For HIPAA Purposes a Business Associate Is

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.

QUESTION 1

When is disclosure to law enforcement permitted under HIPAA?

ANSWER

1. Information sought is relevant and material to a legitimate law enforcement inquiry
2. Request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
3. De-identified information could not reasonably be used

QUESTION 2

Benefits laws that have privacy implications?

ANSWER

1. HIPAA
2. COBRA
3. ERISA
4. FMLA

QUESTION 3

Health Breach Notification Rule

ANSWER

A rule, promulgated under HITECH, requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

QUESTION 4

Health Information Technology for Economic and Clinical Health Act (HITECH)

ANSWER

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act, among other objectives, further addresses privacy and security issues involving PHI as defined by HIPAA. The HITECH privacy provisions include the introduction of categories of violations based on culpability that, in turn, are tied to tiered ranges of civil monetary penalties. Its most noteworthy elements elaborate upon breach notifications resulting from the use or disclosure of information that compromises its security or privacy.

QUESTION 5

Health Insurance Portability and Accountability Act (HIPAA)

ANSWER

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

QUESTION 6

Minimum Necessary Requirement under HIPAA

ANSWER

Under HIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose.

QUESTION 7

HIPAA Privacy Rule

ANSWER

Under HIPAA, this rule establishes U.S. national standards to protect individuals' medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

QUESTION 8

Protected Health Information

ANSWER

Any individually identifiable health information transmitted or maintained in any form or medium that is: 1) held by a covered entity or its business associate; 2) identifies the individual or offers a reasonable basis for identification; 3) is created or received by a covered entity or an employer, and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.

QUESTION 9

Business Associate under HIPAA

ANSWER

A business associate is a person or entity not part of the covered entity's workforce that provides services to a covered entity involving the use or disclosure of protected health information. Examples of BA activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing. Services BAs may provide a covered entity include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial.

QUESTION 10

Electronic Health Record

ANSWER

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges.

QUESTION 11

In addition to the Security Rule, what other rule was promulgated by Health and Human Services and mandated by the Health Insurance Portability and Accountability Act?

ANSWER

Privacy Rule. HIPAA required the Department of Health and Human Services (HHS) to promulgate regulations to protect the privacy and security of healthcare information, and HHS issued the Privacy Rule in December 2000 (revised in 2002) and the Security Rule in February 2003. HHS also promulgated the Transactions Rule, but this related not to privacy or data security but to standard electronic formats to fulfill another important reason for the legislation—to improve the efficiency of healthcare delivery. There is no "operations rule" under HIPAA. U.S. Private-sector Privacy, p. 46-47.

QUESTION 12

Who has enforcement authority over HIPAA?

ANSWER

1. Health & Human Services
2. Office of Civil Rights

QUESTION 13

Who is a covered entity under HIPAA?

ANSWER

1. Health plans
2. Health care clearinghouses
3. Health care provider who transmits health info electronically

QUESTION 14

What is a Health Plan under HIPAA?

ANSWER

1. Individual and group health plans
2. Employer sponsored group health plans
3. Government and church sponsored health plans
4. Multi-employer plan

QUESTION 15

When MUST a covered entity disclose health information?

ANSWER

1. To individuals specifically when they request access to, or an account of disclosures of their PHI
2. To HHS as part of a compliance investigation or enforcement action

QUESTION 16

What are the permitted uses and disclosures under HIPAA without patient consent?

ANSWER

1. To the individual (unless required)
2. Treatment, Payment and Health Care Operations
3. Opportunity to agree or object
4. Incident to an otherwise permitted use
5. Public interest and benefit activities
6. Limited data set for the purposes of research, public health or health care operations.

QUESTION 17

What are the 12 public interest or national priority uses that allow disclosure without consent of PHI?

ANSWER

1. Required by law
2. Public health activities
3. Victims of abuse, neglect or domestic violence
4. Health oversight activities
5. Judicial and administrative proceedings
6. Law enforcement purposes
7. Decedents
8. Cadaveric organ, eye or tissue donation
9. Serious threat to health or safety
10. Essential government functions
11. Workers' Compensation
12. Limited data set with identifiers removed

QUESTION 18

What are the civil money penalties under HIPAA?

ANSWER

$100 to $50,000 or more per violation, $1,500,000 calendar year cap.
