The following terms appear in HIPAA guidelines and are used in determining when and how to store and release health information.

Business Associate

A person who, on behalf of the covered entity, performs or assists in the performance of a function or activity involving the use of individually identifiable health information (IIHI). (Does not include members of the covered entity’s workforce.) Examples include legal, actuarial, accounting, consulting, and auditing firms.

De-Identified Information (DII)

Health information that has had all personal identifiers removed from the data set. May be disclosed without consent of the individual.

Disclosure

Releasing, transferring, providing access to, or divulging in any manner information outside the entity holding the information.

Health Care Operations

Refers to using protected health information (PHI) to support business activities of a practice. This may include employee training, marketing, fund-raising, licensing, and quality assessments.

Individually Identifiable Health Information (IIHI)

Created by a health care organization, relates to past, present, or future condition of an individual, and could be used to identify that individual.

Patient Identifiable Information (PII)

Identifiers within health information that could be used to identify an individual.

Payment

Refers to using PHI to obtain payment of health care services. This may include the operations a health insurance plan undertakes before paying for services.

Privacy Standard

Having policies and procedures in place to control who has access to protected health information (PHI).

Protected Health Information (PHI)

Any patient identifiable information regardless of the media form it is in, whether at rest or in transit.

Security Standard

Protect the Confidentiality, Integrity, and Availability of PHI

• Confidentiality is the prevention of unauthorized disclosure of data.
• Integrity is the prevention of unauthorized modification of data.
• Availability is the prevention of loss of access to resources and data.

Treatment

Refers to using PHI to provide, coordinate, or manage health care and related services.

Use

Refers to sharing, employing, applying, utilizing, examining, or analyzing individually identifiable health information by employees or other members of an organization’s workforce.

Workforce

Employees, volunteers, trainees, and other people under the direct control of a covered entity.