| 270/271 Eligibility for a Health Plan Inquiry/Response | 270 and 271 are the ASC X12N eligibility inquiry and response transactions, respectively. This is a way for providers to determine if a patient is covered and how much of the fees are the patient's responsibility.
|
 |
|
|
| 276/277 Health Care Claim Status Inquiry/Response | The ASC X12N claim status request and response transactions. 276 is the inquiry from the provider asking the status of a claim and 277 is the response from the health plan. 277 can also be sent from a health plan asking for more information.
|
|
|
|
| 278 Referral Authorization Inquiry/Response | The ASC X12N request for services review and response. It is used to determine pre-certification and referral authorization.
|
|
|
|
| 820 Health Plan Premium Payments | The ASC X12N transaction standard for payroll deductions and other group premium payments available for use between employers and health plans.
|
|
|
|
| 834 Health Plan Enrollment and Disenrollment | The ASC X12N benefit enrollment and maintenance transaction. It covers who is or is not eligible for a group health plan.
|
|
|
|
| 835 Health Care Payment and Remittance Advice | The ASC X12N payment and remittance advice transaction. The first part is the actual payment and the second part explains how the health plan arrived at the amount.
|
|
|
|
| 837 Health Care Claims or Equivalent Encounter Information/Coordination of Benefits | The ASC X12N professional, institutional, and dental claim transactions (each with its own separate Implementation Guide). The first claim transaction is for primary insurance and the second is for any secondary insurance.
|
|
|
|
| 997 Functional Acknowledgment | A message commonly used although not a HIPAA standard. It is sent from receivers to the senders of the transaction to tell them the transaction has been received without any transmission errors.
|
|
|
|
| abuse | Action that improperly uses another person's or entity's resources.
|
|
|
|
| accounting of disclosures | A report that tells a patient to whom his or her health information has been disclosed.
|
|
|
|
| Acknowledgment of Receipt of Notice of Privacy Practices | A form signed by patients indicating they have received a copy of a health care provider's notice of privacy practices.
|
|
|
|
| ACS X12 Accredited Standards Committee X12, Insurance Subcommittee (ASC X12N) | The ANSI-accredited standards development organization, and one of the six Designated Standards Maintenance Organizations (DSMO). It created and maintains the administrative and financial transactions standards adopted under HIPAA for all health plans, clearinghouses, and providers who use electronic transactions. ASC X12N does not develop claims standards used in retail pharmacies.
|
|
|
|
| addressable implementation specifications | Guidelines that must be addressed by a covered entity (CE) or the CE must document why it did not do so.
|
|
|
|
| administrative code sets | Code sets used in a general business situation for items, such as zip codes, rather than a medical condition or service. Under HIPAA, these are sometimes referred to as non-clinical or non-medical code sets. See also medical code sets.
|
|
|
|
| administrative law judge (ALJ) | A judge who presides over complaint hearing in HHS and makes determinations of penalties.
|
|
|
|
| Administrative Simplification (A/S) | The part of HIPAA that gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the standards to protect the security and privacy of ePHI. This is Title II.
|
|
|
|
| administrative standards | Under HIPAA, the standards for security to protect electronic protected health information (ePHI) that a covered entity must perform.
|
|
|
|
| advisory opinion | Legal opinions issued by the OIG or CMS upon request of an individual, such as a physician, or a legal entity, such as a hospital, that formally presents a situation and asks whether the way they intend to handle it is fraudulent.
|
|
|
|
| amendment | A correction of a finalized entry in a medical record that has been identified as incorrect.
|
|
|
|
| antivirus software | Software that scans a computer system for viruses and attempts to remove the virus and, in some cases, fix any problems that the virus has caused.
|
|
|
|
| audit | A formal examination or review, such as a review to see if an entity is complying with regulations.
|
|
|
|
| audit reports | The formal report issued after an audit, especially one issued by the OIG.
|
|
|
|
| authentication | The process of verifying that a person who seeks access to electronic protected health information (ePHI) is in fact the person he or she claims to be.
|
|
|
|
| authorization | The process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program. Also, a form giving written permission for something, such as the release of medical information.
|
|
|
|
| availability | The process of ensuring that the systems responsible for delivering, storing, and processing data are accessible when needed, by those who need them under both routine and emergency circumstances.
|
|
|
|
| backup procedure | The activity of copying files to another medium (such as tape, disk, CD, or online backup service) so that they will be preserved in case the originals are no longer available.
|
|
|
|
| benchmark | To compare something against a standard, such as an activity looked at in an audit that is compared against a HIPAA standard.
|
|
|
|
| business associate (BA) | A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity itself. Business associates, such as law firms and accountants must adhere to HIPAA standards in order to do business with a covered entity.
|
|
|
|
| Centers for Medicare and Medicaid Services (CMS) | (formerly known as HCFA) The division of Health and Human Services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.
|
|
|
|
| certification of compliance agreement (CCA) | An agreement between the OIG and a health care entity in which the OIG negotiates a compliance agreement for infractions that are not considered serious.
|
|
|
|
| civil money penalties (CMP) | Financial penalties imposed by the OIG for a wide variety of conduct.
|
|
|
|
| civil violation | A violation of civil law as opposed to a violation of criminal law.
|
|
|
|
| claim adjustment reason codes (RC) | A national administrative code set that identifies the reasons for any differences, or adjustments, between the original provider charge for a claim or service and the payer's payment for it.
|
|
|
|
| claim attachment | Supplemental health information needed to support a particular health care claim. There are a variety of hardcopy forms or electronic records needed to process a claim in addition to the claim itself.
|
|
|
|
| claim status category codes | A national administrative code set that indicates the general category of the status of health care claims. Used in communication from the payer to the provider.
|
|
|
|
| claim status codes | A national administrative code set that further details the status of health care claims in addition to claim status category codes.
|
|
|
|
| clearinghouse | (also called Health Care Clearinghouse) A company that handles electronic transactions for providers, such as submitting claims using HIPAA formats and may also manage electronic medical records.
|
|
|
|
| code of conduct | A written document created by a health care provider for members of its organization based on the basic principles of health care and HIPAA rules and regulations.
|
|
|
|
| code set | Alphabetic and/or numeric representations for data. Medical code sets are systems of medical terms that are required for HIPAA transactions. Administrative (nonmedical) code sets, such as ZIP codes, are also used in HIPAA transactions.
|
|
|
|
| compliance plan | Written plan created by a health care provider or health plan that includes: written policies and procedures; appointment of a compliance officer and committee; a code of conduct; training plans; effective lines of communication; ongoing auditing and monitoring; disciplinary guidelines and policies; and corrective action for errors.
|
|
|
|
| compliance program guidance | Guidance issued by the OIG for the preparation of compliance plans.
|
|
|
|
| confidentiality | The assurance that electronic protected health information (EPHI) is shared only among authorized individuals or organizations.
|
|
|
|
| confidentiality notice | A statement on all faxes and e-mails instructing the receiver to destroy the materials and contact the sender immediately, in the event that the transmission reached him/her in error.
|
|
|
|
| Consolidated Omnibus Budget Reconciliation Act (COBRA) | An amendment to Title I of HIPAA that gives employees the right to continue health coverage as a private payer for a limited period of time once they leave a job.
|
|
|
|
| corporate integrity agreement (CIA) | A negotiated agreement between the OIG and a covered entity (CE) in which the CE agrees to certain obligations in return for the OIG's agreement not to exclude the CE from participation in federal health care programs.
|
|
|
|
| covered entity (CE) | A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.
|
|
|
|
| creditable coverage | Insurance coverage under a group health plan, a health plan, or the Medicaid program know as SCHIP. This coverage is taken into account when an employee joins a new health plan.
|
|
|
|
| criminal violation | A violation of criminal law as opposed to a violation of civil law.
|
|
|
|
| cryptography | The protection of information by transforming it into an unreadable format before it is distributed. To read a message, the recipient must have a key that deciphers the information.
|
|
|
|
| Current Dental Terminology (CDT) | HIPAA-mandated code set for procedures performed in a dental office.
|
|
|
|
| Current Procedural Terminology (CPT) | HIPAA-mandated procedural code set developed, owned, and maintained by the American Medical Association.
|
|
|
|
| Deficit Reduction Act (DRA) of 2005 | A federal law designed to reduce fraudulent claims. It encourages states to pass their own false claims acts.
|
|
|
|
| degaussing | A method for disposal of electronic media with personal health information in which a strong magnetic field is applied to fully erase the data.
|
|
|
|
| de-identified health information | Medical data from which individual identifiers have been removed.
|
|
|
|
| Department of Health and Human Services (HHS) | The federal department that administers federal programs covering public health and welfare.
|
|
|
|
| Department of Justice (DOJ) | The federal government's main law enforcement division.
|
|
|
|
| designated record set (DRS) | A group of medical records. For providers, it includes medical and billing records but not other items, such as lab tests. For a health plan, the designated record set includes enrollment, payment, claim decisions, and medical management systems of the plan.
|
|
|
|
| Designated Standard Maintenance Organization (DSMO) | An organization that has been designated by the Secretary of HHS to perform those activities necessary to support the use of a HIPAA standard. Such organizations make technical corrections to an implementation specification, expand a code set, or recommend other modifications to keep the standard current.
|
|
|
|
| digital certificates | Digital files that certify the identity of an individual or institution seeking access to computerbased information.
|
|
|
|
| direct provider | A health care provider who has a direct treatment relationship with a patient, such as a physician or therapist. See also indirect provider.
|
|
|
|
| disclosure | release or divulgence of information by a health care entity to persons or organizations outside of that entity. Rule is in HIPAA Part II.
|
|
|
|
| documentation | Systematic, logical, and consistent recording of a patient's health status—history, examinations, tests, results of treatments, and observations—in chronological order in a patient medical record.
|
|
|
|
| e-discovery | The process of gathering information from digital sources for use in legal proceedings.
|
|
|
|
| EIN (Employer Identifier Number) | The 10-digit federal tax number for employers, issued by the Internal Revenue Service, and adopted under HIPAA as the Standard Unique Employer Identifier.
|
|
|
|
| electronic data interchange (EDI) | The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.
|
|
|
|
| electronic medical record (EMR) | or electronic health record (EHR or EMR) Collection of health information that is immediately electronically accessible by authorized users.
|
|
|
|
| encounter | Visit between a patient and a medical professional.
|
|
|
|
| encryption | The process of encoding electronic information in cryptography.
|
|
|
|
| ePHI | PHI that is stored or transmitted in electronic form.
|
|
|
|
| excluded parties | Employees, physicians, and contractors who have been found guilty of fraud, and are excluded from work for government programs.
|
|
|
|
| external audit | A formal examination in which an agency, such as the OIG, selects certain records for review.
|
|
|
|
| False Claims Act (FCA) | A federal law that prohibits submitting a fraudulent claim or making a false statement or representation in connection with a claim.
|
|
|
|
| Federal Employees Health Benefits (FEHB) program | The program that provides medical insurance coverage to the more than 8 million federal employees, retirees, and their families. Administered by the federal government's Office of Personnel Management (OPM).
|
|
|
|
| Federal Register | A publication of the Office of the Federal Register (OFR), which is responsible for publishing federal laws, presidential documents, admistrative regulations and notices, and descriptions of federal organizations, programs, and activities.
|
|
|
|
| firewall | A security device that examines traffic entering and leaving a network, and determines (based on a set of user-defined rules) whether to forward it toward its destination.
|
|
|
|
| fraud | Intentional deceptive act to obtain a benefit.
|
|
|
|
| group health plan | Medical insurance offered to employees and payed for in part or in full by an employer.
|
|
|
|
| Health Care Common Procedure Code System (HCPCS) | A classification system for medical procedures, services, and supplies. It was set up to give providers a coding system that describes specific products, supplies, and services patients receive that are not in CPT.
|
|
|
|
| Health Care Fraud and Abuse Control Program | A HIPAA program designed to uncover and prosecute fraud and abuse.
|
|
|
|
| health insurance reform | See Title I.
|
|
|
|
| Health Insurance Portability and Accountability Act (HIPAA) of 1996 | The federal legislation covering rules regarding the health care industry, specifically how it is administered and the rights of patients in regard to health care coverage and privacy.
|
|
|
|
| health plan | Any individual or group plan that provides or pays for medical care.
|
|
|
|
| HIPAA Electronic Health Care Transactions and Code Sets (TCS) | HIPAA standards governing the electronic exchange of health information using standard formats and standard code sets.
|
|
|
|
| HIPAA Employer Identifier | HIPAA standards that mandate using certain identifying numbers for employers that sponsor health plans and for providers.
|
|
|
|
| HIPAA final enforcement rule | HIPAA rule that reconciles differences in enforcement procedures that had existed between the privacy and the security standards. This single rule covers all administrative simplification provisions.
|
|
|
|
| HIPAA privacy rule | Law that regulates the use and disclosure of patients' protected health information (PHI).
|
|
|
|
| HIPAA security rule | Security standards that require appropriate administrative, physical, and technical safeguards to protect the privacy of protected health information against unintended disclosure through breach of security.
|
|
|
|
| hybrid record | Medical record that is made up of both electronic and paper documents.
|
|
|
|
| identity theft | The criminal use of another person's personal information to take on that person's identity.
|
|
|
|
| ICD-9-CM | International Classification of Diseases, Ninth Revision, Clinical Modification Mandatory code set used by the United States. It provides rules for selecting and sequencing diagnosis codes in both the inpatient and the outpatient environments.
|
|
|
|
| ICD-10-CM | International Classification of Diseases, Tenth Revision, Clinical Modification, published in 1990 and expected to be made mandatory for the United States.
|
|
|
|
| implementation guide | The official source of detailed technical information on how the HIPAA administrative and financial transactions are to be implemented.
|
|
|
|
| implementation specifications | Under HIPAA, the specific instructions for implementing a standard. This is in Part II, Implementation Guide.
|
|
|
|
| incidental use and disclosure | The release of protected health information (PHI) that happens as a result of correct use and disclosure.
|
|
|
|
| indirect provider | A health care provider is a person or business that has an indirect treatment relationship with the patient, such as a laboratory. See also direct provider.
|
|
|
|
| integrity | The certainty that the electronic information is not changed in any way during storage or transmission, and that it is authentic, complete, and can be relied upon to be sufficiently accurate for its purpose.
|
|
|
|
| internal audit | Routine audits that a covered entity performs regularly by itself as part of its compliance plan.
|
|
|
|
| legacy numbers | The identifying numbers that were in use before the National Provider Identifier (NPI) system.
|
|
|
|
| malware | Any program that harms information systems; often brought into organizations through email attachments or programs that are downloaded from the Internet.
|
|
|
|
| medical code sets | Codes that are used for a medical condition or treatment. These code sets are usually maintained by professional societies and public health organizations. See also administrative code sets.
|
|
|
|
| medical record | Progress notes, reports, and other clinical materials relating to a patient and maintained by a health care provider.
|
|
|
|
| medical standards of care | State specified performance measures for the delivery of health care by medical professionals.
|
|
|
|
| minimum necessary standard | Principle that individually identifiable health information should be disclosed only to the extent needed to support the purpose of the disclosure.
|
|
|
|
| National Drug Codes (NDC) | A code set maintained by the Food and Drug Administration (FDA) that classifies drugs and biologicals. It was originally required for use in the ASC X12N standards, but is now required for use only in retail pharmacies. Hospitals and physicians are not required to use this code set.
|
|
|
|
| National Plan and Provider Enumeration System (NPPES) | A system set up by HHS which processes applications for NPIs, assigns them, and then stores the data and identifying numbers for both health plans and providers.
|
|
|
|
| National Provider Identifier (NPI) | Under HIPAA, a system for uniquely identifying all providers of health care services, supplies, and equipment.
|
|
|
|
| network security | The practice of protecting and preserving resources and information on a network.
|
|
|
|
| Notice of Privacy Practices (NPP) | A document stating the privacy policies and procedures of a covered entity (CE).
|
|
|
|
| Notice of Proposed Rule-Making (NPRM) | A document that describes and explains rules that the Federal Government proposes to adopt at some future date. Interested parties are invited to submit comments, which may then be used in developing a final regulation.
|
|
|
|
| Office for Civil Rights (OCR) | The division of Health and Human Services responsible for enforcing the HIPAA privacy rules. Privacy is considered a civil right.
|
|
|
|
| Office of the Inspector General (OIG) | Federal agency that investigates and prosecutes fraud against government health care programs such as Medicare.
|
|
|
|
| OIG Fraud Alert | Alerts issued periodically to inform providers of problematic actions that have come to the OIG's attention.
|
|
|
|
| OIG Work Plan | A list of the year's projects that the OIG will be working on in areas that the government is investigating. This list is given to covered entities (CEs) so that they can make sure they are in compliance.
|
|
|
|
| password | A string of numbers and/or characters that are required to log into a system, used as a means of preventing unauthorized users from gaining access to information on a computer or network.
|
|
|
|
| physical standards | Under HIPAA, standards that require covered entities to implement policies and procedures that limit unauthorized physical access to electronic information systems such as computers as well as the facilities where the ePHI is stored. including portable/mobile media devices
|
|
|
|
| place of service (POS) | Under HIPAA administrative code that indicates where medical services were provided.
|
|
|
|
| preemption | The rule that HIPAA rules supersede state laws except when HIPAA deems a state law necessary to prevent fraud and abuse or when the state law is more restrictive than the HIPAA rule.
|
|
|
|
| protected health information (PHI) | The HIPAA terminology for individually identifiable health information in any medium, except such information maintained in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records.
|
|
|
|
| protocol | A set of rules governing the format of messages that are to be exchanged electronically either within a network or between two parties.
|
|
|
|
| provider | People or businesses that furnish, bill, or are paid for health care in the normal course of business. Under HIPAA, a covered provider is one who submits electronic administrative and financial transactions.
|
|
|
|
| qui tam | Meaning "who as much;" refers to the whistle blowers in whistle blower cases.
|
|
|
|
| relator | A person who makes an accusation of suspected fraud.
|
|
|
|
| release of information (ROI) | Release of information (ROI) of a patient's information.
|
|
|
|
| remittance advice (RA) | An electronic message that explains how a payer arrived at benefits.
|
|
|
|
| remittance advice remark codes (REM) | Remark codes maintained by CMS and used by payers to explain why payments differ from billed amounts.
|
|
|
|
| required implementation specifications | Under HIPAA, specifications that must be performed by covered entities. These specifications include administrative, physical, and technical standards.
|
|
|
|
| risk analysis | The process of creating policies and procedures to protect electronic protected health information (ePHI).
|
|
|
|
| risk management | The establishment of policies and procedures that reduce the risk of breaches of security.
|
|
|
|
| role-based authorization | A structure set up by most covered entities (CEs) in which access is based on the individual's title and/or job function, so that only people who need information can see it.
|
|
|
|
| sanction policy | Under HIPAA, a key specification that requires covered entities (CEs) to set up a policy that states the consequences for violations of security policies and procedures by employees, agents, and contractors.
|
|
|
|
| security incidents | Defined in HIPAA as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
|
|
|
|
| small health plan | Under HIPAA, a health plan with annual revenue of 5 million dollars or less. It is in Part II.
|
|
|
|
| Stark II | Federal law that prohibits self-interested referrals, or referrals in which the entity referring has a financial interest or may receive a kickback.
|
|
|
|
| subpoena | An order by a court requiring a party to appear and testify.
|
|
|
|
| subpoena duces tecum | A subpoena that also includes the requirement to bring certain documents.
|
|
|
|
| taxonomy codes | A ten-digit number that stands for a physician's medical specialty. The codes are published by the Washington Publishing Company.
|
|
|
|
| technical standards | Defined in HIPAA as "the technology and the policy and procedures for its use that protect ePHI and control access to it."
|
|
|
|
| Title I | The portion of the HIPAA law concerned with health insurance reform. The main purpose of Title I is to ensure the continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.
|
|
|
|
| Title II | The portion of the HIPAA law known as administrative simplification. The rules in this section cover administrative, financial, and case management policies and procedures. It contains strict requirements for the uniform transfer of electronic health data and covers rules of patient confidentiality.
|
|
|
|
| transaction | One electronic exchange in EDI, specifically under HIPAA, the exchange of information between two parties involved in financial or administrative activities related to health care. It is in Part II.
|
|
|
|
| treatment, payment, and health care operations (TPO) | Under HIPAA, the rule that patients' protected health information may be shared without authorization for the purposes of treatment, payment, and operations.
|
|
|
|
| triggered reviews | An audit or review triggered by certain events or certain repeated actions indicating noncompliance.
|
|
|
|
| unique user identification | Under HIPAA, an implementation specification that requires every individual in the workplace to have his or her own unique name and/or number for access to the computer system.
|
|
|
|
| upcoding | Use of a procedure code that provides a higher payment than the code for the service actually provided.
|
|
|
|
| workstation | An electronic computing device such as a laptop or desktop computer and electronic media stored in its immediate area.
|