TITLE:

PRIVACY AND CONFIDENTIALITY OF PROTECTED HEALTH INFORMATION AND USING AND DISCLOSING IT FOR PURPOSES OF TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

POLICY:
In accordance with city, state, and federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Columbia University Medical Center will protect patient records and other information that may reveal a patient's identity when using or disclosing such information for purposes of treatment, payment, or health care operations.

PURPOSE
The purpose of this policy is to describe how Columbia University Medical Center will protect the privacy of its patients' Protected Health Information (PHI) while allowing employees to use and disclose PHI for purposes of treatment, payment, or health care operations.

PROCEDURES:

1. Protecting the privacy and confidentiality of patients' PHI.
1. In accordance with city, state, and federal laws and regulations, including HIPAA, Columbia University Medical Center will:
1. appropriately use, manage, control, disclose, and release PHI; and



2. comply with the terms of the Columbia University Medical Center Notice of Privacy Practices.


2. Employees whose job description requires signing a Confidentiality Agreement will be asked to sign the Agreement as a condition of employment.



3. Columbia University Medical Center will provide training for its employees and affiliates to educate them about how Columbia University Medical Center will use, manage, control, disclose, and release patients' PHI. This training will also explain the terms and requirements contained in the Columbia University Medical Center Notice of Privacy Practices.



4. Employees and individuals who are affiliated with Columbia University Medical Center will continue to comply with existing city, state, and federal laws and regulations that govern confidentiality of patient PHI, including certain specially protected categories of PHI such as HIV/AIDS information, substance abuse and treatment records, and mental health outpatient services.


2. Using and disclosing PHI. Columbia University Medical Center will use and disclose a patient's PHI in accordance with city, state, and federal laws and regulations, including HIPAA, and primarily for purposes of:
1. Treatment.
1. Columbia University Medical Center may use a patient's PHI to provide him/her with treatment or services.



2. A patient's PHI may be shared by different Departments of Columbia University Medical Center as long as each Department sharing the PHI is providing or has, in the past, provided services and treatment.



3. Columbia University Medical Center may disclose a patient's PHI to its physicians, other health care professionals, and other Columbia University Medical Center personnel who are involved in the patient's care.



4. Columbia University Medical Center may disclose a patient's PHI to people outside Columbia University Medical Center who are involved in the patient's care.


2. Payment.
1. Columbia University Medical Center may use and disclose a patient's PHI to bill and collect for the treatment and services provided to the patient.



2. Columbia University Medical Center may disclose a patient's PHI to the patient's health plan to obtain prior approval for treatment and/or to determine whether the patient's plan will cover the treatment.



3. Columbia University Medical Center may disclose a patient's PHI to other health care providers to facilitate the other health care providers' billing and collection efforts and as permitted by law.


3. Health care operations.
1. Columbia University Medical Center may use and disclose a patient's PHI for purposes of its own operations.



2. Columbia University Medical Center may combine PHI about many patients to decide what additional services should be offered, what services are not needed, and whether certain new treatments are effective.



3. Columbia University Medical Center may combine the PHI in its possession with PHI from other health care providers in order to compare its performance with other like providers and to make improvements in the care and services offered.



4. Columbia University Medical Center may disclose a patient's PHI to its physicians, other health care professionals, and other Columbia University Medical Center personnel for educational purposes.



5. Columbia University Medical Center may disclose a patient's PHI to other health care organizations as permitted by law


3. Questions. Questions about using or disclosing PHI or about the Columbia University NOPP should be directed to the employee's supervisor or the HIPAA Privacy Officer.



4. Definitions.

Protected Health Information (PHI) means information, including demographic information that may identify the patient, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.

RESPONSIBILITY:         Departments, HIPAA Privacy Officer