In This Section

HIPAA Glossary

Published on · Last Updated 1 year 9 months ago


Subscribe to be notified of changes or updates to this page.

7 + 11 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
Term Definition
Accounting for Disclosures Information that describes the Hospital's Disclosures of PHI other than for Treatment, Payment, and Healthcare Operations (TPO); Disclosures made with Authorization; and certain other limited Disclosures. Patients are entitled to request an account of these Disclosures.
Actions May include but are not limited to preliminary analysis of data, submission of progress reports, adverse event reporting, reporting of study to DSMB.

Hospital personnel must get a signed, written Authorization from the patient in order to use or disclose PHI for purposes other than Treatment, Payment or Healthcare Operations (TPO). Authorizations would be needed, for example, for some types of research and for contacting our patients for marketing or fund raising.

Each Authorization must include, among other things:

  • A description of the PHI to be used or disclosed.
  • The persons or classes of persons authorized to use or disclose the information.
  • A list of those who would receive the PHI.
  • A description of the purpose of each Use or Disclosure of the PHI.
  • Expiration date or event.
  • Signature of the patient or his or her representative.
Business Associate A person or organization that has a written or unwritten contract to perform an activity on behalf of CHOP, involving the Use or Disclosure of PHI.

Coded data and specimens are defined by OHRP as meaning:

  1. identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and
  2. a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens. See the page on

Some PHI elements may remain in the dataset if required for the research. Typically this might include the elements permitted in a limited data set.

Data Use Agreement An agreement with the intended recipient of a Limited Data Set that establishes the ways in which the information in the Limited Data Set may be used and how it will be protected.
Decedent A deceased person

Deidentified datasets are those (1) without any elements of PHI and (2) without a way for the investigator/recipient to relink the data back to PHI. The elements of PHI from the individual, relatives of the individual, employers or household members of the individual that must be excluded for the dataset to be considered deidentified include:

  • Names
  • All geographic subdivisions smaller than a State, including street address, city*, county*, precinct*, zip code* and their equivalent geocode (except the initial 3 digits of a zip code)
  • All elements of dates* (except Year), including date of birth, date of admission, or date of visit / service
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identification numbers and serial numbers, including license plate numbers
  • Device identifiers (e.g. implanted medical devices) and serial numbers
  • Web URLs
  • Internet protocol (IP) address numbers
  • Biometric indicators, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except as permitted above provided the investigator could not use the information alone or in combination with other information to identify an individual who is a subject of the information.

* These items may be included in a Limited Data Set.

Designated Record Set A group of records maintained by or for the Hospital that include (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the Hospital to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the Hospital.
Disclosure The release, transfer, provision of access, to, or divulging in any other manner of information outside the Hospital.
Fully Executed The signatures of all parties to an agreement
HIM Health Information Management
hipaa The Health Insurance Portability and Accountability Act of 1996. It includes the Privacy Rule, which becomes effective April 14, 2003.
Hospital The Children's Hospital of Philadelphia (CHOP) and all its affiliates, practices and subsidiaries
Individual The person who is the subject of PHI
Individually Identifiable Health Information Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or healthcare clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Investigator Person conducting research as defined in a protocol
Limited Data Set

A limited data set is protected health information (PHI) that excludes certain PHI. A limited data must exclude the same PHI as required for a Deidentified data set except for the following: some postal address information (city, state, ZIP Code); elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. A limited dataset may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its Use and Disclosure, provided the provider and the recipient have executed a Data Use Agreement.

Creating a Limited Data Set:

Delete/remove all elements of PHI from the data that would be required to created a Deidentified data set with the exception of the following items:

  • Postal address information other than town, or city, State and zip code
  • Dates including date of birth, date of admission, date of visit, or date of service
Minimum Necessary The least information reasonably necessary to accomplish the intended purpose of the Use, Disclosure, or request.
Notice of Privacy Practices This notice describes the Hospital's Uses and Disclosures of PHI, and the patient's PHI rights. Each of our patients must receive this notice when services are first delivered - either upon admission or when first seen as an outpatient, or after a treatment telephone call or e-mail.
PHI (Protected Health Information; also called patient or health information) PHI is Individually Identifiable Information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. There are 18 PHI identifiers of individual patients, their relatives, household members or employers. These include: name; all geographic identifiers smaller than a state, including address and zip codes; dates except for years (including birth, admission, discharge or death dates); Social Security numbers; telephone and fax numbers; e-mail addresses; and medical record and health plan numbers. (See De-identified and Individually Identifiable Health Information)
Preparatory to Research Activities done as part of designing a study and/or determining the feasibility of conducting a study. These activities would be prior to submitting an IRB protocol.
Prospective In a prospective study, data is collected going forward in time; IRB approval is required. For prospective research the timepoint is from the date of submission to the IRB.
Protocol A description of a research project that sets forth explicit objectives and formal procedures designed to reach the objectives of the study.
Research A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.
Retrospective In a retrospective study, the research is based on records, biospecimens or other materials that exist already. IRB approval is required. For retrospective research, all of the materials must exist as of the date of submission to the IRB.
Subject Individual or individual's data used in a research study
Treatment, Payment and Healthcare Operations (TPO) Without first getting written authorization, the Hospital can use PHI for Treatment, Payment and Healthcare Operations purposes. So a patient's case can be discussed among the medical staff, including those undergoing training, and referring physicians. PHI can be used for submitting claims for payment and for such healthcare operations purposes as quality assurance, utilization review, case management and risk management - all without getting a written Authorization from the patient.
Use This includes but is not limited to the application, utilization, examination or analysis of PHI.
Waiver of Authorization The determination and documentation that the Hospital obtains from the IRB that states that the IRB has waived or altered the Privacy Rule's requirement that an individual must authorize the Hospital to use or disclose the individual's PHI for research purposes.
Workforce Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Hospital, is under direct control of the Hospital, whether or not they are paid by the Hospital.