HIPAA Compliance
Columbia University Medical Center
601 West 168th Street
Apt. #22, 2nd Floor
New York, NY 10032
Tel: (212) 342-0059
Fax: (212) 342-5173

TITLE:
SANCTIONS FOR UNAUTHORIZED USES AND DISCLOSURES OF A PATIENT'S PROTECTED HEALTH INFORMATION


POLICY:
Columbia University Medical Center will take appropriate disciplinary action against any member of its workforce who violates its privacy policies and procedures or an applicable city, state, or federal confidentiality law or regulation, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


PURPOSE:
The purpose of this policy is to describe the enforcement of and the sanctions that will be imposed against individuals at Columbia University Medical Center who violate a Columbia University Medical Center privacy policy or procedure or a city, state, or federal confidentiality law or regulation.


PROCEDURES:

  1. Violation of Columbia University Medical Center privacy policies or procedures. Failure to comply with the Columbia University Medical Center privacy policies or procedures will result in disciplinary action against the individual committing the violation.
    1. Columbia University Medical Center privacy policies and procedures will be enforced consistently across the organization.


    2. Sanctions that are imposed as a result of a violation of a Columbia University Medical Center privacy policy or procedure will be imposed consistently across the organization.


    3. The following types of conduct on the part of a member of Columbia University Medical Center's workforce will result in disciplinary action against the individual engaging in the conduct:
      1. Accessing a VIP's medical record for any purpose outside of treatment, payment, or health care operations.
      2. Discussing a patient's PHI in a public area or outside of Columbia University Medical Center.
      3. Failing to log off, or leaving a computer monitor on and unsecured.
      4. Accessing a patient's PHI out of curiosity or for any purpose outside of treatment, payment or health care operations.
      5. Using a patient's PHI for personal reasons (such as developing a personal relationship with the patient) rather than for legitimate and authorized business reasons.
      6. Copying or compiling PHI with the intent to sell or use the PHI for personal or financial gain.

  2. Disciplinary action that may be taken.
    1. Will be determined on a case-by-case basis, taking into consideration the specific circumstances and severity of the violation; and


    2. May be up to and including termination of employment, or of the business relationship as appropriate.


    3. Sanctions that may be imposed include, but are not limited to:
      1. A letter to the employee's personnel file;
      2. Administrative leave without pay;
      3. Attendance and successful completion of additional training;
      4. Reimbursement of expenses incurred by Columbia University Medical Center to resolve the matter; or
      5. Immediate termination of employment.

  3. Violations of state or federal confidentiality laws and regulations. Disciplinary action will also be taken against individuals or entities who violate related state or federal confidentiality laws and regulations.


  4. Duty to report. Any workforce member who observes or becomes aware of or suspects a wrongful use or disclosure of PHI maintained by Columbia University Medical Center is required to report his/her suspicion or the wrongful use or disclosure as soon as possible to his/her supervisor or the HIPAA Privacy Officer.
    1. A workforce member who makes a report of a suspected or actual improper use or disclosure in good faith will not be retaliated against for making the report.


    2. A workforce member who fails to report either a suspected or actual violation will have violated this Policy, and may be subject to disciplinary action, up to and including termination.

  5. No retaliation for good faith reports. Columbia University Medical Center will not retaliate against a member of its workforce who acts in good faith believing the practice he/she reports is unlawful.


  6. Definitions.
    • Protected Health Information (PHI) means information, including demographic information that may identify the patient, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.

    • Workforce means employees of, volunteers and trainees at, and other persons affiliated with Columbia University Medical Center whose work is under the direct control of Columbia University Medical Center, regardless of whether they are paid by Columbia University Medical Center.


RESPONSIBILITY: HIPAA Privacy Officer, Departments



ISSUED: December 2003
REVIEWED: October 2007


Last updated 3/21/2007



 