Weill Cornell Medicine complies with all state and federal privacy standards, including those outlined by the Health Insurance Portability and Accountability Act (HIPAA). Adherence to these standards protects the confidentiality and integrity of sensitive patient information.
Passed by Congress in 1996, the Health Insurance Portability and Accountability Act:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs.
- Reduces health care fraud and abuse.
- Mandates industry-wide health care information standards for electronic billing and other processes.
- Requires the protection and confidential handling of protected health information.
Confidential Handling of Protected Health Information (PHI)
The HIPAA Privacy Rule requires health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of Protected Health Information (PHI) when it is transferred, received, handled or shared. This applies to all forms of PHI, including printed, oral, electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
The HIPAA Security Rule also establishes national standards to protect electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic PHI.
PHI consists of any information about health status, provision of health care or payment for health care that can be linked to a specific individual. This definition is interpreted broadly and includes the entirety of a patient's medical record or payment history. PHI includes:
- Any geographic subdivision smaller than a state, including street address, city, county and precinct, as well as ZIP code and equivalent geocodes, except for the initial three digits of a ZIP code if, according to current public data from the Bureau of the Census: (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a ZIP code for all geographic units containing 20,000 or fewer people are changed to 000.
- All elements of dates (except year) for dates directly related to individuals, including birth dates, admission dates, discharge dates and dates of death, as well as all elements of dates (including year) indicative of ages over 89 (these ages and elements may be aggregated into a single category of age 90 or older).
- Phone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate and license numbers.
- Vehicle identifiers, including serial numbers and license plate numbers.
- Device identifiers and serial numbers.
- Uniform Resource Locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including fingerprints and voice prints.
- Full-face photographic or comparable images.
- Any other unique identifying numbers, characteristics or codes, apart from codes assigned by investigators to organize data.
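The ZIP code and date rules in the list above are precise enough to encode as a check. The Python below is an added example, not Weill Cornell Medicine's own tooling: it applies those rules to a constructed patient record, and the set of low-population three-digit ZIP prefixes is a placeholder that must be replaced with the current Census Bureau figures before use.

```python
from datetime import date
from typing import Optional, Tuple

# Three-digit ZIP prefixes whose combined area holds 20,000 or fewer people.
# Constructed placeholder for illustration only: the authoritative set must be
# derived from current U.S. Census Bureau data, not copied from here.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Record fields the list above names as identifiers to be removed outright.
DIRECT_IDENTIFIERS = {"phone", "fax", "email", "ssn", "mrn", "account", "ip", "url"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or '000' when that three-digit
    area covers 20,000 or fewer people."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix

def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on the as_of date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def safe_harbor_birth_date(birth: date, as_of: date) -> Tuple[Optional[str], str]:
    """Return (birth_year, age). Ages over 89 lose every date element,
    including the year, and are reported as the single category '90+'."""
    age = age_on(birth, as_of)
    if age > 89:
        return None, "90+"
    return str(birth.year), str(age)

def deidentify(record: dict, as_of: date) -> dict:
    """Apply the rules above to one patient record held as a plain dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifier: drop the field entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            out["birth_year"], out["age"] = safe_harbor_birth_date(value, as_of)
        elif key.endswith("_date"):       # admission, discharge, death: year only
            out[key[:-5] + "_year"] = str(value.year)
        else:
            out[key] = value  # passes through; caller must confirm it is not an identifier
    return out
```

Fields not named in the list, such as free-text notes, pass through unchanged, so the caller still has to review them for the catch-all "any other unique identifying" category.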
For further information, please consult the Weill Cornell Medicine Privacy Office.