HIPAA’s Definition of Terms


Accounting for Disclosures: (We refer to this as “tracking disclosures” elsewhere on this Research Privacy web site.) Upon request, a covered entity must provide the individual with an accounting of each disclosure by date, the Protected Health Information (PHI) disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, state the purpose of the disclosures, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency of such disclosures.
A covered entity is not required to account for all disclosures of PHI.
An accounting is not required for disclosures made:

  • Prior to the covered entity’s compliance date;
  • For Treatment, Payment and Healthcare Operations (TPO) purposes;
  • To the individual or pursuant to the individual’s written authorization; or 
  • As part of a limited data set. 


Business Associate (BA): A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity’s workforce. A business associate can also be a covered entity in its own right. Also see Part II, 45 CFR 160.103.


Covered Entity (CE): Under HIPAA, this is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction. Also see Part II, 45 CFR 160.103.

Covered Function: Functions that make an entity a health plan, a health care provider, or a health care clearinghouse. Also see Part II, 45 CFR 164.501.


Data Element: Under HIPAA, this is the smallest named unit of information in a transaction. Also see Part II, 45 CFR 162.103.
Disclosure: Release or divulgence of information by an entity to persons or organizations outside of that entity. Also see Part II, 45 CFR 164.501.


Healthcare Operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health care providers, training of non-health-care professionals, and accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity. [45 CFR 164.501]

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A Federal law that makes a number of changes that have the goal of allowing persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Title II, Subtitle F, of HIPAA gives DHHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. Also known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191. 

Hybrid Entity: A covered entity whose covered functions are not its primary functions. Also see Part II, 45 CFR 164.504.


Minimum Necessary: The Privacy Rule requires covered entities to limit the PHI they use, disclose, or request to the minimum necessary to accomplish the intended purpose [45 CFR 164.514(d)(1)]. This requirement does not apply if the disclosure is required by law, authorized by the individual, or made for treatment purposes. 


Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities in paragraph 1) that relate to the individual to whom health care is provided, including, but not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health care data processing; (iv) review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; and (f) name and address of the health care provider or health plan.

Protected Health Information (PHI): PHI is individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. See Part II, 45 CFR 164.501.


Tracking disclosures: see Accounting for Disclosures

Treatment: The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.


Workforce: Under HIPAA, this means employees, volunteers, trainees, and other persons under the direct control of a covered entity, whether or not they are paid by the covered entity. Also see Part II, 45 CFR 160.103.



March 25, 2014
Primary teaching affiliate of BU School of Medicine