HCISPP 2 Flashcards
Refers to preventing the disclosure of information to unauthorized individuals or systems. Necessary for maintaining the privacy of the people whose personal information is held in the system.
Confidentiality
Two types: 1) the person to whom the data pertains, i.e. the patient receiving treatment. This is the individual who has the final determination of how the data is used and by whom it can be used or disclosed. 2) the healthcare organization that provides treatment services for the patient and captures information during those services.
Data Owners
the principle that states that there should be limits to the collection of personal data, and that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Collection Limitation Principle
a security principle stating that a user should have access only to the data he or she needs to perform a particular function.
Need to know
Assets with a physical presence
Tangible Assets
(CPT) codes are published by the American Medical Association. A CPT code is a five (5) digit numeric code used to describe medical, surgical, laboratory, anesthesiology, and evaluation and management services of physicians, hospitals, and other healthcare providers. There are approximately 7,800 codes. Two-digit modifiers may be appended when appropriate to clarify or modify the description of the procedure.
Current Procedural Terminology
HSM is one type of DLM product. It uses different types of storage media, such as redundant array of independent disk (RAID) systems, optical storage, or tape, each type representing a different level of cost and speed of retrieval when access is needed. An administrator can establish guidelines for how often different kinds of files are to be copied to a backup storage device. Once a guideline has been set, the software manages everything automatically.
Hierarchical Storage Management
the principle that states that personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the purpose specification principle
use limitation principle
the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred
risk mitigation
controls that capture things such as who is responsible for information security at the third party, what types of processes the third party has in place to request access to data, and also would include ensuring that the third party has appropriate security policies, procedures, and standards
Administrative Controls
the principle that states that a data controller should be accountable for complying with measures that give effect to the other privacy principles
Accountability principle
the world's largest standards organization, with more than 30 standards addressing information security practices and audit. Each standard is regularly reviewed and updated, so keeping up with the latest changes requires consistent attention.
ISO
Part of the US Department of Commerce; addresses the measurement infrastructure within science and technology efforts of the US federal government
NIST
Government-funded health care: a program funded by the US federal and state governments that pays the medical expenses of people who are unable to pay some or all of their own medical expenses.
Medicaid
vendors, business partners, or other data-sharing associates outside the patient-provider relationship. The first party is the patient himself/herself or the person, such as a parent, responsible for the patient's health bill. The second party is the physician, clinic, hospital, nursing home, or other healthcare entity rendering the care. Second parties are often called providers because they provide health care.
Third Parties
the activities undertaken by either a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or a covered healthcare provider or health plan to obtain or provide reimbursement for the provision of healthcare.
Payment
a plan that takes the output of the risk assessment and identifies the tasks that need to be accomplished to mitigate the identified risks
corrective action plan
controls that encompass areas such as facility access, fire protection, and visitor procedures
Physical controls
determines what protections need to be in place to guard data based on its sensitivity and value as well as the risk of exposure
security
How the organizational representatives identify the most critical data to be given the highest protection
Data Categorization
systems that assign a distinct numeric value to medical diagnosis, procedures and surgery, signs and symptoms of disease and ill-defined conditions, poisoning, adverse effects of drugs, complications of surgery, and medical care. The assigned codes and other patient data are processed by the grouper software to determine a DRG for the episode of care which is used for funding and reimbursement.
Medical Coding
Very similar to the BAA: the recipient of the data set agrees to limit the use of the data to the purposes for which it was given, to ensure the security of the data, and not to re-identify the information or use it to contact any individual.
Data Use Agreement
Includes the technologies, tools, and methods used to capture, manage, store, preserve, and deliver content across an enterprise.
Enterprise Content Management
the primary liaison for the CIO to the organization's authorizing officials, information system owners, common control providers, and information system security officers.
Senior Information Security Officer
a unit of the US Department of Labor and addresses safety and protection of workers in organizations that involve hazards and hazardous wastes as potential sources of injuries and health related problems
Occupational Safety and Health Administration
an organizational official responsible for designating a senior information security officer and developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements
chief information officer
is an initiative by health care professionals and industry to improve the way computer systems in health care share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.
Integrating the Healthcare Enterprise
generated at various points in the records management lifecycle, providing underlying data to describe the document, specify access controls and rights, provide retention and disposition instructions, and maintain the record history and audit trail.
Metadata
Means the provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one provider to another.
Treatment
Create a feedback loop to measure whether the security strategy and program are on target or need refinement
Key Performance Indicators
controls that deter, detect, and/or reduce impacts to the system
Preventative controls
States that an individual should have the right: • To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him • To have communicated to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him • To be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial • To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
Individual Participation Principle
the data collected about a specific person potentially across a number of treatment services from a number of healthcare organizations
Health Information
The activities that identify and locate the stores of organizational data on networked devices, including servers and workstations
Data Discovery
the technology, policy, and procedures for its use that safeguard electronic protected health information and control access to ePHI.
Technical Safeguards
A basis for obtaining federal stores of information that are seen as publicly accessible, and is frequently used by private citizens for political or legal issues
Freedom of Information Act
Is necessary to obtain a true understanding of the health care organization. Can occur at the individual level, the household level, the business or corporate level, the supplier level, or some other combination of attributes. Requires powerful matching technology that can locate less obvious members of a related group.
Data Integration
The HIPAA regulations adopted certain standard transactions for EDI of healthcare data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment, and disenrollment, referrals and authorizations, coordination of benefits, and premium payment.
Electronic data Interchange
the risk that remains after risk response strategies have been applied
residual risk
refers to a hierarchical classification system. It comprises a vocabulary and its terms; the vocabulary is made up of terms, or names, at the most basic level. Its major advantage is simplicity: if a single one exists, the assumption is that everyone is or will be made aware of it, understands the vocabulary and classifications, accepts it, and uses what is known.
Taxonomy
Any proposal relating to human subjects, including healthy volunteers, that cannot be considered an element of accepted clinical management or public health practice and that involves either physical or psychological intervention or observation, or the collection, storage, and dissemination of information relating to individuals. This definition relates not only to planned trials involving human subjects but also to research in which environmental factors are manipulated in a way that could incidentally expose individuals to undue risks.
Human Research
Eliminates barriers to data sharing by providing direct data access; data translation tools; and the ability to build complex spatial extraction, transformation, and loading processes. Standardized data messaging facilitates __________ between health information systems regardless of the database models employed by individual healthcare enterprises. There are three levels: Foundational, Structural, and Semantic.
Data Interoperability
A vendor that receives PHI from healthcare organizations, as defined in HIPAA and in the regulations promulgated by the US Department of Health and Human Services (DHHS) to implement certain of its provisions. All must agree in writing to certain mandatory provisions regarding, among other things, the use and disclosure of PHI.
Business Partners
the set of activities that ensures sensitive data does not leave the organization without authorization, whether by accident or by deliberate exfiltration
Data Loss prevention
A public or private entity that processes or facilitates the processing of non standard data elements of health information into standard data elements. The entity receives healthcare transactions from healthcare providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers
Healthcare Clearinghouse
Once records are created, they must be maintained in such a way that they are accessible and retrievable. Components of this phase include functions, rules, and protocols for indexing, searching, retrieving, processing, routing, and distributing.
Record Maintenance and Use
an individual, group or organization responsible for conducting information system security engineering activities.
Information System Security Engineer
(DICOM) the international standard for medical images and related information. It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use. Implemented in almost every radiology, imaging, and radiotherapy device, and increasingly in devices in other medical domains such as ophthalmology and dentistry. With thousands of imaging devices in use, it is one of the most widely deployed healthcare messaging standards in the world
Digital Imaging and Communications in Medicine
Provide the capability to electronically move clinical information between disparate healthcare information systems while maintaining the meaning of the information being exchanged. HIEs also provide the infrastructure for secondary use of clinical data for purposes such as public health, clinical, biomedical, and consumer health informatics research as well as institution and provider quality assessment and improvement.
Health Information Exchange Organizations
Any organization or corporation that directly handles PHI or PHRs. They include public clinics, nursing homes, pharmacies, specialty hospitals, homecare programs, home meal programs, hospice, and durable medical equipment suppliers.
Covered Entity
the person who is the subject of the PHI
Individual
reviews plans for research involving human subjects. Institutions that accept research funding from the federal government must have an IRB to review all research involving human subjects. The FDA and the Office for Human Research Protections (OHRP), part of HHS, set the guidelines and regulations governing human subjects research and IRBs
Institutional Review Board
An organizational official that acts on behalf of an authorizing official to coordinate and conduct the required day to day activities associated with the security authorization process
Authorizing Official Designated representative
Health information that meets the standard and implementation specifications under 45 C.F.R. § 164.514 (a) and (b).
De- Identified Information
(BA) The Privacy Rule allows covered providers and health plans to disclose protected health information to a variety of businesses that provide services to them and have access to their patients' PHI, such as billing services, attorneys, accountants, and consultants.
Business Associates
means PHI from which a specified set of direct identifiers of the individual, or of relatives, employers, or household members of the individual, has been removed (dates, city, state, ZIP code, and age may remain, so the data are still PHI)
Limited data set
the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations
Risk sharing
physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.
Physical Safeguards
a governance structure where the authority, responsibility and decision-making power are vested solely within central bodies
centralized governance structure
Assets that are not physical
Intangible Assets
dictates what needs to be protected
Privacy
Its regulatory framework comprises the Privacy Rule, the Security Rule, the Enforcement Rule, and the Breach Notification Rule, as strengthened by HITECH (enacted as part of ARRA).
Health Insurance Portability and Accountability Act of 1996
the senior person in charge of managing the data systems used in capturing, storing, or analyzing the PHI of patients under the care of the organization. They have the responsibility for maintaining the integrity of the data system and for authorizing access of internal and external workforce members to the data system and the PHI it contains
Data controller/manager
the channel through which information is transmitted. The main forms include auditory, visual and tactile.
Modality
typically employs a set of methods, principles, or rules for assessing risk based on non numerical categories or levels
Qualitative Assessment
Covers essential health benefits but has a very high deductible. This means it provides a kind of “safety net” coverage in case the patient has an accident or serious illness. Usually do not provide coverage for services such as prescription drugs or shots.
Catastrophic Health Insurance Plan
an effort led by CMS and the Office of the National Coordinator for Health IT (ONC); the set of standards defined by the CMS Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria.
Meaningful Use
This phase includes creating, editing, and reviewing work in process as well as capture of content (e.g., through document imaging technology) or receipt of content (e.g., through a health information exchange). Every organization must establish business rules for determining when content or documents become records
Record Creation, Capture, or Receipt
the federal agency within HHS with oversight over HIPAA privacy, security, and breach notification requirements. It established a comprehensive audit protocol that physician practices may wish to consider as they review and update their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.
Office for Civil Rights
Assist in the organizational risk process by striving to identify and close as many vulnerabilities as possible
Information Security Professionals
a governance structure where the authority, responsibility, and decision-making power are distributed between a central body and individual subordinate organizations
Hybrid information security governance structure
may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance
Risk avoidance
A methodology by which an organization manages and directs an information security risk evaluation for itself
OCTAVE
in health care generally refers to entities other than the patient that finance or reimburse the cost of health services.
Payer
assessment focused on the technology aspects of an organization, such as the network or applications
Vulnerability assessments
HCPCS is used to report hospital outpatient procedures and physician services. These coding systems serve an important function for physician reimbursement, hospital payments, quality review, benchmarking measurement, and the collection of general medical statistical data.
Healthcare common procedure coding system
an activity of a covered entity intended to raise funds to benefit the covered entity or an institutionally related foundation that has as its mission to benefit the covered entity
Fundraising
Use technology and human efforts to provide protection of and control access to the data and information that is considered private
Security Professionals
the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization
categorization
An employee welfare benefit plan, including insured and self insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance reimbursement
Group Health Plan
The Trust Taxonomy provides a conceptual framework to facilitate governance of inter-entity exchange through transparency into trust policies and practices based on Identity, Policy and Contractual attributes. When utilizing the taxonomy, all trading partners would use a consistent approach to the classification of trust attribute definitions along with consistent representations as to how these trust attributes are implemented.
Governance Framework
means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Use
(ARRA) was enacted on 02/17/09 and includes many measures to modernize the nation's infrastructure, one of which is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act supports the concept of Meaningful Use (MU) of health information technology (HIT) and healthcare reform to help healthcare organizations meet their clinical and business objectives via HIE. MU requirements consist of payment approaches that stress care coordination, and federal financial incentives are driving the interest in and demand for HIE.
American Recovery and Reinvestment Act
The patient can go to the doctor of his/her choice, and the patient, the patient's doctor, or the patient's hospital submits a claim to the patient's insurance company for reimbursement.
Indemnity Plan
the record life cycle from creation through final disposition.
Records Management Lifecycle
Establishes how connectivity will occur to and from the primary entity with the third party
Connection Agreement
The organization's "health record" that meets all statutory, regulatory, and professional requirements for clinical purposes as well as for business purposes. If the record does not qualify as a legal record, it becomes hearsay and therefore is much less legally valid for business or for medico-legal purposes. Unless the practice intends to maintain separate paper records that comply with legal requirements, its EHR must conform to the same requirements as health records in general and as business records on computers more specifically.
Legal Medical Record
The principle that states that there should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller
Openness Principle
A technical basis for an international agreement among member countries on evaluating the security of IT products. The standards define the targets, and the methodology defines how the evaluation against those targets is carried out, all according to the arrangement among the members
Common Criteria
predefined topical areas that can put an organization at risk
threats
NeHC convened the national HIE governance forum at the request of the Office of the National Coordinator for Health IT (ONC) through ONC's cooperative agreement. One of ONC's governance goals for nationwide HIE is to increase trust among all potential exchange participants in order to mobilize trusted exchange in support of patient health and care.
National eHealth Collaborative
either 1) intent and method targeted at the intentional exploitation of a vulnerability or 2) a situation and method that may accidentally trigger a vulnerability
Threat source
incorporates risk management processes to ensure alignment of IT with business objectives, and a control framework
COBIT
means that the records are used rarely but must be retained for reference or to meet the full retention requirement. Inactive records usually involve a patient who has not sought treatment for a period of time or one who completed his or her course of treatment.
Records, Inactive
Described as a contract in which the parties agree to electronically exchange data to protect the transmitted data. The sender and receiver are required to depend on each other to maintain the integrity and confidentiality of the transmitted information.
Chain of Trust Agreement
administrative actions, policies, and procedures to manage the selection, development, implementation and maintenance of security measures to safeguard ePHI and manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Administrative Safeguards
Targets merchants who accept product and service payments from customers using specific credit cards.
Payment Card Industry Data Security Standard
a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
Vulnerability
Has been a champion of patient safety by helping healthcare organizations to improve the quality and safety of the care they provide. Evaluates and accredits healthcare organizations and programs in the US and is the nation’s predominant standards setting and accrediting body in healthcare. The National Patient Safety Goals (NPSGs) required to be implemented by all accredited organizations to improve the safety and quality of care, are updated annually.
Joint Commission
A type of medical savings account that allows the patient to save money to pay for the current and future medical expenses on a tax-free basis. The patient must be covered by a high-deductible plan and not have any other health insurance. a good option for individuals who want to protect themselves from catastrophic health care costs but don’t anticipate many day to day medical costs.
Health Savings Account
assumes a small percentage of threats from purposeful cyber attacks will be successful by compromising organizational information systems through the supply chain by defeating the initial safeguards and counter measures
Agile Defense
state what needs to be done
policies
typically employs a set of methods, principles, or rules for assessing risk based on the use of numbers
quantitative assessments
typically employs a set of methods, principles, or rules for assessing risk that uses bins, scales or representative numbers whose values and meanings are not maintained in other contexts
Semi quantitative assessments
a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations and the nation
authorizing official
any of the following activities of the covered entity, to the extent that the activities are related to covered functions: conducting quality assessment and improvement activities; reviewing the competence or qualifications of healthcare professionals; underwriting and premium rating; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning; and business management and general administrative activities of the entity.
Healthcare Operations
the health care term that refers to the compensation or repayment for health care services. Reimbursement is being repaid or compensated for expenses already incurred or, as in the case of health care, for services that have already been provided.
Reimbursement
GCP is a process that incorporates established ethical and scientific quality standards for the design, conduct, recording, and reporting of clinical research involving the participation of human subjects. Compliance provides public assurance that the rights, safety, and well-being of research subjects are protected and respected and ensures the integrity of clinical research data.
Good Clinical Research Practice
The HIPAA privacy rule also permits providers that typically provide health care to a common set of patients to designate themselves as an OHCA for purposes of HIPAA. For example, an academic medical center often includes university-affiliated physicians and a hospital or health system.
Organized Health Care Arrangement
means that the records are consulted or used on a routine basis. Routine functions may include activities such as release of information requests, revenue integrity audits, or quality reviews.
Records, Active
a governance structure where the authority, responsibility, and decision-making power are vested in and delegated to the individual subordinate organizations within the parent organization
decentralized information security governance structure
controls that reduce the risk of exposing sensitive personal and health information
detective controls
The amount of information that is transmitted over a period of time. A process of learning or education could necessitate a higher _______________ than a quick status update.
Bandwidth
Individuals assigned the responsibilities involved with the privacy policy/ standard/ procedure structures
Privacy Professionals
(DLM) is a policy-based approach to managing the flow of an information system's data through its lifecycle. DLM products automate the processes involved, typically organizing data into separate tiers according to specified policies and automating data migration from one tier to another based on those criteria. As a rule, newer data and data that must be accessed more frequently are stored on faster but more expensive storage media, while less critical data are stored on cheaper but slower media.
Data Lifecycle Management
an assessment designed to recognize the current security posture of your organization and set realistic expectations of the targeted security posture
gap analysis
Requires physician practices to implement a number of administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI
Security Rule
A group of records maintained by or for a covered entity that includes the medical records and billing records about individuals maintained by or for a covered healthcare provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used in whole or in part, by or for the covered entity to make decisions about individuals.
Designated record set
any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/ or denial of service
Threat
offer suggestions or directions for satisfying the policies
Guidelines
protects the interests of share holders and ensures that management does not act in a manner that is inconsistent with the interest of stakeholders
Governance
the enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively
Due Diligence
The removal of the set of identifying characteristics so that the document is no longer PHI. This practice is frequently associated with research projects involving health trends conducted by hospitals or universities.
De-Identification
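The Safe Harbor de-identification described here, together with the Limited Data Set defined earlier in this deck, as an added worked example (not code from the flashcards or from any cited body). The identifier classes follow 45 C.F.R. § 164.514(b)(2) and (e)(2); the record field names, the sample patient, and the low-population ZIP prefixes are constructed assumptions for illustration.

```python
"""HIPAA Safe Harbor de-identification and Limited Data Set filtering.

Added example, not code from the flashcard deck. Identifier classes follow
45 C.F.R. 164.514(b)(2) (Safe Harbor) and 164.514(e)(2) (Limited Data Set);
the record field names, the sample patient and LOW_POPULATION_ZIP3 are
constructed for illustration.
"""
import re
from datetime import date

# Fields holding the 18 Safe Harbor identifier classes, under the field
# names this example assumes. Dates and ZIP codes are not simply dropped
# (year and 3-digit ZIP may be kept), so they are handled separately.
SAFE_HARBOR_DIRECT = frozenset({
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric",
    "photo", "other_unique_id",
})
# A Limited Data Set strips only the 16 direct identifiers: city, state,
# ZIP, full dates and exact ages stay. It is still PHI, hence the DUA.
LDS_DIRECT = SAFE_HARBOR_DIRECT - {"city", "other_unique_id"}
DATE_FIELDS = frozenset({"birth_date", "admission_date",
                         "discharge_date", "death_date"})
# Constructed sample: 3-digit ZIP areas with 20,000 or fewer residents must
# collapse to "000". HHS publishes the authoritative list from census data.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "063"})
# Identifiers that leak into free text (e.g. clinical notes) must go too.
FREE_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
)


def scrub_text(text: str) -> str:
    """Replace SSN, phone and e-mail patterns in free text with tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def _year(value) -> int:
    if isinstance(value, date):
        return value.year
    return date.fromisoformat(value).year


def _zip3(zip_code) -> str:
    prefix = str(zip_code)[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor(record: dict) -> dict:
    """Return a copy of record with the 18 Safe Harbor identifiers removed.

    Years of dates and the first three ZIP digits are retained, ages over
    89 collapse to "90+", and every date year is dropped for such a patient
    because the rule also forbids date elements indicative of that age.
    """
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for field, value in record.items():
        if field in SAFE_HARBOR_DIRECT:
            continue
        if field == "zip":
            out[field] = _zip3(value)
        elif field in DATE_FIELDS:
            if not over_89:
                out[field] = _year(value)
        elif field == "age":
            out[field] = "90+" if over_89 else value
        elif field == "notes":
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Return a Limited Data Set: direct identifiers removed, dates kept."""
    out = {k: v for k, v in record.items() if k not in LDS_DIRECT}
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


# Constructed sample patient record (not real data).
SAMPLE = {
    "name": "Jane Doe", "street_address": "12 Elm St", "city": "Montpelier",
    "state": "VT", "zip": "03601", "phone": "802-555-0100",
    "email": "jane@example.org", "ssn": "123-45-6789", "mrn": "MRN-000123",
    "age": 91, "birth_date": "1932-04-09", "admission_date": "2023-11-02",
    "diagnosis_code": "I10",
    "notes": "Callback 802-555-0100, SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print(limited_data_set(SAMPLE))
```

Note the two rules that a naive "drop the columns" approach misses: a 3-digit ZIP prefix covering 20,000 or fewer people must become "000", and a patient over 89 loses not only the exact age but every date year that could reveal it. The Limited Data Set output keeps the full birth date and ZIP, which is exactly why it still requires a Data Use Agreement.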
responsible for documenting the organization identified common controls in a security plan
Common control providers
(APGs) were developed to encompass the full range of ambulatory settings, including same day surgery units, hospital emergency rooms, and outpatient clinics. They are a patient classification system designed to explain the amount and type of resources used in an ambulatory visit. Patients in each have similar clinical characteristics and similar resource use and cost. Similar resource use means that the resources used are relatively constant across the patients within each APG.
Ambulatory Patient Groups
The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information
Disclosure
Provides an independent view of the design, effectiveness, and implementation of controls
Auditor
Insurance against the risk of incurring medical expenses among individuals. By estimating the overall risk of healthcare and health system expenses, among a targeted group, an insurer can develop a routine finance structure, such as a monthly premium or payroll tax, to ensure that money is available to pay for the healthcare benefits specified in the insurance agreement.
Health insurance
a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network
Exposure
EPOs are similar to PPOs but they reimburse members for services rendered by providers in their network only. Like PPOs, the patient pays a percentage of every medical bill up to a certain level. Some EPOs allow the patient to forgo a primary care physician and refer themselves to a specialist as long as that provider is in the network. May limit coverage to providers inside their network.
Exclusive Provider Organizations
Provides the framework to describe the comprehensive management of health information across computerized systems and its secure exchange between consumers, providers, government and quality entities, and insurers. Computers and telecommunications are used for storing, retrieving, and sending information with the goal of bringing about an age of patient- and public-centered health information and services.
Health Information Technology
An individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture
Information Security Architect
Encompasses such activities as frequency and basic statistic reports, table relationships, phrase and element analysis and business rule discovery. It is primarily done before any data-oriented initiative and often can be used to pinpoint where further efforts need to be focused
Data Profiling
A classical definition is a person who helps in identifying or preventing or treating illness or disability.
Provider
Identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives
COSO
Any information that allows positive identification of an individual, usually as a combination of several characteristics
Personally Identifiable Information
a software program, or the computer on which that program runs, that provides a specific kind of service to client software running on the computers on a network.
Server
provides a common language that enables a consistent way of capturing, sharing, and aggregating health data across specialties and sites of care. It is a highly detailed terminology designed for input, not reporting.
SNOMED-CT
the entity that has the relationship with the patient. That could be a doctor, hospital, pharmacy, or insurance company
Primary Entity
Information that may be individually identifiable health information, that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan, and from which the identifiers of the individual, and of relatives, employers, or household members of the individual, have been removed.
Summary health information
an entity with whom the primary entity does business. In the US, this relationship would be defined under HIPAA as that between a covered entity and a business associate
Third Party
means maintaining and assuring the accuracy and consistency of data over its entire life cycle. This means that data cannot be modified in an unauthorized or undetected manner. It is violated when a message is actively modified in transit.
Integrity
performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor
Plan Administration Functions
Not for profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.
Health Level Seven International
Synchronous communication occurs when two parties exchange messages across a communication channel at the same time (e.g., face-to-face, telephone, online chat). The primary advantage is the ability for immediate feedback and clarification when necessary.
Synchronicity
NUBC is a voluntary committee whose work is coordinated through the offices of the American Hospital Association (AHA) and includes participation of all the major national provider and payer organizations. The committee was originally formed to develop a single standard billing format and data set to be used nationwide by institutional providers and payers for handling healthcare claims. Today the committee monitors and manages the utilization of this standard (UB) and data set used throughout the industry for billing transactions.
National Uniform Billing Committee
persistent personal attention
Assiduity
Legislation that was created to stimulate the adoption of EHR and supporting technology in the US. Signed into law on 02/17/09 as part of the American Recovery and Reinvestment Act of 2009, an economic stimulus bill. It stipulates that, beginning in 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of EHR. Incentives were offered until 2015, after which time penalties may be levied for failing to demonstrate such use. The act also establishes grants for training centers for the personnel required to support a health IT infrastructure.
HITECH
controls that could include requirements such as encrypting data in transit and at rest and intrusion detection and prevention capabilities
technical controls
the appropriate risk response when the identified risk is within the organizational risk tolerance
Risk acceptance
Is an architecture that divides processing between clients and servers that can run on the same machine or on different machines on the same network. It is a major element of the modern operating system and network design. End users access workstation computers and other physical automated equipment directly while performing healthcare functions.
Server: Client-Server
AKA episode-based payment. Is defined as the reimbursement of healthcare providers (such as hospitals and physicians) “on the basis of expected costs for clinically defined episodes of care.” The middle ground between fee-for-service and capitation.
Bundled Payment
An individual's permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study.
Authorization
Technical research reports targeting specialized audiences, including interim and final reports. These are for information technology and security specialists who wish to keep abreast of the latest research within the CSD.
NIST Interagency Reports
A government program of hospitalization insurance and voluntary medical insurance for persons aged 65 and over, and for certain disabled persons under 65
Medicare
An action or practice that closes a vulnerability or a weakness that would allow a threat to protected information to be actualized, for example, the protected personal information being lost or misused.
Control
A contract with a covered entity that meets the HIPAA Privacy Rule’s applicable contract requirements
Business Associates Agreement
the process of submitting and following up on claims with health insurance companies in order to receive payment for services rendered by a healthcare provider. The same process is used for most insurance companies or government-sponsored programs. The process is an interaction between a healthcare provider and the insurance company (payer). The entirety of this interaction is known as the billing or revenue cycle. This can take anywhere from several days to several months to complete and requires several interactions before a resolution is reached.
Medical billing
The way to standardize and verify data is to use a reference database or a defined set of business rules and corporate standards. The quality building block includes technologies that encompass parsing, transformation, verification, and validation.
Data Quality
a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
Payment Card Industry
a branch of the chemical industry that manufactures drugs. The industry comprises enterprises that produce synthetic and plant-derived preparations, antibiotics, vitamins, blood substitutes, and hormone preparations derived from animal organs, and drugs in various dosages (including injection solutions in ampules, tablets, lozenges, capsules, pills, and suppositories), as well as ointments, emulsions, aerosols, and plasters. Companies in the industry are allowed to deal in generic and/or brand medications and medical devices. They are subject to a variety of laws and regulations regarding the patenting, testing, safety and efficacy, and marketing of drugs.
Pharmaceutical Industry
a system designed to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information
classification system
FFS is a payment model where services are unbundled and paid for separately. Doctors and hospitals are paid for each service they perform. It gives an incentive for physicians to provide more treatments because payment is dependent on the quantity of care, rather than the quality of care.
Fee for Service
the most widely recognized medical classification, maintained by the World Health Organization. Its primary purpose is to categorize diseases for morbidity and mortality reporting. The United States has used a clinical modification for the additional purpose of reimbursement. The CM in the name means clinical modification. It is used by hospitals and other facilities to describe any health challenges a patient has, from diagnosis and symptoms to outcomes from treatment to causes of death. ICD-10-CM and PCS group together similar diseases and procedures and organize related entities for easy retrieval.
International Classification of Disease
“value-based purchasing,” is an emerging movement in health insurance. Providers under this arrangement are rewarded for meeting pre-established targets for delivery of health care services. This is a fundamental change from fee-for-service payment.
Pay for Performance
an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.
Information Systems Owner
a set of self-assessment steps to enable UK healthcare organizations to comply with the Department of Health Information Governance policies and standards
IG Toolkit
Is the electronic management of digital and analog records contained in IT systems using computer equipment and software according to accepted principles and practices of records management. Is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of analog and digital records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.
Electronic Records Management
Refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains or transmits in electronic form.
Electronic Patient Health Information
the government provides its own health insurance, but private insurance companies continue to provide insurance as another option for citizens. Proponents point to private insurance’s inability to provide for every single person, often leaving people without health care coverage, which can result in avoidance of care and even bankruptcy.
Public Health Insurance
a confederation of stakeholders at the forefront of HIE, including federal agencies; state, regional, and local health information organizations; integrated delivery networks, and private organizations.
Nationwide Health Information Network Exchange
An initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient
Integrating the Healthcare Enterprise
individually identifiable information that is held or transmitted by a covered entity or business associate in any form or media — whether electronic, paper, or oral — that relates to the past, present, or future physical or mental health of an individual, health care services, or payment for health care.
Protected Health Information
Typically feature lower premiums and higher deductibles than traditional insurance plans.
High Deductible Health Plans
a hosted service offering that acts as an intermediary between business partners such as hospitals and insurance payers. A VAN simplifies the communications process by reducing the number of parties with which a company needs to facilitate electronic data interchange (EDI). VANs provide a number of services, e.g., HIPAA compliance checking, acknowledgements, retransmitting documents, providing third-party audit information, acting as a gateway for different transmission methods, and handling telecommunications support.
Value-added Network (VAN)
Define limitations or boundaries to the how
Standards
the form of managed care closest to an indemnity plan, which typically allows you to see any doctor, any time. Negotiates discounts with doctors, hospitals, and other providers, who then become part of the network.
Preferred Provider Organization
involves activities that result in false claims to insurers or programs such as Medicare in the United States or equivalent state programs for financial gain to a pharmaceutical company.
Pharmaceutical Fraud
(ACE) legally separate covered entities that are affiliated may designate themselves as a single covered entity for the purposes of the HIPAA Privacy Rule. Under this affiliation, the organizations need only designate one privacy official, administer common training programs, and use one business associate contract.
Affiliated Covered Entity
Sometimes doctors reach an agreement with a managed care organization where the doctor is paid per person. Under this agreement, doctors accept members of the plan for a certain set price per member, no matter how often the member sees the doctor.
Capitation
the systematic use of data and related business insights developed through applied analytical disciplines (e.g. statistical, contextual, quantitative, cognitive, etc.) to drive fact-based decision making for planning, management, measurement, and learning. They may be descriptive, predictive, or prescriptive. Can provide the mechanism to sort through the torrent of complexity and data in healthcare, and help healthcare organizations deliver on the demands placed on them.
Analytics
When using or disclosing PHI, or when requesting PHI from another covered entity, a covered entity generally must make reasonable efforts to limit PHI to the _________________ to accomplish the intended purpose of the use, disclosure, or request.
Minimum necessary
regulations are divided into four Standards or Rules: (1) Privacy, (2) Security, (3) Identifiers, and (4) Transactions and Code Sets (TCS). The TCS Standard/Rule was first released in August 2000 and updated in May 2002; it took effect on 16 October 2003 for all covered entities. Regulations associated with the TCS Rule mandate uniform electronic interchange formats for all covered entities. It is this standardization along with the introduction of uniform identifiers for plans, providers, employers, and patients under the Identifier Rule that is expected to produce the efficiency savings of “administrative simplification.”
The HIPAA Transaction and Code Sets Standard/Rule (TCS)
must protect the computer network and its services from unauthorized modification, destruction, or disclosure.
Network Security
the principle that states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data
Security safeguards principle
electronic systems that store a patient's health information, such as the patient's history of diseases and which medications the patient is taking. Provide information even after the doctor's office is closed.
Electronic Health Records
the principle that states that the purposes for which personal data is collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose
Purpose specification principle
controls that relate to those activities required when addressing a security incident
corrective controls
The highest level senior official or executive within an organization with the overall responsibility to provide information security protections
Head of agency
Publications that specifically target US federal agencies and are currently the approved standards for compliance with the Information Technology Reform Act of 1996 and FISMA of 2002
Federal Information Processing Standards
formal, documented policies and procedures for granting different levels of access to healthcare information
Information Access Control
combines elements of both a Health Maintenance Organization (HMO) and a Preferred Provider Organization (PPO). The plan allows you to use a primary care physician to coordinate your care, or you can self-direct your care at the “point of service.”
Point-of-Service Plan
an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual, such as hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and handwritten signature
Biometric Identification
state how the policies are meant to be implemented
Procedures
is a network that provides shared communications and resources in a relatively small area.
Local Area Network
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Risk
includes demographic, geographic, and credit information. Can also encompass data management algorithms and methodologies that combat unique clinical data problems.
Data Augmentation
The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or personal computer. Offered in different forms: Public, Private, and Hybrid.
Cloud Computing
the principle that states that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date
Data quality principle
A weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability
Likelihood
The life cycle of records management begins when information is created and ends when the information is destroyed.
Records Retention
means a single legal entity that is a covered entity and whose covered functions are not its primary function
Hybrid entity
The interdisciplinary study of the design, development, adoption, and application of IT-based innovations in healthcare services delivery, management, and planning. Its law deals with evolving and sometimes complex legal principles as they apply to information technology in health-related fields. It addresses the privacy, ethical, and operational issues that invariably arise when electronic tools, information, and media are used in healthcare delivery. Also applies to all matters that involve technology, health care, and the interaction of information. It deals with the circumstances under which data and records are shared with other fields or areas that support and enhance patient care.
Health informatics
specific technical staff who are involved in implementing the software systems that support health information processing
Data Processors
a type of fee-for-service because the patients or the guarantors (responsible persons, such as the parents of children) pay a specific amount for each service received. The patients or guarantors make such payments themselves to the providers, such as physicians, clinics, or hospitals, who then render each service. The patients or guarantors then seek reimbursement from their private health insurance or the governmental agency that covers their health benefits.
Self-Pay
similar to DRGs in concept. Each facility is paid a daily rate based on the needs of individual Medicare patients, with an adjustment for local labor cost.
Resource Utilization Groups
An organization's leadership exercises the care that ordinarily prudent and reasonable persons would exercise under the same circumstances
Due Care
The staff responsible for the maintenance and integrity of the data system - software and hardware- that house and process data containing PHI. This will include keeping the systems updated, backing up stored data, and maintaining and monitoring network activity for potential vulnerabilities.
Data Custodian
Restricts covered entities' and business associates' use and disclosure of an individual's PHI
HIPAA Privacy Rule
(DRG) is a capitation approach focused on hospitalization. Price is set based on categories of illnesses. The DRG classification of diseases is a nominal scale used to describe the illness leading to hospitalization.
Diagnosis related groups
is intended for the use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals. Types include self-care, electronic, diagnostic, surgical, durable medical equipment, acute care, emergency and trauma, long-term care, storage, and transport.
Medical device
an impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Breach
allow for extra barriers between unauthorized users and the protected information resources
Compensating controls
Often called group health insurance, the employer is responsible for a significant portion of the healthcare expenses. Group health plans are also guaranteed issue, meaning that a carrier must cover all applicants whose employment qualifies them for coverage. In addition, employer-sponsored plans typically are able to include a range of plan options, from HMO and PPO plans to additional coverage such as dental, life, and short- and long-term disability.
Employer Sponsored insurance
the set of standards aimed at the general IS audience inside or outside the federal government. These are the most public set of standards documents and represent outreach and collaborative efforts with information technology specialists in government, private organizations, and higher education.
Special Publications
Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations
Health Information Trust Alliance HITRUST Common Security Framework CSF Assurance Program
Must manage organizational information so that it is timely, accurate, complete, cost-effective, accessible, and usable. An effective program addresses both creation control and records retention, thus stabilizing the growth of records in all formats.
Healthcare Records Management
a store where medicinal drugs are dispensed or compounded and sold. It can also be defined as a branch of health sciences that deals with the preparation, dispensing, and utilization of drugs. Involves the process through which a pharmacist cooperates with a patient and other professionals in designing, implementing, and monitoring a therapeutic plan that will produce specific therapeutic outcomes for the patient.
Pharmacy
This technical report catalogs nearly 100 implemented and proposed payment reform programs, classifies each of these programs into one of 11 payment reform models, and identifies the performance measurement needs associated with each model. A synthesis of the results suggests near-term priorities for performance measure development and identifies pertinent challenges related to the use of performance measures as a basis for payment reform. The report is also intended to create a shared framework for analysis of future performance measurement opportunities. This report is intended for the many stakeholders tasked with outlining a national quality strategy in the wake of health care reform legislation.
Patient Protection and Affordable Care Act of 2010
monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.
Network Management
the PII involved with the healthcare and treatment of an individual
Personal Health Information
an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner
Information System Security Officer
Information can flow between the supplier and the recipient directly, or through an information technology. Mediated flow paths require some use of information technology to allow information to flow, while unmediated flow paths do not require information technology to transfer the information.
Flow Paths
The individual's permission to participate in the research. Provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things.
Informed Consent
a set of principles determined jointly by the American Institute of Certified Public Accountants (AICPA). The principles are based on commonly accepted privacy standards for protecting personal information.
Generally Accepted Privacy Principles
A program that looks at the different types of data an organization handles, classifies those pieces of data based on sensitivity, and establishes procedures to make sure each of these pieces of information is treated properly. The big-picture rationale of a data classification program is to reduce risk and bring enterprise-wide consistency to data handling.
Data Classification
an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal
Information Owner
an individual or group within an organization that helps to ensure that risk-related considerations for individual information systems, including authorization decisions, are viewed from an organization-wide perspective
Risk Executive
a tool to streamline, automate, and re-engineer business processes.
Workflow Management Systems (WfMSs)
an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls
security control assessor
a system in which individuals are responsible for securing their own health insurance coverage, although employers in many cases provide all or some of the funding. Supporters of the system say that it encourages freedom of choice for health insurance and provides the best possible quality of care.
Private Health Insurance
a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity
Unique user identifier
Allows healthcare professionals and patients to appropriately access and securely share a patient's vital information electronically.
Health Information Exchange
the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability
Impact