• Safeguard security and privacy of Protected Health Information; • Improve efficiency to compile/analyze data, audit, and detect fraud; and • Improve the Medicare and Medicaid programs. Business Associate (BA) in relationship to a Covered Entity (CE) means a person to whom the CE discloses Protected Health Information (PHI) so that a person may carry out, assist with the performance of, or perform a function or activity for the CE. This includes contractors or other persons who receive PHI from the CE (or from another business partner of the CE) for the purposes described in the previous sentence, including lawyers, auditors, consultants, Third Party Administrators, health care clearinghouses, data processing firms, billing firms, and other Covered Entities. This excludes persons who are within the CE's workforce. Covered Entity (CE) is one of the following: a health plan, a health care clearinghouse, or a health care provider who transmits any health information in connection with a transaction covered by this law. Designated Record Set means a set of records maintained by or for a Covered Entity that includes a Covered Person’s PHI. This includes medical records, billing records, enrollment records, Payment records, claims adjudication records, and case management record systems maintained by or for this Plan. This also includes records used to make decisions about Covered Persons. This record set must be maintained for a minimum of six years. Disclose or Disclosure is the release or divulgence of information by an entity to persons or organizations outside that entity. Electronic Protected Health Information (Electronic PHI) is Individually Identifiable Health Information that is transmitted by electronic media or maintained in electronic media. It is a subset of Protected Health Information. Health Care Operations are general administrative and business functions necessary for the CE to remain a viable business. These activities include: • Conducting quality assessment and improvement activities; • Reviewing the competence or qualifications and accrediting/licensing of health care professional plans; • Evaluating health care professional and health plan performance; • Training future health care professionals; • Insurance activities related to the renewal of a contract for insurance; • Conducting or arranging for medical review and auditing services; • Compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding; • Population-based activities related to improving health or reducing health care costs, protocol development, case management, and care coordination; • Contacting of health care providers and patients with information about Treatment alternatives and related functions that do not entail direct patient care; and • Activities related to the creation, renewal, or replacement of a contract for health insurance or health benefits, as well as ceding, securing, or placing a contract for reinsurance of risk related to claims for health care (including stop-loss and excess of loss insurance). Individually Identifiable Health Information is information that is a subset of health information, including demographic information collected from a Covered Person, and that: • Is created by or received from a Covered Entity; • Relates to the past, present, or future physical or mental health or condition of a Covered Person, the provision of health care, or the past, present, or future Payment for the provision of health care; and • Identifies the Covered Person, or there is reasonable basis to believe the information can be used to identify the Covered Person. -112- 7670-00-413597