The following terms, when used in this Manual, shall have the definitions provided below unless the context clearly and plainly indicates otherwise. In addition, any Capitalized term included in this Manual which is not defined in this Section 1, shall have the meaning defined in HIPAA unless the context clearly and plainly indicates otherwise.<\/p>\n\n\n\n
Authorization:<\/strong> Written permission required prior to disclosing a patient\u2019s PHI when the use or disclosure is for a purpose other than for treatment, payment, or operations. A valid authorization must contain all of the elements listed in the Privacy Standards for the specific type of disclosure and entity.<\/p>\n\n\n\n Authorized Health Care Provider<\/strong>: The Workforce members charged with providing care and directing the provision of care to the Center\u2019s patients.<\/p>\n\n\n\n Breach:<\/strong> Acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.<\/p>\n\n\n\n Breach Notification Rule:<\/strong> The requirements for Breach Notification for Unsecured Protected Health Information under the HITECH Act that mandate notice to individuals in some cases if their PHI is improperly accessed, used, or disclosed, as well as a report to HHS of such incidents. Media notice may also be required. The notice\/report contents, timing, and distribution requirements are prescribed by the Breach Notice Rule at 45 CFR Subparts D of Part 164.<\/p>\n\n\n\n Business Associate:<\/strong> A person or organization who performs a function or activity on behalf of a covered entity or who performs a specified service regardless of whether it involves performing a service on behalf of a covered entity. The specified services where disclosure of personally identifiable health information is considered routine include: legal, actuarial, accounting, consulting, management, administrative accreditation, data aggregation, and financial services. When a covered entity discloses PHI to a business associate, a business associate agreement between the covered entity and the person or organization performing functions on behalf of the covered entity or specified services is required to protect the use and disclosure of PHI.<\/p>\n\n\n\n Callier Center for Communication Disorders<\/strong> or Callier Center<\/strong> or Center:<\/strong> An educational, research and treatment center within The University of Texas at Dallas that focuses on communication and communication disorders. It provides health care services to the public and which engages in transactions that make it a Covered Entity that is subject to HIPAA.<\/p>\n\n\n\n Covered Entity:<\/strong> A health care provider that performs certain electronic transactions that are subject to HIPAA, a health plan or a clearinghouse required to comply with HIPAA. The term includes Hybrid Entities.<\/p>\n\n\n\n Covered Functions:<\/strong> Operations performed by a Covered Entity or a Business Associate that require access to PHI and that subject the entity to HIPAA.<\/p>\n\n\n\n Data Use Agreement:<\/strong> An agreement required before a Covered Entity may use or disclose a limited data set so that a covered entity may obtain satisfactory assurance that the limited data set recipient will only use or disclose the PHI for limited purposes.<\/p>\n\n\n\n De-identified:<\/strong> The status of information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. Information that has been de-identified according to the methodology described in 45 C.F.R. \u00a7 164.514 is not subject to the Privacy Standards.<\/p>\n\n\n\n Designated Record Set:<\/strong> The designated record set that includes the Original Medical Record (OMR) and billing records of patients. The Callier Center\u2019s designated record set is the OMR. Additionally, the designated record set includes any records that the Callier Center or a Business Associate has used while making health care decisions. For example, medical records from non-Callier Center sources used to make health care decisions. The designated record set specifically excludes:<\/p>\n\n\n\n Disclosure:<\/strong> The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.<\/p>\n\n\n\n Health and Human Services:<\/strong> The Department of Health and Human Services (HHS) is the United States government\u2019s principal agency for protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves.<\/p>\n\n\n\n Health Care Component:<\/strong> The Health Care Component at UT Dallas consists of the Callier Center and the offices and departments that provide services to and on behalf of the Callier Center that require access to Callier Center PHI and would meet the definition of a Callier Center\u2019s Business Associate Agreement if the office or department were not part of the University. They are listed in the University\u2019s Hybrid Entity Designation, which is included in this Manual.<\/p>\n\n\n\n Health Care Operations:<\/strong> Includes, but are not limited to, any of the following activities to the extent these activities are related to the Covered Entity\u2019s functions as a health care provider:<\/p>\n\n\n\n At UT Dallas, these are functions the University provides in conjunction with operation of the Callier Center as a Health Care Provider, including general administrative and business functions necessary for the Callier Center to remain a viable health care provider and to ensure that UT Dallas meets it other compliance and legal duties as a public institution of higher education.<\/p>\n\n\n\n Health Care Provider:<\/strong> An entity or person licensed of otherwise authorized by law to provide medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who is legally authorized to furnish, bill, or be paid for health care in the normal course of business.<\/p>\n\n\n\n HIPAA<\/strong> or Health Insurance Portability and Accountability Act:<\/strong> Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 Administrative Simplification provisions and the regulations adopted by the U.S. Department of Health and Human Services (HHS) to implement HIPAA. HIPAA give the Secretary of Health & Human Services (HHS) the authority to establish standards and requirements for the electronic transfer of health care information, and for the privacy and security of PHI. A reference to HIPAA in this manual generally refers to the requirements of the statute and the regulations as interpreted by HHS.<\/p>\n\n\n\n Health Oversight Agency:<\/strong> A health oversight agency is an agency or a person or entity acting under a grant of authority from or contract with such public agency, that is authorized by law to oversee a health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.<\/p>\n\n\n\n Hybrid Entity:<\/strong> A single legal entity that is a HIPAA Covered Entity, performs business activities that include both Covered and non-Covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a Hybrid Entity, the Privacy Rule generally applies only to its designated Health Care Components. However, non-Health Care Components of a Hybrid Entity may be affected because the Health Care Component is limited in how it can share PHI with the non-health care component. The Hybrid Entity also retains certain oversight, compliance, and enforcement responsibilities on behalf of its Health Care Components.<\/p>\n\n\n\n Institutional Review Board<\/strong> or IRB:<\/strong> A board that approves proposed research projects conducted at an institution and\/or using the institutions data. The UT Dallas IRB has the authority to decide whether to waive individual authorization for the use or disclosure of University PHI for research purposes.<\/p>\n\n\n\n Limited Data Set:<\/strong> PHI that excludes the following direct identifiers of the individuals or of relatives, employers, or household members of the individuals: (i) names; (ii) postal address information other than town or city, state, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) e-mail addresses; (vi) Social Security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate\/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) Web Universal Resource Locators (\u201cURLs\u201d); (xiv) Internet Protocol (\u201cIP\u201d) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images. Identifiable information that may remain in a limited data set includes dates relating to a patient (dates of service, admission, or discharge; date of birth; date of death) and information relating to the town or city, state, and five-digit zip code of the patient, his or her employer, and the patient\u2019s household members.<\/p>\n\n\n\n Manual:<\/strong> This Policy and Procedure Manual for the Confidentiality of Health Care Information. Also, referred to as the HIPAA Privacy Manual.<\/p>\n\n\n\n Medical Media:<\/strong> Any health information in a media that cannot be scanned or filed into the OMR. Some medical media may be maintained in the original media for a period of time and then transformed into a format that can be scanned into the electronic medical record. Other types of medical media may require retention in the original media. Examples of Medical Media may include, but are not limited to, tests protocols, video tapes, compact discs, audio tapes and thumb drives.<\/p>\n\n\n\n Medical Record Administrator (MRA):<\/strong> The person appointed as the Callier Center record custodian responsible for the Medical Records Department and responsible for the maintenance, retention, access, data integrity, and data quality of PHI; including protecting patient privacy and providing information security, other duties related to access and review of PHI and complying with standards and regulations regarding PHI under the direction of the HIPAA Privacy Officer. For purposes of this policy, the MRA may also refer to individuals who have been officially designated to act in the place of the MRA.<\/p>\n\n\n\n Medical Record Department (MRD):<\/strong> The department that houses the Center\u2019s official patient care records.<\/p>\n\n\n\n Minimum Necessary Standard:<\/strong> A limitation placed on uses, disclosures, and requests for PHI. When Using or Disclosing protected health information or when requesting PHI from another Covered Entity or Business Associate, the University and its Business Associates must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.<\/p>\n\n\n\n Mitigation:<\/strong> Reasonable actions taken by a Covered Entity to lessen the damage of known wrongful use or disclosure of PHI in violation of the Covered Entity\u2019s policies and procedures or the requirements of the Privacy Standards.<\/p>\n\n\n\n Official Medical Record (OMR):<\/strong> The Callier Center medical record maintained by the Center that constitutes all significant medical\/clinical information pertaining to a Patient. Portions of the OMR may be housed at either Callier Center location until becoming scanned and filed in the electronic medical record system. The OMR has a permanent retention schedule. The OMR constitutes the Callier Center\u2019s designated record set.<\/p>\n\n\n\n Patient:<\/strong> Activities undertaken by a health provider to obtain or provide reimbursement for the provision of health care; or by a health plan to fulfill its responsibility for coverage and the provision of benefits. These activities include, but are not limited to:<\/p>\n\n\n\n Personal Representative:<\/strong> A person legally authorized to act on behalf of a Patient for purposes of exercising the Patient\u2019s rights under HIPAA or this Manual or fulfilling the Patient\u2019s responsibilities under this Manual.<\/p>\n\n\n\n Policy:<\/strong> A principle of required action adopted or proposed by this Manual.<\/p>\n\n\n\n Privacy Notice<\/strong> or Notice of Privacy Policies<\/strong> or NOPP:<\/strong> A description, provided to Patients or Personal Representatives at specific times, and to other persons upon a request concerning its uses and disclosures of PHI, which also informs them of their rights with respect to PHI.<\/p>\n\n\n\n Privacy Standards<\/strong> or Privacy Rule:<\/strong> Privacy Standards or Privacy Rule refer to the final rule \u201cStandards for Privacy of Individually Identifiable Health Information,\u201d at 45 CFR Part 160 and Subparts A and E of Part 164.<\/p>\n\n\n\n Protected Health Information<\/strong> or PHI<\/strong> Individually identifiable health information that is transmitted or maintained in any medium or form including oral, written, and electronic. Individually identifiable health information relates to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) past, present, or future payment for the provision of health care to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual. Demographic information on patients is also considered PHI. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended; in records described at 20 U.S.C. \u00a71232g(a)(4)(B)(iv) (student treatment records excepted from FERPA); and in employment records held by a covered entity in its role as an employer.<\/p>\n\n\n\n Public Health Authority:<\/strong> An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with a public agency, including the employees or agents of the public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. A public health authority can create health information as well as receive it.<\/p>\n\n\n\n Sanctions:<\/strong> Administrative actions by a Covered Entity taken against members of its Workforce who fail to comply with the entity\u2019s policies and procedures or with the requirements of the Privacy Standards. A Covered Entity must establish and apply appropriate Sanctions and must document the Sanctions that are applied.<\/p>\n\n\n\n Secretary<\/strong> or Secretary of Health and Human Services:<\/strong> The US Department of Health and Human Services (HHS) is headed by the Secretary. The Secretary or any other officer or employee of HHS to whom authority has been designated will implement and\/or enforce HIPAA rules and regulations or investigate allegations of HIPAA violations.<\/p>\n\n\n\n Security Rule:<\/strong> Refers to the final rule adopting standards for the security of electronic protected health information as required by the Administrative Simplification title of the Health Insurance Portability and Accountability Act of 1996, 45 CFR Part 160 and Subparts A and C of Part 164.<\/p>\n\n\n\n Shadow Records <\/strong>or Shadow Medical Records (Shadow MR):<\/strong> The medical record maintained by an authorized Workforce member, other than the Medical Records Department, that includes patient care information also included in the OMR. These records may be used for teaching purposes. Shadow MR information does not contain any pertinent patient care information that cannot be found in the OMR. A Shadow MR is considered a convenience copy and is destroyed as soon as it is no longer needed. The Shadow MR is sometimes referred to as Case Management Records.<\/p>\n\n\n\n Treatment:<\/strong> Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.<\/p>\n\n\n\n Treatment, Payment and Health Care Operations<\/strong> or TPO:<\/strong> The three core functions of providing health care and\/or health care coverage to patients that require access to the Patient\u2019s PHI. When performed by a Covered Entity, an Authorization is not required to use or disclose a Patient\u2019s PHI.<\/p>\n\n\n\n The University of Texas at Dallas<\/strong> or UT Dallas<\/strong> or University:<\/strong> A Texas state agency and public institution of higher education that is a Hybrid Entity which is subject to HIPAA compliance due to its operation of the Callier Center for Communications Disorders.<\/p>\n\n\n\n Use:<\/strong> Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the Health Care Component at UT Dallas which is the Callier Center.<\/p>\n\n\n\n
![\"\"](\"https:\/\/calliercenter.utdallas.edu\/wp-content\/uploads\/2022\/10\/zimmerman.png\")
<\/figure>\n\n\n\n