					                                          DEFINITIONS


Acceptable           Set of rules and guidelines that specify appropriate use of
Use Policy           computer systems or networks. [HITSP]


Access               The ability or the means necessary to read, write, modify, or
                     communicate data/information or otherwise use any system
                     resource. [HIPAA]



                                    Access Control
Guideline (v1)    The policies, rules, deployment mechanisms which prevent
                  unauthorized access, use, disclosure or transmission of information or
                  information systems by controlling access to networks, computer
                  devices, computer applications, programs or data. [HITSP and
                  HISPC]
Comments          incomplete. access controls may also be physical perimeter security
                  into a facility, such as a data center, a pharmacy, medical records, etc.



                                     Accountability
Guideline (v1)    Ensure that the actions of an individual or entity may be traced to that
                  individual or entity. [HISPC]
Comments          accountability is an inexact synonym for nonrepudiation. our current
                  audit tools of nonrepudiation and authentication do not "ensure that
                  the individual in question" is actually responsible, only that someone
                  using their authenticated login was responsible. the presence of this
                  imprecise term will lead to misunderstandings. i suggest dropping this
                  definition and instead saying "see nonrepudiation".


Accuracy             Ensure that data are the correct values, valid, and attached to
                     the correct patient record. [AHIMA HIE Task Force, Data
                     Quality Grid, 09-07]




Version 1.0 draft 6/22/09; Accessed on 12/9/2011
*This document is a work in progress and is intended for the sole use of members of the California
Privacy and Security Advisory Board (CalPSAB) and its committees and task groups for their work in
the CalPSAB process. Members shall not share these documents outside of this process without
permission from the California Office of Health Information Integrity.
Administrative       Actions, policies, and procedures to manage the selection,
Safeguards           development, implementation, and maintenance of security
                     measures to protect electronic individual health information
                     and to manage the conduct of the entity's workforce in relation
                     to the protection of that information. [HIPAA]



                   Admissions, Discharge and Transfer (ADT)
Guideline (v1)    Transaction Set – transmitting new or updated demographic and visit
                  information about patients. Generally information will be entered into
                  an ADT system and passed to the nursing, ancillary and financial
                  systems either in the form of an unsolicited update or in response to a
                  record-oriented query. [CCHIT]
Comments          weak definition. better: "the transactional data set that maintains and
                  updates the patient census by noting the time and date of each
                  transition in patient status or location." source: redwood mednet public
                  glossary.



                               Adverse Drug Reaction
Guideline (v1)    Any untoward medical occurrence in a patient or clinical investigation
                  subject administered a pharmaceutical product and which does not
                  necessarily have a causal relationship with this treatment. [CCHIT]
Comments          awful english. untoward is cumbersome and archaic; use abnormal.
                  better definition: "an abnormal response in a patient after
                  administration of a pharmaceutical product..."


Adverse Event        Any adverse event associated with the use of a drug in
                     humans, whether or not considered drug related, including the
                     following: An adverse event occurring in the course of the use
                     of a drug product in professional practice; an adverse event
                     occurring from drug overdose, an adverse event occurring from
                     drug withdrawal; and any failure of expected pharmacologic
                     action. [CCHIT]




Alcohol or           Patient records, or discrete portions thereof, specifically
Drug Abuse           relating to evaluation and treatment of alcoholism or drug
Records              abuse. [Patients Access to Health Records Act, Health and
                     Safety Code section 123105(f)]



                                           Alert
Guideline (v1)    Written or acoustic signals to announce the arrival of messages and
                  results, and to avoid possible undesirable situations, such as
                  contradictions, conflicts, erroneous entry, tasks that are not performed
                  in time or exceptional results.
Comments          strike "written or acoustic" and replace with "visual, textual or audible
                  signals..."


Ambulatory           Any medical care delivered on an outpatient basis. Sites where
Care                 ambulatory care can be delivered include physician offices,
                     hospital emergency departments, and urgent care centers.
                     [HISPC]



                         Ambulatory Medical Record (AMR)
Guideline (v1)    A computer system for storing, managing, and retrieving electronic
                  patient health information in the outpatient setting. In the inpatient
                  setting, it is often referred to as an electronic medical record (EMR).
                  [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]
Comments          sure to confuse. why not also include "acpoe" for "ambulatory
                  computer provider order entry"? blackford middletone uses acpoe all
                  the time.




Amend or             Direct changes made to an existing record that affect the data
Amendment            associated with the 'current' version of a record. The identifier
                     associated with the record remains the same, though a copy of
                     the original version is retained and can be accessed by querying
                     for the history of the record. There are usually limitations on
                     what amendments can be made for a given type of record, and
                     the specifics of those amendments. In general, amendments
                     are supported for records where the information associated
                     with the record is frequently subject to change. [CCHIT]



                                      Anonymized
Guideline (v1)    Individually identifiable information which has been processed to make
                  it impossible to know whose information it is.
Comments          wrong. the proper goal of anonymization is to obscure the original
                  identity sufficiently to prevent re-identification.


Applicant            A party undergoing the process of registration and identity
                     proofing. [HISPC]



                         Application Service Provider (ASP)
Guideline (v1)    Web-based software applications that do not require an entity to own
                  or maintain the server. The software and database contents are
                  remotely stored, backed-up, serviced and upgraded by the vendor.
                  Typically ASP products reduce the cost to implement a software
                  product because the entity does not have to purchase a server or hire
                  technical support. However, if internet service is out and slow, the
                  practice will not be able to access the electronic medical applications.
                  [http://www.miamimed.com]
Comments          an asp offers a hosted service, and not necessarily a web-based
                  service. the "a" is for application, and may be a thick client with no http
                  dna at all. if you keep this definition, it will cause confusion.




Architecture          This term refers to the structure of an information system and
                      how its pieces communicate and work together.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]


Assurance            The degree of confidence in the vetting process used to
                     establish the identity of an individual to whom the credential
                     was issued, and the degree of confidence that the individual
                     who uses the credentials is the individual to whom the
                     credential was issued. [HISPC] or NIST?


Asset Owner          An individual or entity that has approved management
                     responsibility for controlling the production, development,
                     maintenance, use and security of the assets.
                     [ISO/IEC 27002:2005, Section 7.1 Responsibility for Assets]

Audit Record         A record that alerts for action, as evidenced of output of an
                     audit. [CCHIT]



                                       Audit Trail
Guideline (v1)    Records showing specific individuals who have accessed computers
                  or systems and what they accessed, altered, transmitted or deleted
                  while they were in the computers or systems. [CalPSAB]
Comments          wrong. the audit trail shows the authenticated identity responsible for
                  system access, but does necessarily show that it was a specific
                  individual.




Authentication Corroboration that a person is the one claimed. [HIPAA]
               Verifying the identity of an individual, originator, user,
               terminal, workstation, process, or device to determine an
               entity's right to access specific categories of information, and a
               measure designated to protect against fraudulent access, use,
               disclosure, alteration, transmission or deletion before allowing
               access to an information system by verifying through reliable
               security identification of subjects incorporating identifiers and
               authenticators. [CalPSAB]


Authentication A defined sequence of messages between a claimant and a
Protocol       verifier that demonstrates that the claimant has control of a
               valid token to establish his/her identity, and optionally,
               demonstrates to the claimant that he or she is communicating
               with the intended verifier.


Authorization        Written permission granted by an individual in a form that
(Privacy)            adheres to the HIPAA authorization requirements to permit the
                     use or disclosure of an individual's health information.
                     For consent to exchange individual health information via an
                     electronic health information exchange, see eConsent.
                     [CalPSAB]


Authorization         A system established to grant access to generally confidential
(Security)            information, establishes the level of access an individual or
                      entity has to a data set and includes a management
                      component – an individual or individuals must be designated
                      to authorize access and manage access once access is
                      approved. [HISPC]


Authorization
Arbitration

Authorized     Any person who is authorized to receive medical information
Representative as evidenced by a valid authorization for the release of the
               information or permitted by law. [CalPSAB – based on CMIA
               Civil Code section 56.05(b) & 56.11]


Authorized           Any person or organization that is authorized to collect,
User                 request, access, use or disclose individual health information
                     utilizing an electronic health information exchange. [CalPSAB]

Availability         The property that data or information is accessible and useable
                     upon demand by an authorized person. [HIPAA]


Backup               A copy of files made to help regain any lost information in the
                     record if necessary,


Bandwidth             A measure of how much information can be transmitted at
                      once through a communication medium, such as a telephone
                      line, fiber-optic cable, or radio frequency.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]


Best Practice         A technique or methodology that through experience and
                      research has shown to reliably lead to a desired result.
                      [http://www.phii.org/]


Bioinformatics        The science of developing and using computer databases and
                      algorithms to hasten and improve biological and
                      pharmaceutical research.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]


Biometrics            Automated recognition of individuals based on their behavioral
                      or biological characteristics. Biometrics may be used to unlock
                      authentication tokens and prevent repudiation and
                      registrations. [NIST]




Breach                Unauthorized access, use, disclosure, modification, or
                      destruction of information, or interference with an entity's
                      system, of which an entity has knowledge or should have
                      knowledge.
                      [CCHIT]
                      Unauthorized acquisition of individual health information that
                      compromises the security, confidentiality, or integrity of
                      information maintained by a person or business.
                      [California Civil Code § 1798.82(d)]


Broadband             A medium that can carry multiple signals, or channels of
                      information, at the same time without interference.
                      Broadband Internet connections enable high-resolution video
                      conferencing and other applications that require rapid,
                      synchronous exchange of data.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]



                                         Browser
Guideline (v1)    A software program that interprets documents written in HTML, the
                  primary programming language of the Web. A browser such as
                  Netscape Navigator or Microsoft Explorer is required to experience the
                  photos, video, and sound elements on a Web page and assists in
                  quick, easy travel around the Web.
                  [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]
Comments          what's with the 90s era browsers? how about saying "internet explorer,
                  mozilla firefox, apple safari, etc."




Business              A person or entity who:
Associate             a) on behalf of a covered entity in a capacity other than that
                         of a member of the workforce performs or assists in the
                         performance of:
                            1) a function or activity involving the use or disclosure of
                               individual health information, including claims
                               processing or administration, data analysis,
                               processing, or administration, utilization review,
                               quality assurance, billing, benefit management,
                               practice management or repricing; or
                            2) any other function or activity regulated by HIPAA.
                      b) Provides, other than in the capacity of a member of the
                         workforce of such covered entity, legal, actuarial,
                         accounting, consulting, data aggregation, management,
                         administrative, accreditation, or financial services to or for
                         such covered entity, where the provision of the service
                         involves the disclosure of individual health information
                         from such covered entity or from another business
                         associate of such covered entity to the person.
                      c) A covered entity may be a business associate of another
                         covered entity.
                      [HIPAA]


Business Case        A structured proposal for business improvement that functions
                     as a decision package for organizational decision-makers. A
                     business case includes an analysis of business process
                     performance and associated needs or problems, proposed
                     alternative solutions, assumptions, constraints, and risk-
                     adjusted cost-benefit analysis. [Interoperability Clearinghouse
                     Glossary of Terms, http/www.ichnet.org/glossary.htm]


Business             Habitual or customary actions or acts in which an organization
Practice             engages. Also used in the plural to describe a set of business
                     operations that are routinely followed [http://www.phii.org/]




Business             A set of related work tasks designed to produce a specific
Process              desired programmatic (business) result. The process involves
                     multiple parties internal or external to the organization and
                     frequently cuts across organization boundaries.
                     [http://www.phii.org/]



                                       Certification
Guideline (v1)    A complete examination of an information system to be sure that the
                  system can perform at the level required to support the intended
                  results and meet the national standards for HIT. [HISPC]
Comments          certification is not limited to information systems. clinical credentials
                  must be certified. fiscal audits are certified. etc. don't be a source of
                  confusion.


Chain of Trust

Claimant             An individual or entity whose identity is to be verified using an
                     authentication protocol. [NIST]


Clinicians           Health care providers with patient care responsibilities,
                     including physicians, advanced practice nurses, physician
                     assistants, nurses, and other credentialed personnel involved
                     in treating patients. [HISPC]


Code Set             Any set of codes used to encode data elements, such as tables
                     of terms, medical concepts, medical diagnostic codes, or
                     medical procedure codes. A code set includes the codes and
                     the descriptors of the codes. [HIPAA]


Collect or           Assembly of information through interviews, forms, reports, or
Collection           other information sources. [CCHIT]




Compliance           Adherence to those policies, procedures, guidelines, laws,
                     regulations, and contractual arrangements, to which the
                     business process is subject. Obligation of an entity that
                     receives identifiable information about an individual as part of
                     providing a service to that individual, to protect that data or
                     information, including not disclosing the identifiable information
                     to unauthorized persons or through unauthorized processes,
                     including an obligation of those who receive information to
                     respect the privacy interests of those to whom the data relates.
                     [CCHIT]


Confidentiality The property that data or information is not made available or
                disclosed to unauthorized persons or processes. [HIPAA]


Consent              For consent to exchange individual health information via an
                     electronic health information exchange, see eConsent.
                     Permission granted by an authorized person that allows the
                     provider, agency, or organization to release information about
                     an individual. The authorized person may be the subject of the
                     information or they may be a designated representative such
                     as a parent or guardian. Law, policy and procedures, and
                     business agreements guide the use of consent. [HISPC]


Consent              The record of a health care entity's privacy policy that grants or
Directives           withholds consent for one or more identified entities or roles;
                     performing one or more operations; purpose such as
                     treatment, payment and operations; certain conditions, e.g.,
                     unconscious; specified time period; and certain context, e.g.,
                     emergencies. [CCHIT]




Consumers            See Individual.
                     Members of the public who may receive healthcare services.
                     These individuals may include: caregivers, patient advocates,
                     surrogates, family members, and other parties who may be
                     acting for, or in support of, a patient in the activities of
                     receiving healthcare.
                     A consumer of health care services, including patients, health
                     plan members, or personal representatives or organizations
                     formed to address consumer needs and protect consumer
                     rights. [HISPC]


Contractor            Any person or entity that is a medical group, independent
                      practice association, pharmaceutical benefits manager, or a
                      medical service organization and is not a health care service
                      plan, provider of health care, an insurance institution, or a
                      pharmaceutical benefits manager. [CMIA, Civil Code section
                      56.05 (c)]


Correctional          Correctional institution means any penal or correctional
Institution           facility, jail, reformatory, detention center, work farm, halfway
                      house, or residential community program center operated by,
                      or under contract to, the United States, a State, a territory, a
                      political subdivision of a State or territory, or an Indian tribe,
                      for the confinement or rehabilitation of persons charged with
                      or convicted of a criminal offense or other persons held in
                      lawful custody. Other persons held in lawful custody includes
                      juvenile offenders adjudicated delinquent, aliens detained
                      awaiting deportation, persons committed to mental institutions
                      through the criminal justice system, witnesses, or others
                      awaiting charges or trial.

Credentials           A trusted entity that issues or registers Subscriber tokens and
Service               issues electronic credentials to Subscribers. The CSP may
Provider (CSP)        encompass Registration Authorities and Verifiers that it
                      operates. A CSP may be an independent third party, or may
                      issue credentials for its own use. A credential is an object that
                      authoritatively binds an identity (and optionally, additional
                      attributes) to a token possessed and controlled by a person.
                       [NIST 800-63-1]

Data                  The combining of individual health information to permit data
Aggregation           analysis that relates to the health care operations of an entity.
                      [HIPAA]


Data                  A collection of numbers, images and other outputs from
                      devices to convert physical qualities into symbols or images.
                      Data includes numbers, words, images, etc. typically accepted
                      as they stand. Data is typically further processed by a human
                      or entered into a computer, stored and processed there, or
                      transmitted to another human, computer, or other system to
                      create information. [CCHIT]


Database              An aggregation of records or other data that is updateable.
                      Databases are used to manage and archive large amounts of
                      information.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]


Database              A computer that stores data centrally for network users. It
Server                often uses client/server software to distribute the processing
                      of data among itself and other workstations on the network.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]


Data Content          All the data elements and code sets inherent to a transaction,
                      and not related to the format of the transaction. Data
                      elements that are related to the format are not data content.
                      [HIPAA]


Data                  A list that describes the specifications and locations of all data
Dictionary            contained in a system.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]


Data Element          The smallest named unit of information in a transaction.
                      [HIPAA]


Data Entry            The transcription of information from the original source into a
                      machine-readable form. Although keyboard entry is the most
                      familiar, other fast-growing methods include scanners and
                      speech recognition.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]



                                      Data Integrity
Guideline (v1)    The property that data or information have not been altered or
                  destroyed in an unauthorized manner.
                  [HIPAA]
                  See Integrity.
Comments          this definition is nonsense. if i enter via keystroke error a whole pile of
                  bogus data, it has nothing to do with altering or destroying data. data
                  integrity is about accuracy, period. data integrity is about the front desk
                  clerk who always enters a space before each data element, which can
                  cause some software indexing services to fail to correctly match
                  separate records from the same patient. data integrity is about
                  catching typos and fixing them. data integrity is about merging
                  unnecessary duplicate records into a single correct record. see also
                  "data validation"


Data Mining           Analyzing information in a database using tools that look for
                      trends or anomalies without knowledge of the data's meaning.
                      Mining a clinical database may produce new insights on
                      outcomes, alternate treatments, or effects of treatment on
                      different races and genders.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]




Data Origin           Corroboration that the source of data received is as claimed.
Authentication        [ISO 7498-2-1989]



                                     Data Repository
Guideline (v1)    A database acting as an information storage facility. Although often
                  used synonymously with data warehouse, a repository does not have
                  the analysis or querying capabilities of a warehouse.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          i disagree. a data warehouse is simply a collection of databases. by
                  itself, a data warehouse has no business intelligence. also, a
                  repository can be virtual, or hosted in a grid or cloud environment.



                                          Data Set
Guideline (v1)    A semantically meaningful unit of information exchanged between two
                  parties to a transaction. [HIPAA]
Comments          this definition is wrong, it is for a "data element"

                  a data "set" is generally a collection of fields, strings, rows, etc., with
                  the emphasis on multiple units (plural).



                             Decision Support Application
Guideline (v1)    A computer program that analyzes data and presents the information
                  sot he clinician can make medical decisions more easily. Typical tasks
                  of a decision support system include data storage, data analysis,
                  predictive modeling, and risk-adjusted comparison of actual outcomes
                  with predicted outcomes.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          "sot he" should be "so the"



Defective             The HIEconsent document lacks a required element or the
HIEconsent            individual has revoked the HIEconsent. [§164.506(d)]


Demographics          Information about name, address, age, gender and role used
                      to link patient records from multiple sources in absence of a
                      unique patient identifier. [http://www.ehealthintiative.org/]



                                         Descriptor
Guideline (v1)    The text defining a code. [HIPAA]
Comments          " a code, field, attribute or table of data


Digital               An attachment to an electronic message used for security
Certificate           purposes. The most common use of a digital certificate is to
                      verify that a user sending a message is who he or she claims
                      to be, and to provide the receiver with the means to encode a
                      reply. It is an electronic document which uses a digital
                      signature to bind together a public key with an identity —
                      information such as the name of a person or an organization,
                      their address, and so forth. The certificate can be used to
                      verify that a public key belongs to an individual. [Webopedia
                      and Wikipedia]


Digital              A private key is used to digitally sign an electronic document and
Signature            the public key is used to verify the signature. Digital
                     signatures provide authentication and integrity protection.
                     [NIST 800-63-1]



                             Digital Subscriber Line (DSL)
Guideline (v1)    A technology for delivering high-bandwidth Internet service over
                  ordinary copper telephone lines.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          then what is a T1, which also arrives on a copper pair?

Direct Data         The direct entry of data that is immediately transmitted into an
Entry               entity's computer. [HIPAA]


Direct              A treatment relationship between an individual and a health
Treatment           care provider that is not:
Relationship        (1) Care based on the orders of another health care provider,
                          or
                    (2) Services, products, reports of diagnosis, or results
                          reported directly to another health care provider who
                          provides such items to the individual. [HIPAA]

Disclose             To disclose, release, transfer, disseminate, or otherwise
                     communicate all or any part of any record orally, in writing, or
                     by electronic or any other means to any person or entity.
                     [Information Practices Act, Civil Code section 1798.3(c)]


Disclosure           The release, transfer, provision of, access to, or divulging in
                     any other manner of information outside the entity holding the
                     information. [HIPAA]


Disease             A coordinated and proactive approach to managing care and
Management          support for patients with chronic illnesses such as diabetes,
                    congestive heart failure, asthma, HIV/AIDS, and cancer.
                    [http://www.wvsma.com/shared/content_objects/pdfs//glossary
                    %20of%20hit%20acronyms%20and%20terms%20-
                    %20revised.pdf]


Disease              An electronic system used to capture, manage, and provide
Registry             information on specific conditions to support organized care
                     management for all of a practitioner's patients. Also known as
                     Chronic Disease Management System. [CHCF]




Distributed           A system in which computational and storage tasks are
Computing             distributed among multiple computers rather than being
                      performed exclusively by a central computer. Often used to
                      overcome the limitations of a single computer or to exploit the
                      unused computing power of a group of computers.
                      Client/server systems are one type of distributed computing.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Document             A computer system used to track and store electronic
Image                documents and/or images of paper documents. [CHCF]
Management
System
(DIMS)



                                       eLaboratory
Guideline (v1)    Electronic delivery of laboratory results to practices so that such data
                  may be integrated into electronic patient records in a full EHR system,
                  or used by a dedicated application to view structured, context-rich,
                  and/or longitudinal laboratory results on a patient.
                  [http://www.ehealthinitiative.org/]
Comments          please eLiminate this term. no one uses it. it will only confuse people.
                  "elr" (for "electronic laboratory reporting") is a common term.


Electronic            (Claims, Eligibility, Remittance) The ability to contact the
Billing               payer before the patient is seen and get a response that
                      indicates whether or not the services to be rendered will be
                      covered by the payer. [http:/www.ehealthinitiative.org]




Electronic Data      The use of electronic technology to gather and collect data,
Capture (EDC)        especially in the context of clinical trials. Allows data to be
                     aggregated, sorted, shared, and searched more easily than
                     paper-based records. May be Web-based, use handheld
                     computers, etc.
                     [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                     ry%20of%20hit%20acronyms%20and%20terms%20-
                     %20revised.pdf]


Electronic           A standard format for exchanging business data. An EDI
Data                 message contains a string of data elements, each of which
Exchange             represents a singular fact, such as a price, product model
(EDI)                number, and so forth, separated by delimiters (a character that
                     identifies the beginning and end of a character string). The
                     entire string is called a data segment. EDI is one form of e-
                     commerce, which also includes e-mail and fax. [CCHIT]



                    Electronic Health Information Exchange (eHIE)
Guideline (v1)    The electronic movement of personal health related data and
                  information among organizations. [CalPSAB]
Comments          this is an absurd term that no one uses. and it's not personal, it's
                  individually identifiable information.



                            Electronic Health Record (EHR)
Guideline (v1)    An electronic record of health-related information on an individual that
                  conforms to nationally recognized interoperability standards and that
                  can be created, managed, and consulted by authorized clinicians and
                  staff across more than one health care organization. [National
                  Alliance for HIT]
Comments          NAHIT performed a serious disservice. This is a pretend definition that
                  should be discarded.


Electronic           See certificate.
Certificate


Electronic           Electronic storage media including memory devices in
Media                computers (hard drives) and any other
                     removable/transportable digital memory medium, such as
                     magnetic tape or disk, optical disk, or digital memory cards; or
                     Transmission media used to exchange information already in
                     electronic storage media. Transmission media includes, for
                     example, the internet (wide-open), extranet (using internet
                     technology to link a business with information accessible only
                     to the collaborating parties), leased lines, dial-up lines, private
                     networks, and the physical movement of
                     removable/transportable electronic storage media. Certain
                     transmissions, including of paper, via facsimile, and of voice,
                     via telephone, are not considered to be transmissions via
                     electronic media, because the information being exchanged did
                     not exist in electronic form before the transmission. [HIPAA]



                           Electronic Medical Record (EMR)
Guideline (v1)    An electronic record of health-related information on an individual that
                  can be created, gathered, managed, and consulted by authorized
                  clinicians and staff within one health care organization. [National
                  Alliance for HIT]
Comments          NAHIT performed a serious disservice. This is a pretend definition that
                  should be discarded. The difference between EMR and EHR is that
                  one is limited to medical records, while the other includes nonmedical
                  records like oral health, mental health, etc.


Electronic           See ePrescribing.
Prescribing




Emancipated          A person under the age of 18 years is an emancipated minor if
Minor                any of the following conditions is satisfied:
                         (a) The person has entered into a valid marriage, whether
                              or not the marriage has been dissolved.
                         (b) The person is on active duty with the armed forces of
                              the United States.
                         (c) The court has issued a declaration of emancipation.
                     [Reference: California Family Code §§ 7002 & 7122]

Employer             The person for whom an individual performs or performed any
                     service, of whatever nature, as the employee of such person,
                     except that—
                        (1) If the person for whom the individual performs or
                              performed the services does not have control of the
                              payment of the wages for such services, the term
                              "employer" means the person having control of the
                              payment of such wages, and
                        (2) In the case of a person paying wages on behalf of a
                              nonresident alien individual, foreign partnership, or
                              foreign corporation, not engaged in trade or business
                              within the United States, the term "employer" means
                              such person.
                     [As defined in 26 U.S.C. 3401(d)] [HIPAA]



                         Employer Identification Number (EIN)
Guideline (v1)    A number assigned by the Internal revenue Service, U.S. Department
                  of the Treasury. The EIN is a taxpayer identifying number of an
                  individual or other entity. [HIPAA]
Comments          capitalize "Revenue" also, the ein of an individual is not an ein, it is an
                  ssn.



                                        Encryption
Guideline (v1)    Use of an algorithmic process to transform data into a form in which
                  there is a low probability of assigning meaning without use of a
                  confidential process or key. [HIPAA]
Comments          "lower" not "low" -- many algorithms can be run backwards to recreate
                  the original data.


Enterprise           A strategic resource that aligns business and technology,
Architecture         leverages shared assets, builds internal and external
                     partnerships, and optimizes the value of information
                     technology services.
                     [http://www.hhs.govhealthit/glossary.html]


Enterprise-           A network in which all computers in the various facilities of an
Wide Network          organization (e.g., a health care system) are connected.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Entity                A person, corporation, association, partnership or other legal
                      entity, other than an individual in possession of individual
                      health information.
                      For example, physician, hospital, provider, health plan,
                      clearinghouse, health information organization, regional health
                      information organization, clinic, etc.
                       [HIPAA/CalPSAB]



                                       ePrescribing
Guideline (v1)    The process of using electronic means to transfer information between
                  providers and pharmacists regarding a prescription. [HISPC]
Comments          then what is a refill request, which may travel directly between a
                  patient and a pharmacy?



                                           eRX
Guideline (v1)    See ePrescribing.
Comments          typo. "eRx" the x is always lower case.



Ethernet              Probably the most commonly used standard for local area
                      network (LAN) architecture. It supports data transfer rates of
                      up to 10 megabits per second, although newer systems, called
                      Fast Ethernet or Gigabit Ethernet, support transfer rates of
                      100 megabits per second and 1 gigabit (1,000 megabits) per
                      second, respectively.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Extranet              An internet that allows specified levels of access to authorized,
                      external users.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


File Server           A computer dedicated to managing the flow of information
                      among networked computers and used as a storage location
                      for data and applications shared by network users.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Firewall             A part of a computer system or network that is designed to
                     block unauthorized access while permitting outward
                     communication. It is a device or set of devices configured to
                     permit, deny, encrypt, decrypt, or proxy all computer traffic
                     between different security domains based upon a set of rules
                     and other criteria. [Wikipedia]


Format               Data elements that provide or control the enveloping or
                     hierarchical structure, or assist in identifying data content of a
                     transaction. [HIPAA]




Formulary             A list of medications (both generic and brand names) that are
                      covered by a specific health insurance plan or pharmacy
                      benefit manager (PBM), used to encourage utilization of more
                      cost-effective drugs. Hospitals sometimes use formularies of
                      their own, for the same reason.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]



                   Geographic Health Information Exchange (GHIE)
Guideline (v1)    A multi-stakeholder entity, which may be a free standing organization
                  that supports health information exchange and enables the movement
                  of health-related data within state, local, territorial, tribal, or
                  jurisdictional participant groups. Activities supporting health
                  information exchanges may also be provided by entities that are
                  separate from geographical health information exchanges including
                  integrated delivery networks, health record banks, and others. See
                  Regional Health Information Organizations (RHIOs). [HISPC]
Comments          get rid of this useless acronym. either that, or you better have "LHII"
                  when i get to the l section...


Graphical User        An interface that allows a person to operate a software
Interface             program using visual images (called icons), drop-down menu
(GUI)                 choices, and tool bars, rather than complex keystrokes and
                      text commands. The most common manipulating device is a
                      mouse.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]




Handheld              A portable computer that is small enough to hold in one's
                      hand. Used to refer to a variety of devices ranging from
                      personal data assistants, such as Palm or Visor models, to
                      more powerful devices that offer many of the capabilities of
                      desktop or laptop computers. Handhelds are used in clinical
                      practice for such tasks as ordering prescriptions, accessing
                      patients' medical records and documenting patient encounters.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Harmonization         Making identical or minimizing the differences between
                      standards or related measures of similar scope.
                      [www.health.state.mn.us/e-health]



                              Health Action Network (HAN)
Guideline (v1)    Communication system used by the Center for Disease Control (CDC)
                  to exchange disease information with state and local health
                  departments.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          totally inadequate. the han extends far beyond federal & local public
                  health. the han includes all local stakeholders, like hospitals, labs,
                  veterinarians, public safety, etc.




Health Care          Care, services, or supplies related to the health of an
                     individual. Health care includes, but is not limited to:
                        (1) Preventive, diagnostic, therapeutic, rehabilitative,
                              maintenance, or palliative care, and counseling
                              service, assessment, or procedure with respect to the
                              physical or mental condition, or functional status, of
                              an individual or that affects the structure or function
                              of the body; and
                        (2) Sale or dispensing of a drug, device, equipment, or
                              other item in accordance with a prescription.
                     [HIPAA]


Health Care          Organizations that are engaged in or support the delivery of
Entities             health care. These organizations could include hospitals,
                     ambulatory clinics, long-term care facilities, community-based
                     health care organizations, employers/occupational health
                     programs, school health programs, dental clinics, psychology
                     clinics, care delivery organizations, pharmacies, home health
                     agencies, hospice care providers, airport clinics, mass
                     vaccination sites, public health agencies, retail store clinics,
                     and other health care facilities. [HISPC]




Health Care          Health care operations are certain administrative, financial,
Operations           legal, and quality improvement activities of a covered entity
                     that are necessary to run its business and to support the core
                     functions of treatment and payment. A brief summary of the
                     health care operations activities includes:
                         1. Conducting quality assessment and improvement
                            activities, including outcomes evaluation and
                            development of clinical guidelines, provided that the
                            obtaining of generalizable knowledge is not the primary
                            purpose of any studies resulting from such activities;
                            population-based activities relating to improving health
                            or reducing health care costs, protocol development, case
                            management and care coordination, contacting of health
                            care providers and patients with information about
                            treatment alternatives; and related functions that do not
                            include treatment;
                         2. Reviewing the competence or qualifications of health care
                            professionals, evaluating practitioner and provider
                            performance, health plan performance, conducting
                            training programs in which students, trainees, or
                            practitioners in areas of health care learn under
                            supervision to practice or improve their skills as health
                            care providers, training of non-health care professionals,
                            accreditation, certification, licensing, or credentialing
                            activities;
                         3. Underwriting, premium rating, and other activities
                            relating to the creation, renewal or replacement of a
                            contract of health insurance or health benefits, and
                            ceding, securing, or placing a contract for reinsurance of
                            risk relating to claims for health care (including stop-loss
                            insurance and excess of loss insurance), provided that
                            the requirements of the California Privacy and Security
                            guidelines are met, if applicable;
                         4. Conducting or arranging for medical review, legal or
                            auditing services, including fraud and abuse detection
                            and compliance programs;
                         5. Business planning and development, such as conducting
                            cost-management and planning-related analyses related
                            to managing and operating the entity, including
                            formulary development and administration, development
                            or improvement of methods of payment or coverage
                            policies; and
                        6. Business management and general administrative
                           activities of the entity, including, but not limited to:
                              o Management activities relating to implementation
                                  of and compliance with the requirements of this
                                  subchapter;
                              o Customer service, including the provision of data
                                  analyses for policy holders, plan sponsors, or other
                                  customers, provided that protected health
                                  information is not disclosed to such policy holder,
                                  plan sponsor, or customer.
                     [HIPAA]


Health Care          Officially registered organization that has a main activity
Organization         related to health care services or health promotion. [ISO IS
                     17090]




Health Care          Insurers, including health plans, self-insured employer plans,
Payers               and third-party administrators, providing health care benefits
                     to enrolled members and reimbursing provider organizations.
                     As part of this role, they provide information on eligibility and
                     coverage for individual consumers, as well as claims-based
                     information on consumer medication history. Case
                     management or disease management may also be supported.
                     [HISPC]



                             Health Care Provider [HIPAA]
Guideline (v1)    Include:
                  •    Hospitals,
                  •    Critical access hospitals,
                  •    Skilled nursing facilities,
                  •    Comprehensive outpatient rehabilitation facilities,
                  •    Home health agencies, and
                  •    Hospice programs. [42 U.S.C. § 1395(u)]
                  •    A provider of medical or health services including:
                  o Physicians’ services,
                  o Services and supplies furnished as an incident to a physician’s
                  professional services, or services or supplies which are commonly
                  furnished in a physician’s office and commonly rendered without
                  charge or included in a physician’s bill,
                  o Diagnostic services:
                       Furnished to an individual as an outpatient by a hospital or by
                  others under arrangements with them made by a hospital, and
                       Ordinarily furnished by a hospital to its outpatients for the
                  purposes of diagnostic study,
                  o Outpatient physical therapy services,
                  o Outpatient health care services,
                  o Rural health clinic services,
                  o Federally-qualified health care services,
                  o Home dialysis supplies and equipment, self-care home dialysis
                  support services and institutional dialysis services and supplies,
                  o Antigens prepared by physicians for a particular patient,
                  o Services furnished by contract to a member of an eligible
                  organization by a physician assistant or by a nurse practitioner,
                  o Services furnished pursuant to a risk-sharing contract to members
                  of an eligible organization by a clinical psychologist, or by a clinical
                  social worker and furnished as an incident to such clinical
                  psychologist’s services or clinical social worker’s services,
                  o Blood clotting factors for hemophilia patients,
                  o Prescription drugs used in immunosuppressive therapy furnished
                  to an individual who receives an organ transplant, but only in case of
                  certain drugs,
                  o Services furnished by a nurse that would be a physician’s
                  services,
                  o Certified nurse-midwife services,
                  o Qualified psychologist services,
                  o Clinical social worker services,
                  o Erythropoietin for dialysis patients,
                  o Prostate cancer screening tests,
                  o Oral drug prescribed for use as an anti-cancer chemotherapeutic
                  agent for a given indication and containing an active ingredient(s),
                  o Colorectal cancer screening tests,
                  o Diabetes outpatient self-management training screening,
                  o An oral drug prescribed for use as an acute anti-emetic used as
                  part of an anti-cancer chemotherapeutic regimen,
                  o Diagnostic x-ray tests furnished in place of residence, e.g., used
                  as the patient’s home,
                  o X-ray, radium, and radioactive isotope therapy, including materials
                  and services of technicians,
                  o Surgical dressings, splints, casts, and other devices used for
                  reduction of fractures and dislocations,
                  o Durable medical equipment,
                  o Ambulance service where the use of other methods of
                  transportation is contraindicated by the individual’s condition,
                  o Prosthetic devices (other than dental) which replace all or part of
                  an internal body organ and including one pair of conventional
                  eyeglasses or contact lenses furnished subsequent to cataract
                  surgery,
                  o Leg, arm, back, and neck braces;
                  o Artificial legs, arms, and eyes, including replacements, if required,
                  o Pneumococcal vaccine and its administration,
                  o Hepatitis B vaccine and its administration,
                  o Services of a certified registered nurse anesthetist,
                  o Extra-depth shoes with inserts or custom molded shoes with
                  inserts for an individual with diabetes,
                  o Screening mammography,
                  o Screening pap smear and screening pelvic exam,
                  o Bone mass measurement
                  [42 U.S.C. 1395x(s)] [HIPAA]
Comments          There should be only one definition of "health care provider". If two
                  terms are needed, they should be different.



                                  Health Care Provider
Guideline (v1)    Any of the following:
                  (1) A health facility licensed pursuant to Chapter 2 (commencing with
                  Section 1250) of Division 2 of the California Health and Safety Code.
                  [Patients Access to Health Records Act, Health and Safety Code
                  section 123105(a)]
                  (2) A clinic licensed pursuant to Chapter 1 (commencing with Section
                  1200) of Division 2 of the California Health and Safety Code.
                  (3) A home health agency licensed pursuant to Chapter 8
                  (commencing with Section 1725) of Division 2 of the California Health
                  and Safety Code.
                  (5) A physician and surgeon licensed pursuant to Chapter 5
                  (commencing with Section 2000) of Division 2 of the Business and
                  Professions Code.
                  (6) A podiatrist licensed pursuant to Article 22 (commencing with
                  Section 2460) of Chapter 5 of Division 2 of the California Business and
                  Professions Code.
                  (7) A dentist licensed pursuant to Chapter 4 (commencing with
                  Section 1600) of Division 2 of the California Business and Professions
                  Code.
                  (8) A psychologist licensed pursuant to Chapter 6.6 (commencing
                  with Section 2900) of Division 2 of the California Business and
                  Professions Code.
                  (9) An optometrist licensed pursuant to Chapter 7 (commencing with
                  Section 3000) of Division 2 of the California Business and Professions
                  Code.
                  (10) A chiropractor licensed pursuant to the California Chiropractic
                  Initiative Act. [Initiative measure approved by the electors November
                  7, 1922, effective December 21, 1922.]
                  (11) A marriage and family therapist licensed pursuant to Chapter 13
                  (commencing with Section 4980) of Division 2 of the California
                  Business and Professions Code.
                  (12) A clinical social worker licensed pursuant to Chapter 14
                  (commencing with Section 4990) of Division 2 of the California
                  Business and Professions Code.
                  (13) A physical therapist licensed pursuant to Chapter 5.7
                  (commencing with Section 2600) of Division 2 of the California
                  Business and Professions Code.
                  [Patients Access to Health Records Act, Health and Safety Code
                  section 123105(a)]
Comments          Should hospices be included?

                  Would it be appropriate to include nurse mid-wives or nurse
                  practitioners?

                  There is also a definition of Health Care Provider that is apparently
                  from HIPAA. It appears to be more broad. One comprehensive
                  definition would be preferable.


Health Care          Any entity regulated pursuant to the California Knox-Keene
Service Plan         Health Care Service Plan Act of 1975 (Chapter 2.2,
                     commencing with Section 1340, of Division 2 of the California
                     Health and Safety Code). [CMIA, Civil Code Section 56.05(d)]



                                   Health Information
Guideline (v1)    Any information, whether oral or record in any form or medium, that:
                  (1) Is created or received by a health care provider, health plan,
                  public health authority, employer, life insurer, school or university,
                  health care clearing house, personal health record, health information
                  organization; and
                  (2) Relates to the past, present, or future physical or mental health or
                  condition of an individual; the provision of health care to an individual;
                  or the past, present or future payment for the provision of health care
                  to an individual
                  [HIPAA]
Comments          The 6th word "record" should be "recorded". Before the last item in the
                  list in (1), the word "or" should be inserted.

                  This is not the same as "medical information" but it is unclear how it is
                  meant to be different. If both definitions are included, they should be
                  more clearly differentiated. If they are meant to be used for different
                  purposes, that should be specified.

                  In (1) - A "personal health record" is not really an entity comparable to
                  a provider, plan etc. They are persons or organizations that can
                  actively create or receive data in a way that a "personal health record"
                  cannot. Perhaps there is a different way to incorporate the concept of
                  "personal health records". The term is not used in the HIPAA
                  definition.

                  Should this definition include state or local agencies that are not in the
                  categories listed in (1)? Many other agencies obtain health information
                  on individuals in other roles - for example, to provide benefits that may
                  not be health benefits.

                  The use of the term "employer" as defined may be limiting. If anyone
                  works for someone else in a differently defined way information shared
                  because of that relationship is not covered.



                             Health Information Exchange
Guideline (v1)    The electronic movement of health-related information among
                  organizations according to nationally recognized standards.
                  [National Alliance for HIT]
Comments          NAHIT performed a terrible disservice to the country in this bogus set
                  of definitions.



                         Health Information Organization (HIO)
Guideline (v1)    An organization that oversees and governs the exchange of health-
                  related information among organizations according to nationally
                  recognized standards.
                  [National Alliance for HIT]
Comments          only bureaucrats use this term. out in the real world, people use "hie"
                  as both a noun and a verb




                               Health Information Privacy
Guideline (v1)    An individual’s right to control the acquiring, use or release of his or
                  her personal health information.
                  [HISPC]
Comments          Personal health information is not a defined term. I would suggest
                  using a defined term, or defining "personal health information."



                          Health Information Service Provider
Guideline (v1)    A network service provider that enables or oversees the access to and
                  exchange of health information, in a secure manner, for the purpose of
                  supporting clinician and consumer needs. [HISPC]
Comments          yet another temporary term originating from washington and used
                  basically nowhere in the day to day operations of health information
                  service providers, who call themselves by other, more accurate names
                  (like hie, or registry, or clearinghouse, etc.)


Health         Services provided by health information networks for
Information    information exchange and interoperability in a local market.
Services (HIS) [HISPC]



                              Health Information Security
Guideline (v1)    The protection of an individual’s information from being shared without
                  the owner’s permission. [HISPC]
Comments          "permission" may be too narrow. Doesn't security have to do with
                  control in accordance with a set of rules? The rules may allow for
                  sharing without permission under certain circumstances.

                  The definition of "security" refers to unauthorized access, etc.




Health               The hardware and software used to store, retrieve, share and
Information          use clinical information to treat patients effectively. [CHCF]
Technology
(HIT)


Health               Any information regarding an individual’s medical history,
Insurance            mental or physical condition, or medical treatment or diagnosis
Information          by a health care professional
                     [California Civil Code § 1798(e)(5)]

Health               An agency or authority of the United States, a State, a
Oversight            territory, or political subdivision of a State or territory, or an
Agency               Indian tribe, or a person or entity acting under a grant of
                     authority from or contract with such public agency, including
                     employees or agents of such public agency or its contractors or
                     persons or entities to whom it has granted authority, that is
                     authorized by law to oversee the health care system (whether
                     private or public) or government programs in which health
                     information is necessary to determine eligibility or compliance,
                     or to enforce civil rights laws for which health information is
                     relevant.
                     [HIPAA]


Health Record        The health record is a longitudinal record of patient health
                     information generated in one or more encounters in any care
                     delivery setting. The information may include patient
                     demographics, progress notes, indications, medications, vital
                     signs, past medical history, immunizations, laboratory
                     information and radiology reports. [HISPC]


Health Record        Entities/mechanisms for holding an individual’s lifetime health
Banks                records. This information may be personally controlled and
                     may reside in various settings such as hospitals, doctor’s
                     offices, clinics, health plans, etc. See Personal Health Records.
                     [HISPC]




Health               A health registry is an organized system for the collection,
Registries           storage, retrieval, analysis, and dissemination of information
                     on individual persons who have either a particular disease, a
                     condition that predisposes to the occurrence of a health-related
                     event, or a prior exposure to substances or circumstances
                     known or suspected to cause adverse health effects. [HISPC]



                                       HIEconsent
Guideline (v1)    Permission granted by an individual or an authorized person that
                  allows the provider, agency, or organization to exchange individual
                  health information via an electronic health information exchange. The
                  authorized person may be the subject of the information or they may
                  be a designated representative such as a parent or guardian. E-
                  Consent is limited to exchange of individual health information for the
                  purposes of treatment. [CalPSAB]
Comments          Is E-Consent (last sentence) the same as HIEconsent?

                  Will this always be limited exchange for purposes of treatment?

Comments          please delete this absurd term. "consent" is sufficiently accurate all by
                  itself, and needs no obscure prefixes.


HIPAA                The Health Insurance Portability and Accountability Act passed
                     by Congress in 1996 to ensure that an individual’s health
                     insurance would not stop when they changed employment. It
                     also provided the Administrative Simplification to adopt
                     national standards for electronic health care transactions. At
                     the same time Congress recognized that advances in electronic
                     technology could erode the privacy of health information.
                     Consequently, Congress incorporated into HIPAA provisions
                     that mandated the adoption of federal privacy and security
                     protections for individually identifiable health information.
                     HIPAA regulations may be found at 46 C.F.R. parts 160, 162,
                     163, and 164. [HISPC]



                                            HL7
Guideline (v1)    Health Level Seven. One of several accredited standards
                  (specifications or protocols) established by the American National
                  Standards Institute (ANSI) for clinical and administrative data.
                  Systems which are HL7 compliant improve the ability for
                  interoperability and exchange of electronic data.
                  [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]
Comments          hl7 is first of all a nonprofit corporation, which vigorously defends its
                  intellectual property. one of its key intellectual properties is the set of
                  data specifications it creates. therefore, it is also an "sdo" -- a
                  standards development organization. it is incorrect to say the hl7
                  standards were "established" by ansi. they were "accredited" by ansi.
                  but hl7 is now global, so it now generally works with iso, not ansi. try
                  running this definition by hl7 and see what they say.


Host                  A computer that acts as a source of information or provides
                      functionality for multiple terminals, peripherals, and/or users.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]



                                           HTML
Guideline (v1)    Hypertext Markup Language – the basic programming language for
                  sites on the World Wide Web. This skeleton of code surrounds blocks
                  of text and/or images and contains all the necessary commands and
                  display instructions. A Web browser program is needed to interpret
                  HTML and depict it as a graphical display on a computer screen.
                  [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]
Comments          see also "SGML" and "XML"


HTTP                  Hypertext Transfer Protocol – a language protocol used in
                      communication among Web sites. When http appears as part
                      of a Web site uniform resource locator (URL), it indicates to
                      Web browsers, “html spoken here.”
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]



ICD-9                 International Classification of Disease – 9th Revision –
                      international disease system developed by the World Health
                      Organization (WHO) that provides a detailed description of
                      known diseases and injuries. The classification system is used
                      worldwide for morbidity and mortality statistics,
                      reimbursement systems and automated decision support in
                      medicine.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossary%20of%20hit%20acronyms%20and%20terms%20-%20revised.pdf]



                                          Identity
Guideline (v1)    A unique name of an individual person. Since the legal names
                  of persons are not necessarily unique, the identity of a person
                  must include sufficient additional information (for example an
                  address, or some unique identifier such as an employee or
                  account number) to make the complete name unique. [NIST
                  800-63-1]
Comments          This may be more harmful than helpful.

                  There are many ways to identify people - names are only one.

                  A person can be identified if you can tell who they are, even without a
                  name.

                  Information can be identifying even without a name.


Identity             Set of services to include authentication, user provisioning
Access               (UP), password management, role matrix management,
Management           enterprise single sign-on, enterprise access management,
                     federation, virtual and meta-directory services, and auditing.
                     [CCHIT]




Indirect             A relationship between an individual and a health care provider
Treatment            in which:
Relationship            1. The health care provider delivers health care to the
                           individual based on orders of another health care
                           provider; and
                        2. The health care provider typically provides services or
                           products, or reports the diagnosis or results associated
                           with the health care, directly through another health care
                           provider, who provides the services or products or
                           reports to the individual.
                     [HIPAA]


Individual           The person who is subject to the individual health information;
                     generally the patient. An individual includes patients,
                     consumers, and their authorized representatives.
                     [HIPAA]



                                 Individually Identifiable
Guideline (v1)    Medical information that includes or contains any element of
                  personal identifying information sufficient to allow
                  identification of the individual, such as the patient’s name,
                  address, electronic mail address, telephone number, or social
                  security number, or other information that alone or in
                  combination with other publicly available information, reveals
                  the individual’s identity. [CMIA, Civil Code section 56.05(g)]
Comments          The way "individually identifiable" is defined is not consistent with
                  HIPAA or the term "individual health information."

                  Use of the term "medical information" is confusing. Health information
                  is used more often, and why a different term is needed here is unclear.



                              Individual Health Information
Guideline (v1)    Information that is a subset of health information, including
                  demographic information collected from an individual, and:
                  (1) Is created or received by a health care provider, health
                  plan, employer, health care clearinghouse, or personal health
                  record; and
                  (2) Relates to the past, present, or future physical or mental
                  health or condition of the individual; the provision of health
                  care to an individual; or the past, present, or future payment
                  for the provision of health care to an individual; and
                  a. Identifies the individual; or
                  b. There is reasonable basis to believe the information can
                  be used to identify the individual.
                  [HIPAA]
Comments          This definition simply incorporates two others - "health information"
                  and "individually identifiable" - and creates confusion since the title is
                  so similar to "health information", the definition of which incorporates
                  the concept that it relates to an individual.



                  The concept of individually identifiable presented in (2) a and b is
                  consistent with HIPAA. It is inconsistent with the definition of
                  "individually identifiable".

                  A personal health record is not the same type of entity as a provider,
                  plan, etc, and "records" do not actively create and receive information.


Informatics           Or Information Science – the study of information. It is often,
                      though not exclusively, studied as a branch of Computer
                      Science and Information Technology (IT) and is related to
                      database, ontology and software engineering. Informatics is
                      primarily concerned with the structure, creation, management,
                      storage, retrieval, dissemination and transfer of information.
                      Informatics also includes studying the application of
                      information in organizations, on its usage and the interaction
                      between people, organizations and information systems.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]




Information          An identified occurrence of a system, service or network state
Security Event       indicating a possible breach of information security policy or
                     failure of safeguards, or a previously unknown situation that
                     may be security relevant
                     [ISO/IEC TR 18044:2004]

Information          An interconnected set of information resources under the same
System               direct management control that share common functionality. A
                     system normally includes hardware, software, information,
                     data, applications, communications, and people.
                     [HIPAA]


Integrity            The property that data or information have not been altered or
                     destroyed in an unauthorized manner.
                     [HIPAA]



                                         Internet
Guideline (v1)    A publicly accessible, global network connecting millions of
                  computers. The Internet carries data for applications such as
                  email, instant messaging and teleconferencing, in addition to
                  the billions of documents and images that make up the World
                  Wide Web. Although the terms Internet and Web are often
                  used interchangeably, they are not synonymous.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          It says "Internets allow companies..." I think you want to say "Intranets
                  allow companies..."


Interoperability        Ability of various health information technology products to
- Compatibility         exchange information safely and securely. [CHCF]




Intranet              An internal network that looks and acts like the World Wide
                      Web. Internets allow companies to take advantage of Web-
                      based technology and create a private means of sharing data
                      and applications among their networked users.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Knowledgeable            An HIEconsent to the collection, request, use or disclosure of
HIEconsent               an individual's health information is knowledgeable if it is
                         reasonable in the circumstances to believe that the individual
                         knows:
                         The purposes of the collection, use or disclosure, as the
                           case may be.
                         That the individual may give or withhold HIEconsent.
                         [Canada Personal Health Information Protection Act, 2004,
                        Part III, 18]


Law                   An officer or employee of any agency or authority of the
Enforcement           United States, a State, a territory, a political subdivision of a
Official              State or territory, or an Indian tribe, who is empowered by law
                      to:
                          1. Investigate or conduct an official inquiry into a potential
                             violation of law, or
                          2. Prosecute or otherwise conduct a criminal, civil, or
                             administrative proceeding arising from an alleged
                             violation of law.
                      [HIPAA]


Lawful                Other persons held in lawful custody includes juvenile
Custody               offenders adjudicated delinquent, aliens detained awaiting
                      deportation, persons committed to mental institutions through
                      the criminal justice system, witnesses, or others awaiting
                      charges or trial.
                      An individual is no longer an inmate when released on parole,
                      probation, supervised release, or otherwise is no longer in
                      lawful custody.


Legacy System         An existing information technology system or application, often
                      built around a mainframe computer, which generally has been
                      in place for a long time and represents a significant
                      investment. Compatibility with legacy systems is often a
                      major issue when considering new applications.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Life-                 Either or both of diseases or conditions where the likelihood of
Threatening           death is high unless the course of the disease is interrupted;
                      diseases or conditions with potentially fatal outcomes, where
                      the end point of clinical intervention is survival, and "chronic
                      and seriously debilitating" means diseases or conditions that
                      require ongoing treatment to maintain remission or prevent
                      deterioration and cause significant long-term morbidity.
                      [CA H&S Code § 1367.21(d) & (e)]

Local Area    A network consisting of computers that are located in
Network (LAN) relatively close physical proximity to each other and are
              connected by wire cables, fiber optic lines, or other physical
              means.
              [http://www.wvsma.com/shared/content_objects/pdfs//glossa
              ry%20of%20hit%20acronyms%20and%20terms%20-
              %20revised.pdf]


Local Health          Used synonymously with regional health information
Information           organization (RHIO). LHII was originally termed by the Office
Infrastructure        of the National Coordinator of Health Information Technology
(LHII)                (ONCHIT) to describe the regional efforts that will eventually
                      be linked together to form the national health information
                      network (NHIN).
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Log In               Action a person must take to confirm his or her identity before
                     being allowed to use a computer system. [CCHIT]


Licensed             Any person licensed or certified pursuant to Division 2
Health Care          (commencing with Section 500) of the California Business and
Professional         Professions Code, the Osteopathic Initiative Act or the
                     Chiropractic Initiative Act, or Division 2.5 (commencing with
                     Section 1797) of the California Health and Safety Code. [CMIA,
                     Civil Code Section 56.05(e)]


Limited Data         Health information that does not contain identifiers. It is
Set                  protected but may be used for certain purposes without the
                     individual's consent. It requires the use of a Data Use
                     Agreement between the parties disclosing and receiving the
                     information. [HISPC]


Maintain             Maintain, acquire, use or disclose. [Information Practices Act,
                     Civil Code section 1798.3(e)]


Malicious            Software designed to damage or disrupt a system, e.g., a
Software             virus.
                     [HIPAA]




Marketing            1. To make a communication about a product or service that
                        encourages recipients of the communication to purchase or
                        use the product or service. Marketing does not include any
                        of the following:
                        a. Communications made orally or in writing for which the
                            communicator does not receive direct or indirect
                            remuneration, including but not limited to, gifts, fees,
                            payments, subsidies, or other economic benefits, from a
                            third party for making the communication.
                        b. Communications made to current enrollees solely for the
                            purpose of describing a provider's participation in an
                            existing health care provider network or health plan
                            network of a licensed health plan to which the enrollees
                            already subscribe;
                        c. Communications made to current enrollees solely for the
                            purpose of describing if, and to the extent to which, a
                            product or service, or payment for a product or service, is
                            provided by a provider, contractor, or plan or included in
                            a plan of benefits of a licensed health plan to which the
                            enrollees already subscribe; or
                        d. Communications made to plan enrollees describing the
                            availability of more cost-effective pharmaceuticals.
                        e. Communications that are tailored to the circumstances of
                            a particular individual to educate or advise the individual
                            about treatment options, and otherwise maintain the
                            individual's adherence to a prescribed course of medical
                            treatment for a chronic or seriously debilitating or life-
                            threatening condition, if the health care provider,
                            contractor, or health plan receives direct or indirect
                            remuneration, including, but not limited to, gifts, fees,
                            payments, subsidies, or other economic benefits, from a
                            third party for making the communication, if all of the
                            following apply:
                            i.   The individual receiving the communication is notified
                                 in the communication of the fact that the provider,
                                 contractor, or health plan has been remunerated and
                                 the source of the remuneration.
                           ii.   The individual is provided the opportunity to opt out
                                 of receiving future remunerated communications.
                          iii.   The communication contains instructions describing
                                 how the individual can opt out of receiving further
                                communications by calling a toll-free number of the
                                health care provider, contractor, or health plan
                                making the remunerated communications. No
                                further communication may be made to an individual
                                who has opted out after 30 calendar days from the
                                date the individual makes the opt out request.
                     [California Confidentiality of Medical Information Act (CMIA)
                     Civil Code Section 56.05(f)]


Mask or              A process of restricting access to or transfer of individual health
Masking              information. Typically masking is applied at the data source
                     and may be overridden, as permitted by law, by the accessing
                     custodian (e.g., in an emergency situation). [CCHIT]


Master Patient A list of all known patients in an area, activity or organization.
Index (MPI)    [HISPC]


Meaningful           Demonstrating to the satisfaction of the Secretary of U.S.
Use                  Department of Health and Human Services that the
                     professional (provider) is using a certified EHR in a meaningful
                     manner, which includes the use of e-prescribing, electronic
                     HIE, and submission of information on clinical quality
                     measures. [Additional clarity on interoperability will be
                     completed by the end of 2009.] [CCHIT]


Medical              Medically necessary care which is immediately needed to
Emergency            preserve life, prevent serious impairment of bodily functions,
                     organs, or parts, or prevent placing the physical or mental
                     health of a patient in serious jeopardy.
                     [https://www.revisor.leg.state.mn.us]


Medical              Any individually identifiable information, in electronic or
Information          physical form, in possession of or derived from a provider of
                     health care, health care service plan, pharmaceutical company,
                     or contractor regarding a patient's medical history, mental or
                     physical condition, or treatment. [CMIA, Civil Code section
                     56.05(g)]


Medication           A list of past and present prescriptions and non-prescription
History              patient medication that is relevant for future clinical episodes.
                     [HISPC]


Medication           The system health care organizations use to handle
Management           medications. The medication management process includes
                     ordering and prescribing, preparing and dispensing,
                     administration, monitoring, medication selection and
                     procurement (i.e., formulary considerations) and medication
                     storage. [HISPC]


Mental Health        Patient records, or discrete portions thereof, specifically related
Records              to evaluation or treatment of a mental disorder. Includes but
                     is not limited to all alcohol and drug abuse records. [Patients
                     Access to Health Records Act, Health and Safety Code section
                     123105(b)]


Meta Data            Information about a particular data set or document that
                     describes how, when and by whom it was collected, created,
                     accessed, or modified; and how it is formatted. [CCHIT]


Minimum              The minimum amount of individual health information that is
Necessary            necessary to meet the intended purpose of the request,
                     collection, use, or disclosure.
                      [HIPAA]


Minor


                                            MPI
Guideline (v1)    See Master Patient Index.
Comments          or "person" -- see also "eis" and "hssp"




National              Often used synonymously with the national health information
Health                network (NHIN). NHII came before NHIN and is an acronym
Information           that encompasses all of the necessary components needed to
Infrastructure        make electronic health records (EHRs) interoperable. NHIN,
(NHII)                as the name suggests, refers to both the physical and national
                      network needed for interoperability to occur.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


National             An internet-based architecture that links disparate health care
Health               information systems together to allow patients, physicians,
Information          hospitals, community health centers, and public health
Network              agencies across the country to share clinical information
(NHIN)               securely. [HISPC]


National              Founded in 1901, NIST is a non-regulatory federal agency
Institute of          within the U.S. Commerce Department's Technology
Standards and         Administration, promoting U.S. innovation and industrial
Technology            competitiveness by advancing measurement science,
(NIST)                standards, and technology. See www.nist.gov.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


National             A system for classifying all providers of health care services,
Provider             supplies, and equipment covered under HIPAA. [HISPC]
Identifier
(NPI)


Network              An open communication medium, typically the internet, that is
                     used to transport messages between other parties. Unless
                     otherwise stated no assumptions are made about the security
                     of the network; it is assumed to be open and subject to active
                     and passive attack at any point between the parties. [NIST
                     800-63-1]




Network              A security agreement necessary to obtain particular services,
Service              such as security features, service levels, and management
Agreement            requirements. The agreement should ensure that network
                     service providers include the provision of connections, private
                     network services, and value-added networks and managed
                     network security solutions such as firewalls and intrusion
                     detection systems.
                     [ISO/IEC 27002:2005 Section 10.6.2 Security of Network
                     Services]

NHII                 See National Health Information Infrastructure.


NHIN                 See National Health Information Network.


NIST                 See National Institute of Standards and Technology.


Non-                 Service providing proof of the integrity and origin of data which
Repudiation          can be verified by any party. [HISPC, adapted from ASTM
                     (31)]


Notice of            A document provided to patients that explains an entity's
Privacy              privacy practices and how information about an individual's
Practices            health information may be shared. [CalPSAB]
(Privacy
Notice)



                                      Open Source
Guideline (v1)    Software in which the source code is available to users, who
                  can read and modify the code.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          nonsense. open source is an intellectual property license that compels
                  certain user behaviors as a condition of the license. there's lots of
                  code that is available to the users that is not open source. see also
                  "gpl"


Opt In with          An alternative where an individual may decide to include their
Restrictions         individual health information, or part of their individual health
                     information in the HIE system. [CalPSAB]


Opt Out              An alternative where an individual may decide not to allow
                     access or disclosure of their individual health information which
                     is in the HIE system. [CalPSAB]


Participant          A patient participant, a provider participant, or authenticated
                     user of a health information organization.


Participation        A patient participant who receives health care services and
                     authorizes confidential health information to be utilized by an
                     HIO; a provider participant who is a data-submitting partner
                     with the HIO, an authenticated user, the HIO which participate
                     in an HIO through authorization submission, and disclosure of
                     health via the HIO.



                                        Password
Guideline (v1)    Confidential authentication information composed of a string
                  of characters.
                  [HIPAA]
Comments          an authentication token. not necessarily confidential.


Patient              Any natural person, whether or not still living, who receives or
                     has received health care services from a provider of health care
                     and to whom medical information pertains. See Individual.
                     [CMIA, Civil Code section 56.05(h) & [Patients Access to Health
                     Records Act, Health and Safety Code section 123105(c)]]




Patient              See Consent.
Permission


Patient              Records in any form or medium maintained by or in the
Records              custody or control of, a health care provider related to the
                     health history, diagnosis, or condition of a patient, or relating
                     to treatment provided or proposed to be provided to the patient.
                        (1) Includes only records pertaining to the patient
                              requesting the records or whose representative
                              requests the records.
                        (2) Does not include information:
                              a. Given in confidence to a health care provider by a
                                 person other than another health care provider or a
                                 patient, and that material may be removed from
                                 any record prior to inspection or copying.
                              b. Contained in aggregate form, such as indices,
                                 registers, or logs.
                     [Patients Access to Health Records Act, Health and Safety Code
                     section 123105(d)]


Patient Record        The electronic means by which patient files are located to
Locator (PRL)         assist patients and clinicians to find test results, medical
                      history, prescription data, and other health information. A
                      record locator would act as a secure health information search
                      tool.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Patient        A parent or the guardian of a minor, who is a patient, or a
Representative guardian or conservator of the person or of an adult patient, or
               the beneficiary or personal representative of a deceased
               patient.
               [Patients Access to Health Records Act, Health and Safety
               Code section 123105(e)]




Payment              1. The activities undertaken by:
                           a. A health plan to obtain premiums or to determine or
                              fulfill its responsibility for coverage and provision of
                              benefits under the health plan; or
                           b. A health care provider or health plan to obtain or
                              provide reimbursement for the provision of health
                              care; and
                     2. These activities relate to the individual to whom health care
                        is provided and include, but are not limited to:
                           a. Determinations of eligibility or coverage (including
                              coordination of benefits or the determination of cost
                              sharing amounts), and adjudication or subrogation of
                              health benefit claims;
                           b. Risk adjusting amounts due based on enrollee health
                              status and demographic characteristics;
                           c. Billing, claims management, collection activities,
                              obtaining payment under a contract for reinsurance
                              (including stop-loss insurance and excess of loss
                              insurance), and related health care data processing;
                           d. Review of health care services with respect to medical
                              necessity, coverage under a health plan,
                              appropriateness of care, or justification of charges;
                           e. Utilization review activities, including precertification
                              and preauthorization of services, concurrent and
                              retrospective review of services; and
                           f. Disclosure to consumer reporting agencies of any of
                              the following individual health information related to
                              the collection of premiums or reimbursement:
                                   i. Name and address;
                                  ii. Date of birth;
                                 iii. Social security number;
                                iv. Payment history;
                                  v. Account number; and
                                vi. Name and address of the health care provider
                                       and/or health plan.
                     [HIPAA]




Peer-to-Peer          1. A network structure in which the computers share
(P2P)                    processing and storage tasks as equivalent members of the
                         network. Different from a client/server network, in which
                         computers are assigned specific roles.
                      2. A general term for popular file-sharing systems like
                         gnutella, in which there is no central repository of files.
                         Instead, files can be stored on, and retrieved from, any
                         user's computer. See distributed computing.
                         [http://www.wvsma.com/shared/content_objects/pdfs//glo
                         ssary%20of%20hit%20acronyms%20and%20terms%20-
                         %20revised.pdf]


Permitted            Use of individual health information for purposes allowed under
Purposes             federal and state law. [CalPSAB]


Person               A natural person, trust or estate, partnership, corporation,
                     limited liability company, firm, association, professional
                     association or corporation, or other entity, public or private.
                     [HIPAA & [Information Practices Act, Civil Code section
                     1798.3(fc)]]



                             Personal Data Assistant (PDA)
Guideline (v1)    A handheld computer that offers relatively limited
                  functionality and computing power. Often used primarily as
                  organizers, but some PDAs offer wireless e-mail and Internet
                  access. Increasingly used in clinical practice for applications
                  such as taking patient notes and ordering prescriptions.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          d = digital, not data



                             Personal Health Record (PHR)
Guideline (v1)    An electronic record of health-related information of an
                  individual that conforms to nationally recognized
                  interoperability standards and that can be drawn from
                  multiple sources while being managed, shared, and controlled
                  by the individual.
                  [National Alliance for HIT]
Comments          NAHIT's work was a mistake.


Personal              A password consisting only of decimal digits. [NIST 800-63-1]
Identification
Number (PIN)


Personal              See authorized representative.
Representative

Pharmaceutical Any company or business, or an agent or representative, that
Company        manufactures, sells, or distributes pharmaceuticals,
               medications, or prescription drugs. It does not include a
               pharmaceutical benefits manager or a provider of health care.
               [CMIA, Civil Code section 56.05(i)]


Pharmacies           Organizations that dispense pharmaceuticals to consumers, use
                     data to check for contraindications and allergies, and
                     potentially participate as an intermediary or sub-network
                     provider of data on dispensed medications or provide PHR
                     services. [HISPC]


Pharmacists          Health professionals or clinicians who are licensed to prepare
                     and dispense medication pursuant to the request of authorized
                     prescribers. The practice of pharmacy includes but is not
                     limited to, the assessment, monitoring and modification of
                     medication and the compounding or dispensing of medication.
                     Direct care activities that pharmacists can perform include
                     patient education, patient assessment, and consultation.
                     [HISPC]




Pharmacy             Entities that manage pharmacy benefits on behalf of payers,
Benefit              interacting with pharmacies and providers via a pharmacy
Managers             network intermediary. As part of this role, they can provide
(PBMs)               information on pharmacy benefits available to an individual
                     consumer and an individual consumer's medication history.
                     [HISPC]


PHR                  See Personal Health Record.


Physical             Measures, policies and procedures to protect an entity's
Safeguards           electronic information systems and related buildings and
                     equipment from natural and environmental hazards, and
                     unauthorized intrusion.
                     [HIPAA]


Point-to-Point       Direct interactions between two systems which do not involve
Exchange             intermediary information exchange functions to route and
                     deliver the data. Representative architectures could include
                     point-to-point messaging, service-oriented architectures, or
                     information exchange among participants using a common
                     application platform. [HISPC]


Portal                A Web site that offers a range of resources, such as e-mail,
                      chat boards, search engines, content and online shopping.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]




Prescribed           "Disease management programs and services" means services
Course of            administered to patients to improve their overall health and to
Medical              prevent clinical exacerbations and complications utilizing cost-
Treatment            effective, evidence-based, or consensus-based practice
                     guidelines and patient self-management strategies. Disease
                     management programs and services shall contain a population
                     identification process, evidence-based or consensus-based
                     clinical practice guidelines, risk identification, and matching of
                     interventions with clinical need, patient self-management and
                     disease education, process and outcomes measurement,
                     evaluation, management, and reporting.
                     [CA H&S Code § 1399.901]

Prescription         An order by a qualified health professional to a pharmacist or
                     other therapist for the preparation and administration of a drug
                     or device for a patient. [HISPC]


Privacy              Freedom from intrusion into the private life or affairs of an
                     individual when the intrusion results from undue or illegal
                     gathering and use of data about that individual. [ISO/IEC
                     2382-8:1998]


Provider             See Health Care Provider.
                     [HIPAA]


Provider of          Any person licensed or certified pursuant to Division 2
Health Care          (commencing with Section 500) of the California Business and
                     Professions Code; any person licensed pursuant to the
                     Osteopathic Initiative Act or the Chiropractic Initiative Act; any
                     person certified pursuant to Division 2.5 (commencing with
                     Section 1797) of the California Health and Safety Code; any
                     clinic, health dispensary, or health facility licensed pursuant to
                     Division 2 (commencing with Section 1200) of the California
                     Health and Safety Code. Provider of health care does not
                     include insurance institutions as defined in subdivision (k) of
                     Section 791.02 of the Insurance Code. [CMIA, Civil Code
                     section 56.05(j)]



Public Health        Program(s) that promote, maintain, and conserve the public's
                     health by providing health services to individuals and/or by
                     conducting research, investigations, examinations, training,
                     and demonstrations. Public health services may include but
                     are not limited to the control of communicable diseases,
                     immunizations, maternal and child health programs, sanitary
                     engineering, sewage treatment and disposal, sanitation
                     inspection and supervision, water purification and distribution,
                     air pollution control, garbage and trash disposal, and the
                     control and elimination of disease-carrying animals and insects.
                     [U.S. General Services Administration Website]


Public Health        Local, state, tribal, territorial and federal government
Agencies             organizations and clinical care personnel that exist to help
                     protect and improve the health of their respective constituents.
                     See definition of public health. [HISPC]


Psychotherapy Notes recorded (in any medium) by a health care provider who
Notes         is a mental health professional documenting or analyzing the
              contents of conversations during a private counseling session
              or a group, joint, or family counseling session and that are
              separated from the rest of the individual's medical record.
              Psychotherapy notes excludes medication prescriptions and
              monitoring, counseling session start and stop times, the
              modalities and frequencies of treatment furnished, results of
              clinical tests, and any summary of the following items:
              1. Diagnosis,
              2. Functional status,
              3. The treatment plan,
              4. Symptoms,
              5. Prognosis, and
              6. Progress to date.
              [HIPAA]




Public Health        An agency or authority of the United States, a State, a
Authority            territory, or political subdivision of a State or territory, or an
                     Indian tribe, or a person or entity acting under a grant of
                     authority from or contract with such public agency, including
                     the employees or agents of such public agency or its
                     contractors or persons or entities to whom it has granted
                     authority, that is responsible for public health matters as part
                     of its official mandate. [HIPAA]



                             Public Key Infrastructure (PKI)
Guideline (v1)    A conceptual framework that enables the encryption,
                  decryption, and electronic signing of data transmission in a
                  secure fashion within an open network environment.
                  [http://www.ehealthinitiative.org/]
Comments          a certificate based trust authentication process invented in the 1970s,
                  with limited commercial deployments in the private sector. not
                  generally useful outside of highly regimented operational silos with
                  closed membership.


Radio                 Technology that uses tiny chips and antennas to track
Frequency             products and store product information.
Identification        [http://www.wvsma.com/shared/content_objects/pdfs//glossa
(RFID)                ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Relational            A database in which all information is arranged in tables
Database              containing predefined fields. Changing a field in one record
                      automatically changes the same field in all related records,
                      allowing for easy global database management. Using
                      Structured Query Language (SQL), reports, and comparisons
                      can be generated by selecting fields of interest from the
                      original database.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]




Record               Any filing or grouping of information about an individual that is
                     maintained by an agency by reference to an identifying
                     particular such as the individual's name, photograph, finger or
                     voice print, or a number or symbol assigned to the individual.
                     [Information Practices Act, Civil Code section 1798.3(g)]


Record               An electronic index of patient identifying information that
Locator              directs providers in a health information exchange to the
Service              location of patient health records held by providers and group
                     purchasers. [https://www.revisor.leg.state.mn.us]



                  Regional Health Information Organization (RHIO)
Guideline (v1)    A health information organization that brings together health
                  care stakeholders within a defined geographic area and
                  governs health information exchange among them for the
                  purpose of improving health and care in that community.
                  [National Alliance for HIT]
Comments          a useless term that increases confusion


Registration         The process through which a party applies to become a
                     subscriber of a credentials service provider (CSP) and the
                     registration authority validates the identity of the party on
                     behalf of the CSP. [NIST 800-63-1]


Registration         A trusted entity that establishes and vouches for the identity of
Authority            a subscriber to a credentials service provider (CSP). The
                     registration authority may be an integral part of a CSP, or it
                     may be independent of a CSP, but it has a relationship to the
                     CSPs. [NIST 800-63-1]


Registries           Organized systems for the collection, storage, retrieval,
                     analysis, and dissemination of information to support health
                     needs. This also includes government agencies and
                     professional associations which define, develop, and support
                     registries. [HISPC]


                              Release of Information (ROI)
Guideline (v1)    Providing either paper or electronic copies of individually
                  identifiable health information. [CCHIT]
Comments          roi generally is a financial term indicating "return on investment"


Repository           A central storage location for electronic health records –
                     provides aggregation point for information used by public
                     health practitioners and emergency operations management.
                     [HISPC]


Required by          A mandate contained in law that compels an entity to make a
Law                  use or disclosure of protected health information and that is
                     enforceable in a court of law. "Required by law" includes, but
                     is not limited to, court orders and court-ordered warrants,
                     subpoenas or summons issued by a court, grand jury, a
                     governmental or tribal inspector general, or an administrative
                     body authorized to require the production of information; a civil
                     or an authorized investigative demand; Medicare conditions of
                     participation with respect to health care providers participating
                     in the program; and statutes or regulations that require the
                     production of information, including statutes or regulations that
                     require such information if payment is sought under a
                     government program providing public benefits. [HIPAA]


Research             Systematic investigation, including research development,
                     testing, and evaluation, designed to develop or contribute to
                     generalizable knowledge.
                     [HIPAA]


Roadmap              A formal written plan that is a proposed or intended method of
                     achievement of one or more objectives or goals. It includes a
                     communication plan, business scope, work plan and financial
                     plan. [www.health.state.mn.us/e-health]




                                           Role
Guideline (v1)    Set of behaviors that is associated with a task. [HISPC]
Comments          "are"


Role-Based     Nondiscretionary method of regulating and controlling access to
Access Control resources based on the roles of the individual users within an
               entity.


Safeguards           Measures that protect the security of health information.
                     [HISPC]


Scalability          Ability to add users and increase the capacity of an application
                     without having to make significant changes to the application
                     software or the system on which it runs.
                     [www.health.state.mn.us/e-health]


Security             Encompasses all administrative, physical, and technical
                     safeguards in an information system. Includes processes,
                     practices and software that secure health information from
                     unauthorized access, ensuring that the information is not
                     altered and that it is accessible when needed by those
                     authorized.
                     [HIPAA & HISPC]


Security             Information, software assets, physical assets, services and
Assets               people.
                     [ISO/IEC 27002:2005, Section 7.1 Responsibility for Assets]

Security             Attempted or successful unauthorized access, use, disclosure,
Incident             modifications, or destruction of information or interference with
                     system operations in an information system.
                     [HIPAA]


Sensitive            Health information which is protected by separate laws or by
Information          societal norms. It may include but is not limited to health
                     information related to substance abuse (alcohol and drug),
                     family planning, AIDS/HIV, sexually transmitted diseases,
                     mental health, etc.


Server                A networked computer that manages a specific set of network
                      resources. A server may manage network traffic or peripheral
                      use, store files, or run applications for users at other computers
                      on the network.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Service Level         A contract between a service provider and a user that specifies
Agreement             the level of service expected during a contract term. Service
                      level agreements determine how performance will be
                      measured and, in the event of underperformance, how the
                      penalties will be calculated and paid.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Smart Card            An electronic device about the size of a credit card that
                      contains electronic memory, and increasingly, an embedded
                      microchip. The cards are used to store data – in a health care
                      context, this is often personal health information. The data
                      can be accessed using a smart card reader: a device into
                      which the card is inserted. Smart cards are not the same as
                      magnetic stripe cards, such as most credit cards; smart cards
                      typically can store more information.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Sniffer               A program that monitors and analyzes the flow of information
                      on a network, searching for bottlenecks and problems.
                      Network managers use sniffer programs to monitor traffic flow
                      and keep data moving efficiently. A sniffer can also be used
                      legitimately or illegitimately to capture data transmitted over a
                      network.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

SQL                   Structured Query Language – A standard command language
                      used to interact with a database.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Standards            An established norm or requirement. It is usually a formal
                     document that establishes uniform engineering or technical
                     criteria, methods, processes and practices. [Wikipedia]

Subscriber           A party who receives a credential or token from a Credential
                     Service Provider. [NIST 800-63-1]


Subscription-         A business model based on a monthly fee charged for the use
Based Model           of equipment, software, services, or content, or some
                      combination of those. Used by many vendors, such as
                      providers of e-prescribing systems.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Symmetric            A cryptographic key that is used to perform both the
Key                  cryptographic operation and its inverse, for example to encrypt
                     and decrypt, or to create a message authentication code and to
                     verify that code. [NIST 800-63-1]


System of            One or more records, which pertain to one or more individuals,
Records              which is maintained by any agency from which information is
                     retrieved by the name of an individual or by some identifying
                     number, symbol or other identifying particular assigned to the
                     individual. [Information Practices Act, Civil Code section
                     1798.3(h)]



T1, T3, T4            Types of transmission lines in the T-carrier telecommunications
                      system that are often used to provide Internet access to larger
                      organizations. T1 lines can transmit about 1.5 megabits per
                      second of data. A T3 line contains 28 T1 lines together and
                      can transmit about 45 times the data of a single T1, enough for
                      full-motion video. Six T3 lines make one T4 line, capable of
                      transmitting 274 megabits per second.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Technical            Technology and policy and procedures for its use that protect
Safeguards           individual health information and control access to it.
                     [HIPAA]


Telehealth            A form of electronic health that uses telecommunications and
                      information technologies to provide health care services over
                      distance and/or time, to include diagnosis, treatment, public
                      health, consumer health information, and health professions
                      education. This may be done through real-time or
                      asynchronous exchange of complex data (video, images,
                      audio, etc.). [www.health.state.mn.us/e-health]


Telemedicine          The use of telecommunications and information technology to
                      deliver health services and transmit health information over
                      distance. Sometimes called telehealth.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Third Party           Service delivery by a third party that includes the agreed
Service               security arrangements, service definitions, and aspects of
Delivery              service management.
                      [ISO/IEC 27002:2005, Section 10.2 – Third Party Service
                      Delivery Management]




Token                 Something an entity possesses and controls used to
                      authenticate their identity; typically a key or password. [NIST
                      800-63-1]


Trading               Entities that exchange (submit or receive) data electronically
Partners              with each other. Examples include any pairing of physicians,
                      providers, billing services, clearinghouses, health plans or
                      third-party administrators. [HIPAA]


Transaction-          A business model based on service fees charged for each
Based Model           transaction conducted using the vendor‘s equipment, software,
                      services or network. Used by some e-health vendors,
                      including providers of e-prescribing systems.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Transmit              A process to transfer data from point-to-point over a physical
                      point-to-point or point-to-multipoint communication channel.
                      For purposes of the CalPSAB scope, transmit does not apply to
                      a midpoint service that only provides a data pass-through
                      function that does not access data content.
                      [HIPAA]


Treatment             Provision, coordination, or management of health care and
                      related services by one or more health care providers,
                      including the coordination or management of health care by a
                      health care provider with a third party; consultation between
                      health care providers related to a patient; or the referral of a
                      patient for health care from one health care provider to
                      another.
                      [HIPAA]


Trusted Third-        An entity which facilitates interactions between two parties
Party                 who both trust the third party; they use this trust to secure
                      their own interactions.
                      [Wikipedia: http://en.wikipedia.org/wiki/Trusted_third_party]


Trust Network

Unauthorized          The act of gaining access to a network, system, application,
Access                health information or other resource without permission.
                      [HISPC]


Unauthorized          The act of exposing, releasing, or displaying health information
Disclosure            to those not authorized to have access to the information.
                      [HISPC]



                           Uniform Resource Locator (URL)
Guideline (v1)    A web address. Each web page has a unique URL.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          see also "uri"


Use                   With respect to the sharing of individual health information,
                      the sharing, employment, application, utilization, examination,
                      or analysis of such information within an entity that maintains
                      or transmits such information.
                      [HIPAA]


Use Case              A methodology used in system analysis to identify, clarify, and
                      organize system requirements. More often in HIT and HIE, it
                      refers to a special kind of scenario that breaks down system
                      requirements into user functions; each use case is a sequence
                      of events performed by a user.
                      [http://www.ichnet.org/glossary.html]



                                    User Interface (UI)
Guideline (v1)    The part of an application that allows the user to access the
                  application and manipulate its functionality. It can include
                  menus, forms, command buttons, etc.
                  [http://www.wvsma.com/shared/content_objects/pdfs//gloss
                  ary%20of%20hit%20acronyms%20and%20terms%20-
                  %20revised.pdf]
Comments          see also "gui"


Value                Logical link between action and payoff that knowledge
Proposition          management must create to be effective; e.g., customer
                     intimacy, product-to-market excellence, and operational
                     excellence. [http://www.ichnet.org/glossary.htm]


Verification of      Process by which the identity of an individual, authorized
Identity             representative or user is verified. [CalOHI Policy, Chapter 6]


Verified Name        A credentialed entity name that has been verified by identity
                     proofing. [NIST 800-63-1]


Verifier             A party that verifies a credentialed entity's identity by verifying
                     their possession of a token using an authentication protocol.
                     The verifier may also need to validate credentials that link the
                     token and identity and check their status. [NIST 800-63-1]


Virtual Private      A network that uses public connections, such as the Internet,
Network              to link users but relies on encryption and other security
(VPN)                measures to ensure that only authorized users can access the
                     network. [www.health.state.mn.us/e-health]


Web Master            The person responsible for operating/maintaining a particular
                      web site or web page.

Web Server            A networked computer that stores and transmits documents
                      and other data to web browsers via HTTP, an internet data
                      transfer protocol.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Web Site              A group of related files, including text, graphics, and hypertext
                      links, on the world wide web. Accessed by typing its URL, a
                      site usually includes layers of supporting pages as well as a
                      home page.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Web-Enabled           Software applications that can be used directly through the
                      web. Web-enabled applications are often used to collect
                      information from, or make functionality available to,
                      geographically dispersed users (e.g., disease surveillance
                      systems).

Wide Area             A computer network that covers a large physical area. A WAN
Network               usually consists of multiple local area networks (LAN).
(WAN)                 [www.health.state.mn.us/e-health]


Wired-                A security protocol for wireless local area networks (WLAN)
Equivalent            using the Wi-Fi standards (802.11b).
Privacy (WEP)         [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]


Wi-Fi                 Another name for 802.11b, a wireless networking standard
                      ratified by the Institute of Electrical and Electronics
                      Engineering (IEEE) in late 1999 and supported by the largest
                      wireless local area network (WLAN) vendors. Wi-Fi is short for
                      wireless fidelity.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Wireless              A proposed standard for delivering content to mobile wireless
Application           devices such as cellular phones and handhelds.
Protocol              [http://www.wvsma.com/shared/content_objects/pdfs//glossa
(WAP)                 ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Wireless              Wireless mobile computing that uses the internet as part of the
Internet              underlying network communication infrastructure. Sometimes
                      called wireless Web.

Wireless Local        Web development language that allows web sites to format
Area Network          content to fit the small screens and limited storage and
(WLAN)                processing capabilities of mobile devices.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]

Workstation           An electronic computing device, for example, a lap top or desk
                      computer, or any other device that performs similar functions
                      and electronic media stored in its immediate environment.
                      [HIPAA]

World Wide            An international group of databases within the Internet
Web                   containing billions of documents that are formatted in HTML
                      and link to other documents and files. Although the terms
                      Internet and Web are often used interchangeably, they are not
                      synonymous.
                      [http://www.wvsma.com/shared/content_objects/pdfs//glossa
                      ry%20of%20hit%20acronyms%20and%20terms%20-
                      %20revised.pdf]




Suggested additional terms for California Privacy and Security HIE
Guidelines:




                                           XML
Guideline (v1)
Comments



