Information Privacy & Security Terminology


Authorization: Formal permission allowing the release of a patient's health information to others. The official VUMC form authorizes the use or disclosure of health information. It also includes what information is to be disclosed, who will use the information, and the purpose of the use or disclosure of the information (unless requested by the patient).
Covered Entity: Healthcare providers, health plans, and healthcare clearinghouses that conduct specified transactions electronically and therefore are subject to HIPAA.
De-identified Data: Individually identifiable health information that has been stripped of the 18 identifiers of the individual or relatives, employers, or household members of the individual as defined in the HIPAA regulations. Fully de-identified data is no longer considered PHI and therefore is not subject to the HIPAA requirements. See our policy on "De-Identification of Protected Patient Information" for more details.
Disclosure: The release, transfer, provision of access to, or divulging in any other manner information to entities or individuals outside of VUMC. See our policy on "Use and Disclosure of Protected Patient Information" for more details.
Electronic Protected Health Information (EPHI): All individually identifiable health information related to our patients that is created, maintained, or transmitted electronically by VUMC. EPHI is the focus of the HIPAA Security Rule.
Hybrid Entity: An entity that is engaged in both Covered Entity functions and other activities that are not Covered Entity functions.
Limited Data Set (LDS): PHI that excludes direct identifiers of the individuals or relatives, employers, or household members of the individual with certain exceptions including city, state, zip code, elements of dates, and other numbers, characteristics or codes not listed as direct identifiers.
Research Health Information (RHI): A term used by Vanderbilt to identify individually identifiable health information (IIHI) used for research purposes that is not PHI, and thus is not subject to the HIPAA Privacy and Security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a healthcare provider and IIHI is created in connection with the researcher's healthcare provider activities, then the IIHI is PHI and is subject to HIPAA.
Use: The sharing, utilization, examination or analysis of information within VUMC. More details can be found in our policy on "Use and Disclosure of Protected Patient Information."
Vanderbilt Affiliated Covered Entity (VACE): Includes the Vanderbilt Covered Entity together with affiliated healthcare entities that are wholly owned by VUMC and affiliated healthcare entities that are partially owned by VUMC and for which VUMC is responsible for operations management.