HIPAA Privacy Rule and Patient Rights Policy
Reason(s) for the Policy
The HIPAA Privacy Rule affords patients certain rights related to their health information including rights to examine and obtain a copy of certain health records and to request corrections to their health information in those records. This policy informs workforce members how CUHC administers patients’ privacy rights as required by the HIPAA Privacy Rule.
Primary Guidance To Which This Policy Responds
HIPAA Rule 45 CFR Parts 160 and 164 subparts A and E
Who is Governed by This Policy
All CUHC workforce members.
Who Should Know This Policy
All CUHC workforce members.
The HIPAA Privacy Rule provides patients with rights related to the use and disclosure of their protected health information (PHI). These rights are described in the Notice of Privacy Practices (Notice). The Notice is provided to every new patient, posted in faculty practice locations and also posted on the medical center website. The Notice informs patients of their privacy rights and how to exercise their rights. Patients should be directed to or provided with the appropriate HIPAA form to make a request or file a complaint. The forms can be found on the Privacy Office webpage.
Patient Privacy Rights include:
- The right to inspect the patient’s PHI in a designated record set and obtain a copy, including an electronic copy, of such PHI
- The right to request an amendment of the patient’s PHI in a designated record set
- The right to an Accounting of certain Disclosures of PHI
- The right to request a restriction on the use and disclosure of the patient’s PHI for certain purposes, including for treatment, payment, or healthcare operations
- The right to request a restriction on a disclosure of PHI to their health plan for services paid for in full, out of pocket
- The right to request Confidential Communications including that CUHC communicate with the patient at an alternate location (at work instead of at home) or via alternate means (cell phone only)
- The right to receive a paper copy of the Notice, even if the patient has received the Notice electronically
- The right to file a complaint if the patient believes that the patient’s privacy rights have been violated
- The right to choose someone to act on the patient’s behalf
- The right to be notified of a HIPAA Breach
Right to Inspect and Receive a Copy of Their PHI
The patient right to inspect or obtain a copy of their PHI includes some limitations:
- A patient must request to access, inspect, or obtain a copy of their PHI in writing to the Health Information Management department (HIM). HIM will respond to such request within 30 days unless extended to 60 days in accordance with HIPAA.
- The patient may only access, inspect, or obtain a copy of their PHI if that information is part of the designated record set.
- To request a copy of the patient’s PHI or to have a copy of the patient’s PHI sent to another organization or individual designated by the patient, the patient should complete the Authorization to Release Medical Information form. A copy of the authorization should be maintained in the patient’s record.
- Subject to certain limitations, the patient has the right to request and receive access to PHI in the form and format requested by the patient, provided the PHI is readily producible in such form and format. This includes the right to access an electronic copy of their PHI in a designated record set if the health information is maintained in an electronic format or readily producible in that form and format.
- CUHC may accept verbal authorization from a parent or an adult patient to send immunization records to a school or other educational institution if the school is required by law to have proof of immunization. This verbal authorization should be documented in the medical record.
- The patient right to inspect or obtain a copy of the patient’s PHI does not include a right to copy or inspect: (i) psychotherapy notes; or (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding or action.
Patients may have additional rights in circumstances where CUHC denies the patient’s access request. These may include the right to have the denial reviewed by a licensed health care professional who did not participate in the original denial. If the request is denied, the reason for the denial must be stated in writing in the medical record and the Office of Compliance should be notified.
Right to Request an Amendment of Their PHI
Subject to certain limitations, the HIPAA Privacy Rule provides patients with a right to amend their PHI in a designated record set. This includes patient information in any media (paper or electronic).
All requests must be made in writing and include information to support the reason for the amendment. Patients should be referred to complete the Request for an Amendment of Health Information form which should be sent to HIM. A written approval or denial of the request will be sent to the patient within 60 days, unless this timeline is extended for an additional 30 days in accordance with the HIPAA Privacy Rule. Patients have additional rights and CUHC has additional obligations where CUHC denies the patient’s amendment request. In limited circumstances, if the request for an amendment is denied by the physician, the denial will be reviewed by the Privacy Office in collaboration with the physician, department administration, etc., as necessary. Further, the patient has the right to have a statement of disagreement added to their health record. CUHC may prepare a written rebuttal to this statement of disagreement. The rebuttal must be provided to the patient and added to the patient’s health record subject to the disputed amendment. Refer to the Health Information Management Policy for additional information.
When Columbia receives a notification from another covered entity of an amendment to a patient’s PHI, the notification should be sent to Health Information Management and the Privacy Officer for review.
Right to an Accounting of Disclosures
Subject to certain limitations, patients have a right to receive an Accounting of certain Disclosures of PHI made by CUHC in the six years prior to the date on which the accounting is requested. HIM is responsible for receiving and processing patient requests for an Accounting of Disclosures and shall respond within 60 days unless extended an additional 30 days in compliance with HIPAA. The form to request an Accounting of Disclosures is found on the Privacy Office webpage.
CUHC is obligated to document the information required to be included in an accounting subject to an accounting request by a patient.
Right to Request Restriction on the Use or Disclosure of Their PHI
The HIPAA Privacy Rule grants patients the right to request restrictions regarding the use or disclosure of their PHI for certain purposes, including treatment, payment, and healthcare operations (TPO). The rule also grants patients the right to request restrictions for other disclosures, such as those made to family members. Patients should be referred to complete the Request for Restriction on Use or Disclosure of Health Information form which should be forwarded to the Privacy Office for review. Subject to certain exceptions, CUHC is not required to accept a restriction request, however if CUHC agrees to the restrictions, CUHC must comply with the restriction except in an emergency related to treatment of the patient. In addition, there are certain situations when we may not be able to comply with a request.
These situations include emergency treatment, disclosures to the Secretary of the Department of Health and Human Services, and certain uses and disclosures that do not require authorization.
The request must be received in writing, placed in the medical record, and linked to each record of care or the appropriate episode of care. Requests to modify or terminate a restriction that may no longer be applicable should be in writing and sent to the Privacy Office. The Privacy Office will review restriction requests, maintain a centralized log, and as necessary, conduct periodic audits to confirm the applicability.
Right to Request Restrictions on Disclosures to Their Health Plan for Services Paid for Out of Pocket
CUHC must agree to a request from a patient to restrict certain disclosures of the patient’s PHI to the patient’s health plan if the disclosure of the PHI pertains solely to a health care service and the patient has paid in full for the service out of pocket. Refer to the Clinical Revenue Self Pay FSC Selection Policy for additional information.
Request for Communications at an Alternate Location or by Alternate Means
Patients may request to receive communication related to their medical information in a certain way (e.g., by phone only) or at a certain location (e.g., use work address). Patients who request communications at an alternate location or by alternate means should be referred to complete the Request for Restriction on Use or Disclosure of Health Information form and requests should be forwarded to the Privacy Office which will accommodate reasonable patient requests.
Right to a Paper Copy of the Notice of Privacy Practice
Each Practice is responsible for maintaining paper copies of the Notice. A patient has the right to receive a paper copy of the Notice upon request. Staff can obtain copies of the Notice by contacting Columbia Print Services. The Notice is also available on the Privacy Office website and posted in Practice locations.
Right to File a Complaint
The HIPAA Privacy Rule provides patients with the right to file a complaint with CUHC and with the Office for Civil Rights (OCR). The contact information for OCR is included in the Notice. Upon receipt of the patient complaint, the Privacy Office will investigate and, as necessary, provide notification to the patient regarding the determinations.
Right to Designate a Personal Representative to Act on the Patient’s Behalf
Subject to certain exceptions, a patient has the right to appoint an individual as their personal representative under and in compliance with applicable state law with respect to uses and disclosures of their PHI, as well as their other rights under the HIPAA Privacy Rule. Refer to 45 CFR 164.502(g) for additional information.
Right to be Notified of a Breach
A patient has the right to be notified of a breach of the patient’s PHI. Information related to breach notification is maintained by the Privacy Office and patient notification is coordinated by the Privacy Office.
Patients or staff with questions about completion of a form, the status of a request or complaint may contact the Privacy Office at 212-305-7315 or firstname.lastname@example.org
All documentation relating to patient rights will be maintained for a minimum of six (6) years.
Review policy to respond to patients requesting to exercise their rights related to their protected health information.
Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.
Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.
Designated Record Set – means a group of records maintained by or for CUHC that is: (1) The medical records and billing records about individuals; or (2) Used, in whole or in part, by or for CUHC to make decisions about individuals.
HIPAA Rules - The HIPAA Privacy, Security, Breach Notification, HITECH and Enforcement Rules as amended from time to time 45 CFR 160 and 164.
Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
Workforce includes faculty, staff, students and other individuals whose conduct, the performance of work for CUHC is under the direct control of CUHC.