How do I Report a Privacy Incident?
For questions regarding privacy incidents please contact the Privacy Office at Privacy@med.cornell.edu or call (646) 962-6930.
What is Care Everywhere and Health Information Exchange (HIE)?
I No Longer Want to Participate in the Health Information Exchange (HIE). What Do I Do?
Patients have the ability to change their authorization choice at any time. You can contact our Privacy Office by calling 646-962-6930 during the hours of 9am to 5pm or email privacy@med.cornell.edu for assistance. Once the Privacy Office provides you with assistance and terminates your current authorization status, you will be asked to sign the form again at your next visit by the check-in staff. At that visit, you will be able to provide your updated authorization choice.
My Medical Records are Incorrect. What Do I Do?
To request changes to your medical records please contact the Privacy Office at 646-962-6930 or privacy@med.cornell.edu. We will send you an Amendment Request Form for you to fill out and return to the Privacy Office. Your request will be reviewed and processed within 30 days of receipt.
How Do I Obtain a Copy of My Medical Records?
You can request your outpatient medical records online through your Connect account.
You can also fill out the Authorization to Release PHI form (available in English or Spanish, see above). Completed forms can be emailed to medicalrecords@med.cornell.edu or sent by fax to (646) 962-0635. You may also mail the form to the Release of Information unit:
Weill Cornell Medicine
Release of Information Unit
Box 303
New York, NY 10065
The Release of Information Unit can also be reached by phone at (646) 962-9820.
How do I Submit a Compliance Question or Complaint?
To submit a question or complaint to the Compliance Office, please contact us at compliance@med.cornell.edu or by phone at (646) 962-7539.
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. It is a federal law designed to help protect patients' health information.
What is the purpose of HIPAA?
HIPAA protects the privacy and security of patient medical information in both written and electronic forms and establishes safeguards that Covered Entities must implement to protect that information. It also sets the terms on which medical information can be transmitted to other providers and to health insurers. Furthermore, it gives patients more control over, and access to, their medical information and sets limitations on the use and release of that information.
Is the University required to comply with HIPAA?
Yes. The University is a covered entity, and HIPAA applies to all covered entities: healthcare providers, health plans, and healthcare clearinghouses.
Often, contractors, subcontractors, third party service providers (vendors) and other outside persons that are not employees of the covered entity will need to have access to patients’ health information when providing services to the covered entity. These entities are called “Business Associates” and are required to comply with HIPAA.
What is a Business Associate (BA)?
A business associate (BA) can be any University third party service provider (vendor) that either:
What is a Business Associate Agreement (BAA)?
A Business Associate (BA) Contract, or Business Associate Agreement (BAA), is a written arrangement that specifies each party's responsibilities when it comes to handling PHI.
HIPAA requires Covered Entities to only work with Business Associates (BAs) who assure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA.
What is an OHCA?
An OHCA is an organized system of health care in which more than one HIPAA covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement.
Weill Cornell Medicine, New York Presbyterian, and Columbia University Medical Center currently hold themselves out to the public as participating in a joint arrangement.
When is a BAA needed?
The HIPAA rules require a BAA from every third-party service provider (vendor) a Covered Entity engages that will use, access, or disclose PHI on its behalf.
How do you determine if a BAA is needed?
Essentially, if an organization is engaged to handle, use, distribute, or access protected health information (PHI), it would likely qualify as a BA under the HIPAA regulation. The quick rule to remember with Business Associates: before you share PHI, you must have a signed BAA in place.
Why do I need to submit a BAA request?
To do business with a new vendor that will have access to Protected Health Information (PHI), you will need to complete the BAA request and send a copy of the underlying contract between the vendor and the University to the Compliance and Privacy Office via email at Privacyagreements@med.cornell.edu. We will then determine if a BAA is required and begin the process, if necessary.
What is PHI?
PHI is any individually identifiable health information created or received by the University. Such information may relate to past, present, or future physical or mental health of a patient or research study participant. PHI either identifies or could be used to identify the individual and has been transmitted or maintained in any form or medium (electronic, paper, or oral), such as patient demographics, medical record number, Social Security number, etc.
What are the 18 direct/indirect identifiers related to PHI?
How long will it take to process a BAA request?
The Compliance and Privacy Office processes most BAA requests within two business days. If the vendor is not identified as a BA, the Compliance and Privacy Office will notify the Requester(s) and business may continue. If the vendor needs a BAA, the Compliance and Privacy Office will send a draft BAA to the vendor for negotiation and signature and include the Requester in that communication.
How long do vendors take to return the signed BAA?
It depends on the vendor. If the vendor requests changes to the agreement, the time needed to process the paperwork could increase by weeks to months, as any changes may need approval from General Counsel, ITS, etc. If no changes are made, the entire process is often completed within 10 business days.
What does a “Fully Executed” BAA mean?
A “Fully Executed” BAA means that all parties have agreed to the terms and conditions of the contract and any revisions thereto, and they have signed and initialed the written contract.
Is there anything that needs to be done differently if I am working with a BA as opposed to a member of the University’s workforce?
Yes, if PHI is being shared with a BA, you must ensure that a proper BAA is in place. Please consult the Compliance and Privacy Office for review of all BAA documents. The BAA to execute will depend upon the circumstances of each situation.
Is a covered entity liable for, or required to monitor, the actions of its business associates?
No. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with BAs which protect the privacy of PHI; but covered entities are not required to monitor or oversee the means by which their BAs carry out privacy safeguards or the extent to which the BA abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its BAs. However, if a covered entity finds out about a material breach or violation of the contract by the BA, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the BA. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the HHS/OCR. See 45 CFR 164.504(e)(1).
Weill Cornell Medicine Compliance & Privacy Office
575 Lexington Avenue, 9th Fl
New York, NY 10022
Phone: (866) 293-3077