Sale of Protected Health Information (PHI)

The Columbia University Healthcare Component (CUHC) shall not directly or indirectly receive remuneration, including non-financial benefits such as in-kind benefits, in exchange for any Protected Health Information (PHI), unless patient authorization is obtained or an applicable exception applies.

Reason(s) for the Policy

Subject to certain exceptions, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) prohibits the Sale of Protected Health Information (PHI). This Policy describes the procedures that CUHC shall follow in order to ensure that any remuneration in exchange for PHI is conducted in compliance with applicable law, including HIPAA.

Primary Guidance To Which This Policy Responds

HIPAA Rules 45 CFR 164.502(a)(5)(ii), 164.508(a)(4)

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

General Rule

If CUHC receives direct or indirect remuneration from or on behalf of a person or entity in exchange for PHI, a valid HIPAA authorization shall be obtained from the patient(s) who are the subjects of the information, unless one of the exceptions below applies.

Evaluate if a disclosure of PHI is a Sale of PHI

Prior to disclosing any PHI in exchange for direct or indirect remuneration, CUHC shall evaluate whether such disclosure is a Sale of PHI.

Exceptions

The disclosure of PHI for any of the following purposes is not considered a Sale of PHI under HIPAA:

  • Public health purposes;
  • Research purposes, where the remuneration is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI;
  • Treatment and payment purposes;
  • Sale, transfer, merger, or consolidation of all or part of CUHC with another covered entity, or an entity that will become a covered entity following the transaction and due diligence related to this activity;
  • Business Associate activities that a Business Associate undertakes on behalf of a covered entity (or a subcontractor undertakes on behalf of a Business Associate) provided that the only remuneration provided is by the covered entity to the Business Associate (or Business Associate to a subcontractor) for the performance of such activities;
  • To patients, when the patient requests access to PHI or an accounting of disclosures;
  • Disclosures required by law; and
  • Any other disclosures permitted by the HIPAA Privacy Rule, where the only remuneration received by the covered entity or Business Associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI or a fee otherwise expressly permitted by other law.

State law

Any disclosure of PHI in exchange for remuneration that meets an exception under HIPAA shall be further evaluated under applicable state law to ensure such exchange is permissible without patient authorization under applicable state law.

Authorization Requirement

If a disclosure of PHI meets the definition of a Sale of PHI and an applicable exception does not apply, CUHC shall obtain patient authorization.

  • Patient authorization shall be obtained, and the authorization obtained shall meet the requirements of HIPAA and applicable state law and specifically disclose that CUHC will receive direct or indirect remuneration in exchange for the PHI.
  • The authorization form is available on the Privacy Office web page.
  • The signed authorization form shall be placed in the patient’s medical record.
  • Questions related to a Sale of PHI disclosure that do not satisfy an exception should be reported to the Privacy Officer to evaluate if the disclosure constitutes a Sale of PHI.
 
Responsibilities

Workforce members must:

  • Ensure that any direct or indirect remuneration in exchange for PHI that constitutes a Sale of PHI meets an exception and is permissible under HIPAA and applicable state law without individual authorization.
  • For such activities that do not meet an exception, patient authorization in the form and manner required by HIPAA and applicable state law shall be obtained before any such disclosure of PHI in exchange for remuneration.
 
Definitions

Business Associate – A person or entity that performs certain functions or activities that involve the creation, receipt, maintenance, or transmission, of protected health information for or on behalf of the Columbia University Healthcare Component.

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.