HIPAA - Frequently Asked Questions (FAQs) - The University of Oklahoma Health Sciences Center

2. What’s the deal with all the new acronyms? What’s “PHI” or a “BA”, “OHCA”, or a “CE”?

It seems that every time the Federal government issues a new regulation, a whole new set of acronyms comes with it. The Privacy Regulations are a prime example.

PHI – This stands for “protected health information”. This term was defined in more detail in the FAQ distributed last week.

BA – A “BA” stands for “business associate” which is a person or entity not employed by the University that provides certain functions, activities, or services for or on behalf of the University, which involves the use and/or disclosure of a patient’s protected health information. Such activities may include, but are not limited to, billing, repricing, claims processing and administration, data analysis, legal, accounting, actuarial, consulting, utilization review, quality assurance, and similar services or functions. A business associate may be a covered entity. The definition of a business associate excludes a person who is part of the covered entity’s workforce.

OHCA – An “OHCA” stands for an “organized health care arrangement” which is a clinically integrated care setting in which the individuals typically receive health care from more than one health care provider (example: a hospital and members of its medical staff).

CE – A “CE” stands for a “covered entity” and refers to the entities to which the Privacy Regulations apply. There are 3 types of covered entities: (1) health plans; (2) health care clearinghouses; and (3) health care providers who transmit any health information in electronic form in connection with one of the HIPAA standard transactions. The University is a covered entity, as is the University’s self-insured health plan.