that is the blanket part) to the health plan or insurer if they request them, as a condition of being covered by the plan (that is the coercion part).

Technology that uses some human biological feature (e.g. fingerprint, voice pattern, retina scan, or signature dynamics) to uniquely identify an individual.

A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. Also see Part II, 45 CFR 160.103.

The term agent is often used to describe a person or organization that assumes some of the responsibilities of another one. This term has been avoided in the final rules so that a more HIPAA-specific meaning could be used for business associate.

The entity providing third party trust within PKI.

The HHS agency responsible for Medicare and parts of Medicaid.CMS is responsible for oversight of HIPAA administrative simplification transaction and code sets, health identifiers, and security standards.

Testing a product for the existence of specific features, functions, or characteristics required by a standard in order to determine the extent to which that product satisfies the standard requirements.

Contract needed to extend the responsibility to protect health care data across a series of sub-contractual relationships.

A software product that maps chief complaints, captured as text, and transforms them into useful digital data that can be used in functions such as public health outbreak surveillance.

A national administrative code set that identifies the status of health care claims. This code set is used in the X12N 277 Claim Status Inquiry and Response transaction, and is maintained by the Health Care Code Maintenance Committee.

A method of grouping clinical concepts in order to represent classes that support the generation of indicators of health status and health statistics.

The data warehouse that contains clinical data (HL7 messages) centrally.

The process used by the HIE to determine the identity of the person accessing the system with adequate certainty to maintain security and confidentiality of personal health information and to administer with certainty of identity a regulated process such as e-prescribing and chart signing.

The uniform institutional claim form.

The uniform professional claim form.

The official compilation of federal rules and requirements.

Under HIPAA, this is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions. Also see Part II, 45 CFR 162.103.

Under HIPAA, this is the date by which a covered entity must comply with a standard, an implementation specification, or a modification. This is usually 24 months after the effective data of the associated final rule for most entities, but 36 months after the effective data for small health plans. For future changes in the standards, the compliance date would be at least 180 days after the effective data, but can be longer for small health plans and for complex changes.

Information from different RHIO Participants is combined and integrated into a single record to form a Community Health Record System.

A 3rd party's obligation to protect the personal information with which it has been entrusted.

The expectation that personal information will be held in confidence.

A system of standardizing the terms used in describing client-centered health and health service-related concepts.

Consulting services offered by the vendor. These services will take your original data, either in paper or electronic form, and transfer the data into the EHR system database.

Process for determining the respective responsibilities of two or more health plans that have some financial responsibility for a medical claim. Also called cross-over.

Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

A medical code set of dental procedures, maintained and copyrighted by the American Dental Association (ADA), and adopted by the Secretary of HHS as the standard for reporting dental services on standard transactions.

A medical code set of physician and other services, maintained and copyrighted by the American Medical Association (AMA), and adopted by the Secretary of HHS as the standard for reporting physician and other services on standard transactions.

Subset of the HCPCS Level II medical codes identifying certain dental procedures. It replicates many of the CDT codes and will be replaced by the CDT. Descriptor: The text defining a code in a code set.

The physical space and hardware used by the HIE to house its operations if these assets are kept within the HIE.

A description of the circumstances in which certain data is required.

Under HIPAA, this is all the data elements and code sets inherent to a transaction, and not related to the format of the transaction.

Under HIPAA, this is the smallest named unit of information in a transaction.

The accuracy and completeness of data, to be maintained by appropriate security measures and controls. Preservation of the original quality and accuracy of data, in written or in electronic form.

The process of matching one set of data elements or individual code values to their closest equivalents in another set of them. This is sometimes called a cross-walk.

A mechanism and process to safely store duplicate databases and recreate the data should a disaster occur.

The RHIO holds each RHIO Participant's information in separate silos, but pulls information from applicable silos when information about a particular patient is requested. This is a 'hub and spoke' arrangement.

Computerized functions that assist users in making decisions in their job functions. In the practice of medicine, these functions include providing electronic access to medical literature, alerting the user to potential adverse drug interactions, and suggesting alternative treatment plans for a certain diagnosis.

The technique of using mathematical procedures to "unscramble" data so that an unintelligible (encrypted) message becomes intelligible.

Information about name, address, age, gender, and role used to link patient records from multiple sources in the absence of a unique patient identifier.

The federal government department that has overall responsibility for implementing HIPAA.

The text defining a code in a code set.

A medical code set or an administrative code set that is required to be used by the adopted implementation specification for a standard transaction.

A standard which HHS has designated for use under the authority provided by HIPAA.

An organization, designated by the Secretary of the U.S. Department of Health & Human Services, to maintain standards adopted under Subpart I of 45 CFR Part 162. A DSMO may receive and process requests for adopting a new standard or modifying an adopted standard.

A standard which defines protocols for the exchange of medical images and associated information (such as patient identification details and technique information) between instruments, information systems, and health care providers. It establishes a common language that enables medical images produced on one system to be processed and displayed on another.

A string of binary digits which is computed using an encryption algorithm. Digital signatures enable signatory authentication, confirmation of data integrity, and non-repudiation of messages.

Under HIPAA, this is the direct entry of data that is immediately transmitted into a health plan's computer.

The sharing of PHI outside of the institution (i.e., from principal investigator to study sponsor).

The process of cross-linking the multiple provider identifiers in a community from a variety of provider identifier sources and creating a master doctor identifier with a key for cross-referencing the various community identifiers.

A software process that allows for the secure review, editing, and signature through electronic, distributed technology of electronic health record components, such as operative reports, discharge summaries, and consultations.

A software tool for accepting an EDI transmission and converting the data into another format, or for converting a non-EDI data file into an EDI format for transmission.

Under HIPAA, this is the date that a final rule is effective, which is usually 60 days after it is published in the Federal Register.

The electronic delivery of laboratory results to practices so that such data may be integrated into electronic patient records in a full EHR system, or used by a dedicated application to view structured, context-rich, and/or longitudinal laboratory results on a patient. eLaboratory includes closing the orders loop, documenting the review of results by clinicians, and documenting that the results have been communicated to the patient. The full benefits of eLaboratory are not achieved until the results are used as input into clinical decision support systems (CDSS).

The ability to contact the payer before the patient is seen and get a response that indicates whether or not the services to be rendered will be covered by the payer. Reference: eHealth Initiative Foundation. "Second Annual Survey of State, Regional and Community-based Health Information Exchange Initiatives and Organizations." Washington: eHealth Initiative, 2005.

Refers to the exchange of routine business transactions from one computer to another in a standard format, using standard communications protocols.

Health records kept in electronic form, as opposed to health records kept on paper.

Electronically maintained information about an individual's lifetime health status and health care.

A flat file format used to transmit or transport claims.

Medical records kept in electronic form (as opposed to medical records kept on paper).

Support the capture and reporting of quality, performance, and accountability measures to which providers/facilities/delivery.

Any of several electronic formats for explaining the payments of health care claims.

A digital signature, which serves as a unique identifier for an individual.

A standard adopted by the Secretary of HHS to identify employers in standard transactions. The IRS' EIN is the adopted standard.

The process of enciphering or encoding a message so as to render it unintelligible without a key to decrypt (unscramble) the message.

"The consent provisions (in the Original Rule)...are replaced with a new provision...that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations." 67 Fed. Reg. at 53,211

A federal act that allows banks, financial institutions and all their affiliates and non-affiliates to share sensative financial and medical records without consent or notice (and affiliates are typically insurers).

A health plan that provides health coverage to employees, former employees, and their families, and is supported by an employer or employee organization.

A public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

Assures the clear and reliable communication of meaning by providing the correct context and exact meaning of the shared information as approved by designated communities of practice. This adds value by allowing the information to be accurately linked to related information, further developed and applied by computer systems and by care providers for the real-time delivery of optimal patient care.

Activities that are related to the general business and administrative functions of the covered entity regardless of whether they are connected to the treatment or payment of an individual. This may include quality assessment, accreditation and training, business planning and development, general administrative activities and due diligence in connection with the sale of a covered entity to another covered entity.

A provider of services (as defined in section 1861(u)), a provider of medical or other health services (as defined in section 1861(s)), and any other person furnishing health care services or supplies.

Any information, whether oral or recorded in any form or medium, that-"(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and"(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

The mobilization of healthcare information electronically across organizations within a region or community.HIE provides the capability to electronically move clinical information between disparate healthcare information systems while maintaining the meaning of the information being exchanged. The goal of HIE is to facilitate access to and retrieval of clinical data to provide safer, more timely, efficient, effective, equitable, patient-centered care.

Formal organizations are now emerging to provide both form and function for health information exchange efforts. These organizations (often called Regional Health Information Organizations, or RHIOs) are ordinarily geographically-defined entities which develop and manage a set of contractual conventions and terms, arrange for the means of electronic exchange of information, and develop and maintain HIE standards.

Although HIE initiatives differ in many ways, survey results and eHI experiences with states, regions and communities indicate that those who are experiencing the most success share the following characteristics. They are:

• Governed by a diverse and broad set of community stakeholders;
• Develop and assure adherence to a common set of principles and standards for the technical and policy aspects of information sharing, addressing the needs of every stakeholder;
• Develop and implement a technical infrastructure based on national standards to facilitate interoperability;
• Develop and maintain a model for sustainability that aligns the costs with the benefits related to HIE; and
• Use metrics to measure performance from the perspective of: patient care, public health, provider value, and economic value.

Reference: eHealth Initiative. "Second Annual Survey of State, Regional and Community-based Health Information Exchange Initiatives and Organizations." Washington: eHealth Initiative, 2005.

A Federal law that allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships.

An ANSI approved American National Standard for electronic data exchange in health care. It enables disparate computer applications to exchange key sets of clinical and administrative information.

A health maintenance organization (HMO) contracts with doctors, hospitals, and health care providers to provide medical care to a group of consumers. Generally, HMOs will not pay for your care unless you receive it from one of their health care providers. The HMO usually receives a fixed amount of money per patient for each enrollee. Enrollees of the HMO generally do not have any significant out-of-pocket expenses.

An entity that assumes the risk of paying for medical treatments, i.e. uninsured patient, self-insured employer, payer, or HMO.

An individual or group plan that provides, or pays the cost of, medical care.

An administrative code set that classifies health care providers by type and area of specialization.

A covered entity whose covered functions are not its primary functions.

The 1972 revision of the international disease classification system developed by the World Health Organization.

The American modification of the ICD-9 classification system for both diagnoses and procedures.

The 1992 revision of the international disease classification system developed by the World Health Organization.

The American modification of the ICD-10 classification system, for field review release in 1998.

A classification system for reporting clinical procedures, to accompany ICD-10-CM, developed in the US, for 1998 field review release.

A document explaining the proper use of a standard for a specific business purpose. The X12N HIPAA IGs are the primary reference documents used by those implementing the associated transactions, and are incorporated into the HIPAA regulations by reference.

Consulting services offered by the vendor. These services will provide planning and actual implementation of an EHR system. It is important when comparing quoted implementation costs that physicians understand which detailed cost line items a particular vendor will be supplying. Also, make sure and take a look at their project plans.

The application of computer science and information science to the management and processing of data, information, and knowledge.

Any information, including demographic information collected from an individual, that- "(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and "(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and- "(i) identifies the individual; or "(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Informed consent is a process of information exchange that may include, in addition to reading and signing the informed consent documents, subject recruitment materials, verbal instructions, question/answer sessions and measures of subject understanding. The clinical investigator is responsible for ensuring that informed consent is obtained from each research subject before that subject participates in the research study.

The ethical standard in medicine is informed (meaning you know exactly what info you are consenting to release) contemporaneous (at the time the info is being requested or is needed, NOT before) consent. Informed also means that you can comprehend the effects of releasing the info, ie you are of sound mind and capable of understanding what is going on.

An institutional review board (IRB) is an independent committee made up of medical and nonmedical members, such as physicians, statisticians, and community advocates. It ensures that a clinical trial is ethical and that the rights of study participants are protected.All institutions that conduct or support biomedical research involving people, by U.S. government regulation, must have an IRB that initially approves and periodically reviews the research.

An IRB reviews and approves protocols, informed-consent forms, physician credentials and eligibility, and other patient materials. The role of an IRB is to work closely with the U.S. Food and Drug Administration (FDA) to make sure that patient safety is the main priority of a clinical trial.

Shared boundary between two functional units defined by various characteristics pertaining to the functions, physical interconnections, signal changes, and other characteristics as appropriate.

The interface between an HIE and the systems that are sources for admission, discharge and transfer (ADT) of patients in the care delivery setting and that are resident within care delivery institution.

The interface between an HIE and Electronic Health Records (EHRs) that are maintained on ASP platforms (i.e. NexGen, AllScripts).

The interface between an HIE and the systems that are sources for or routing pathways for claims data that are resident within health plans and claims clearinghouses.

The interface between an HIE and the systems that are sources for EKG results that are resident within dispensing physician offices and hospitals.

The interface between an HIE and the source data of which people have eligibility for which type of benefits that are resident within health plans and are not infrequently web-enabled.

The interface between an HIE and the systems that are sources for formulary status of specific drugs for specific health benefit designs and that are resident within pharmacy benefit management companies and hospitals.

The interface between an HIE and systems that are sources of laboratory data.

The interface between an HIE and the systems that are sources for prescription data or that are resident within dispensing pharmacies, pharmacy benefit management companies and hospitals.

The interface between an HIE and the systems that are sources for the financial management systems of physician practices.

The interface between an HIE and the systems that track the multiple providers and their identifying data that are resident within health plans, dispensing pharmacies, pharmacy benefit management companies laboratories, physician practices, and hospitals.

The interface between an HIE and EHRs that are maintained in practice-specific systems (e.g. EPIC).

The interface between an HIE and systems that are sources for radiological data.

The interface between an HIE and the systems that are sources for transcribed reports. Typically these systems are based at a transcription service or at a hospital and contain admission and discharge notes and consultations, operative reports, and pathology and radiology results.

Within the context of the Internet, the right to privacy is still being defined.Generally, it involves a person's right to control what information about himself is revealed and to whom, as well as what others may do with that information. It's not the same thing as secrecy, but the distinction is sometimes murky. Privacy isn't an absolute right, since it's often trumped by laws and overriding social needs. For example, law enforcement officials may obtain warrants that allow them to intercept communications or search physical areas, activities that otherwise would be forbidden.

The ability of two or more systems or components to exchange information and to use the information that has been exchanged accurately, securely, and verifiably, when and where needed.

The ability of two or more systems or components to exchange information and to use the information that has been exchanged accurately, securely, and verifiably, when and where needed.

A subset of the HCPCS Level II code set with a high-order value of "J" that has been used to identify certain drugs and other items.

The Supreme Court has found that the "reason and experience" of the country shows that effective psychotherapy can only be provided if there is a privilege that permits the disclosure of psychotherapy communications, in most instances, only with the patient's permission.

A sequence of symbols that controls the operations of encryption and decryption.

A data record that authenticates the owner of a public key for an asymmetric algorithm. It is issued by a certification authority and is protected by a digital signature allowing the certificate to be verified widely. The certificate may also contain other fields beside the value to the key and the name of the owner, for example an expiration date.

A generic term for code values that are defined for a State or other local division or for a specific payer. Commonly used to describe HCPCS Level III Codes.

The LOINC databases provide sets of universal names and ID codes for identifying laboratory and clinical test results. The purpose is to facilitate the exchange and pooling of results, such as blood hemoglobin, serum potassium, or vital signs, for clinical care, outcomes management, and research.

Managed care organizations have arrangements with doctors, hospitals, and other health care providers for their services. These doctors, hospitals, and health care providers form a network. Examples of managed care organizations include: Health MaintenanceOrganizations (HMOs) and Preferred Provider Organizations (PPOs)

Under HIPAA, this is all of the required data elements for a particular standard based on a specific implementation specification.

Codes that characterize a medical condition or treatment.

The process of cross-linking the multiple possible medication identifiers naming conventions in a community from a variety of systems housing medication information and creating a master medication identifier with a key for cross-referencing the various community identifiers. For example there are hundreds of NDC codes for identical drugs as well as HCPCS codes that identify the same drug as NDC codes.

As explained in the original HIPAA health privacy rule, the right of individuals to medical privacy means the right "to determine for themselves when, how, and to what extent information about them is communicated".

A Medicare Part A Fiscal Intermediary (institutional), a Medicare Part B Carrier (professional), or a Medicare Durable Medical Equipment Regional Carrier (DMERC)

Protecting a message against its unauthorized modification, often by the originator of the message generating a digital signature.

The process of communicating electronically with pharmacies. This typically includes the cost of communication lines and processes between the HIE and pharmacies. This is necessary to support the e-prescribing function when that function includes the process of electronically sending a digital prescription to the pharmacy.

The process of communicating electronically with providers. This typically includes the cost of communication lines and processes between the HIE and provider terminals.

The least amount of information required to achieve the purpose of the use, disclosure or request.

Under HIPAA, this is a change adopted by the Secretary(HHS Secretary, Tommy Thompson), through regulation, to a standard or an implementation specification.

When combinations of data tidbits produce a picture that wasn't apparent from the individual pieces.

It serves as the statutory [42 U.S.C. 242k(k)] public advisory body to the Secretary of Health and Human Services in the area of health data and statistics. The Committee provides advice and assistance to the Department and serves as a forum for interaction with interested private sector groups on a variety of key health data issues.

An ANSI-accredited group that maintains a number of standard formats for use by the retail pharmacy industry, some of which have been adopted as HIPAA standards.

A medical code set maintained by the Food and Drug Administration that contains codes for drugs that are FDA-approved.

The name of the federal government's program to implement a national interoperable system for sharing electronic medical records or EMRs (AKA electronic health records or EHRs).

A system for uniquely identifying all providers of health care services, supplies, and equipment. A term proposed by the Secretary of HHS as the standard identifier for health care providers.

Generically, this applies to any nationally standardized data format, but it is often used in a more limited way to designate the Professional EMC NSF, a 320-byte flat file record format used to submit professional claims.

A NCPDP format for use by low-volume dispensers of pharmaceuticals, such as nursing homes. The Secretary of HHS adopted Version 1.0 of this format as a standard transaction.

A NCPDP format designed for use by high-volume dispensers of pharmaceuticals, such as retail pharmacies. The Secretary of HHS adopted Version 5.1 of this format as a standard transaction.

A set of connected elements. For computers, any collection of computers connected together so that they are able to communicate, permitting the sharing of data or programs.

The process used for maintaining connection for communication between the HIE and a data source (laboratory, radiology practice, physician practice, or hospital) and data user (physician practice or hospital).

A non-routine use or disclosure is a use or disclosure other than for treatment, payment, or health care operations purposes that is not otherwise permitted or required by law. For example, an authorization would be required in connection with a pre-employment medical exam or the release of information to the patient's attorney. The Privacy Rule requires that patients sign an Authorization form for most non-routine uses and disclosures of patient health information.

HIPAA requires all covered entities to give patients a notice of their privacy practices, which must include how information about how their medical records will be shared.

A document that describes and explains regulations that the Federal Government proposes to adopt at some future date, and invites interested parties to submit comments related to them. These comments can then be used in developing a final regulation.

A term used by CMS for a proposed standard identifier for health plans. CMS had previously used the terms PayerID and PlanID for the health plan identifier.

This office is part of HHS. Its HIPAA responsibilities include oversight of the privacy requirements.

An important distinction in the privacy debate concerns the terms under which e-mail marketers (legitimate ones, not spammers that ignore ethical and legal concerns) can contact users, and how users can add or remove themselves from databases.

The process of communicating health care provider orders through electronic, computerized processes.

The process of communicating health care provider orders through electronic, computerized processes.

eHI has developed a set of principles and framework for alignment of incentives with both quality and efficiency goals as well as HIT capabilities within the physician practice and health information exchange capabilities across markets. This Framework—entitled “Parallel Pathways for Quality Healthcare” offers significant guidance to states, regions and communities who are exploring health information exchange as a foundation to address quality, safety and efficiency challenges.

• Provider
• Governor
• Manager
• Recipient
• Researcher
• Educator
• Worker
• Family Member

Roles may be used to authorize an individual's access to information system functionality.

The process of cross-linking the multiple patient identifiers in a community from a variety of patient identifier sources and creating a master patient identifier with a key for cross-referencing the various community identifiers. This is also referred to as a record locator service.

A person's identifable medical or health records.

Typically a health record that is initiated and maintained by an individual.  An ideal PHR would provide a complete and accurate summary of the health and medical history of an individual by gathering data from many sources and making this information accessible online to anyone who has the necessary electronic credentials to view the information.From HITECH Act (page 145): The term "personal health record" means an electronic record of PHR identifiable health information (as defined in section 13407(f)(2)) on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

From HHS OCR: In general, a PHR is an electronic record of an individual's health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own heath care.

An entity that sponsors a health plan. This can be an employer, a union, or some other entity.

This is a standard XML format adopted by the World Wide Web Consortium for Web sites to use to encode their privacy policies [see QuickLink 33484].

The RHIO identifies where each patient's information is located and serves as a master patient index. All RHIO Participants interact with each other to exchange information, although an intermediary may facilitate the exchange of information.

Preferred provider organizations have contracts with doctors, hospitals, and other health care providers and have negotiated certain fees. As long as you get your care from these providers, you will only have to make your co-payment. If you go to a provider outside of the PPO, your care may still be covered, but you may have to pay more.

A person, an organization, or a software package that reviews procedures, diagnoses, fee schedules, and other data and determines the eligible amount for a given health care service or supply. Additional criteria can then be applied to determine the actual allowance, or payment, amount.

Right of an individual to control the circulation of information about him-/herself within social relationships; freedom from unreasonable interference in an individual's private life; an individual's right to protection of data regarding him/her against misuse or unjustified publication.

The U.S. government must not conceal the existence of any personal data record-keeping system by nay agency.

Most Web sites have a page describing in detail the site's privacy practices and what the site's owners will do with any information they collect.

"The right of privacy is: 'the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated'." 65 Fed. Reg. at 82,465

In asymmetric cryptography, the key which is held only by the user for signing and decrypting messages.

Individually identifiable information transmitted or maintained in any form (electronic means, on paper, or through oral communication) that relates to the past, present or future physical or mental health or conditions that can reasonably be used to identify an individual.

Pseudonymity is the ability to prove a consistent identity without revealing one's actual name, instead using an alias or pseudonym.

A software product that processes extracted data from health care provider systems for the purpose of tracking, trending, and reporting for public health reasons.

In asymmetric cryptography, the key which is published by the user to encrypt messages and so that others may verify his/her signature.

A data record that authenticates the owner of a public key for an asymmetrical key system. It is issued by a CA and is protected by a digital signature, allowing the certificate to be verified widely.

A conceptual framework that enables the encryption, decryption and electronic "signing" of data transmissions in a secure fashion within an open network environment.

Now on the verge of becoming a widespread supply chain tool, radio frequency identification tags are getting smaller and cheaper, and privacy concerns are being raised. It may not be long before such tags are built into individual items (such as clothing), not just shipping pallets, allowing an unprecedented amount of automated monitoring of people's habits, behaviors and locations.

RHIO Participants may include both covered and non-covered entities.

The government's preferred approach to building a National Health Information Network (NHIN) is to build and link Regional Health Information Organizations. RHIOs will interact with each other to exchange patient information.

An entity (group or agency) that has been delegated by a CA to perform a specific set of ‘trusted authority’ functions within PKI.

"The consent provisions (in the Original Rule)...are replaced with a new provision...that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations." 67 Fed. Reg. at 53,211

The process of cross-linking the multiple possible answers to asking for a given result. For instance, asking for the results of a chest x-ray could yield a dictated report or a digital image of an x-ray. In any case, the case received must be matched across the type of result to a term identifying a common result.

The process of cross-linking the multiple possible names of data results that can contain the same information. For instance a blood glucose reading can be called up by a blood glucose test, an SMA panel, or a glucometer result.

The ability to interpret the clinical data that is entered about a patient using a set of rules or algorithms which will generate warnings or alerts at various levels of severity to a clinician. These are intended to make the clinician aware of potentially harmful events, such as drug interactions, patient allergies, and abnormal results, which may affect how a patient is treated, with the intention of speeding the clinical decision process while reducing medical errors.

"The right of privacy is: 'the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated'." 65 Fed. Reg. at 82,465

Protects Americans in their beliefs, their thoughts, their emotions and their sensations - the most comprehensive of rights and the right most valued by civilized men.

If in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words and emotions." 65 Fed. Reg. at 82,464/3.

The right to privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated.

The chance of a vulnerability being exploited.