HIPAA Policies
Business Associate Agreement
Columbia University is required by the HIPAA Privacy and Security Rules to obtain satisfactory assurances that protected health information will be appropriately safeguarded by a business vendor, service provider or other individuals that will create, receive, maintain, store or transmit protected health information on behalf of the CUHC.
De-Identified Information Policy
It is the policy of the Columbia University Healthcare Component (CUHC) to use and disclose de-identified information, rather than Protected Health Information (PHI) when appropriate and consistent with university and legal requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Fundraising and HIPAA
To provide guidance regarding the use of PHI for fundraising purposes, including the procedure to follow when a patient wishes to opt out of receiving fundraising communications from the CUHC.
HIPAA Breach Response and Reporting
This policy establishes the process to investigate and provide required notification in the event of a breach of unsecured PHI.
HIPAA Training
The HIPAA rules require health care organizations provide education and information about the regulatory requirements of HIPAA to their workforce members, including the related policies and procedures with respect to PHI.
HIPAA Privacy Rule and Patient Rights
Columbia University’s Healthcare Component (CUHC) will comply with all regulatory requirements including Patient Rights as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).
Limited Data Set Policy
When appropriate and feasible, a Limited Data Set shall be used, disclosed, or requested by the Columbia University Healthcare Component (CUHC) rather than a completely identifiable data set of Protected Health Information (PHI), consistent with university and legal requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Marketing Involving Protected Health Information (PHI)
Subject to certain exceptions, HIPAA prohibits the use or disclosure of PHI for marketing purposes without patient authorization. This Policy describes the procedures to use or disclose PHI for marketing purposes.
Minimum Necessary Rule
To provide guidance on the identification of the persons or class offers or within the organization that needs access to PHI to perform their job. Only the information needed to deliver the health care service required shall be used for that business service.
Non-Retaliation Policy
Columbia University Healthcare Component is committed to protecting patient privacy as mandated by city, state and federal laws and regulations and expects its work force members and affiliates to report actual or suspected violations of confidentiality laws and regulations without fear of retaliation.
Notice of Privacy Practices
The Health Insurance Portability and Accountability Act of 1996 includes a regulatory requirement to provide every new patient with the organization’s Notice of Privacy Practices (Notice). The Notice informs patients how their PHI may be accessed, used and disclosed by the CUHC and how to exercise their rights with respect to their PHI.
Privacy and Information Security Sanction Policy
The purposes of this policy are (1) to provide a framework of appropriate and consistent sanctions for violations of Privacy and Information Security policies and procedures and the HIPAA Rules and in line with any related Human Resource disciplinary policies and (2) to inform workforce members of CUHC’s sanction policy, which will be enforced against workforce members in violation of the organization’s Privacy and Information Security policies or the HIPAA Rules.
Privacy Complaint
The Columbia University Healthcare Component has established a process for individuals to file complaints if they feel their rights have been violated. An individual also has a right to file a complaint about the organization’s privacy policies and procedures even without alleging the violation of a right.
CUHC will mitigate, to the extent possible, any harmful effect that is known or resulting from an unauthorized or improper access, use or disclosure of Protected Health Information (PHI).
Sale of Protected Health Information (PHI)
Subject to certain exceptions, HIPAA prohibits the sale of PHI. This Policy describes the procedures the CUHC shall follow in order to ensure that any remuneration in exchange for PHI is conducted in compliance with applicable law, including HIPAA.
Social Media and HIPAA
Social media used by workforce members is subject to the restrictions set forth in this policy. These restrictions are intended to protect the privacy of patient information and to ensure compliance with legal and regulatory requirements, including the HIPAA Privacy Rule.
Use and Disclosure of Protected Health Information
Columbia University Healthcare Component is committed to protecting patient privacy and to disclosing patient PHI in accordance with the patient's desires. The following policies describe the procedures for releasing and limitations surrounding the release of patient's PHI to someone directly involved in the patient's care or for location or notification purposes.
Other HIPAA Related Policies
Accounting of Disclosures
One of the rights granted to patients under HIPAA, is the right of the patient to request and receive an accounting of the disclosures of the patient’s PHI.
Amendment of Protected Health Information
The HIPAA Privacy Rule provides patients with specific rights related to their Protected Health Information (PHI), including the request to amend or correct their medical information.
Authorization to Use and Disclose Patient Information
This policy includes the procedures to follow when a patient requests to disclose their medical information to another physician, hospital, or medical facility, an attorney, an insurance company, to the patient or any other party as authorized by the patient.
Connect Patient Portal Proxy Access
This policy establishes how a patient can grant proxy access to their patient portal account. The use of portal proxy access for a patient is intended to assist and support a patient in managing their medical care.
Email Policy
This policy describes the use of email as an expedient communication vehicle to send messages to and from the Columbia University Healthcare Component. It recognizes and has established the use of email as an official means of communication.
Electronic Data Security Breach Reporting and Response Policy
This policy governs Columbia University Healthcare Component's response to malicious, suspected, and/or accidental unauthorized acquisition, access, use or disclosure of confidential data, such as Protected Health Information (PHI), Personally Identifiable Information (PII), or the information systems that support these data.
Legal Health Record and Designated Record Set
This policy describes the formally defined legal business record for the patients seen in the private practice setting by members of ColumbiaDoctors, the faculty practice organization for Columbia University Healthcare Component.
Patient Request – Do Not Bill Health Plan
This policy outlines the steps to be taken when a patient requests ColumbiaDoctors to refrain from submitting their bill to their insurance carrier.
Patient Request - Do Not Bill Health Plan
Physical Privacy Guidelines
With new technology and changing business practices, we find more of our Columbia workforce members working remotely. While there are benefits to remote work, there are also protections that must be in place to ensure compliance with federal and state patient privacy regulations.
This guidance document provides best practices to protect patient confidentiality while working in the office or remotely.
Research and HIPAA
The purpose of this policy is to describe how Columbia University Healthcare Component will protect the privacy of an individual's PHI when preparing for, prior to, during and after medical records research activities.
Effective November 1, 2017, Columbia University has implemented a new Policy on the Privacy Rule and the Use of Health Information in Research. The new Policy replaces the current IRB HIPAA policies and the CUIMC Policy on Research and HIPAA Clinical and Medical Records. The full Policy is available on the Columbia Human Research Protection Office (HRPO) website and can be found at the link below.
Workforce Member Access to Their Own Electronic Protected Health Information (“ePHI”)
In accordance with the Minimum Necessary requirements of the HIPAA Privacy Rule, Workforce
Members should only access the Electronic Health Record ("EHR") to perform their assigned
clinical or business tasks to fulfill their specific job duties and assignments.
Workforce Member Access to Their Own Electronic Protected Health Information (“ePHI”)