HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Under Title II of HIPAA, Congress passed the Administrative Simplification provisions, which protect the privacy and security of protected health information (PHI) and promote efficiency in the health care industry through the use of standardized electronic transactions. Protected health information (PHI) is any "individually identifiable" information contained in an electronic or paper medical record; it includes a patient's mental or physical health condition as well as the patient's billing and demographic information. PHI is also protected when it is communicated by word of mouth. These rules help protect the confidentiality, integrity, and availability of PHI in any form: written, verbal, or electronic.
Generally, we may use and disclose PHI for treatment, payment and health care operations without specific authorization if we have provided the patient with a Notice of Privacy Practices and the patient has acknowledged receipt of this notice. However, certain types of sensitive information may require authorization, even if it is used or disclosed for one of these purposes.
We may also disclose PHI without authorization for certain public policy objectives, including: where disclosure is required by law; for judicial or administrative proceedings; for public health activities; for health oversight activities; to report incidents of abuse, neglect or domestic violence; for law enforcement purposes; to avert a serious threat to health or safety; for national security and intelligence activities and protective services; for certain military and veterans activities and benefits; for the health, safety and security of prison inmates or other detainees; to facilitate organ, eye or tissue donation; and to coroners, medical examiners, and funeral directors.
As a general rule, we must take reasonable steps to limit the PHI that we use and disclose, or that we request from others, to the minimum amount that is necessary to accomplish the purpose of the use, disclosure, or request. This rule, however, does not apply when disclosing or requesting PHI for treatment purposes, or when using or disclosing PHI in a manner that is required by law.
There is a broad range of both criminal and civil penalties for violations of HIPAA, depending on the circumstances, cause, the number of patients affected, and other factors. Corporations and/or individuals may be responsible for paying fines depending on the circumstances.
| HIPAA Violation Category | Each HIPAA Violation | Maximum for Same HIPAA Violation/Year |
|---|---|---|
| "Did not know" | $100 to $50,000 | $1.5 million |
| "Reasonable cause" | $1,000 to $50,000 | $1.5 million |
| "Willful neglect - corrected" | $10,000 to $50,000 | $1.5 million |
| "Willful neglect - not corrected" | $50,000 | $1.5 million |
For more information about HIPAA, please visit The Office for Civil Rights website.