Term
| CobiT (The Control Objectives for Information and related Technology) |
|
Definition
| CobiT is a set of best practices for IT management. CobiT focuses on defining program and management control functions. It is designed to help ensure IT programs are implemented and managed effectively so that the investment in technology is used efficiently. While not specifically a security standard, strong CobiT compliance typically indicates a higher quality of control over internal practices, which helps an organization manage an effective security infrastructure and is sound business practice. |
|
|
Term
|
Definition
| Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. |
|
|
Term
| IaaS (Infrastructure as a Service) |
|
Definition
| Rather than purchasing servers, software, data-center space or network equipment, clients instead buy those resources as a fully outsourced service. Suppliers typically bill such services on a utility computing basis; the amount of resources consumed (and therefore the cost) will typically reflect the level of activity. |
|
|
Term
| PaaS (Platform as a Service) |
|
Definition
| Is the delivery of a computing platform and solution stack as a service. PaaS offerings facilitate deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities, providing all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet. |
|
|
Term
| SaaS (Software as a Service) |
|
Definition
| Sometimes referred to as "on-demand software," it is a software delivery model in which software and its associated data are hosted centrally (typically in the Internet cloud) and are typically accessed by users with a thin client, normally a web browser over the Internet. |
|
|
Term
|
Definition
| The protection of data and systems in networks that connect to the Internet. |
|
|
Term
|
Definition
| A strategic resource that aligns business and technology, leverages shared assets, builds internal and external partnerships, and optimizes the value of information technology services. |
|
|
Term
|
Definition
| An intranet that allows specified levels of access to authorized, external users. |
|
|
Term
| HITRUST (Health Information Trust Alliance) |
|
Definition
| The HITRUST Common Security Framework (CSF) is a framework that normalizes the security requirements of healthcare organizations including federal (e.g., ARRA and HIPAA), state (Mass.), third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS). |
|
|
Term
| HIPAA Privacy, Security, and Enforcement |
|
Definition
| The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. |
|
|
Term
|
Definition
| An “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. |
|
|
Term
|
Definition
| A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. |
|
|
Term
| BAA (Business Associate Agreement) |
|
Definition
| The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associate Agreement is the assurance that the business will take proper steps to implement the appropriate administrative, physical and technical safeguards. |
|
|
Term
|
Definition
| A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. |
|
|
Term
|
Definition
| The regulations requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. |
|
|
Term
|
Definition
| Any business entity that must comply with HIPAA regulations, which includes health-care providers, health plans and health-care clearinghouses. For purposes of HIPAA, health-care providers include hospitals, physicians and other caregivers. Examples include Providers, Health Plans, Clearinghouses, and Business Associates. |
|
|
Term
|
Definition
| The U.S. Department of Justice established who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 and imprisoned for up to a year. More serious offenses call for higher fines and prison time. |
|
|
Term
| De-Identified Information |
|
Definition
| De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. |
|
|
Term
|
Definition
| Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under covered entity. |
|
|
Term
| Individually Identifiable Health Information |
|
Definition
| A subset of health information, this includes demographic information about an individual’s health that identifies or can be used to identify the individual. This includes name, address, date of birth, etc. |
|
|
Term
| PHI (Protected Health Information) |
|
Definition
| Relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or payment for care provided to an individual. It is transmitted or maintained in any form (electronic, paper, or oral representation). This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more. |
|
|
Term
|
Definition
| The organization is in violation, but it had taken every possible step it could have foreseen to prevent that. Minimum fine: $100 per incident with an annual maximum of $25,000 for repeat violations. Maximum fine: $50,000 per violation with an annual maximum of $1.5 million for repeat violations. |
|
|
Term
|
Definition
| The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access. |
|
|
Term
|
Definition
| The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically. |
|
|
Term
| TPO (“Treatment,” “Payment,” and “Health Care Operations”) |
|
Definition
| “Treatment” generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding. “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. |
|
|
Term
|
Definition
| Any use or disclosure of protected health information for treatment, payment, or health care operations must be consistent with the covered entity’s notice of privacy practices. A covered entity is required to provide the individual with adequate notice of its privacy practices, including the uses or disclosures the covered entity may make of the individual’s information and the individual’s rights with respect to that information. |
|
|
Term
|
Definition
| A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, protected health information for payment and health care operations to the minimum necessary. A covered entity is also required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment, and health care operations, based on who needs access to the information to do their jobs. |
|
|
Term
|
Definition
| Steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn’t addressed yet. The violation is due to reasonable cause and not willful neglect. Minimum fine: $1,000 per incident with an annual maximum of $100,000 for repeat violations. Maximum fine: $50,000 per incident with an annual maximum of $1.5 million for repeat violations. |
|
|
Term
|
Definition
| There are two types of willful neglect. The first is when a company clearly ignores the HIPAA law but corrects its mistake within the given amount of time. Minimum fine: $10,000 per incident with an annual maximum of $1.5 million for repeat violations. Maximum fine: $50,000 per violation with an annual maximum of $1.5 million for repeat violations. The second type of willful neglect is when a company ignores the HIPAA law and does not correct its mistake. Minimum fine: $50,000 per incident with an annual maximum of $250,000 for repeat violations. Maximum fine: $50,000 per incident with an annual maximum of $250,000 for repeat violations. |
|
|
Term
|
Definition
| An internal network that looks and acts like the World Wide Web. Intranets allow companies to take advantage of Web-based technology and create a private means of sharing data and applications among their networked users. |
|
|
Term
| ITIL (Information Technology Infrastructure Library) |
|
Definition
| A set of Best Practice guidance for IT Service Management. ITIL is owned by the OGC and consists of a series of publications giving guidance on the provision of Quality IT Services, and on the Processes and facilities needed to support them. |
|
|
Term
| MU (Meaningful Use Criteria) |
|
Definition
| These are the ways in which practitioners must use federally certified EHR products in order to secure EHR incentive program payments from either Medicare or Medicaid. |
|
|
Term
| PMBOK (Project Management Body of Knowledge Guide) |
|
Definition
| A publication by the Project Management Institute on best practices for project management. |
|
|
Term
| RFI (Request for Information) |
|
Definition
| This is a procurement document sent to one or more vendors, producing similar products, to secure comparative information on product function, ancillary services, and price. An RFI usually provides extensive description(s) of the requirements that the bidder’s solution must satisfy to be acceptable. |
|
|
Term
|
Definition
| This is a procurement document sent to one or more vendors which seeks a proposed solution to the described service needs of the requestor. As a general rule, these proposals do not include detailed specifications on what the requestor needs. The premise is that the bidder has considerable experience in the field and that part of its value proposition is the innovation the bidder provides through its solution. |
|
|
Term
| RFQ (Request for Quotation) |
|
Definition
| Generally, an RFQ is used when the product being sought is rather conventional and does not require much description or many requirements. This document generally secures vendor prices for commodities. |
|
|
Term
|
Definition
| The ability to add users and increase the capabilities of an application without having to make significant changes to the application software or the system on which it runs. |
|
|
Term
|
Definition
| A contract between a service provider and a user that specifies the level of service expected during a contract term. Service level agreements determine how performance will be measured and, in the event of underperformance, how the penalties will be calculated and paid. |
|
|
Term
|
Definition
| A business model based on a monthly fee charged for the use of equipment, software, services or content, or some combination of those. Used by many vendors, such as providers of e-prescribing systems. See also transaction-based model. |
|
|
Term
|
Definition
| A long-term view of all costs associated with a specific technology investment. Costs include that of acquiring, installing, using, maintaining, changing, and disposing of a technology during its useful life. |
|
|
Term
|
Definition
| A business model based on service fees charged for each transaction conducted using the vendor’s equipment, software, services or network. Used by some e-health vendors, including providers of e-prescribing systems. See also subscription-based model. |
|
|