HIPAA/HITECH Compliance

Objective

To safeguard the privacy of all patients and to protect the confidentiality and security of patient information.

Policy

To fulfill this responsibility and to comply with HIPAA, HITECH and other applicable laws and standards, CUIMC has implemented policies and standard procedures to protect the confidentiality and security of individually identifiable protected health information (“PHI”) in all of its activities that require the use and disclosure of PHI. These policies and procedures are posted on an internal HIPAA website.


Additionally, CUIMC has in place mandatory programs to provide training to all members of its workforce regarding its HIPAA policies and standard procedures. CUIMC has a Privacy Office and employs a full-time Privacy Officer who is dedicated to the day-to-day administration of HIPAA compliance. To further facilitate these privacy compliance efforts:

  • All CUIMC faculty are required to complete an annual web-based HIPAA training. Registration for this course (including your access ID) is obtained through the Privacy Office.
  • All research staff must complete the HIPAA training posted on the RASCAL database under the “testing center.” HIPAA research training is a prerequisite to submitting a protocol for human subject research and provides instruction on the HIPAA forms that must be filed to obtain approval for research access to PHI. Researchers who also have clinical patient care responsibilities are required to complete both the RASCAL research HIPAA training and the general HIPAA training.
  • All other CUIMC personnel must complete annual general HIPAA training. The HIPAA training is given during CUIMC new employee orientation.
  • Generally, vendor contracts that require the disclosure of PHI must have a Business Associate Addendum (BAA) included as part of the underlying contract. Certain exceptions may apply, but departments should obtain a signed BAA unless the Privacy Office has given advance approval that a BAA is not necessary in connection with a particular arrangement.
  • All patients visiting CUIMC for the first time must receive a hard copy of the CUIMC Notice of Privacy Practices, which describes the patient’s HIPAA rights and the policies and practices of CUIMC with respect to the use and disclosure of the patient’s PHI. The patient is asked to sign an acknowledgement form when receiving the Notice of Privacy Practices, and that signed acknowledgment form must be placed in the patient’s medical record.
  • The administration and investigation of all patient complaints made with respect to the privacy of their PHI are handled by the Privacy Officer. If you are approached by a patient with a privacy complaint, call the Privacy Officer at (212) 305-7315. All patient privacy complaints are handled discreetly and are thoroughly investigated, resolved and logged.
  • There is a zero-tolerance policy on the abuse of privileges to access patient information and/or clinical databases electronically, and on the use of such information for purposes not related to treatment, payment or other authorized use. Audit trails record electronic access and are frequently reviewed. All users of electronic clinical information systems are expected to follow procedures related to the security of electronic information, including password protection, business need and the other information security policies posted on the HIPAA website.
  • Computer Security Reminders – The security of our shared systems requires that we all fully cooperate with the following basic measures. Failure to follow these requirements will result in disciplinary action.
  • Do not share your user ID and password with anyone. You are responsible for all access activity after you sign on to an application.
  • Audit reports can track what, when and where information is accessed based on your user ID. Do not sign on to a computer application and allow another person to access information or use the computer. All of the other person’s work will appear in the audit log under your user ID. You are responsible for all information accessed with your user ID and password.
  • Do not write down your user ID and password and leave it available at a workstation, desk or other unsecured area.
  • Always refuse to use another person’s user ID and password.


If you think someone may have had access to your user ID or password, contact the CUIMC IT Help Desk by calling 5-Help (305-4347), or the administrator of the application you are using, and request that your password be reset.


Please contact the following persons if you have questions about information security and privacy at CUIMC:

Karen Pagliaro-Meyer
Privacy Officer, CUIMC
kpagliaro@columbia.edu
212-305-7315


Emechete Ejike
Chief Information Security Officer, CUIMC
e.ejike@columbia.edu
212-305-2665


Office for Billing Compliance
Policy#: 10041
Original Date of Issue: 1996
Revised: 3/22/2023
Reviewed: 3/1/2024