Privacy Law
|
Acceptable Risk:
The level of risk management finds acceptable to a particular information asset. Acceptable risk is based on empirical data and supportive technical opinion that the overall risk is understood and that the controls placed on the asset or environment will lower the potential for its loss. Any remaining risk is recognized and accepted as an accountability issue.
Acceptable Use Policy (AUP):
A set of rules and guidelines that specify in more or less detail the expectations in regard to appropriate use of systems or networks.
Access Control:
The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms, which control access to information systems, and physical access to premises.
Access:
The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Administrative Order:
An order that has the same meaning as the definition in ORS 183.310(5)(a), where an "order" means any agency action expressed orally or in writing directed to a named person or named persons, other than employees, officers or members of an agency.
Administrative Safeguards:
Administrative actions and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Administrative Tribunal:
The entity authorized by state law to preside over an administrative proceeding, whether conducted by the director or administrator, or designated employee, of an Oregon state agency or before an administrative hearing officer in a contested case hearing pursuant to Oregon law, that may result in an Administrative Order (defined above).
Authentication:
The act of verifying the identity of an individual, originator, terminal, or workstation, to determine that entity's right to access specific categories of information and a measure designed to protect against fraudulent transmission by verifying the validity of a transmission, message, station, or originator.
Authorization:
Permission by an individual or his/her personal representative(s) for the release or use of information. An "authorization" is a written document that gives permission to obtain and use information from third parties for specified purposes or to disclose information to a third party specified by the individual.
Availability:
Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them and that the information it provides will be of acceptable integrity.
Business Associate:
An individual or corporate "person" who performs on behalf of the department any function or activity involving the use or disclosure of Protected Health Information (PHI), and who is not a member of the department’s workforce. The definition of "function or activity" includes:
claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services and similar services for which the Department might contract are included, if access to PHI is involved. Business associates do not include licensees or providers unless the licensee or provider also performs some "function or activity".
Client:
An individual who requests or receives services from the Department of Human Services. Examples of "clients" include but are not limited to:
applicants for or recipients of public assistance; minors and adults receiving protective services.
Client Information:
Personal information relating to a client.
Client Records:
All personal information that has collected, compiled, or created about clients, which may maintain in one or more locations and in various forms, reports, or documents, including information that is stored or transmitted by electronic media.
Client Services:
The provision of assistance, care, treatment, training or support to a client.
Collect / Collection:
The assembling of personal information through interviews, forms, reports or other information sources.
Compliance:
Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.
Confidentiality:
The degree to which sensitive data, about both individuals and organizations, must be protected. Information is not made available or disclosed to unauthorized individuals, entities, or processes.
Confidential Information:
Any client information (defined above) that may have in its records or files on any client that must be safeguarded pursuant to policy. This includes, but is not limited to, "individually identifying information" (defined below).
Cookies:
Cookies register information about a visit to a Web site for future use by the server. A server may receive information of cookies of other sites as well, which create concern in terms of breach of privacy.
Correctional Institution:
Any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a state, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. "Other persons held in lawful custody" includes juvenile offenders, adjudicated delinquents; aliens detained awaiting deportation, witnesses, or others awaiting charges or trial.
Corrective Action:
For purposes of programs, an action that a business associate must take to remedy a breach or violation of the business associate’s obligations under the business associate agreement or other contractual requirement, including by not limited to reasonable steps that must be taken to cure the breach or end the violation, as applicable.
Cure Letter:
A letter sent by one party to another, proposing or agreeing to actions that a party will take to correct legal errors or defects that have occurred under a contract between the parties or other legal requirement.
Data Classification:
The conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. The classification of the data then determines the extent to which the data needs to be controlled / secured and is indicative of its value in terms of information assets.
Decrypting:
The process of reversing the encryption of a file or message to recover the original data in order to use or read it.
Digital Signature:
A mathematical computer program creates a digital signature. It is neither a hand-written signature nor a computer-produced picture of one. The signature is like a wax seal that requires a special stamp to produce it, and is attached to an email message or file. The digital signature may then verify the origin of the message or file.
Disclosure / Disclose:
The release, transfer, relay, provision of access to, or conveying client information to any individual or entity.
Downloading:
The act of retrieving files from a server on the network.
Employee:
A public employee or officer for whom is the appointing official.
Encryption:
The process by which data is temporarily re-arranged into an unreadable or unintelligible form for confidentiality, transmission, or other security purposes.
EPHI:
Electronic Protected Health Information (EPHI)
Facility:
The physical premises and the interior and exterior of a building.
Facility Directory:
A listing or reference document maintained by a health care provider, such as (but not limited to) a hospital, nursing home, or treatment center, of persons receiving care or treatment from that provider and containing information about each individual patient or resident receiving care or treatment.
File Server:
A computer system that provides a way of sharing and working on files stored on the system among users with access to these files over a network.
FTP (File Transfer Protocol):
A protocol that allows for the transfer of files between an FTP client and FTP server.
Health Care:
Care, services or supplies related to the health of an individual. Health care includes but is not limited to:
preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and counseling services, assessment, or procedure with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body; and the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Individual:
The person who is the subject of information collected, used or disclosed.
Individually Identifying Information:
Any single item or compilation of information or data that indicates or reveals the identity of an individual, either specifically (such as the individual’s name or social security number), or that does not specifically identify the individual but from which the individual’s identity can reasonably be ascertained.
Information Asset:
Refers to any information in any form (e.g. written, verbal, oral or electronic) upon which the organization places a measurable value. This includes information created, gathered, or stored for external parties.
Information Owner/User:
An (human) individual that makes use of computer systems and networks.
Information Security:
Management and technology programs to protect the organization from unacceptable risks to the organization's information assets. The mechanisms and practices to protect confidential and sensitive information.
Information Security Office:
Information Security Office (ISO) was established to manage Privacy and Security programs.
Information Systems:
The computer systems and information sources used by an organization to support its day-to-day operations.
Inmate:
A person incarcerated in or otherwise confined in a correctional institution. An individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in custody.
Institutional Review Board (IRB):
A specially constituted review body established or designated by an entity in accordance with 45 CFR Part 46 to protect the welfare of human subjects recruited to participate in biomedical or behavioral research.
Integrity:
The property that data or information have not been altered or destroyed in an unauthorized manner.
Law Enforcement Official:
An officer or employee of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to: Investigate or conduct an official inquiry into a potential violation of law; or Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Licensee:
A person or entity that applies for or receives a license, certificate, registration or similar authority to perform or conduct a service or activity or function.
Log In, Logging into a System:
This is an action performed by an end-user, when he authenticates himself to a computer system.
Malicious Software:
Software, for example, a virus, designed to damage or disrupt a system.
Minimum Necessary:
The least amount of information, when using or disclosing confidential client information that is needed to accomplish the intended purpose of the use, disclosure or request.
Mission Critical:
Activities, processing, etc., which are deemed vital to the organization's business success and, possibly, its very existence.
Non-routine Use:
The disclosure of records that is not for a purpose for which it was collected.
Open Office Environment:
A work location structured with few enclosed offices or rooms in which private conversations may be conducted. An open office environment is characterized by individual work stations not separated by walls or partitions, or by partitions that do not extend from floor-to-ceiling or have a closable door and therefore do not allow for workstation conversations that cannot be overheard by other persons.
Patch:
Vendors, in response to the discovery of security vulnerabilities, provide sets of files that have to be installed on computer systems. These files ‘fix’ or ‘patch’ the computer system or programs and remove the security vulnerability.
Participant:
Individuals participating in population-based services, programs and activities that serve the general population, but who do not receive program benefits or direct services that are received by a "client." Examples of "participants" include but are not limited to:
A person whose birth certificate is recorded; the subjects of public health studies, immunization or cancer registries, newborn screening and other public health services; and individuals who contact hotlines or the other public information services.
Password:
Confidential authentication information composed of a string of characters.
Physical Safeguards:
Physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion.
Privacy:
An individual's or organization's right to determine whether, when and to whom personal or organizational information is released. Also, the right of individuals to control or influence information that is related to them, in terms of who may collect or store it and to whom that information may be disclosed.
Privacy Rights:
The specific actions that an individual can take or request to be taken with regard to the uses and disclosures of their information.
Provider:
A person or entity that may seek reimbursement as a provider of services to Clients pursuant to a contract. For purposes of this policy, reimbursement may be requested on the basis of claims or encounters or other means of requesting payment.
Psychotherapy Notes:
Notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session, or a group, joint, or family counseling session, when such notes are separated from the rest of the individual’s record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items:
diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.
Public Official:
Any employee of a government agency, who is authorized to act on behalf of that agency in performing the lawful duties and responsibilities of that agency.
Remote Log In:
If an end-user uses a network to log in to a system, this act is known as remote log in.
Research:
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge.
Required by Law:
A duty or responsibility that federal or state law specifies that a person or entity must perform or exercise. Required by law includes but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or rules that require the production of information, including statutes or rules that require such information if payment is sought under a government program providing public benefits.
Routine and Recurring Use:
The disclosure of records for a purpose that is compatible with the purpose for which the information was collected.
Security/Security Measures:
Encompass all of the administrative, physical and technical safeguards in an information system.
Security Incident:
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Server:
A server is a computer system, or a set of processes on a computer system providing services to clients across a network.
Shared Account:
A common account is shared by a group of users as opposed to a normal account, which is available to only one user. If the account is misused, it is very difficult or impossible to know which of users was responsible.
Storage System:
Any form of office equipment or furniture, including but not limited to file cabinets, lateral files, or shelving units, in which stores client information or files.
Systems Administrator:
The individual who maintains the system and has system administrator privileges. In order to avoid errors and mistakes done by this individual while not acting as an administrator, he/she should limit the time he/she acts as an administrator (as known to the system) to a minimum.
Technical Safeguards:
The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Threats:
The potential that an existing vulnerability can be exploited to compromise the security of systems or networks. Even if vulnerability is not known, it represents a threat by this definition.
Treatment, Payment and Operation (TPO):
Please refer to the separate definitions for Treatment, Payment and Health care operations.
Treatment:
The provision, coordination, or management of heath care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with the third party; consulting between health care providers relating to a patient or the referral of a patient for health care from one health care provider to another.
Use:
The sharing, employment, application, utilization, examination, or analysis of information.
User:
A person or entity with authorized access.
Virus:
A program, which replicates itself on computer systems by incorporating itself (secretly and maliciously) into other programs. A virus can be transferred onto a computer system in a variety of ways.
Vulnerability:
Vulnerability is the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.
Virus-Detection Tool:
Software that detects and possibly removes computer viruses, alerting the user appropriately.
Workstation:
An electronic computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.
Worm:
A computer program, which replicates itself and is self-propagating. Worms, as opposed to viruses, are meant to spawn in network environments.
|
|
