TITLE:

Disclosures of Protected Health Information Required by Law

POLICY:
Columbia University Medical Center will use, disclose, or release a patient's protected health information (PHI) as required by and in accordance with city, state, and federal law, even if the patient has not provided a written authorization.

PURPOSE
All PHI at Columbia University Medical Center, including any PHI maintained electronically, is confidential, and would not normally be used, disclosed, or released without the patient's written authorization. However, there are times when Columbia University Medical Center is required by law to report or provide PHI to state or federal agencies or authorities, or when it must respond to judicial or administrative requests for PHI. This Policy defines the agencies, authorities, and instances in which Columbia University Medical Center will use, disclose, or release PHI without the patient's authorization in order to comply with its responsibilities under city, state, or federal law.

PROCEDURES:

1. Mandatory Reporting. Columbia University Medical Center is required to and will report PHI to certain agencies and authorities. A patient's authorization is not required for this mandatory reporting, and Columbia University Medical Center will not grant a patient's request for restriction if the request would interfere with a mandatory reporting obligation. The list of agencies and authorities and the types of PHI that must be reported follows:




Agency/Authority Receiving	Subject/Category of Required Report
City, County, or District Health Official	Suspected or confirmed cases of communicable diseases
Local Health Official	Exposure to animal suspected of having rabies
Local Health Official	Patients infected with tuberculosis who vacate an apartment or premises by death or removal from the premises
Local Health Official	Pregnant women who test positive for Hepatitis B
Local Health Official	Syphilis tests on pregnant women





Agency/Authority Receiving	Subject/Category of Required Report
National Practitioner Data Bank	Specified information regarding malpractice payments and adverse actions
NY City Department of Health	All immunizations administered to any child age seven and under
NY City Department of Health	Cases, carriers, and persons who at their time of death were affected by any of the communicable diseases
NY City Department of Health	Deaths - caused by natural causes
NY City Department of Health	HIV, HIV-related illness, and AIDS occurring within New York City
NY City Department of Health	Deaths - not a result of natural causes
NY City Department of Health	Tuberculosis
NY City Department of Mental Health and Hygiene	Births
NY City Department of Mental Health and Hygiene	Syndromic surveillance information (real-time reports of the chief complaint, home zip code, sex, age, and unique identifier of patients seen in the Emergency Room within the past 24 hours)
NY State Board of Medical Examiners	Specified information regarding malpractice payments and adverse actions
NY State Central Register of Child Abuse and Maltreatment	Suspected child abuse or maltreatment; failure to immunize infants for Hepatitis B if the mother is Hepatitis B positive
NY State Department of Health	Alzheimer's disease upon diagnosis or confirmation of presence of illness
NY State Department of Health	Cardiac reporting
NY State Department of Health	Cases of communicable diseases diagnosed after death
NY State Department of Health	Habitual narcotics users





Agency/Authority Receiving	Subject/Category of Required Report
NY State Department of Health	Hepatitis B test results for all women with newborn children
NY State Department of Health	HIV, HIV-related illness, and AIDS occurring outside of New York City
NY State Department of Health	Increased incidence of nosocomial infections or nosocomially acquired communicable disease
NY State Department of Health	Radioactive cadavers
NY State Department of Health	Sexually transmissible diseases (STDs)
NY State Department of Health	Statewide Planning and Research Cooperative System - data specified
NY State Department of Health Area Office	Patient death due to an act of omission or commission by a member of the ambulance service
NY State Department of Health's Bureau of Environmental Protection	Persons who have clinical evidence of occupational lung disease
NY State Department of Health's Wadsworth Center Laboratories	Blood sample from every newborn to be tested for certain diseases
NY State Office of Fire Prevention and Control	Burn injuries - Second or third degree burns to 5% or more of the body.
NY State Office of Mental Health	Aggregate data relating to incident reporting
NY State Office of Mental Retardation and Developmental Disabilities	Aggregate data relating to incident reporting
Occupational Safety and Health Administration (OSHA) - Area Office	Death of an employee or multiple employee injuries
Police	Violent injury - Bullet wound, gunshot wound, powder burn, other injury caused by a gun or firearm. All injuries that are likely to or do result in death and appear to be caused by a knife, ice pick, etc.





Agency/Authority Receiving	Subject/Category of Required Report
Regional Health Director or Associate Commissioner for New York State	Nosocomial infections
US Department of Health & Human Services - CMS	Deaths - caused by restraint or seclusion
US Department of Labor	Death of an employee or multiple employee injuries




1. The person providing PHI in response to a mandatory reporting requirement is responsible for documenting the name, title, and contact information of the individual to whom the PHI was provided, the agency name and address (if known), the date the PHI was provided, and a brief summary of the PHI provided (e.g., demographic information about the patient, copy of face sheet showing diagnosis, etc.) for each patient whose PHI is reported or released.



2. The person providing PHI to an individual, agency, or authority in response to a mandatory reporting requirement will take reasonable steps to confirm and verify the identity and authority of the individual, agency, or authority prior to providing the PHI. "Reasonable steps" may include, but are not limited to the following:
1. Obtaining the contact name, title, and telephone number of the individual making the request.
2. Recognizing the requester's voice, if the request or report is made in person or over the telephone.
3. Recognizing the requester's telephone or fax number or address if the report is made by fax or delivery.


3. Documentation of releases and disclosures that are required as part of a mandatory report may be maintained in each individual patient's file (for easy retrieval if the patient requests an Accounting of Disclosures) or on a log in the Department. If documentation is included in the patient's file, the entry will not be considered part of the patient's designated record set.



4. A list of the mandatory reporting disclosures for a single patient, a group of patients, or all patients must be provided to the HIPAA Privacy Officer upon his/her request within ten (10) days of his/her request.


2. Responding to Law Enforcement Inquiries.
1. Columbia University Medical Center will provide PHI to a law enforcement official without first obtaining the patient's written authorization:
1. to assist in the identification or location of a suspect, fugitive, material witness, or missing person;
2. regarding a patient who is or is suspected to be a victim of a crime;
3. to alert law enforcement of the death of the individual;
4. if Columbia University Medical Center believes the PHI requested constitutes evidence of criminal conduct that occurred on the premises of Columbia University Medical Center; and
5. in emergency situations, to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.


2. If the law enforcement official requests PHI via a court order, subpoena, warrant, summons, or other similar document, Columbia University Medical Center will provide the requested PHI if:
1. the PHI sought is relevant and material to the law enforcement inquiry;
2. the request is specific and limited in scope to the extent reasonably practicable;
3. de-identified PHI could not be used; and
4. the court order, subpoena, warrant, summons, or other similar document complies with New York law which in some cases requires patient authorization to release.


3. If a Columbia University Medical Center employee is presented with a court order, subpoena, warrant, summons, or other similar document,
1. the employee should immediately notify his/her department Administrator of the document; and
2. either the employee who received the initial document or the department Administrator should immediately contact the HIPAA Privacy Officer to discuss and evaluate the document and determine whether and how the disclosure will be made.


4. No PHI should be disclosed in response to a court order, subpoena, warrant, summons, or other similar document prior to discussing the document with either the General Counsel's Office or the HIPAA Privacy Officer.



5. The person providing PHI in response to a court order, subpoena, warrant, summons, or other similar document is responsible for documenting the name, title, and contact information of the individual to whom the PHI was provided, the agency name and address (if known), the date the PHI was provided, and a brief summary of the PHI provided (e.g., demographic information about the patient, copy of face sheet showing diagnosis, etc.) for each patient whose PHI is reported or released.



6. Documentation of releases and disclosures that are made in response to a court order, subpoena, warrant, summons, or other similar document may be maintained in each individual patient's file (for easy retrieval if the patient requests an Accounting of Disclosures) or on a log in the Department. If documentation is included in the patient's file, the entry will not be considered part of the patient's designated record set.


3. Responding to Inquiries from National Security, Intelligence, and Protective Services Officials.
1. Columbia University Medical Center will provide PHI to authorized federal officials for intelligence, counter-intelligence, and other national security activities without first obtaining the patient's written authorization.



2. Columbia University Medical Center will also provide PHI to authorized federal officials so they may conduct special investigations and provide protection to the President, other authorized persons, and foreign heads of state without first obtaining the patient's written authorization.



3. If a federal official requests PHI from a Columbia University Medical Center employee, the employee should immediately contact his/her supervisor and the HIPAA Privacy Officer.



4. The person providing PHI to authorized federal officials for national security and intelligence activities and protective services is responsible for documenting the name, title, and contact information of the individual to whom the PHI was provided, the agency name and address, the date the PHI was provided, and a brief summary of the PHI provided (e.g., demographic information about the patient, copy of face sheet showing diagnosis, etc.) for each patient whose PHI is reported or released.



5. Documentation of releases and disclosures that are made to authorized federal officials for national security and intelligence activities and protective services may be maintained in each individual patient's file (for easy retrieval if the patient requests an Accounting of Disclosures) or on a log in the Department. If documentation is included in the patient's file, the entry will not be considered part of the patient's designated record set.


4. Specially Protected PHI. An employee who receives a request from a federal, state, local, national security, or law enforcement official for PHI that includes HIV/AIDS information, mental health information, or substance abuse and treatment records must immediately contact his/her supervisor and the HIPAA Privacy Officer. Under no circumstances should PHI that includes HIV/AIDS information, mental health information, or substance abuse and treatment records be released to the requesting official unless the disclosure is approved by the HIPAA Privacy Officer.



5. Document Retention. All documentation relating to requests for a patient's PHI will be maintained for a minimum of six (6) years.



6. Definitions

Protected Health Information (PHI) means information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.

RESPONSIBILITY:         HIPAA Privacy Officer, Department Administrators