Compliance FAQ

What is the purpose of HIPAA?

HIPAA protects the privacy and security of patient medical information in both written and electronic forms and establishes safeguards that Covered Entities must implement to protect that information. It also sets the terms on which medical information can be transmitted to other providers and to health insurers. Furthermore, it gives patients more control over, and access to, their medical information and sets limitations on the use and release of that information.

Is the University required to comply with HIPAA?

Yes. The University is a covered entity, and HIPAA applies to all covered entities: healthcare providers, health plans, and healthcare clearinghouses.

Often, contractors, subcontractors, third party service providers (vendors) and other outside persons that are not employees of the covered entity will need to have access to patients’ health information when providing services to the covered entity.  These entities are called “Business Associates” and are required to comply with HIPAA.

What is a Business Associate (BA)?

A business associate (BA) can be any University third party service provider (vendor) that either:

  1. receives protected health information (PHI) from the University, another BA, or as part of an Organized Health Care Arrangement (OHCA);
  2. provides accounting, accreditation, actuarial, administrative, consulting, data aggregation, management, financial, or legal services for the University or OHCA; or
  3. performs a function or activity that involves the use and/or disclosure of PHI on behalf of the University or OHCA.

What is a Business Associate Agreement (BAA)?

A Business Associate Contract, or Business Associate Agreement (BAA), is a written arrangement that specifies each party’s responsibilities when it comes to handling PHI.

HIPAA requires Covered Entities to only work with BAs who assure complete protection of PHI. These assurances have to be in writing, in the form of a contract or other agreement between the Covered Entity and the BA.

What is an OHCA?

An OHCA is an organized system of health care in which more than one HIPAA covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement.

Weill Cornell Medicine, New York Presbyterian, and Columbia University Medical Center currently hold themselves out to the public as participating in a joint arrangement.

Weill Cornell Medicine Compliance & Privacy Office 575 Lexington Avenue, 9th Fl New York, NY 10022 Phone: (866)-293-3077