NRPM: Standards for Privacy of Individually Identifiable Health Information. § 164.504 Definitions.


As used in this subpart, the following terms have the following meanings:

Business partner means, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. “Business partner” includes contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. “Business partner” excludes persons who are within the covered entity’s workforce, as defined in this section.

Designated record set means a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual. For purposes of this paragraph, the term “record” means any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health care operations means the following activities undertaken by or on behalf of a covered entity that is a health plan or health care provider for the purpose of carrying out the management functions of such entity necessary for the support of treatment or payment:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in areas of health care learn under supervision to practice as health care providers, accreditation, certification, licensing or credentialing activities;

(3) Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the individuals are already enrolled in the health plan conducting such activities and the use or disclosure of protected health information relates to an existing contract of insurance (including the renewal of such a contract);

(4) Conducting or arranging for medical review and auditing services, including fraud and abuse detection and compliance programs; and

(5) Compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding.

Health oversight agency means an agency, person or entity, including the employees or agents thereof,

(1) That is:

(i) A public agency; or

(ii) A person or entity acting under grant of authority from or contract with a public agency; and

(2) Which performs or oversees the performance of any audit; investigation; inspection; licensure or discipline; civil, criminal, or administrative proceeding or action; or other activity necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, or of government regulatory programs for which health information is necessary for determining compliance with program standards.

Individual means the person who is the subject of protected health information, except that:

(1) “Individual” includes:

(i) With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person’s rights in such contexts.

(ii) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual under this subpart with respect to the protected health information relating to such care.

(iii) With respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent’s estate.

(2) “Individual” excludes:

(i) Foreign military and diplomatic personnel and their dependents who receive health care provided by or paid for by the Department of Defense or other federal agency, or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute; and

(ii) Overseas foreign national beneficiaries of health care provided by the Department of Defense or other federal agency, or by a non-governmental organization acting on its behalf.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and that:

(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

(i) Which identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Law enforcement official means an officer of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to conduct:

(1) An investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or

(2) A criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.

Payment means:

(1) The activities undertaken by or on behalf of a covered entity that is:

(i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or

(ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.

(2) Activities that constitute payment include:

(i) Determinations of coverage, improving methods of paying or coverage policies, adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, and medical data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and

(v) Utilization review activities, including precertification and preauthorization of services.

Protected health information means individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form.

(1) For purposes of this definition,

(i) “Electronically transmitted” includes information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial- up lines, private networks, telephone voice response, and “faxback” systems.

(ii) “Electronically maintained” means information stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

(2) “Protected health information” excludes:

(i) Individually identifiable health information in education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and

(ii) Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.

Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. “Generalizable knowledge” is knowledge related to health that can be applied to populations outside of the population served by the covered entity.

Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual.

Use means the employment, application, utilization, examination, or analysis of information within an entity that holds the information.

Workforce means employees, volunteers, trainees, and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.