HIPAA Policy Manual - DBHIDS

Transcription

HIPAA POLICY MANUAL
City of Philadelphia, 2021
v.02042021

Confidentiality policies and procedures for all City of Philadelphia workforce members who create, use, maintain, or share protected health information.

TABLE OF CONTENTS

1.0  Introduction .......... 3
     1.1  WHY PRIVACY IS IMPORTANT .......... 3
     1.2  WHAT IS HIPAA .......... 3
     1.3  WHO MUST FOLLOW THESE POLICIES AND PROCEDURES .......... 4
     1.4  RELATIONSHIP TO OTHER POLICIES .......... 4
2.0  Key Terms .......... 5
     2.1  DEFINITIONS .......... 5
     2.2  ACRONYMS .......... 7
3.0  Recognizing What Information Is Protected .......... 9
     3.1  THE CITY’S HYBRID STATUS .......... 9
     3.2  DEFINING PROTECTED HEALTH INFORMATION AND DESIGNATED RECORD SETS .......... 11
     3.3  HIGHLY CONFIDENTIAL INFORMATION .......... 13
     3.4  DE-IDENTIFIED DATA AND LIMITED DATA SETS .......... 15
4.0  Ground Rules for Working with PHI .......... 17
     4.1  THE MINIMUM NECESSARY STANDARD .......... 17
     4.2  VERIFYING THE RECIPIENT .......... 19
     4.3  TRACKING DISCLOSURES .......... 21
5.0  Permitted Uses and Disclosures .......... 24
     5.1  PERMITTED USES .......... 24
     5.2  PERMITTED DISCLOSURES .......... 26
     5.3  CONSENT/AUTHORIZATION .......... 28
     5.4  FAMILY AND OTHERS INVOLVED IN THE INDIVIDUAL’S CARE .......... 31
     5.5  TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS .......... 33
     5.6  BUSINESS ASSOCIATES .......... 35
     5.7  PUBLIC HEALTH AND SAFETY REPORTING .......... 38
     5.8  COURT ORDERS, SUBPOENAS, AND WARRANTS .......... 41
     5.9  RESEARCH .......... 44
     5.10 OTHER REASONS FOR DISCLOSING PHI .......... 46
6.0  Safeguarding Protected Health Information .......... 48
7.0  Reporting Incidents .......... 51
8.0  Honoring an Individual’s Rights .......... 54
     8.1  RIGHT TO DESIGNATE A PERSONAL REPRESENTATIVE .......... 54
     8.2  RIGHT TO ACCESS, INSPECT, AND OBTAIN A COPY .......... 57
     8.3  RIGHT TO CORRECT ERRORS .......... 60
     8.4  RIGHT TO KNOW HOW HEALTH INFORMATION IS USED OR DISCLOSED .......... 62
     8.5  RIGHT TO LIMIT CERTAIN USES AND DISCLOSURES .......... 64
     8.6  RIGHT TO FILE A COMPLAINT .......... 66
9.0  Administration and Training .......... 67
     9.1  HIPAA OFFICIALS .......... 67
     9.2  TRAINING AND EDUCATION .......... 69
     9.3  SANCTIONS .......... 70
     9.4  ANTI-RETALIATION .......... 72
     9.5  HIPAA DOCUMENTATION .......... 73
10.0 Contact Information .......... 74
City HIPAA Forms .......... 75
     FORM 7.0: INCIDENT REPORT FORM .......... 75

This Manual and its contents were created exclusively for the City of Philadelphia. For permission to use or disclose the contents of this Manual outside the City of Philadelphia, please contact HIPAAprivacy@phila.gov.

1.0 Introduction

1.1 WHY PRIVACY IS IMPORTANT

Many City services expose workforce members to private aspects of other people’s lives during vulnerable times. Health records in particular can include some of the most intimate details about a person’s life, documenting a person’s physical and mental health, social behaviors, personal relationships, and financial status. When people use City services or receive City health insurance benefits, they trust the City to respect their privacy rights by maintaining the confidentiality and security of their personal information.

There are a number of reasons that privacy, confidentiality, and security are important to the City:

- Confidentiality is essential to build trusting relationships with individuals receiving care, often members of vulnerable communities who have experienced stigma and discrimination.
- Patients who believe that health services are confidential are more likely to seek care, particularly for reproductive health, mental health, or substance abuse matters.
- Giving an individual control over his or her personal information encourages autonomy and active participation in managing one’s own health care.
- Privacy violations and security breaches cause the individual to suffer financial harm, anxiety, and embarrassment, and in some cases, may jeopardize the individual’s immigration status, child custody, ability to obtain insurance coverage, employment eligibility, or access to benefits.

A major goal of this Manual is to ensure that individuals’ confidential information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. This Manual provides guidance on how to get your job done while meeting legal requirements and protecting the privacy of people who receive City services or benefits.

1.2 WHAT IS HIPAA

There are numerous federal and state laws that regulate the privacy and security of health and medical records. These laws involve three interconnected concepts:

- Privacy refers to an individual’s right to control his or her own person, personal matters, and information. Privacy laws such as HIPAA specify who can access other people’s personal information and under what conditions. Organizations adopt privacy policies to ensure personal information is collected, stored, and used for appropriate reasons and that individuals have rights to control their own personal information.
- Confidentiality focuses on preventing personal information exchanged in confidence from being divulged to third parties. Professionals such as clinicians, counselors, attorneys, researchers, public health employees, and social workers have legal and ethical obligations to maintain the confidentiality of personal information they collect or access as part of their jobs.
- Security involves procedural and technical measures that prevent unauthorized access to confidential information and protect the integrity and availability of records maintained electronically.

HIPAA (the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009) is a federal law that establishes a national standard for the privacy and security of health information. Regulations issued under HIPAA (the “HIPAA Rules”) include:

- The Privacy Rule, which sets limits and conditions on the uses and disclosures that may be made of an individual’s personal health information without the individual’s permission and gives individuals rights over their health information, including rights to examine, obtain a copy of, and correct their records.
- The Security Rule, which requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- The Breach Notification Rule, which requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Other federal and state laws contain additional requirements protecting specific types of highly confidential health information. If HIPAA and one of these laws apply to the same records and their requirements conflict, we must follow the law that is most protective of the individual who is the subject of the record.

1.3 WHO MUST FOLLOW THESE POLICIES AND PROCEDURES

All workforce members within the City’s designated health care component are required to comply with the policies and procedures in this Manual. This includes all workforce members of Covered Units, and certain workforce members of Support Units who have access to protected health information. Section 3.1 defines the City’s designated health care component, and Table 3.1 lists the Covered Units and Support Units (current as of the last revision date of this Manual).

Note: At this time, the Philadelphia Nursing Home is operated by a separate organization, Fairmount Long Term Care (“FLTC”), and its workforce is subject to HIPAA policies and procedures implemented by FLTC rather than this Manual.

1.4 RELATIONSHIP TO OTHER POLICIES

City departments, divisions, and units may institute additional confidentiality policies and procedures addressing topics specific to their workplace environments. Covered and Support Units are also expected to develop HIPAA protocols supplementing this Manual when unit-specific procedures are needed. As a City-wide policy approved by the Mayor’s Designee at the recommendation of the HIPAA Steering Committee, this Manual takes precedence over any departmental or unit-specific policies, procedures, or protocols that conflict with this Manual.

Covered Units are expected to develop and maintain the departmental/unit-specific HIPAA protocols listed below:

- Designated Record Sets – see Section 3.2
- Role-Based Access – see Section 4.1
- Routine Disclosures (optional) – see Section 4.1
- Mandatory Reporting – see Section 5.7
- Responding to Individual Requests for Access (optional) – see Section 8.2
- Responding to Individual Requests for Correction (optional) – see Section 8.3
- Responding to Individual Requests for Restrictions or Confidential Communications (optional) – see Section 8.5

2.0 Key Terms

The definitions below apply whenever these terms are used throughout the Manual, whether they appear with capitals (“Protected Health Information” or “PHI”) or in lowercase form (“protected health information”).

2.1 DEFINITIONS

Authorization: A document signed and dated by the individual consenting to certain uses and disclosures of PHI that contains all elements required by HIPAA (see Section 5.3).

Breach: The acquisition, access, use, or disclosure of PHI in a manner that: (1) is not permitted under the HIPAA Rules; and (2) compromises the privacy or security of the PHI, as determined by a risk assessment conducted by the City HIPAA Privacy Officer.

Business Associate: Any person or entity (outside of the City workforce) that:

- Creates, receives, maintains, or transmits PHI on behalf of a Covered Unit to perform a function or activity regulated by HIPAA, including claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; or repricing;
- Provides services to or for the Covered Unit involving access to PHI, including legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services; or
- Is responsible for creating, receiving, maintaining, or transmitting a Covered Unit’s PHI on behalf of a Support Unit or another Business Associate (i.e., a subcontractor that is assisting a Support Unit or other Business Associate with the activities described above).

City Group Health Plan: The health plans subject to HIPAA that are governed by the City of Philadelphia Flex Plan Document, including medical, dental, vision, prescription drug, health care flex spending, and other health benefits. These health plans are listed in the City Group Health Plan Joint Notice of Privacy Practices (posted at https://www.phila.gov/Pages/privacy.aspx). These health benefits are provided to eligible City employees and retirees through multiple plans that, for purposes of HIPAA compliance, operate as an organized health care arrangement.

City PHI: PHI that is transmitted or maintained by a Covered Unit or by a Support Unit or business associate on behalf of a Covered Unit.

Covered Entity: An entity that is subject to HIPAA because it performs certain health care functions. The City is a covered entity for HIPAA compliance purposes. Because the City is a hybrid entity, only those departments, divisions, units, and workforce members within the City’s designated health care component are subject to HIPAA requirements. See Table 3.1.

Covered Unit: Any City department, division, or unit that, if standing alone, would be a covered entity. Also referred to as a “Health Care Component” in Executive Order No. 4-17: HIPAA Compliance Directive. Covered Units are listed in Table 3.1 and at www.phila.gov/privacy.

Designated Health Care Component: The portion of the City that is subject to the HIPAA Rules, including all workforce members of Covered Units and any workforce members of Support Units who have access to City PHI.

Designated Record Set: A group of records maintained by or for a covered entity that may include patient medical and billing records; the enrollment, payment, claims, adjudication, and case or medical management record systems maintained by or for a health plan; or information used in whole or in part by a covered entity to make decisions about individuals’ health care or health insurance benefits. As used in this definition, the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Health Care Operations: Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support its core functions of treatment or payment for health care. These activities include:

- Conducting quality assessment and improvement activities; population-based activities relating to improving health or reducing health care costs; and case management and care coordination;
- Reviewing the competence or qualifications of health care professionals; evaluating provider and health plan performance; training health care and non-health care professionals; and accreditation, certification, licensing, or credentialing activities;
- Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits; and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims;
- Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
- Business management and general administrative activities, including those related to implementing and complying with the HIPAA Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Health Care Provider: A licensed provider of medical or health services (for example, a hospital, skilled nursing facility, home health agency, hospice program, ambulance service, physician, nurse practitioner, physician assistant, nurse, physical therapist, psychologist, or clinical social worker), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Highly Confidential Information: Health information that is protected under HIPAA and more restrictive federal or state confidentiality laws, such as HIV-related information, substance abuse treatment records, mental health treatment records, and clinical laboratory results (see Section 3.3).

HIPAA Documentation: Documentation related to HIPAA compliance and administration, including but not limited to the following:

- City HIPAA policies and procedures;
- Unit-specific and departmental HIPAA policies, procedures, or protocols;
- Any communication required by the HIPAA Rules (for example, requests by individuals and related correspondence, notices of privacy practices, etc.);
- Any action, activity, or designation that is required to be documented by the HIPAA Rules (for example, employee disciplinary action records, risk assessment reports);
- Incident documentation for any privacy and security incidents, and breach notification documentation for any privacy or security breaches (see Section 7.0); and
- Business associate agreements with service providers and contractors.

HIPAA Rules: The Privacy Rule, Security Rule, and Breach Notification Rule issued under HIPAA, set forth in 45 CFR Part 160 and Part 164.

Incident: Any acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Rules, other privacy laws, an applicable BAA or MOU, or City or unit-specific privacy or security policies. The term “Incident” encompasses situations that could potentially compromise the privacy or security of PHI, in addition to situations that actually compromise its privacy or security.

Individual: The person who is the subject of protected health information.

Marketing: Any communication about a product or service that encourages recipients to purchase or use the product or service, with certain exceptions (described at 45 CFR § 164.501).

Payment: The various activities of health care providers to obtain payment or be reimbursed for their services and of health plans to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Examples of common payment activities include:

- Determining eligibility or coverage under a plan and adjudicating claims;
- Risk adjustments;
- Reviewing health care services for medical necessity, coverage, or justification of charges;
- Billing and collection activities; and
- Utilization review activities.

Privacy Liaison: The designated privacy official for a Support Unit.

Privacy Officer: The designated privacy official for a Covered Unit.

Protected Health Information or PHI: Information transmitted or maintained in any form or medium by a covered entity or a business associate on its behalf, that:

- was created or received by a health care provider, health plan, employer, or health care clearinghouse;
- relates to the physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and
- identifies the individual or might reasonably be used to identify the individual.

PHI excludes: (1) education records covered by the Family Educational Rights and Privacy Act (FERPA); (2) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (3) employment records held by a covered entity in its role as employer; and (4) information related to individuals who have been deceased for more than 50 years.

Social Media: Online sources that allow people to create and exchange user-generated content with others via some form of online or cellular network platform. Examples include, but are not limited to: Facebook, Twitter, Snapchat, YouTube, Instagram, Periscope, and Pinterest.

Support Units: City departments, divisions, units, and workforce members that perform business, legal, financial, or administrative functions involving the use or disclosure of PHI on behalf of a Covered Unit. Support Units include those units listed in Table 3.1, to the extent they perform support functions for a Covered Unit.

Treatment: The provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

Workforce Member: An employee, volunteer, trainee, or other person whose conduct, in the performance of work for the City, is under the direct control of the City, whether or not that person is paid by the City. The terms “Covered Unit workforce member” and “Support Unit workforce member” are also used in this policy to indicate workforce members of those respective units.

2.2 ACRONYMS

AHS: Ambulatory Health Services, a Covered Unit within the Philadelphia Department of Public Health
BAA: Business Associate Agreement
CHPO: City HIPAA Privacy Officer
CHSO: City HIPAA Security Officer
GHP: the City Group Health Plan, administered by the Health & Welfare Benefits Unit within the Office of Human Resources
DBHIDS: The Office of Behavioral Health & Intellectual disAbility Services, a Covered Unit
DHHS: The U.S. Department of Health and Human Services (the Federal agency that enforces HIPAA)
EMS: The Emergency Medical Services Division, a Covered Unit within the Philadelphia Fire Department
HIPAA: The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009
MOU: Memorandum of Understanding
OIT: The Office of Innovation and Technology
PHI: Protected Health Information
PHL: Public Health Laboratory, a Covered Unit within the Philadelphia Department of Public Health
STDCP: STD Control Program, a Covered Unit within the Philadelphia Department of Public Health

3.0 Recognizing What Information Is Protected

3.1 THE CITY’S HYBRID STATUS

A. Purpose

HIPAA applies to “covered entities,” which include health care providers that conduct certain types of transactions electronically, health plans, and health care clearinghouses.

If a single covered entity has a mix of functions – some that are subject to HIPAA and some that are not – the entity may choose to designate itself a “hybrid entity” thereby limiting its compliance responsibilities to only the HIPAA-covered functions (the “health care component”). The hybrid entity must designate as part of its health care component:

a. Any department, division, or unit that if standing alone, would be a covered entity (a “Covered Unit”); and
b. Any unit and workforce member that performs business, legal, financial, or administrative services or functions involving the use or disclosure of PHI on behalf of a Covered Unit (a “Support Unit”).

A hybrid entity is required to create adequate separation, in the form of firewalls, between the health care component(s) and other components of the entity. PHI held by a Covered or Support Unit can only be disclosed to another part of the hybrid entity to the same extent HIPAA permits such a disclosure to a separate entity.

B. Policy

The City is a covered entity because some of its departments, divisions, and units perform covered functions as health care providers or health plans.

In 2002, the City designated itself a hybrid entity because only certain portions of the City perform activities that make them subject to HIPAA. The City’s hybrid designation was updated and formalized in Executive Order No. 4-17: HIPAA Compliance Directive, available at www.phila.gov/executiveorders. The designated units are listed in Table 3.1 below.

The procedures below describe firewalls that must be implemented between departments, divisions, and units that are part of the City’s health care component and those that are not.

C. Procedures

The City HIPAA Steering Committee will periodically review the City’s hybrid designation and suggest revisions as needed. A current list of Covered Units will be posted at www.phila.gov/privacy.

From time to time, Support Units may be added to the City’s health care component as follows:

a. Before a Covered Unit establishes a relationship with a new Support Unit involving the use or disclosure of PHI, the Covered Unit will notify the City HIPAA Privacy Officer (“CHPO”).
b. The Covered Unit and new Support Unit will, with the assistance of the Law Department, execute a memorandum of understanding (“MOU”) outlining the services or functions that will be performed by the Support Unit, the PHI that may be shared with, accessed by, or created by the Support Unit, and how that PHI will be protected by the Covered Unit.
c. On an ongoing basis and to the extent it performs support functions, the Support Unit is responsible for complying with HIPAA, this Policy, the requirements of its MOU with the Covered Unit, and security requirements established by the City HIPAA Security Officer (“CHSO”). The Support Unit will: (i) designate a HIPAA Liaison who will oversee HIPAA compliance and be accountable to the Covered Unit, the CHPO, and the CHSO; (ii) ensure all workforce members with access to PHI receive HIPAA training; (iii) participate in audits and other compliance activities as directed by the CHPO and CHSO; and (iv) annually document and report to the HIPAA Steering Committee a list of all individuals or classes of individuals who function as part of its Support Unit.

Covered and Support Units will maintain operational separation from other departments, divisions, and units. In particular, each Covered or Support Unit will ensure that:

a. It does not disclose PHI to another department, division, or unit of the City, unless HIPAA would allow such disclosure to a legally separate entity. See Chapter 5, “Permitted Uses and Disclosures.”
b. Each unit maintains its electronic PHI separately and limits access to the PHI to that unit’s workforce (except for permitted disclosures as discussed in Chapter 5).
c. Where possible, staff and office space are physically separated between covered and non-covered functions.
d. If a person performs duties for multiple Covered/Support Units or for a Covered/Support Unit and another City department, division, or unit, he or she cannot use or disclose PHI created or received in the course of working for one Covered/Support Unit for his or her other job duties (except for disclosures that would be permitted under this Manual if the two departments were separate legal entities).

D. References: 45 CFR § 164.105

TABLE 3.1: UNITS DESIGNATED AS PART OF THE CITY’S HEALTH CARE COMPONENT

Covered Units

COVERED UNIT | HIPAA COVERED FUNCTION
Ambulatory Health Services (AHS) | Health care provider
Public Health Laboratory (PHL) | Health care provider
STD Control Program (STDCP) | Health care provider
Philadelphia Nursing Home (PNH) | Health care provider
Emergency Medical Services (EMS) | Health care provider
Office of Behavioral Health and Intellectual disAbility Services (DBHIDS) | Health plan (administers Health Choices program)
Health and Welfare Benefits (GHP) | Health plan (administers the City group health plan)*

Support Units

SUPPORT UNIT | SUPPORT SERVICE OR FUNCTION
Office of Innovation and Technology | Provides security and support for systems containing ePHI
Data Management Office | Aggregates, de-identifies, and stores data from Covered Units
HealthIT | Provides IT support to Department of Public Health’s Covered Units
Records Department | Stores records on behalf of Covered Units
Office of the Controller | Audits the financial records of the City’s Covered and Support Units, which may involve access to PHI
Law Department | Reviews legal requests for records, investigates incidents, and handles medical malpractice claims against clinicians
Fire Department | Processes requests for access to EMS health records
Certain departments/offices within the Health & Human Services cluster (DHS, MEO, OHS) | Provides social services support to Philadelphia residents through the Health and Human Services (HHS) data sharing initiative
Overdose Death Review Team | Supports DBHIDS in making public health and social services recommendations to help reduce overdose deaths in the City

*Only certain persons who are described in the official Plan documents of the City group health plan are permitted to access PHI to the extent necessary to perform administrative functions for the City group health plan.

3.2 DEFINING PROTECTED HEALTH INFORMATION AND DESIGNATED RECORD SETS

A. Purpose

Protected health information or “PHI” is health information subject to protection under the HIPAA Rules. Protected health information includes information transmitted or maintained in any form or medium by a covered entity or a business associate on its behalf, that:

a. Was created or received by or on behalf of a health care provider, health plan, employer, or health care clearinghouse;
b. Relates to the physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; AND
c. Identifies the individual or might reaso
