CUMC Home | Columbia University | Jobs at CUMC | Contact CUMC | Find People
     
Columbia University Medical Center logo,Positioning Line Discover. Educate. Care. Lead., image for New York Skyline Students Interacting
 
HIPAA Home
HIPAA Compliance
Columbia University Medical Center
601 West 168th Street
Apt. #22, 2nd Floor
New York, NY 10032
Tel: (212) 342-0059
Fax: (212) 342-5173
HIPAA Policies
Authorization to Release Medical Informationn
Accounting for Disclosures
Disclosures to Family/Friend
Email Policy and Forms
- Email Policy (112K pdf) pdf file
- Provider/Patient Email information (70K pdf) pdf file
- Patient Request for Email Communications (90K pdf) pdf file
Fax
Fundraising
Genetic Information
HIPAA Training
HIV/AIDS Information
Marketing
Minimum Necessary
Minors
Non-Retaliation
Notice of Privacy Practices
Ownership of Medical Record
Patient Complaints
Patient Rights
Research and HIPAA
Psychotherapy Notes
Organ Donation/Coroners
Required by Law
Health and Safety
Sanctions
Telephone Disclosures
Treatment and Payment
HIPAA Security
 

TITLE:

  

PATIENT COMPLAINTS ABOUT USES AND DISCLOSURES OF THEIR PROTECTED HEALTH INFORMATION

POLICY:
In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Columbia University Medical Center patients may complain about how Columbia University Medical Center uses and discloses their Protected Health Information (PHI). All patient complaints will be submitted to the HIPAA Privacy Officer for investigation and resolution.


PURPOSE :
The purpose of this policy is to describe the procedure for receiving, documenting, and taking appropriate action on complaints from patients at Columbia University Medical Center about the uses and disclosures of their PHI.


PROCEDURES:

  1. Submission of complaints. A patient may submit a complaint about how Columbia University Medical Center used or disclosed his/her PHI to either Columbia University Medical Center or to the Secretary of the Department of Health and Human Services (HHS) in Washington, DC.
    1. If the patient wants to file a formal complaint with Columbia University Medical Center, he/she must submit a completed Privacy Rights Complaint Form to the HIPAA Privacy Officer.

      The Privacy Rights Complaint Form is available on the Columbia University Medical Center website. Click on Administrative Services or "Patient Care" from the home page, then click on the link to HIPAA on the right side of the page. Select the form from the list of forms available on the left side of the page.


    2. If the patient wants to file his/her complaint with the Secretary of HHS, he/she should be directed to and follow the steps provided on the Office for Civil Rights website (www.hhs.gov/ocr/hipaa).

  2. Responsibilities of the HIPAA Privacy Officer upon receipt of a patient complaint..
    1. Documentation. The HIPAA Privacy Officer will document each privacy complaint received including in the documentation a brief description of and/or the basis for the complaint.


    2. Investigation. The HIPAA Privacy Officer will conduct an investigation to determine:
      1. What, if any PHI was misused or improperly disclosed;


      2. If PHI was misused or improperly disclosed, whether such misuse or improper disclosure violates Columbia University Medical Center's policies and procedures;


      3. What, if any, privacy practices at Columbia University Medical Center require modification;


      4. Whether a new policy, procedure, or form should be developed or whether an existing policy, procedure, or form should be revised; and


      5. Whether additional training is required to avoid a repeat violation.


    3. Resolution.
      1. If the HIPAA Privacy Officer determines a violation has occurred, he/she will consult with Columbia University Medical Center's Human Resources department and together, will determine what sanctions, if any, will be imposed against the individual who committed the violation.


      2. The HIPAA Privacy Officer will supplement the initial documentation to include documentation of the investigation and any actions taken in response to the complaint.


      3. All documentation relating to the patient's complaint will be maintained for a minimum of six (6) years.


      4. If the PHI that was wrongfully used or disclosed is created or maintained by a business associate of Columbia University Medical Center, the HIPAA Privacy Officer will:
        1. Notify the business associate of the results of the investigation and any required action on the part of the business associate.


        2. If the results of the investigation are that the business associate misused or improperly disclosed a patient's PHI, prepare a recommendation for Columbia University Medical Center's General Counsel as to whether the business associate relationship between the business associate and Columbia University Medical Center should continue.


    4. Notification. The HIPAA Privacy Officer will notify the patient submitting the complaint of the results of the investigation in writing.

  3. Non-retaliation for filing a complaint. Columbia University Medical Center will not intimidate, threaten, coerce, discriminate, penalize, or take other retaliatory action against a patient who exercises his/her rights under HIPAA or against any patient who participates in a process governed by the HIPAA Privacy Regulations. This prohibition also applies to:
    1. Individual and/or patient complaints filed with the Secretary of HHS;


    2. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing arising under the HIPAA Privacy Regulations; or


    3. Opposing any act or practice of Columbia University Medical Center, provided the individual or patient, as appropriate, has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not disclose PHI in violation of the HIPAA Privacy Regulations.

  4. No waiver. No patient or individual will be asked to waive his/her HIPAA rights, including the right to file a complaint about the use or disclosure of his/her PHI.


  5. Questions. Questions about filing a patient complaint with Columbia University Medical Center or the Secretary of HHA should be directed to the HIPAA Privacy Officer.


  6. Definitions.

      7. Protected Health Information (PHI) means information, including demographic information that may identify the patient, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.


RESPONSIBILITY:         HIPAA Privacy Officer, Departments



ISSUED: December 2003
REVIEWED: October 2007

| TOP |

Last updated 3/21/2007



  
CUMC Home | © Columbia University | Affiliated with New York-Presbyterian Hospital | Comments | Text-Only Version