Definitions

Act: means the Social Security Act.

Business Associate: an individual or entity that is not a member of the SHC/LPCH Workforce (defined below) and that either:

(1) Acting on behalf of SHC/LPCH, assists in the performance of a function or activity involving the Use or Disclosure of Protected Health Information (as defined below). Examples of such activities and functions include, but are not limited to, (a) claims processing or administration, (b) data analysis processing or administration, (c) utilization review, (d) quality assurance, (e) billing, (f) benefits management, (g) practice management, (h) repricing and (i) information technology; or

(2) Receives Protected Health Information in the course of providing the following types of services to SHC/LPCH: (a) legal, (b) actuarial, (c) accounting, (d) consulting, (e) data aggregation, (f) management, (g) administrative, (h) accreditation or (i) financial.

Covered Entity means:

(1) A health plan;

(2) A health care clearinghouse; or

(3) A health care provider who transmits any health information in electronic form in connection with a Transaction (defined below) covered by the HIPAA Privacy Rule.

Designated Record Set means a group of records maintained by or for SHC/LPCH that is:

(1) The medical records and billing records about Individuals maintained by or for SHC/LPCH;

(2) The enrollment, Payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(3) Used, in whole or in part, by or for SHC/LPCH to make decisions about Individuals.

De-identified Information means health information that does not contain any elements that have the potential to identify the Individual. De-identified information is not Protected Health Information.

Direct Treatment Relationship means a Treatment relationship between an Individual and a health care provider that is not an Indirect Treatment Relationship (defined below).

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside of the entity holding the information. (A transfer of information from SHC/LPCH to Stanford, or vice-versa, is not a "Disclosure" under the HIPAA Privacy Rule; such a transfer is within the Stanford Affiliated Covered Entity and, accordingly, would constitute a "Use" of information rather than a Disclosure.)

Group Health Plan means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:

(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or

(2) Is administered by an entity other than the employer that established and maintains the plan.

(A "Group Health Plan" is a type of health plan and, therefore, a Covered Entity under the HIPAA Privacy Rule.)

Health Care Components are those components of a Hybrid Entity (defined below) that (i) perform covered functions under the HIPAA Privacy Rule (that is, health care provider, health plan or health care clearinghouse functions), or (ii) perform support functions for the components performing covered functions (e.g., legal, accounting, internal audit, information technology, etc.) involving the Use or Disclosure of Protected Health Information.

Health Care Operations means a broad range of business and administrative activities of a Covered Entity, including the following:

1. Quality assessment and improvement activities;
2. Education and training of students and other trainees;
3. Reviewing the competence or qualifications of health care professionals, evaluating provider performance, health plan performance, and training, accreditation, certification, licensing or credentialing activities;
4. Contracting for Health Care services; or
5. Business planning, business management and general administrative activities.

HHS stands for the United States Department of Health and Human Services.

HIPAA means the Health Insurance Portability and Accountability Act of 1996.

Hybrid Entity means a Covered Entity that performs both health-related and non-health-related functions and has segregated its various functions into "Health Care Components" (defined above) and non-Health Care Components for purposes of compliance with the HIPAA Privacy Rule.

Stanford Definition of Hybrid Entity

The federal HIPAA privacy regulations (the "HIPAA Rules" or the "Rules") apply to three types of covered entities: (i) health care providers that conduct certain financial and administrative transactions electronically, (ii) health plans and (iii) health care clearinghouses. Stanford Hospital and Clinics (SHC), Lucile Packard Children's Hospital (LPCH), and Stanford University (SU) have operations that meet the definition of a health care provider and a the definition of a health plan under the HIPAA Rules. For this reason, SU, SHC and LPCH are, in whole or in part, covered entities and must comply with the HIPAA Rules by April 14, 2003.

SHC and LPCH are covered entities under the HIPAA Rules in all aspects of their operations as health care providers. SU also performs a number of functions that meet the definition of a health care provider under the HIPAA Rules. For example, the faculty of the School of Medicine ("SOM") treat patients at SHC, LPCH and elsewhere as physician health care providers. Vaden Student Health Center also provides qualifying physician services to students and their spouses, and SU's employee health benefits plans constitute health plans under the Rules. Other SU programs may meet the definition of a covered entity under the HIPAA Rules, such as the Department of Athletics training room (where physicians and trainers likely constitute health care providers).

At the same time, SU has many programs and operations that do not meet the definition of a covered entity under the HIPAA Rules. For entities like SU, the HIPAA Rules include a special designation. An entity that performs both health-related and non-health-related functions may designate itself as a "hybrid entity" for purposes of compliance with the Rules by segregating its various functions into health care components and non-health care components. SU has elected to designate itself as a hybrid entity under the HIPAA Rules.

In addition, the HIPAA Rules allow covered entities under common ownership or control to aggregate themselves into a "single affiliated entity" for purposes of compliance with the Rules. Since SU, SHC and LPCH are under common control (i.e., SU is effectively the parent of SHC and LPCH), they may make this election. SU (specifically, the segregated health components of SU as a hybrid ¿ including the SOM) has joined with SHC and LPCH to form a single affiliated entity under the HIPAA Rules. This approach should provide the most flexibility and administrative efficiency to SU, SHC and LPCH in their efforts to comply with the Rules.

Indirect Treatment Relationship means a relationship between an Individual and a health care provider in which:

(1) The health care provider delivers health care to the Individual based on the orders of another health care provider; and

(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the Individual.

Individual means the person who is the subject of Protected Health Information.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

1. That identifies the individual; or
2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Limited Data Set means Protected Health Information that excludes the following identifiers of the Individual or of the Individual's relatives, employers or household members:

1. Names;
2. Addresses, other than town or city, state, and zip code;
3. Telephone numbers;
4. Fax numbers;
5. Electronic mail addresses;
6. Social security numbers;
7. Medical record numbers;
8. Health plan beneficiary numbers;
9. Account numbers;
10. Certificate / license numbers;
11. Vehicle identifiers and serial numbers (including license plate numbers);
12. Device identifiers and serial numbers;
13. Web universal Resource Locators (URLs);
14. Internet Protocol (IP) address numbers;
15. Biometric identifiers, including finger and voice prints; and
16. Full face photographic images and any comparable images.

Limited Demographic Information: Demographic information relating to an Individual and the dates of health care provided to the Individual.

Marketing means communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service. Marketing does not include oral communications or written communications for which SHC/LPCH does not receive direct or indirect payment from a third party that are made by SHC/LPCH:

(1) For the purpose of describing the entities participating in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a Covered Entity or included in a plan of benefits; or

(2) That are tailored to the circumstances of a particular Individual and the communications are:

(A) Made by a health care provider to an Individual as part of the Treatment of the Individual, and for the purpose of furthering the Treatment of that Individual; or

(B) Made by a health care provider or health plan to an Individual in the course of managing the Treatment of that Individual, or for the purpose of directing or recommending to that Individual alternative treatments, therapies, health care providers, or settings of care.

Organized Health Care Arrangement means a clinically integrated care setting in which individuals typically receive health care from more than one health care provider.;

Payment means the activities undertaken to obtain or provide compensation or reimbursement for the provision of health care services.

Personal Representative means any person authorized under applicable law to act on behalf of the Individual patient with respect to the Individual's patient's health care. For example, a personal representative may include the parent or guardian of a minor patient (unless the minor has the authority under California law to act on his or her own behalf), the guardian or conservator of an adult patient, or the representative of a deceased patient.

Plan Sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).

Protected Health Information means individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that relates to the mental or physical health of the Individual, the provision of health care to the Individual, or Payment for the provision of health care to the Individual. Protected Health Information does not include education records covered by the Family Educational Rights and Privacy Act or employment records held by a Covered Entity in its role as employer.

1. Names;
2. Social Security numbers;
3. Telephone numbers;
4. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combing all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
5. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
6. Fax numbers;
7. Electronic mail addresses;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the research data)

Required by Law means a legal mandate that compels a Covered Entity to make a Use or Disclosure of Protected Health Information and that is enforceable in a court of law. (Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if Payment is sought under a government program providing public benefits.)

Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Secretary means the Secretary of the U.S. Department of Health and Human Services.

Single Affiliated Entity means two or more Covered Entities that are under common ownership or/and control and that have designated themselves as a "Single Affiliated Entity" for purposes of compliance with the HIPAA Privacy Rule. (SHC and LPCH have joined with the Health Care Components (defined above) of Stanford University to form a Single Affiliated Entity for purposes of compliance with the HIPAA Privacy Rule.)

State Law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Use means, with respect to Protected Health Information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Workforce means SHC/LPCH's employees, medical staff, volunteers, trainees, and other persons whose conduct, in the course of work for SHC/LPCH is under SHC/LPCH's direct control, whether or not they are paid by SHC/LPCH.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -