HIPAA Policies

Business Associate Agreement

Columbia University is required by the HIPAA Privacy and Security Rules to obtain satisfactory assurances that protected health information will be appropriately safeguarded by a business vendor, service provider or other individuals that will create, receive, maintain, store or transmit protected health information on behalf of the CUHC.

Business Associate Agreement

Electronic Data Security Breach Reporting and Response Policy

This policy governs Columbia University Healthcare Component's response to malicious, suspected, and/or accidental unauthorized acquisition, access, use or disclosure of confidential data, such as Protected Health Information (PHI), Personally Identifiable Information (PII), or the information systems that support these data.

Breach Notification

Fundraising and HIPAA

To provide guidance regarding the use of PHI for fundraising purposes, including the procedure to follow when a patient wishes to opt out of receiving fundraising communications from the CUHC.

Fundraising and HIPAA

HIPAA Privacy and Information Security Training

The HIPAA rules require that health care organizations provide education and information about the regulatory requirements of HIPAA to their workforce members, including the related policies and procedures with respect to PHI.

HIPAA Privacy and Information Security Training

HIPAA Privacy Rule and Patient Rights

Columbia University’s Healthcare Component (CUHC) will comply with all regulatory requirements including Patient Rights as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).

HIPAA Privacy Rule and Patient Rights

Marketing Involving Protected Health Information (PHI)

Subject to certain exceptions, HIPAA prohibits the use or disclosure of PHI for marketing purposes without patient authorization. This Policy describes the procedures to use or disclose PHI for marketing purposes.

Marketing Involving Protected Health Information (PHI)

Minimum Necessary

To provide guidance on the identification of the persons or classes of persons within the organization who need access to PHI to perform their jobs. Only the information needed to deliver the health care service required shall be used for that business service.

Minimum Necessary

Non-Retaliation

Columbia University Healthcare Component is committed to protecting patient privacy as mandated by city, state and federal laws and regulations and expects its workforce members and affiliates to report actual or suspected violations of confidentiality laws and regulations without fear of retaliation.

Non-Retaliation

Notice of Privacy Practices

The Health Insurance Portability and Accountability Act of 1996 includes a regulatory requirement to provide every new patient with the organization’s Notice of Privacy Practices (Notice). The Notice informs patients how their PHI may be accessed, used and disclosed by the CUHC and how to exercise their rights with respect to their PHI.

Notice of Privacy Practices

Privacy and Information Security Sanction Policy

The purposes of this policy are (1) to provide a framework of appropriate and consistent sanctions for violations of Privacy and Information Security policies and procedures and the HIPAA Rules and in line with any related Human Resource disciplinary policies and (2) to inform workforce members of CUHC’s sanction policy, which will be enforced against workforce members in violation of the organization’s Privacy and Information Security policies or the HIPAA Rules.

Privacy and Information Security Sanction Policy

Privacy Complaint Handling Process and Mitigating Effects of Unauthorized Access, Use or Disclosure of Protected Health Information

The Columbia University Healthcare Component has established a process for individuals to file complaints if they feel their rights have been violated. An individual also has a right to file a complaint about the organization’s privacy policies and procedures even without alleging the violation of a right.

CUHC will mitigate, to the extent possible, any harmful effect that is known or resulting from an unauthorized or improper access, use or disclosure of Protected Health Information (PHI).

Privacy Complaint and Mitigation Effects Policy

Sale of Protected Health Information (PHI)

Subject to certain exceptions, HIPAA prohibits the sale of PHI. This Policy describes the procedures the CUHC shall follow in order to ensure that any remuneration in exchange for PHI is conducted in compliance with applicable law, including HIPAA.

Sale of Protected Health Information (PHI)

Sanctions for Unauthorized Access, Use or Disclosure of PHI

The purpose of this policy is to describe the sanctions that can be imposed against workforce members that violate policies, procedures and/or city, state, or federal laws or regulations.

Sanctions for Unauthorized Access, Use or Disclosure of PHI

Social Media and HIPAA

Social media used by workforce members is subject to the restrictions set forth in this policy. These restrictions are intended to protect the privacy of patient information and to ensure compliance with legal and regulatory requirements, including the HIPAA Privacy Rule.

Social Media and HIPAA

Use and Disclosure of Protected Health Information

Columbia University Healthcare Component is committed to protecting patient privacy and to disclosing patient PHI in accordance with the patient's wishes. The following policies describe the procedures for releasing a patient's PHI, and the limitations surrounding such release, to someone directly involved in the patient's care or for location or notification purposes.

Use and Disclosure of PHI

Use and Disclosure of PHI Guidance Document

Other HIPAA Related Policies

Accounting of Disclosures

One of the rights granted to patients under HIPAA is the right of the patient to request and receive an accounting of the disclosures of the patient’s PHI.

Accounting of Disclosures

Amendment of Protected Health Information

The HIPAA Privacy Rule provides patients with specific rights related to their Protected Health Information (PHI), including the request to amend or correct their medical information.

Amendment of PHI

Authorization to Use and Disclose Patient Information

This policy includes the procedures to follow when a patient requests to disclose their medical information to another physician, hospital, or medical facility, an attorney, an insurance company, to the patient or any other party as authorized by the patient.

Authorization to Disclose Medical Information

Email Policy

This policy describes the use of email as an expedient communication vehicle to send messages to and from the Columbia University Healthcare Component. It recognizes and has established the use of email as an official means of communication.

Email Policy

Legal Health Record and Designated Record Set

This policy describes the formally defined legal business record for the patients seen in the private practice setting by members of ColumbiaDoctors, the faculty practice organization for Columbia University Healthcare Component.

Legal Health Record and Designated Record Set

Patient Request – Do Not Bill Health Plan

This policy outlines the steps to be taken when a patient requests ColumbiaDoctors to refrain from submitting their bill to their insurance carrier.

Patient Request - Do Not Bill Health Plan


Research and HIPAA

The purpose of this policy is to describe how Columbia University Healthcare Component will protect the privacy of an individual's PHI when preparing for, prior to, during and after medical records research activities.

Effective November 1, 2017, Columbia University has implemented a new Policy on the Privacy Rule and the Use of Health Information in Research. The new Policy replaces the current IRB HIPAA policies and the CUMC Policy on Research and HIPAA Clinical and Medical Records. The full Policy is available on the Columbia Human Research Protection Office (HRPO) website and can be found at the link below.

Research and HIPAA