Health Insurance Portability and Accountability Act (HIPAA) Policy

    Boston University is required by the Health Insurance Portability and Accountability Act (HIPAA) to ensure the privacy and security of all “Protected Health Information” or “PHI” created, received, maintained, or transmitted by or for its health care providers and self-insured health plans that are subject to HIPAA. This Policy is intended to guide components at Boston University that are covered by HIPAA (“HIPAA Covered Components”) to rigorously implement all HIPAA-mandated requirements as they are subject to enforcement by the federal government.

    Regardless of where or in what form (paper, electronic or otherwise) University data is stored, it remains the property of the University and the University’s HIPAA Covered Components are responsible for ensuring proper protection.


    In addition to the specific HIPAA policies laid out below, HIPAA Covered Components are subject to the Boston University Data Protection Policies approved by the Information Security and Business Continuity Governance Committee.

    It is very important that all HIPAA Covered Components familiarize themselves fully with the requirements for Restricted Use Data as defined in the BU Data Protection Standards as well as those laid out in this document.

    Departments are permitted to develop local policies, standards and guidelines as long as they are not less restrictive than or contradictory to this policy.

    Key Contacts

    • HIPAA Security Officer and Interim HIPAA Privacy Officer: Eric Jacobsen, (617) 353-8284
    • BU Information Security – Incident Response Team: (617) 358-1100
    • Director ad interim, Information Security Officer: Eric Jacobsen, (617) 353-8284
    • Boston University Police (BUPD, Public Safety): Thomas G. Robbins, (617) 353-2121
    • VP of Information Services and Technology: Tracy Schroeder, (617) 353-1155
    • Office of the General Counsel: Diane Gardener, (617) 353-2326

    BU has certain organizational units that are subject to HIPAA. These are referred to in this document as HIPAA Covered Components or Covered Components. The Covered Components include (i) health care providers that actually engage in the types of electronic transactions that trigger HIPAA (in most cases, electronic billing) and (ii) health plans, together with the support services that have access to PHI of these providers and health plans.

    The following organizational units have been designated, as of the publishing of this policy, as being HIPAA Covered Components, together with all other units that provide support services to these HIPAA Covered Components involving access to Protected Health Information.

    Health Care Providers (“Provider Components”)

    1. The following clinical centers at Boston University College of Health & Rehabilitation Sciences: Sargent College –

    - Boston University Rehabilitation Services, including the Physical Therapy Center at the Ryan Center for Sports Medicine and Rehabilitation;

    - Sargent Choice Nutrition Center

    2. Henry M. Goldman School of Dental Medicine, including the Dental Clinics and the Dental Health Center

    3. The Albert and Jessie Danielsen Institute

    Health Plans

    4. Boston University Health Plan

    5. Boston University Dental Plan

    6. Boston University Flexible Benefits Program – Flexible Spending Accounts – Health Care

    Support Services

    Units that provide support services may also be covered where those units access Protected Health Information. Such units may include:

    • Information Services & Technology, including Boston University Medical Campus Information Technology
    • Financial Affairs
    • Office of the General Counsel
    • Internal Audit
    • Risk Management
    • Boston University Police Department

    What is PHI?

    Protected Health Information (PHI) is any individually identifiable health information that can be linked to a particular person. It includes all information that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. This information can relate to:

    • The individual’s past, present or future physical or mental health or condition,
    • The provision of health care to the individual, or,
    • The past, present, or future payment for the provision of health care to the individual.

    Data elements commonly used to link health information to a specific individual are called the HIPAA identifiers (details provided below).

    What is not PHI?

    Health information that does not identify an individual, or that cannot be used to identify an individual, is not PHI, but great rigor is required to confirm that no identifier is present in the dataset. For example, a dataset of vital signs by itself does not constitute Protected Health Information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected, since it contains an identifier.

    There are some types of identifiable health information that are not protected as PHI under HIPAA:

    • Information in education records covered by FERPA
    • Information in treatment records retained solely by student health services
    • Information in employment records
    • Information about an individual who has been deceased for more than 50 years

    The following data elements have been specifically identified in the regulation as being “identifiers.” When a medical record or result contains or is associated with any of these elements, it may be traceable back to the person associated with that record.

    Any document or communication containing health information created, received, maintained, or transmitted by or for any of the HIPAA Covered Components is covered by HIPAA if it includes any of these elements:

    1. Names (including initials only);
    2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
    4. Phone numbers;
    5. Fax numbers;
    6. Electronic mail addresses;
    7. Social Security numbers;
    8. Medical record numbers;
    9. Health plan beneficiary numbers;
    10. Account numbers;
    11. Certificate/license numbers;
    12. Vehicle identifiers and serial numbers, including license plate numbers;
    13. Device identifiers and serial numbers;
    14. Web Universal Resource Locators (URLs);
    15. Internet Protocol (IP) address numbers;
    16. Biometric identifiers, including finger and voice prints;
    17. Full face photographic images and any comparable images; and
    18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by an investigator to code the data)
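    A worked example of applying the identifier rules above to a single data record, added here and not part of the BU policy: it drops the listed direct identifiers, reduces dates to the year, truncates zip codes to three digits (or 000), and aggregates ages over 89 into 90 or older, so that the vital-signs values survive while the record is no longer traceable to a person. The field names, the RESTRICTED_ZIP3 set and the sample record are constructed placeholders; the real restricted prefixes must come from current Census data, as the rule states.

```python
import re
from datetime import date

# CONSTRUCTED placeholder: the real set is every three-digit zip prefix whose
# combined area holds 20,000 or fewer people per current Census data (item 2).
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Assumed field names holding the direct identifiers (items 1, 4-18); removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "initials", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "plate", "device_serial", "url", "ip", "biometric", "photo",
}
AS_OF = date(2024, 1, 1)  # reference date used to compute ages (constructed)

def deidentify_zip(zip_code: str) -> str:
    """Keep only the first three digits; use 000 for a restricted or unusable prefix."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3

def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def deidentify_record(rec: dict, as_of: date = AS_OF) -> dict:
    """Return a copy of rec with the identifier classes removed or reduced."""
    out = {}
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # direct identifier: drop the field
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"            # no birth year: it would reveal the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year   # item 3: keep the year only
        else:
            out[key] = value                  # clinical values are retained
    return out

# CONSTRUCTED sample record, not real patient data.
SAMPLE = {"mrn": "MRN-0001", "name": "J. Doe", "zip": "02215", "heart_rate": 72,
          "birth_date": date(1930, 6, 15), "admission_date": date(2023, 3, 4)}

def deidentify_sample() -> dict:
    return deidentify_record(SAMPLE)
```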

    HIPAA contains both a Privacy Rule and a Security Rule. Security and privacy are distinct, but go hand-in-hand.

    Privacy basically relates to the right of an individual to control the use of his or her personal information. Protected Health Information (PHI) should not be divulged or used by others without the patient’s authorization, except in certain limited circumstances (for example, to confer with a referring physician). The HIPAA Privacy Rule covers the confidentiality of PHI in all forms and formats including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized use and disclosure.

    Security is a mechanism used to protect the privacy of information. The HIPAA Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access, alteration, loss or destruction, whether external or internal, stored or in transit, is all part of the HIPAA Security Rule.

    The regulations contain definitions of numerous terms. The definitions of some key terms are set forth above and in the pertinent sections of the requirements and checklists below. A few other key terms are defined as follows:

    All members of a Covered Component’s Workforce (including Workforce members of their Support Services) must comply with the requirements of HIPAA. Workforce is broadly defined as including (but not limited to) employees, volunteers, trainees and other persons whose work is under the control of the Covered Component (or Support Service), whether or not they are paid by the University.

    Individuals have a right to access and request amendment of the records that comprise their Designated Record Set (45 CFR 164.501). Designated Record Set means the following groups of records maintained by or for a Covered Component:

    (i) For the Provider Components – The medical records and billing records about individuals, and any other records used by or for the Provider Component to make decisions about individuals. These will include, at a minimum, assessments and evaluations, consent for treatment, consultation reports, discharge instructions, history and physicals, intake and output sheets, medications sheets, orders, pathology reports, progress notes, x-rays and radiology reports, laboratory reports, copies of medical records and reports from other health providers if used to make decisions about the individual, and emails concerning patient treatment, records of claims submitted, remittance advice, eligibility information, etc.

    (ii) For the Health Plans – The enrollment, payment, claims adjudication, and case or medical management record systems; and any other records used by or for the Health Plan to make decisions about individuals.

    As a general matter, Covered Components may use and disclose an individual’s Protected Health Information for purposes of Treatment, Payment, and Health Care Operations, without the need to get a written authorization from the individual.

    Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including consultation among providers and referral from one provider to another.

    Payment has a multi-part definition, which includes activities undertaken by a health care provider or health plan to obtain or provide reimbursement for the provision of health care to an individual, including billing, claims management, collection activities, related health care data processing, and certain other activities.

    Health Care Operations is defined by reference to numerous categories of activities including (among other things): (1) conducting quality assessment and improvement activities; patient safety activities; case management and care coordination; (2) reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) with certain exceptions, underwriting, enrollment, premium rating, and other activities related to a contract of health insurance or health benefits; (4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development; and (6) business management and general administrative activities (see the definition in the regulations for examples).

    The link below provides a checklist of the privacy requirements of Boston University for its HIPAA Covered Components. The links to the Privacy Rule sections in the Code of Federal Regulations (CFR) permit easy reference to the relevant regulatory text.

    The checklist contains links to HIPAA-compliant standard forms. These forms may be modified only with the approval of the HIPAA Privacy and Security Officers and the Office of the General Counsel.

    Privacy Checklist

    For additional information relating to access to HIPAA in research, see and

    The link below lists all the security controls defined and required by HIPAA. The policies that govern how Boston University meets these requirements are also provided as part of the checklist.

    Covered Components must meet these requirements. The HIPAA Privacy and Security Officers, BU Information Security, and Information Services and Technology (IS&T) are all available to assist the Covered Component in this effort.

    In some cases, controls required by HIPAA (and listed below) are found in other regulations and have therefore already been incorporated into an overarching data security policy at BU: the BU Data Protection Standards. In such cases, the full text of those policies is not repeated in this document; instead, a link is provided to the existing policy. In some such cases, a short summary may be provided. That summary is not a complete review of the important elements contained in the referred policy; it is intended to highlight only a few of the important elements. Where a summary is provided, you still need to read the full text of the policy.

    Security Checklist

    For each control in the checklist, links are provided that will take you to the appropriate reference, whether in this document, in the Data Protection Standards or elsewhere.

    Required vs. Addressable

    Note that the controls are classified with an “R” for “required” or an “A” for “addressable”. For example, Risk Analysis is followed by R – § 164.308(a)(1)(ii)(A). If the control is required, no system can be approved to contain or process HIPAA information unless this control is in place. If the control is “addressable”, the organization must respond in one of three ways and must document its decision. The decision to be taken will be made jointly by the organization and Information Security during the required Risk Assessment.

    1. Implement the addressable implementation specifications.  This must be done if it is reasonable and appropriate to do so.  Otherwise,
    2. Implement one or more alternative security measures to accomplish the same purpose if there is a reasonable and appropriate alternative.  Otherwise,
    3. Not implement either an addressable implementation specification or an alternative.

    The decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions must be documented in writing and should include the factors considered as well as the results of the risk assessment on which the decision was based.

    Additional requirements applicable to the Health Plans are reflected in the Notice of Privacy Practices for the Health Plans.

    Business Associate is defined in HIPAA as a person or organization that is not a member of the Covered Component’s (or support unit’s) Workforce and that falls within one of the following categories:

    1. on behalf of the Covered Component (or support unit), it creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA, including billing, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, benefit management, or practice management; or

    2. it provides one of the following types of services to the Covered Component where the service involves the disclosure of PHI to the business associate by the Covered Component or another business associate. The types of services are: legal, actuarial or accounting, consulting, data aggregation, management or administrative, accreditation, or financial services.

    Checklist on Business Associates

    Some data may be subject to specific protection requirements under a contract or grant, or according to a law or regulation not described here. In those circumstances, the most restrictive protection requirements should apply. If you have questions, please contact your supervisor, your Departmental Security Administrator, the Information Security Program Director, or any of the other key contacts within the University on the subject of information security. See Key Contacts above.

    Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University. The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of University policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.