access, consent, disclosure, fair information practices, health care, identity theft, notice, personally identifiable information, privacy,



access
The mechanism(s) by which individuals can view data specific to themselves AND edit and update that data for accuracy and completeness (also participation). [FTC] The mechanism(s) by which individuals can view data specific to themselves. [FTC] (see also authorization, fair information practices) (includes authorized access, reasonable access, unauthorized access)
accountability principle
A data controller should be accountable for complying with measures which give effect to the stated principles. The United States endorsed the OECD Guidelines. [OECD] (see also OECD privacy guidelines)
accounting for disclosures
Information that describes a covered entity's disclosures of PHI other than for treatment, payment, and health care operations; disclosures made with authorization; and certain other limited disclosures. For those categories of disclosures that need to be in the accounting, the accounting must include disclosures that have occurred during the 6 years (or a shorter time period at the request of the individual) prior to the date of the request for an accounting. However, PHI disclosures made before the compliance date for a covered entity are not part of the accounting requirement. [HIPAA] (see also authorization, tracking of disclosures, disclosure)
affiliate
Any company that controls, is controlled by, or is under common control with another company. [GLB] (includes affiliated covered entity)
affiliated covered entity
Legally separate health care providers (or health plans or clearinghouses) that are under common ownership or control and that choose to comply with HIPAA privacy regulations as one affiliated entity. Partners has designated itself as one affiliated covered entity, which includes all Partners hospitals, affiliated physician organizations, PCHI, and owned or managed PCHI practices. This designation permits easier sharing of individually identifiable health care information within the system and avoids the need for some 'business associate' agreements. [HIPAA] (see also business associate, use, affiliate)
A name, usually short and easy to remember and type, that is translated into another name or string, usually long and difficult to remember or type. Commonly used as a single name for a list of e-mail addresses or hyperlink redirects. [FTC]
amending PHI
Individuals have the right to amend protected health information (PHI) in the designated record set. This does not include research notes outside of the designated record set (information that would not be used for clinical or billing decisions). [HIPAA] (see also designated record set, protected health information)
anonymized
Previously identifiable data that have been deidentified and for which a code or other link no longer exists. An investigator would not be able to link anonymized information back to a specific individual. [HIPAA] (see also anonymous, coded, directly identifiable, indirectly identifiable)
anonymous
Data that were collected without identifiers and that were never linked to an individual. Coded data are not anonymous. [HIPAA] Describes an entity whose identity is unknown. [FTC] (see also anonymized, coded, deidentified, directly identifiable, indirectly identifiable, privacy)
authorization
Document designating permission. The HIPAA Privacy Rule requires authorization or waiver of authorization for the use or disclosure of identifiable health information for research (among other activities). The authorization must indicate whether the health information used or disclosed is existing information and/or new information that will be created during the research. The authorization form may be combined with the informed consent form, so that a subject need sign only one form. An authorization must include the following specific elements: a description of what information will be used and disclosed and for what purposes; a description of any information that will not be disclosed, if applicable; a list of who will disclose the information and to whom it will be disclosed; an expiration date for the disclosure; a statement that the authorization can be revoked; a statement that disclosed information may be redisclosed and no longer protected; a statement that if the individual does not provide an authorization, s/he cannot receive research-related treatment; and the subject's signature and date. [HIPAA] Process by which a known (not anonymous) entity gains specified privileges such as access, read or write rights, system administration rights, etc. [FTC] (see also Health Insurance Portability and Accountability Act, access, accounting for disclosures, common rule, consent, disclosure, informed consent, institutional review board, privacy notice, use, waiver of authorization) (includes authorized access)
authorized access
The mechanisms by which access to data is granted by challenges to the requesting entity to assure proper authority based on the identity of the individual, level of access to the data, and rights to manipulation of that data. [FTC] (see also unauthorized access, access, authorization, security)
awareness
(see notice)
biometric identifier
Identifying information based on a physical characteristic (e.g., a fingerprint). [HIPAA] Methods of authentication based on the requester's unique biological traits, such as retinal patterns, handprint, thumbprint, voiceprint, facial details, etc. [FTC] (see also personally identifiable information, biometrics)
biometrics
The science of determining, storing, comparing, and validating the identity of an entity based on biometric identifiers. [FTC] (includes biometric identifier)
business associate
An outside person/entity that performs a service on behalf of the health care provider (including a researcher) or the health care institution during which individually identifiable health information is created, used, or disclosed. Certain exceptions apply. Anyone within the Partners affiliated covered entity is not a business associate. Outside researchers and coordinating or statistical centers that participate in conducting the research or third parties that sponsor research are generally not business associates. Third parties that perform a function on the hospitals' or researchers' behalf that is not itself research may be business associates if they receive protected health information. For example, web hosting or data storage companies will be business associates if they receive protected health information. In addition, third parties that handle billing for a research study, or recruitment and screening, will also be business associates. [HIPAA] (see also affiliated covered entity, data aggregation)
choice
(see consent)
coded
Data are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous or anonymized. Coded data are not covered by the HIPAA Privacy Rule, but are protected under the Common Rule. [HIPAA] (see also anonymized, anonymous, directly identifiable, indirectly identifiable)
collection limitation principle
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. [OECD] (see also OECD privacy guidelines)
common rule
Also known as 45 CFR 46. Outlines requirements of federally supported research with regard to human subjects protections and places the responsibility for these protections on institutions, their Institutional Review Boards (IRBs), and investigators. Among other requirements, the Common Rule mandates that all researchers obtain informed consent from human subjects to participate in research, unless the IRB has approved a waiver of the requirement for informed consent. Partners policy and assurances to the government require all research (not just federally supported studies) to adhere to the Common Rule. [HIPAA] (see also Health Insurance Portability and Accountability Act, authorization, indirectly identifiable, informed consent, institutional review board, limited data set)
compliance date
Covered entities must comply with the HIPAA Privacy Rule by April 14, 2003. [HIPAA] The date by which a covered entity must comply with a standard, implementation specification, requirement, or modification adopted under the Privacy Rule. With the exception of small health plans, which have an extra year to comply, covered entities must complete implementation of, and be in compliance with, the Privacy Rule by April 14, 2003. [HIPAA]
confidentiality
The protection of individually identifiable information as required by state and federal legal requirements and Partners policies. [HIPAA] (see also privacy) (includes data confidentiality, data confidentiality service)
consent
One of the five elements of Fair Information Practices. Choice indicates that consumers, once provided notice/disclosure, have options of choice over the data being requested and the use of that data (also choice). [FTC] (see also authorization, fair information practices) (includes informed consent, opt-in, opt-out)
consumer
An individual (anonymous or identified) who interacts with commercial entities for personal benefits. [FTC] An individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. [GLB]
controller
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. [EUDPD] (see also personal data filing system, processor, third party)
covered entity
Refers to three types of entities that must comply with the HIPAA Privacy Rule: health care providers; health plans; and health care clearinghouses. For purposes of the HIPAA Privacy Rule, health care providers include hospitals, physicians, and other caregivers, as well as researchers who provide health care and receive, access or generate individually identifiable health care information. [HIPAA] (see also health care, health care clearinghouse, health care provider) (includes covered functions)
covered functions
Those functions of a covered entity the performance of which makes the entity a health care provider, health plan, or health care clearinghouse under the HIPAA Administrative Simplification Rules. [HIPAA] (see also covered entity)
customer
A consumer who has a 'customer relationship' with a financial institution. A 'customer relationship' is a continuing relationship with a consumer. [GLB]
data aggregation
Combining of sets of protected health information by a business associate to permit data analyses. [HIPAA] (see also business associate, data collection)
data collection
The processes and sources used by a commercial entity to accumulate information about consumers. There are many methods of collection, including automated methods, direct or indirect entry by consumers, and 3rd party sources. [FTC] (see also data aggregation)
data confidentiality
(see also confidentiality)
data confidentiality service
(see also confidentiality)
data practices
The methods by which a commercial entity manages information. Specifically, the policies and methods used by a commercial entity in the collection, storage, access, security and distribution of customer information. [FTC]
data privacy
The reasonable assurance that data cannot be viewed by anyone other than its intended recipient. [misc] (see also privacy)
data quality principle
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. [OECD] (see also OECD privacy guidelines)
data subject's consent
Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. [EUDPD]
data use agreement
A satisfactory assurance between the covered entity and a researcher using a limited data set that the data will only be used for specific uses and disclosures. The data use agreement is required to include the following information: to establish that the data will be used for research, public health or health care operations (further uses or disclosure are not permitted); to establish who is permitted to use or receive the limited data set; and to provide that the limited data set recipient will: (1) not use or further disclose the information other than as permitted by the data use agreement or as required by law; (2) use appropriate safeguards to prevent use or disclosure of the information other than as provided in the agreement; (3) report to the covered entity any identified use or disclosure not provided for in the agreement; (4) ensure that any agents, including a subcontractor, to whom the limited data sets are provided agree to the same restrictions and conditions that apply to the recipient; and (5) not identify the information or contact the individuals. [HIPAA] (see also limited data set)
deidentified
Under the HIPAA Privacy Rule, data are deidentified if either (1) an experienced expert determines that the risk that certain information could be used to identify an individual is 'very small' and documents and justifies the determination, or (2) the data do not include any of the following eighteen identifiers (of the individual or his/her relatives, household members, or employers) which could be used alone or in combination with other information to identify the subject: names, geographic subdivisions smaller than a state (including zip code), all elements of dates except year (unless the subject is greater than 89 years old), telephone numbers, FAX numbers, email address, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers including license plates, device identifiers and serial numbers, URLs, internet protocol addresses, biometric identifiers, full face photos and comparable images, and any unique identifying number, characteristic or code. Note that even if these identifiers are removed, the Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined. [HIPAA] (see also anonymous, directly identifiable, indirectly identifiable, privacy)
derived personal information
Information that is not directly contributed by an individual or automated collection process, but is calculated as a result of analysis of the collected data. For example, a new attribute of 'potential new car buyer' can be derived by seeing that a consumer has recently and frequently visited car-selling sites, auto loan sites, and product-rating sites for automobiles. [FTC] (see also personally identifiable information)
designated record set
A health care provider's medical and billing records about individuals and any records used by the provider to make decisions about individuals. Individuals, including research subjects, have the right under the HIPAA Privacy Rule to access and amend protected health information in a Designated Record Set. [HIPAA] (see also amending PHI)
directly identifiable
Any information that includes personal identifiers. [HIPAA] (see also anonymized, anonymous, coded, deidentified, indirectly identifiable, individually identifiable health information, information in identifiable form, limited data set, protected health information)
disclosure
A release of identifiable health information to anyone or any entity outside of the Partners affiliated covered entity. [HIPAA] (see also authorization, informed consent, protected health information, use, notice) (includes accounting for disclosures, privacy notice, tracking of disclosures)
electronic medical record
A computer-based record containing health care information. This record may contain some, but not necessarily all, of the information that is in an individual's paper-based medical record. One goal of HIPAA is to protect identifiable health information as the system moves from a paper-based to an electronic medical record system. [HIPAA] (see also individually identifiable health information)
enforcement
Mechanisms to ensure compliance (enforcement) and appropriate means of recourse by injured parties (also redress). [FTC] (see also fair information practices)
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Fair Credit Reporting Act (FCRA)
fair information practices
A set of principles designed to guide commercial entities in their data practices for customer and consumer information. [FTC] (see also OECD privacy guidelines, privacy) (includes access, consent, enforcement, notice, security)
federal functional regulator
Refers to: a) the Board of Governors of the Federal Reserve System; b) the Office of the Comptroller of the Currency; c) the Board of Directors of the Federal Deposit Insurance Corporation; d) the Director of the Office of Thrift Supervision; e) the National Credit Union Administration Board; and f) the Securities and Exchange Commission. [GLB]
financial activities
a) lending, exchanging, transferring, investing for others, or safeguarding money or securities; insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death; providing financial investment or economic advisory services; underwriting or dealing with securities. b) engaging in an activity that the Federal Reserve Board has determined to be closely related to banking. c) engaging in an activity that a bank holding company may engage in outside of the United States. [GLB] (see also financial institution)
financial institution
Any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act (12 U.S.C. § 1843(k)). Under the Final Rule promulgated by the Federal Trade Commission (FTC), an institution must be significantly engaged in financial activities to be considered a 'financial institution.' [GLB] (see also joint agreement) (includes financial activities)
financial privacy rule
The FTC financial privacy rule requires financial institutions to give their customers privacy notices that explain the financial institution’s information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Also, financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information. [FTC] (see also Gramm-Leach-Bliley Act, privacy)
The study of how particular traits are passed from parents to children. Identifiable genetic information receives the same level of protection as other health care information under the HIPAA Privacy Rule. Of note for genetic researchers, the rule defines 'identifiable' information to include information from the individual as well as relatives. Thus researchers considering whether to deidentify data should review the definition of deidentified information closely. [HIPAA] (see also personally identifiable information)
globally unique identifier
Typically a long string of alphanumeric characters that is assigned in such a manner that it is guaranteed to be unique within a well-defined context. These numbers are generally, but not always, assigned using a standard protocol called the UUID (Universally Unique Identifier); however, numbers such as social security numbers could also be considered GUIDs. [FTC] (see also personally identifiable information)
Gramm-Leach-Bliley Act (GLBA)
Subtitle A of Title V of the Gramm-Leach-Bliley Act ('GLB Act') has privacy provisions relating to consumers' financial information. Under these provisions, financial institutions have restrictions on when they may disclose a consumer's personal financial information to nonaffiliated third parties. Financial institutions are required to provide notices to their customers about their information-collection and information-sharing practices. Consumers may decide to 'opt out' if they do not want their information shared with nonaffiliated third parties. The GLB Act provides specific exceptions under which a financial institution may share customer information with a third party and the consumer may not opt out. All financial institutions are required to provide consumers with a notice and opt-out opportunity before they may disclose information to nonaffiliated third parties outside of what is permitted under the exceptions. [GLB] (see also privacy) (includes financial privacy rule, nonaffiliated third party, nonpublic personal information, notice, opt-out, personally identifiable financial information, pretexting, safeguards rule)
health care
Care, services, and supplies related to the health of an individual. Health care includes preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, among other services. Health care also includes the sale and dispensing of prescription drugs or devices. [HIPAA] (see also covered entity, health information, health oversight agency, health plan, psychotherapy notes) (includes health care clearinghouse, health care operations, health care provider, treatment)
health care clearinghouse
An entity that standardizes health information (e.g., a billing service that processes or facilitates the processing of data from one format into a standardized billing format). Partners and PCHI are considered clearinghouses, because part of their activities meet this definition (note: they are not health care providers). [HIPAA] (see also covered entity, health care)
health care operations
Institutional activities that are necessary to maintain and monitor the operations of the institution. Examples include but are not limited to: conducting quality assessment and improvement activities; developing clinical guidelines; case management; reviewing the competence or qualifications of health care professionals; education and training of students, trainees and practitioners; fraud and abuse programs; business planning and management; and customer service. Under the HIPAA Privacy Rule, these are allowable uses and disclosures of identifiable information 'without specific authorization.' Research is not considered part of health care operations. [HIPAA] (see also health care)
health care provider
Providers of medical or health care. Researchers who provide health care are health care providers. [HIPAA] (see also covered entity, health care)
health information
Information in any form (oral, written or otherwise) that relates to the past, present or future physical or mental health of an individual. That information could be created or received by a health care provider, a health plan, a public health authority, an employer, a life insurer, a school or university or a health care clearinghouse. [HIPAA] (see also health care)
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996. HIPAA is a federal law that was designed to allow portability of health insurance between jobs. In addition, it required the creation of a federal law to protect personally identifiable health information; if that did not occur by a specific date (which it did not), HIPAA directed the Department of Health and Human Services (DHHS) to issue federal regulations with the same purpose. DHHS has issued HIPAA privacy regulations (the HIPAA Privacy Rule) as well as other regulations under HIPAA. [HIPAA] (see also authorization, common rule, institutional review board)
health oversight agency
A person or entity at any level of the federal, state, local or tribal government that oversees the health care system or requires health information to determine eligibility or compliance or to enforce civil rights laws. [HIPAA] (see also health care)
health plan
An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) and including entities and government programs listed in the Rule. Health plan excludes: (1) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (2) a government-funded program (unless otherwise included at section 160.103 of HIPAA) whose principal purpose is other than providing, or paying for the cost of, health care or whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons. [HIPAA] (see also health care)
host enterprise
The entity controlling the systems storing personal information to be accessed by consumers. [FTC]
human subject
A living subject participating in research about whom directly or indirectly identifiable health information or data are obtained or created. [HIPAA]
identity
An identity is the collection of information that uniquely identifies and/or locates an individual. Usually some combination of first and last name, mailing address, email address, phone number, and age can be used to uniquely identify an individual. [FTC] (see also personally identifiable information) (includes verifying identity)
identity theft
The deliberate use of another person's name and other identifying information to commit theft or fraud or to access confidential information about an individual. This is a particularly troubling issue in that it can take years for a victim of identity theft to recover. [SSA] (see also phishing, pretexting) (includes identity theft report)
identity theft report
A report: (1) that alleges an identity theft; (2) that is filed by a consumer with an appropriate Federal, State, or local government agency, including the U.S. Postal Inspection Service and any law enforcement agency; and (3) the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information if, in fact, the information in the report is false. [FTC] (see also identity theft)
indirectly identifiable
Data that does not include personal identifiers, but links the identifying information to the data through use of a code. This data is still considered identifiable by the common rule. [HIPAA] (see also anonymized, anonymous, coded, common rule, deidentified, directly identifiable, individually identifiable health information, protected health information)
individual
A citizen of the United States or an alien lawfully admitted for permanent residence. [OMB] (see also privacy, privacy impact assessment)
individual participation principle
An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him, data relating to him
within a reasonable time;
at a charge, if any, that is not excessive;
in a reasonable manner; and
in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended. [OECD] (see also OECD privacy guidelines)
individually identifiable health information
A subset of health information that identifies the individual or can reasonably be used to identify the individual. [HIPAA] (see also directly identifiable, electronic medical record, indirectly identifiable, protected health information, personally identifiable information)
information in identifiable form
is information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). [OMB] (see also directly identifiable, personally identifiable information)
information technology (IT)
As defined in the Clinger-Cohen Act, any equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. [OMB] (see also privacy impact assessment)
informed consent
Required by the Common Rule. Refers to the requirement that all researchers explain the purposes, risks, benefits, confidentiality protections, and other relevant aspects of a research study to potential human subjects so that they may make an informed decision regarding their participation in the research. IRBs review the informed consent process and form documenting the consent to ensure compliance with research regulations and policies. The HIPAA Privacy Rule permits entities to include in the informed consent form for research an 'authorization' for use or disclosure of individually identifiable health care information. [HIPAA] (see also authorization, common rule, disclosure, institutional review board, consent)
institutional review board (IRB)
Common Rule-mandated method of peer review to protect human subjects. HIPAA privacy regulations require an IRB also to protect the privacy rights of research subjects in specific ways. At Partners, the IRB will now review all HIPAA-required authorizations and waiver of authorizations for research use of identifiable health information. [HIPAA] (see also Health Insurance Portability and Accountability Act, authorization, common rule, informed consent, limited data set, tracking of disclosures, waiver of authorization, privacy board)
joint agreement
A formal written contract pursuant to which two or more financial institutions jointly offer, endorse, or sponsor a financial product or service, and as may be further defined in the regulations prescribed under section 6804 of this title. [GLB] (see also financial institution)
limited data set
Set of data that may be used for research, public health or health care operations without an authorization or waiver of authorization. The limited data set is defined as PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual: names; postal address information, (other than town or city, State and zip code); telephone and FAX numbers; electronic mail addresses; SSN; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web universal resource locators (URLs); internet protocol (IP) address; biometric identifiers, including finger and voice prints; full face photos, and comparable images. A covered entity must enter into a data use agreement with the recipient of a limited data set. It should be noted that although a limited data set is subject to only select provisions of the HIPAA Privacy Rule, it may be covered by the Common Rule. Therefore, the Partners policy will be that a request for use or disclosure of a limited data set must be submitted to the IRB. [HIPAA] (see also common rule, data use agreement, directly identifiable, institutional review board, protected health information)
(see coded)
minimum necessary
A HIPAA Privacy Rule standard requiring that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the health care provider or other covered entity. This standard does not apply to uses and disclosures for treatment purposes (so as not to interfere with treatment) or to uses and disclosures that an individual has authorized, among other limited exceptions. Justification regarding what constitutes the minimum necessary will be required in some situations (e.g., disclosures with a waiver of authorization and non-routine disclosures). [HIPAA] (see also protected health information)
nonaffiliated third party
Any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution. [GLB] (see also Gramm-Leach-Bliley Act)
nonpublic personal information
Personally identifiable financial information a) provided by a consumer to a financial institution; b) resulting from any transaction with the consumer or any service performed for the consumer; or c) otherwise obtained by the financial institution. [GLB] (see also publicly available information, Gramm-Leach-Bliley Act, personally identifiable financial information)
notice
One of the five Fair Information Practices: notice of an entity's data policies and practices must be provided to consumers prior to collection of personal information (also awareness). [FTC] (see also Gramm-Leach-Bliley Act, fair information practices) (includes disclosure)
OECD privacy guidelines
(see also fair information practices, privacy) (includes accountability principle, collection limitation principle, data quality principle, individual participation principle, openness principle, purpose specification principle, security safeguards principle)
online collected personal information
Information that is overtly collected from an individual via an online medium (e.g., the world wide web), i.e., the individual contributes the information, and information that is collected from an individual by observation while the individual surfs the web (visits web sites), with or without the consumer's knowledge. [FTC] (see also personally identifiable information)
openness principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. [OECD] (see also OECD privacy guidelines)
opt-in
Mechanism that states data collection and/or use methods and provides user choice to accept such collection and/or use. [FTC] (see also consent)
opt-out
Mechanism that states data collection and/or use methods and provides user choice to decline such collection and/or use. [FTC] (see also Gramm-Leach-Bliley Act, consent)
Organization for Economic Co-operation and Development (OECD)
participation
(see access)
personal data
any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. [EUDPD] (see personally identifiable information)
personal data filing system
any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis (also filing system). [EUDPD] (see also controller, personally identifiable information, processor)
personal representative
A person authorized under state or other law to act on behalf of the individual in making health-related decisions. Examples include a court-appointed guardian with medical authority, a health care agent under a health care proxy, and a parent acting on behalf of an unemancipated minor (with exceptions where state law gives minors the right to make health decisions). For a decedent, the personal representative may be an executor, administrator, or other authorized person for matters concerning PHI. [HIPAA]
personally identifiable financial information
Any information a) provided by a consumer to a financial institution; b) resulting from any transaction with the consumer or any service performed for the consumer; or c) otherwise obtained about a consumer in connection with providing a financial product or service. [GLB] (see also pretexting, Gramm-Leach-Bliley Act, personally identifiable information) (includes nonpublic personal information)
personally identifiable information (PII)
Those data elements that enable the identification and/or location of a unique individual. PII can be achieved as a single data point (such as e-mail address) or by a combination of data points (first name, last name, postal address). [FTC] (see also biometric identifier, genetics, personal data filing system, privacy, processing of personal data) (includes derived personal information, globally unique identifier, identity, individually identifiable health information, information in identifiable form, online collected personal information, personally identifiable financial information, publicly available information, sensitive personally identifiable information)
phishing
A high-tech scam that uses spam to deceive consumers into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information (also referred to as carding). [FTC] (see also identity theft, pretexting)
pretexting
The use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. [FTC] (see also identity theft, personally identifiable financial information, phishing, Gramm-Leach-Bliley Act)
privacy
(1) The ability of an individual or organization to control the collection, storage, sharing, and dissemination of personal and organizational information. (2) The right to insist on adequate security of, and to define authorized users of, information or systems. Note: The concept of privacy cannot be very precise, and its use should be avoided in specifications except as a means to require security, because privacy relates to 'rights' that depend on legislation. [AJP] (1) The right of individuals to self-determination as to the degree to which they are willing to share with others information about themselves that may be compromised by unauthorized exchange of such information among other individuals or organizations. (2) The right of individuals and organizations to control the collection, storage, and dissemination of their information or information about themselves. [SRV] (1) The ability of an individual or organization to control the collection, storage, sharing, and dissemination of personal and organizational information. (2) The right to insist on adequate security of, and to define authorized users of, information or systems. Note: The concept of privacy cannot be very precise and its use should be avoided in specifications except as a means to require security, because privacy relates to 'rights' that depend on legislation. [TNI] For purposes of the HIPAA Privacy Rule, privacy means an individual's interest in limiting who has access to personal health care information. [HIPAA] (see also Gramm-Leach-Bliley Act, anonymous, deidentified, fair information practices, individual, personally identifiable information, public law 100-235, safeguards rule, secure single sign-on, sensitive information) (includes OECD privacy guidelines, confidentiality, data privacy, financial privacy rule, privacy board, privacy impact assessment, privacy notice, privacy programs, privacy protection, privacy system, privacy, authentication, integrity, non-repudiation, speech privacy)
privacy board
A board of members authorized by the HIPAA Privacy Rule to approve a waiver of authorization for use and/or disclosure of identifiable health information. For research purposes, the Institutional Review Board will function as the Privacy Board. [HIPAA] (see also privacy) (includes institutional review board)
privacy impact assessment (PIA)
An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. [OMB] (see also individual, information technology, privacy)
privacy notice
Institution-wide notice describing the practices of the covered entity regarding protected health information. Health care providers and other covered entities must give the notice to patients and research subjects and should obtain signed acknowledgements of receipt. Internal and external uses of protected health information are explained. It is the responsibility of the researcher to provide a copy of the Privacy Notice to any subject who has not already received one. If the researcher does provide the notice, the researcher should also obtain the subject's written acknowledgement of receipt. [HIPAA] (see also authorization, protected health information, disclosure, privacy)
privacy programs
(see also privacy)
privacy protection
The establishment of appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of data records to protect both security and confidentiality against any anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom such information is maintained. [SRV] (see also privacy)
privacy system
Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack. [NSTISSC] (see also privacy)
privacy, authentication, integrity, non-repudiation (PAIN)
(see also security, privacy)
processing of personal data
any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (also processing). [EUDPD] (see also personally identifiable information)
processor
a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. [EUDPD] (see also controller, personal data filing system, third party)
protected health information (PHI)
Individually identifiable health information transmitted or maintained in any form. [HIPAA] (see also amending PHI, directly identifiable, disclosure, indirectly identifiable, individually identifiable health information, limited data set, minimum necessary, privacy notice)
psychotherapy notes
These include notes recorded by the health care provider who is a mental health professional during a counseling session, either in a private session or in a group. These notes are separate from documentation placed in the medical chart and do not include prescriptions. Specific patient authorization is required for use and disclosure of psychotherapy notes. [HIPAA] (see also health care)
public health authority
A federal, state, local or tribal person or organization that is required to conduct public health activities. [HIPAA]
public law 100-235
Also known as the Computer Security Act of 1987. This U.S. law creates a means for establishing minimum acceptable security practices for improving the security and privacy of sensitive information in federal computer systems. This law assigns to the U.S. National Institute of Standards and Technology responsibility for developing standards and guidelines for federal computer systems processing unclassified data. The law also requires establishment of security plans by all operators of federal computer systems that contain sensitive information. [AJP][NCSC/TG004] (see also privacy)
publicly available information
Any information that a financial institution has a reasonable basis to believe is lawfully made available to the general public from: a) Federal, state, or local government records; b) Widely distributed media; or c) Disclosures to the general public required by federal, state, or local law. [GLB] (see also nonpublic personal information, reasonable basis to believe, personally identifiable information)
purpose specification principle
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. [OECD] (see also OECD privacy guidelines)
quality of protection
Quality of protection refers to the set of security functions that are applied to what needs to be protected. The QOP can consist of any combination of authentication, privacy, integrity, and non-repudiation. [misc]
reasonable access
To be defined as part of the advisory committee's work. Generally regarded as meaning that access cannot be constrained by artificial barriers set by interfaces, frequency, or cost of access. [FTC] (see also access)
reasonable basis to believe
Means the financial institution: a) Cannot assume information is publicly available. b) Must take steps to determine if: i) the information is of the type generally made available to the public; ii) whether an individual can direct that it not be made available; and iii) if so, whether that particular consumer has directed that it not be disclosed. [GLB] (see also publicly available information)
recipient
a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients. [EUDPD] (see also third party)
(see enforcement)
research
A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. [HIPAA]
safeguards rule
The FTC safeguards rule requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. [FTC] (see also privacy, Gramm-Leach-Bliley Act, security)
secure single sign-on (SSSO)
Secure single sign-on, or SSSO, satisfies three synergetic sets of requirements. From an end-user perspective, SSSO refers to the ability to use a single user ID and a single password to log on once and gain access to all resources that one is allowed to access. From an administrative perspective, SSSO allows management of all security-related aspects of one's enterprise from a central location. This includes adding, modifying, and removing users as well as granting and revoking access to resources. From an enterprise perspective, SSSO provides the ability to protect the privacy and the integrity of transactions as well as to engage in auditable and non-repudiable transactions. [misc] (see also privacy)
security
One of the five Fair Information Practices: security assures that information shall be protected from unauthorized access, use, or distribution and shall not suffer quality degradation or loss. [FTC] (see also privacy, authentication, integrity, non-repudiation, fair information practices) (includes authorized access, safeguards rule)
security safeguards principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. [OECD] (see also OECD privacy guidelines)
sensitive information
(1) Information that, as determined by a competent authority, must be protected because its unauthorized disclosure, alteration, loss, or destruction will at least cause perceivable damage to someone or something. (2) Any information, the loss, misuse, modification of, or unauthorized access to, could affect the U.S. National interest or the conduct of federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy. [AJP] Any information, the loss, misuse, modification of, or unauthorized access to, could affect the U.S. National interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an Executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy. [NCSC/TG004] Information the loss, misuse, or unauthorized access to or modification of, which would adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235). Some specific categories of sensitive information are protected by statute, regulation or contract (e.g., privacy information, proprietary information, export control information, pre-publication academic information). [800-37] Information, the loss, misuse, or unauthorized access to or modification of, which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235).) [NSTISSC] Unclassified information, the loss, misuse, or unauthorized disclosure or modification of which could adversely affect the national interest, the conduct of Federal programs, or the privacy of individuals protected by the Privacy Act (5 U.S.C. Section 552a). Information systems containing sensitive information are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235). [CIAO] (see also privacy) (includes sensitive personally identifiable information)
sensitive personally identifiable information
A classification of data used in the EU data directive that specifies certain information as deserving special treatment due to its sensitive nature, including financial, health, religious, and sexual data. Sensitive data generally requires higher standards of authentication, authorization, choice, security, and distribution. [FTC] (see also personally identifiable information, sensitive information)
speech privacy
Techniques using fixed sequence permutations or (C.F.D.) voice/speech inversion to render speech unintelligible to the casual listener. [NSTISSC] (see also privacy)
state insurance authority
In the case of any person engaged in providing insurance, the State insurance authority of the State in which the person is domiciled. [GLB]
third party
any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data. [EUDPD] (see also controller, processor, recipient)
tracking of disclosures
The HIPAA Privacy Rule gives individuals the right to request an accounting of disclosures of protected health information over the previous six years. If an individual authorizes uses or disclosures for research, the disclosures do not need to be tracked, but disclosures must be tracked if the researcher receives an IRB-approved waiver of authorization. The accounting of disclosures generally must include: the date of the disclosure, the name of the entity or person (and address if known) who received the protected health information, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure. The Rule allows an alternative tracking option for research involving 50 or more people. This alternative tracking option will not be used by Partners. [HIPAA] (see also accounting for disclosures, institutional review board, waiver of authorization, disclosure)
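The inclusion rules in this entry translate directly into a query over a disclosure log. The following is an added example, not code from the glossary or from Partners, that produces an accounting for one individual: disclosures for treatment, payment and health care operations and those made under the individual's authorization are not tracked, disclosures under an IRB-approved waiver are, the window is the six years before the request (or the shorter period the individual asks for), and nothing before the covered entity's compliance date is included. Each returned row carries the four required elements: date, recipient (with address if known), description, and purpose. The record layout, category names, the compliance date and all log entries are assumptions constructed for this example.

```python
"""Accounting of disclosures for one individual, built from a disclosure
log under the rules stated in the "tracking of disclosures" entry.

Record fields, category names and every date below are constructed for
this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Categories that do not need to be tracked for the accounting. The Rule
# has further limited exceptions; only those named on this page are modelled.
EXEMPT_CATEGORIES = {"treatment", "payment", "health_care_operations", "authorized"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str                    # entity or person who received the PHI
    recipient_address: Optional[str]  # "address if known"
    description: str                  # brief description of the information disclosed
    purpose: str                      # brief statement of the purpose
    category: str                     # e.g. "treatment", "authorized", "irb_waiver"


def years_before(d: date, n: int) -> date:
    """Same calendar day `n` years earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting_of_disclosures(log, patient_id, request_date, compliance_date, years=6):
    """Return the rows that must appear in the accounting, oldest first."""
    if not 0 < years <= 6:
        raise ValueError("an accounting covers at most the previous six years")
    # Disclosures before the covered entity's compliance date are not part of it.
    start = max(years_before(request_date, years), compliance_date)
    rows = []
    for d in log:
        if d.patient_id != patient_id or d.category in EXEMPT_CATEGORIES:
            continue
        if not (start <= d.disclosed_on <= request_date):
            continue
        recipient = d.recipient if d.recipient_address is None \
            else f"{d.recipient}, {d.recipient_address}"
        rows.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": recipient,
            "description": d.description,
            "purpose": d.purpose,
        })
    rows.sort(key=lambda r: r["date"])
    return rows


# Constructed compliance date and disclosure log (not real data).
COMPLIANCE_DATE = date(2003, 4, 14)
SAMPLE_LOG = [
    Disclosure("P1", date(2003, 2, 1), "Disease Registry", None,
               "diagnosis and admission date", "public health reporting", "public_health"),
    Disclosure("P1", date(2004, 6, 1), "State Public Health Dept", "1 Example Plaza",
               "lab results", "public health reporting", "public_health"),
    Disclosure("P1", date(2005, 3, 10), "Research Team A", None,
               "discharge summary", "research under IRB waiver", "irb_waiver"),
    Disclosure("P1", date(2006, 9, 1), "Study Sponsor", None,
               "full record", "research with authorization", "authorized"),
    Disclosure("P1", date(2007, 5, 20), "Research Team B", None,
               "medication list", "research under IRB waiver", "irb_waiver"),
    Disclosure("P1", date(2007, 8, 3), "Consulting Physician", None,
               "imaging report", "treatment", "treatment"),
    Disclosure("P2", date(2006, 1, 1), "Research Team A", None,
               "discharge summary", "research under IRB waiver", "irb_waiver"),
]

if __name__ == "__main__":
    for row in accounting_of_disclosures(SAMPLE_LOG, "P1", date(2008, 1, 1), COMPLIANCE_DATE):
        print(row)
```

The exemption is decided from the category recorded at disclosure time, so the log must capture the legal basis (treatment, authorization, IRB waiver, and so on) for every release of PHI, not only the recipient; an accounting cannot be reconstructed afterwards from recipient names alone.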
The exchange of information for administrative or financial purposes such as health insurance claims or payment. [HIPAA]
treatment
The provision of health care by one or more health care providers. Treatment includes any consultation, referral or other exchange of information to manage a patient's care. The Privacy Notice explains that the HIPAA Privacy Rule allows Partners and its affiliates to use and disclose protected health information for treatment purposes without specific authorization. [HIPAA] (see also health care)
unauthorized access
Access by an entity who does not have proper authority to access the information in the manner it is being accessed (view, modify, delete, etc.). [FTC] (see also authorized access, access)
use
The sharing of individually identifiable health information within a covered entity. For Partners' purposes, a use is the sharing of such information within the Partners affiliated covered entity. [HIPAA] (see also affiliated covered entity, authorization, disclosure)
use limitation principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
a) with the consent of the data subject; or
b) by the authority of law. [OECD]
verifying identity
Process by which an individual's identity is proven. Verification is different from authentication. Jane Doe can enter data identifying herself as Joan Smith and can be authenticated as such. However, Jane Doe's identity can only be verified as being Jane Doe, unless she impersonates the identity of Joan Smith. [FTC] (see also identity)
waiver of authorization
Under limited circumstances, a waiver of the requirement for authorization for use or disclosure of private health information may be obtained from the IRB by the researcher. A waiver of authorization can be approved only if specific criteria have been met. [HIPAA] (see also authorization, institutional review board, tracking of disclosures)