Access
The Security Rule defines access as the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Administrative Safeguards
Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Authentication
The corroboration that a person is the one claimed.
Availability
The property that data or information is accessible and usable upon demand by an authorized person.
Breach
The acquisition, access, use or disclosure of protected health information in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the protected health information.
Business Associate
A person or entity who (1) on behalf of a covered entity performs or assists in a function or activity involving the Use or Disclosure of Individually Identifiable Health Information, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing; and other functions and activities; or (2) provides legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation or financial services that involve the disclosure of Individually Identifiable Health Information.
Business Unit
One or more Workforce members who are subject to the HIPAA regulations and who are engaged in providing a specific product or service that involves Protected Health Information on behalf of the Covered Entity. (As applied to the University, a business unit may be a department, a program or school, a support service or a central administration function within the University. A business unit may extend across multiple locations.)
Confidentiality
The property that data or information is not made available or disclosed to unauthorized persons or processes.
Correctional Institution
Any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.
Covered Entity
Entities to which the HIPAA rules apply, including Health Plans, Health Care Clearinghouses and Health Care Providers that transmit any health information in electronic form in connection with a Transaction covered by HIPAA laws and regulations. Washington University is a Covered Entity.
De-Identified Health Information
Health information that is not individually identifiable health information. A covered entity may determine that health information is not individually identifiable health information only if: (1) a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other available information, to identify an individual, and documents the methods and results of the analysis; or (2) the following identifiers of the individual, relatives, employers or household members of the individual are removed:
(2) Street address, city, county, precinct, zip code and equivalent geocodes;
(3) All elements of dates (except year) for dates directly related to an individual and all ages over 89;
(4) Telephone number;
(5) Fax number;
(6) Electronic mail address;
(7) Social Security Number;
(8) Medical record numbers;
(9) Health plan ID numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web addresses (URLs);
(15) Internet IP addresses;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic or code.
Electronic Media
(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Facility
The physical premises and the interior and exterior of a building or buildings.
Group Health Plan
(Not to be confused with the St. Louis managed care plan of the same name.) An employee welfare benefit plan (as defined by ERISA) or insured and self-insured plans that provide medical care (as defined by the Public Health Service Act) to employees or their dependents directly or through insurance that:
(1) Has 50 or more participants (as defined by ERISA); or
(2) Is administered by an entity other than the employer that established and maintains the plan. See the related definition for Health Plan.
Health Care
Care, services, or supplies related to the health of an individual; includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Health Care Clearinghouse
A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Health Care Operations
Any of the following activities carried out directly by Washington University or through an Organized Health Care Arrangement in which Washington University participates:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of Health Care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance);
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of HIPAA laws and regulations;
(ii) Customer service, including the provision of data analyses for policyholders, plan sponsors, or other customers, provided that Protected Health Information is not disclosed to such policyholder, plan sponsor, or customer;
(iii) Resolution of internal grievances;
(iv) Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a Covered Entity or, following completion of the sale or transfer, will become a Covered Entity; and
(v) Creating de-identified health information, fundraising for the benefit of Washington University, and marketing for which an individual authorization is not required as described by HIPAA laws and regulations.
Health Oversight Agency
An agency or other governmental authority, including employees, agents or contractors of such agency or authority, authorized by law to oversee the health care system (whether public or private) or government programs in which PHI is necessary to determine eligibility or compliance or to enforce civil rights law. For example, the federal Centers for Medicare and Medicaid (f.k.a. Health Care Financing Administration), JCAHO and the Missouri Department of Health.
Health Plan
An individual or group plan that provides or pays the cost of medical care and includes the following, singly or in combination:
(1) A Group Health Plan, as defined herein
(2) A Health Insurance Issuer, as defined herein
(3) An HMO, as defined herein
(4) Part A or Part B of the Medicare program under Title XVIII
(5) The Medicaid program under Title XIX
(6) An issuer of a Medicare supplemental policy
(7) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy
(8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers
(9) The health care program for active military personnel under title 10 of the United States Code
(10) The veterans health care program under 38 U.S.C. chapter 17.
(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
(12) The Indian Health Service program under the Indian Health Care Improvement Act
(13) The Federal Employees Health Benefits Program
(14) An approved State child health plan under Title XXI providing benefits for child health assistance
(15) The Medicare + Choice program under Part C of Title XVIII
(16) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals
(17) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care
Individually Identifiable Health Information
Information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an Individual; the provision of Health Care to an Individual; or the past, present, or future payment for the provision of Health Care to an Individual; and
(A) Identifies the Individual; or
(B) reasonably could be used to identify the Individual.
Information System
An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Integrity
The property that data or information have not been altered or destroyed in an unauthorized manner.
Law Enforcement Official
An officer or employee of any agency or authority of the United States, a State or territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law, or to prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law.
Limited Data Set
Protected Health Information that excludes the following identifiers of the Individual, or of relatives, employers or household members of the Individual: names; postal address information other than town or city, state and zip code; telephone numbers; fax numbers; electronic mail address; social security number; health plan beneficiary number; account number; certificate/license number; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URLs); Internet Protocol (IP) address numbers; biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images.
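The two identifier lists above (Safe Harbor de-identification under De-Identified Health Information, and the Limited Data Set) applied to one record, as an added Python example that is not part of this glossary; the field names, regular expressions and sample record are assumptions constructed for it. Beyond the field lists themselves, it also scans remaining free text for identifier-shaped values, since item (18) covers any other unique identifying number.

```python
import re
from datetime import date

# Direct identifiers both methods remove (names, phone/fax, email, SSN, MRN,
# plan/account/license numbers, vehicle/device IDs, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "face_photo",
}
# Safe Harbor item (2) also drops these geographic fields; a Limited Data Set keeps
# town/city, state and zip and drops only other postal address information.
SAFE_HARBOR_GEO = {"city", "county", "precinct", "zip"}
LDS_DROPPED_GEO = {"county", "precinct"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Assumed patterns for identifiers embedded in free text (item (18), "any other
# unique identifying number"), which a field-level filter alone would miss.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}

def _year_only(value):
    """Safe Harbor item (3): keep only the year of a date tied to the individual."""
    return value.year if isinstance(value, date) else int(str(value)[:4])

def safe_harbor(record):
    """Remove all listed identifier fields, reduce dates to the year and
    collapse ages over 89 into a single '90+' bucket."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SAFE_HARBOR_GEO:
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = _year_only(value)
        elif field == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[field] = value
    return out

def limited_data_set(record):
    """Keep dates, city, state and zip; drop every identifier the Limited Data
    Set definition lists."""
    return {f: v for f, v in record.items()
            if f not in DIRECT_IDENTIFIERS and f not in LDS_DROPPED_GEO}

def residual_identifiers(record):
    """Return (field, kind) pairs where a string value still looks like an identifier."""
    return [(field, kind) for field, value in record.items() if isinstance(value, str)
            for kind, pat in RESIDUAL_PATTERNS.items() if pat.search(value)]

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street_address": "1 Example St", "city": "Exampleville", "county": "Example County",
    "state": "MO", "zip": "63110", "birth_date": date(1930, 6, 15), "age": 93,
    "admission_date": "2023-02-01", "diagnosis": "E11.9",
    "note": "Patient asked to be reached at 314-555-0100 after discharge.",
}
```

Running `residual_identifiers(safe_harbor(SAMPLE))` flags the phone number left inside the note, which is the kind of leak a field-level filter alone misses.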
Malicious Software
Software, for example a virus, designed to damage or disrupt a system.
Marketing
To make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service. Communications are not considered marketing when they are:
(1) a face-to-face communication made by a Covered Entity to an individual;
(2) a promotional gift of nominal value provided by the Covered Entity;
(3) for the purpose of describing the entities participating in a Health Care Provider network or Health Plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such) is provided by a Covered Entity or included in a plan of benefits;
(4) for treatment of the Individual; or
(5) for case management or care coordination for that individual or to direct or recommend alternative treatments, therapies, health care providers or settings of care to that individual.
Minimum Necessary
Term that applies when Washington University Uses, Discloses or requests Protected Health Information other than for Treatment purposes. The amount of Protected Health Information shared among the internal or external parties shall be the minimum amount necessary to accomplish the purpose of the Use or Disclosure. For internal Use, the amount of information necessary to accomplish the purpose varies by job title or job classification.
Organized Health Care Arrangement
(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one Covered Entity such as Washington University participates, and in which the participating Covered Entities:
(A) Hold themselves out to the public as participating in a joint arrangement; and
(B) Participate in joint activities that include at least one of the following:
(i) Utilization review, in which Health Care decisions by participating Covered Entities are reviewed by other participating Covered Entities or by a third party on their behalf;
(ii) Quality assessment and improvement activities, in which treatment provided by participating Covered Entities is assessed by other participating Covered Entities or by a third party on their behalf; or
(iii) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating Covered Entities through the joint arrangement and if Protected Health Information created or received by a Covered Entity is reviewed by other participating Covered Entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
(3) A Group Health Plan and one or more such plans each of which are maintained by the same plan sponsor; or
(4) The Group Health Plans described in paragraph (3) of this definition and Health Insurance Issuers or HMOs with respect to such group health plan but only with respect to Protected Health Information created or received by such health insurance issuers and HMOs plans that relates to Individuals who are or have been participants or beneficiaries in any of such Group Health Plans.
Physical Safeguards
Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Protected Health Information
Individually Identifiable Health Information that is transmitted by electronic media; maintained in any electronic media; or transmitted or maintained in any other form or medium. Identifiers that make up Protected Health Information (PHI):
5. Telephone Number
6. Email Address
7. Fax Number
8. Medical Record Number
9. Health Plan ID
10. Internet IP address
11. Certificate Numbers
12. Device Identifiers
14. Biometric Identifiers
15. Web Addresses (URL)
16. Vehicle Identifiers
17. Account Numbers
18. Any other unique identifying number, characteristic or code
Psychotherapy Notes
Notes recorded (in any medium) by a Health Care Provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy Notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Public Health Authority
An agency or authority of the United States, a State, territory, political subdivision of a State or territory, or Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency, its contractors or delegated persons, that is responsible for public health matters as part of its official mandate.
Research
A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Secretary
The Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.
Security Incident
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Security or Security measures
Encompasses all of the administrative, physical, and technical safeguards in an information system.
Technical Safeguards
The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Transaction
The transmission of information between two parties to carry out financial or administrative activities related to Health Care. It includes the following types of information:
(1) Health care claims or equivalent encounter information
(2) Health care payment and remittance advice
(3) Coordination of benefits
(4) Health Care claim status
(5) Enrollment and disenrollment in a Health Plan
(6) Eligibility for a Health Plan
(7) Health Plan premium payments
(8) Referral certification and authorization
(9) First report of injury
(10) Health claims attachments
(11) Other transactions that the Secretary may prescribe by regulation
Treatment
The provision, coordination, or management of health care and related services by one or more Health Care Providers, including the coordination or management of health care by a Health Care Provider with a third party; consultation between Health Care Providers relating to a patient; or the referral of a patient for Health Care from one Health Care Provider to another.
Unsecured Protected Health Information
Protected Health Information that is not secured through the use of encryption or manual destruction.
Use
With respect to Individually Identifiable Health Information, the internal sharing, employment, application, utilization, examination, or analysis of such information maintained by Washington University.
User
A person or entity with authorized access.
Workforce
Employees (both faculty and staff), volunteers, trainees, and other persons whose conduct, in the performance of work for Washington University, is under the direct control of Washington University, whether or not they are paid by Washington University.
Workstation
An electronic computing device, for example a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.