Columbia University is required by the HIPAA Privacy and Security Rules to obtain satisfactory assurances that protected health information will be appropriately safeguarded by a business vendor, service provider or other individuals that will create, receive, maintain, store or transmit protected health information on behalf of the CUHC.
It is the policy of the Columbia University Healthcare Component (CUHC) to use and disclose de-identified information, rather than Protected Health Information (PHI) when appropriate and consistent with university and legal requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
To provide guidance regarding the use of PHI for fundraising purposes, including the procedure to follow when a patient wishes to opt out of receiving fundraising communications from the CUHC.
This policy establishes the process to investigate and provide required notification in the event of a breach of unsecured PHI.
The HIPAA rules require health care organizations provide education and information about the regulatory requirements of HIPAA to their workforce members, including the related policies and procedures with respect to PHI.
Columbia University’s Healthcare Component (CUHC) will comply with all regulatory requirements including Patient Rights as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).
When appropriate and feasible, a Limited Data Set shall be used, disclosed, or requested by the Columbia University Healthcare Component (CUHC) rather than a completely identifiable data set of Protected Health Information (PHI), consistent with university and legal requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Subject to certain exceptions, HIPAA prohibits the use or disclosure of PHI for marketing purposes without patient authorization. This Policy describes the procedures to use or disclose PHI for marketing purposes.
To provide guidance on the identification of the persons or class offers or within the organization that needs access to PHI to perform their job. Only the information needed to deliver the health care service required shall be used for that business service.
Columbia University Healthcare Component is committed to protecting patient privacy as mandated by city, state and federal laws and regulations and expects its work force members and affiliates to report actual or suspected violations of confidentiality laws and regulations without fear of retaliation.
The Health Insurance Portability and Accountability Act of 1996 includes a regulatory requirement to provide every new patient with the organization’s Notice of Privacy Practices (Notice). The Notice informs patients how their PHI may be accessed, used and disclosed by the CUHC and how to exercise their rights with respect to their PHI.
The purposes of this policy are (1) to provide a framework of appropriate and consistent sanctions for violations of Privacy and Information Security policies and procedures and the HIPAA Rules and in line with any related Human Resource disciplinary policies and (2) to inform workforce members of CUHC’s sanction policy, which will be enforced against workforce members in violation of the organization’s Privacy and Information Security policies or the HIPAA Rules.
The Columbia University Healthcare Component has established a process for individuals to file complaints if they feel their rights have been violated. An individual also has a right to file a complaint about the organization’s privacy policies and procedures even without alleging the violation of a right.
CUHC will mitigate, to the extent possible, any harmful effect that is known or resulting from an unauthorized or improper access, use or disclosure of Protected Health Information (PHI).
Subject to certain exceptions, HIPAA prohibits the sale of PHI. This Policy describes the procedures the CUHC shall follow in order to ensure that any remuneration in exchange for PHI is conducted in compliance with applicable law, including HIPAA.
Social media used by workforce members is subject to the restrictions set forth in this policy. These restrictions are intended to protect the privacy of patient information and to ensure compliance with legal and regulatory requirements, including the HIPAA Privacy Rule.
Columbia University Healthcare Component is committed to protecting patient privacy and to disclosing patient PHI in accordance with the patient's desires. The following policies describe the procedures for releasing and limitations surrounding the release of patient's PHI to someone directly involved in the patient's care or for location or notification purposes.
Other HIPAA Related Policies
One of the rights granted to patients under HIPAA, is the right of the patient to request and receive an accounting of the disclosures of the patient’s PHI.
The HIPAA Privacy Rule provides patients with specific rights related to their Protected Health Information (PHI), including the request to amend or correct their medical information.
This policy includes the procedures to follow when a patient requests to disclose their medical information to another physician, hospital, or medical facility, an attorney, an insurance company, to the patient or any other party as authorized by the patient.
This policy establishes how a patient can grant proxy access to their patient portal account. The use of portal proxy access for a patient is intended to assist and support a patient in managing their medical care.
This policy describes the use of email as an expedient communication vehicle to send messages to and from the Columbia University Healthcare Component. It recognizes and has established the use of email as an official means of communication.
This policy governs Columbia University Healthcare Component's response to malicious, suspected, and/or accidental unauthorized acquisition, access, use or disclosure of confidential data, such as Protected Health Information (PHI), Personally Identifiable Information (PII), or the information systems that support these data.
This policy describes the formally defined legal business record for the patients seen in the private practice setting by members of ColumbiaDoctors, the faculty practice organization for Columbia University Healthcare Component.
This policy outlines the steps to be taken when a patient requests ColumbiaDoctors to refrain from submitting their bill to their insurance carrier.
The purpose of this policy is to describe how Columbia University Healthcare Component will protect the privacy of an individual's PHI when preparing for, prior to, during and after medical records research activities.
Effective November 1, 2017, Columbia University has implemented a new Policy on the Privacy Rule and the Use of Health Information in Research. The new Policy replaces the current IRB HIPAA policies and the CUMC Policy on Research and HIPAA Clinical and Medical Records. The full Policy is available on the Columbia Human Research Protection Office (HRPO) website and can be found at the link below.
In accordance with the Minimum Necessary requirements of the HIPAA Privacy Rule, Workforce
Members should only access the Electronic Health Record (EHR) to perform their assigned
clinical or business tasks to fulfill their specific job duties and assignments.