Boston University and the HIPAA Privacy Requirements

PREPARING THE COVERED COMPONENT FOR HIPAA COMPLIANCE

Workforce Training

All members of the Workforce of Boston University HIPAA Covered Components (including support services) who use or have access to Protected Health Information are required to complete a training program approved by the Boston University HIPAA Security and Privacy Officers and to be further trained, as necessary, by their supervisors.

Initial and Annual Training

New Workforce members and existing Workforce members who are assigned new duties that require use or disclosure of Protected Health Information will undergo training before gaining access to PHI. All Workforce members will complete training annually.

Documentation

The person responsible for oversight of the Covered Component will ensure that an internal record is maintained for the initial and annual training of each member of its Workforce.

Minimum Necessary Standard

All Workforce members, when using or disclosing Protected Health Information or when requesting Protected Health Information from a third party, must make reasonable efforts to limit Protected Health Information to that which is minimally necessary to accomplish the intended purpose of the use, disclosure, or request. {45 CFR 164.502(b); 45 CFR 164.514(d)}

Exceptions

  • Disclosures to, or requests by, a health care provider for treatment purposes.
  • Uses or disclosures to the individual or the individual’s personal representative.
  • Uses or disclosures made under a written Authorization (see Authorization for Use and Disclosure).
  • Disclosures to the Secretary of the US Department of Health and Human Services.
  • Uses or disclosures that are required by law.
  • Uses or disclosures that are required for compliance with the HIPAA Privacy Rule.

Role-based access to PHI

The Covered Component will establish role-based categories that identify the types of Protected Health Information necessary for Workforce members to use in order to perform their functions. In establishing such Minimum Necessary use, the Component shall take into consideration the Workforce members’ “need to know.” If justifiable based on broad roles, the Component may establish one category of access for all types of information, provided that access will occur only when there is a legitimate role-based need to access the information. See also Workforce Security et seq.

SOP for minimum necessary disclosures of PHI

The Covered Component will implement Standard Operating Procedures (SOPs) for routine and non-routine disclosures that limit the Protected Health Information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

Requests for PHI

When making routine or recurring requests for Protected Health Information, Provider Components and Workforce members will limit such requests to the minimum amount of information necessary to accomplish the intended purpose.

Notice of Privacy Practices

The Covered Component will provide the Notice of Privacy Practices (NPP) to individuals before initiating services.

NPP Content

The Covered Components will use the standard Notice of Privacy Practices form for health care providers or health plans, as the case may be. Modifications to the form may be made as needed if approved by the BU HIPAA Security and Privacy Officer and the Office of the General Counsel.

First service date

Initially, the NPP will be provided by Provider Components no later than the first service delivery date.

Posting the NPP

The Notice of Privacy Practices must be posted at the Provider Component’s service delivery site in a clear and prominent location. The Notice must also be available electronically on the service’s website.

Acknowledgement of receipt of NPP

The Provider Component must make a good faith effort to obtain from the individual a standard Written Acknowledgement of receipt of the Notice of Privacy Practices in such a way as to not negatively impact timely delivery of and access to quality care.

 

LIMITATIONS ON COVERED COMPONENT’S USE AND DISCLOSURE OF PHI

Authorization for Use and Disclosure

A Covered Component may not use or disclose Protected Health Information without an individual’s Authorization that is valid, unless the use or disclosure is otherwise permitted or required by law. See the Notice of Privacy Practices. The Notice of Privacy Practices permits uses and disclosures for most purposes of treatment, payment and health care operations (TPO), as described immediately below, without authorization. However, uses and disclosures outside of TPO and not required by law, including disclosures and access requested by the individual, generally require the individual’s signed Authorization.

Treatment, Payment, and Health Care Operations (TPO)

The Covered Component may generally use or disclose PHI as necessary for its treatment, payment or health care operations (TPO) without authorization from the individual, except in certain special circumstances (see below) where authorization is required. See Other Definitions – Treatment, Payment, and Health Care Operations.

TPO of another health care provider

TPO includes the treatment and payment activities of another health care provider to which disclosure is made. TPO also includes the health care operations of another covered entity, to which disclosure is made, provided that:

  • Both covered entities have or had a relationship with the patient who is the subject of the PHI;
  • The PHI pertains to that relationship; and
  • The disclosure is for a “health care operations” purpose described in the definition.

Uses and Disclosures for TPO where Authorization is required

Certain sensitive uses and disclosures require an individual’s authorization, regardless of whether they fall within TPO, such as:

  1. The sale of PHI;
  2. The use or disclosure of PHI for marketing purposes;
  3. The use or disclosure of genetic information for underwriting purposes; and
  4. Uses or disclosures covered by state and federal laws that give special protection to certain types of health information, such as:
    1. HIV testing or test results.
    2. Genetic testing and test results.
    3. Sensitive information such as sexual assault counseling records or communications between an individual and a social worker, psychologist, psychotherapist or licensed mental health nurse clinical specialist.
    4. Psychotherapy notes (notes maintained outside of the medical record for the therapist’s own use). However, specific permission is not required for use or sharing of these notes if used by the therapist to treat the individual, for training programs, for legal defense in an action the individual brings, or for professional oversight of the therapist.

Use or disclosure to persons involved in the individual's care

The Covered Component may use or disclose to a family member, other relative, close personal friend or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the care or payment related to the care. The individual must normally be informed in advance and be afforded the opportunity, orally or in writing, to agree, object or restrict the use or disclosure, except in certain circumstances (patient incapacitation and emergency) described below. When the individual is not present or an opportunity to agree or object cannot practically be provided because the individual is incapacitated or there is an emergency, the Component must exercise professional judgment as to the individual’s best interest. If the individual is deceased, the Component may disclose to a family member, or other persons identified above who were involved in the individual’s care or payment for health care prior to the individual’s death, PHI of the individual that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known.

Marketing

The Covered Component must obtain authorization for any use or disclosure of PHI for “marketing” purposes, except if the communication is in the form of:

  • A face-to-face communication made by a covered entity to an individual; or
  • A promotional gift of nominal value provided by the Covered Component.

Definition of 'Marketing'

Marketing is “[making] a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” For more information, go to 45 CFR 164.501 and review with the BU HIPAA Security and Privacy Officer and the Office of the General Counsel before undertaking any activity that might constitute marketing without authorization.

Disclosure of 'financial remuneration' from a third party

If the marketing involves “financial remuneration” to the covered entity from a third party, the authorization must state that such remuneration is involved. “Financial remuneration” means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

Fundraising

PHI may be used or disclosed by the Covered Component for fundraising purposes with a proper authorization from the individual. In addition, certain PHI may be used and disclosed by the Component for the purpose of raising funds for its own benefit without an authorization if certain conditions are met. Individuals have the right to opt out of fundraising communications. For more information, go to 45 CFR 164.514(f); also, seek approval of the BU HIPAA Security and Privacy Officers and Office of the General Counsel before undertaking any fundraising without authorization.

Sale of PHI

The Covered Component may not sell PHI without a valid Authorization.

Sale of PHI prohibited, without authorization

“Sale” of Protected Health Information means: Subject to the exceptions stated in the Privacy Rule, a disclosure of Protected Health Information in exchange for remuneration (i.e. payment or other financial or nonfinancial benefit) received directly or indirectly from or on behalf of the recipient of the Protected Health Information.

Exceptions:

  1. For public health purposes permitted by the Privacy Rule;
  2. For research purposes permitted by the Privacy Rule where the only remuneration is a reasonable, cost-based fee to cover the cost to prepare and transmit the Protected Health Information for such purposes;
  3. For treatment and payment purposes permitted by the Privacy Rule;
  4. For the sale, transfer, merger, or consolidation of all or part of the Covered Component and for related due diligence as described in the definition of “health care operations” and permitted by the Privacy Rule;
  5. To or by a Business Associate for activities that the Business Associate undertakes on behalf of a Covered Component, or on behalf of a Business Associate in the case of a subcontractor, as permitted by the Privacy Rule, where the only remuneration is by the Covered Component to the Business Associate, or by the Business Associate to the subcontractor, for the performance of such activities;
  6. To an individual when requested in connection with the individual’s right of access or right to an accounting;
  7. Required by law as permitted by the Privacy Rule; and
  8. For any other purpose permitted by and in accordance with the Privacy Rule, where the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the Protected Health Information for such purpose or a fee otherwise expressly permitted by other law.

For more information go to 45 CFR 164.502(a)(5)(ii); also, seek approval of the BU HIPAA Security and Privacy Officers and Office of the General Counsel before undertaking any activities that may be considered sale of PHI without authorization.

Researcher's Request for Access to PHI

The HIPAA Covered Component may not allow access to PHI for research purposes unless the Researcher presents appropriate authorization or other documentation permitting such access that bears evidence of approval by the cognizant IRB at BU Charles River Campus or Medical Campus. (Requests from researchers outside BU should be referred by the Covered Component to the BU HIPAA Security and Privacy Officer and Office of the General Counsel for discussion.) For the HIPAA privacy requirements relating to access to PHI for research, see http://www.bu.edu/irb/hipaaandphi/ and http://www.bumc.bu.edu/hipaa/

Underwriting

The Health Plans may not use PHI that is “genetic information” for “underwriting purposes”. See BU InfoSec 1.3.3 – Health Plans: HIPAA Privacy and Security

For the definition of “genetic information” see 45 CFR 160.103 and for the definition of “underwriting” see 45 CFR 164.502(a)(5)(i).

Safeguards

Covered Components will implement appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule and to limit incidental uses or disclosures. These safeguards encompass all the actions taken to carry out this HIPAA Policy.

Administrative Safeguards

See Details – Boston University HIPAA Security Requirements - Administrative Safeguards.

Similar administrative safeguards will be implemented to protect PHI in written or oral form, including documentation of the procedures adopted to carry out the HIPAA Privacy Requirements; Workforce training; Workforce access restrictions; gap analyses and compliance assessments; and steps taken to remediate incidents of noncompliance and to reduce the risk of future noncompliance.

Physical Safeguards

See Details – Boston University HIPAA Security Requirements – Physical Safeguards.

Similar physical safeguards will be implemented to protect PHI in written or oral form. Additional safeguards include the use of covers and other physical barriers, and locked cabinets and storage rooms for paper records; and sign-ins/escorts for visitors and patients.

Technical Safeguards

See Details – Boston University HIPAA Security Requirements – Technical Safeguards.

Similar technical safeguards will be implemented to protect PHI in written or oral form.

 

PROCEDURE FOR OBTAINING INDIVIDUAL’S WRITTEN AUTHORIZATION

Authorization form - Content

The Covered Component will use the Standard BU Authorization Form [link], except that modifications to the form may be made if approved by the BU HIPAA Security and Privacy Officers and the Office of the General Counsel. Also, any authorization form bearing evidence that it has been approved by the CRC or BUMC IRB may be used. For detail on the content required in an authorization see 45 CFR 164.508.

No conditioning of services or benefits on Authorization

A Covered Component may not condition the provision of treatment, payment, enrollment in a health plan or eligibility for benefits on the individual’s signing an Authorization except in the event that the Component:

  1. Provides Research related treatment and needs to have permission to share Protected Health Information with third parties participating in the Research;
  2. Needs to share the individual’s Protected Health Information for underwriting purposes or risk determination with the health plan in which the individual wishes to enroll;
  3. Is providing healthcare solely to create Protected Health Information for disclosure to a third party.

Compound Authorization

An authorization for use or disclosure of Protected Health Information generally will not be combined with any other document to create a compound authorization.

Defective authorization

The Covered Component should consider an Authorization to be defective and invalid if any material information in the Authorization is known to be false or if other deficiencies exist, including:

  1. The expiration date has passed or the expiration event is known to have occurred;
  2. The Authorization has not been filled out correctly or completely;
  3. The Authorization is known to have been revoked.

Verification of Recipient's Identity

The Covered Component should make reasonable efforts to verify the identity of the person named in an Authorization before giving such person access to the Protected Health Information. See Authorization form

Revocation of Authorization

Individuals may revoke a duly signed Authorization to use or disclose PHI at any time, provided that the revocation is in writing. A revocation applies from the point of revocation forward; PHI that has already been used or disclosed in reliance on the Authorization while it was valid is not affected. The Covered Component will normally use the standard Revocation of Authorization form.

 

DISCLOSING PROTECTED HEALTH INFORMATION WITHOUT WRITTEN AUTHORIZATION WHEN PERMITTED OR REQUIRED

Authorization not required - circumstances

The Covered Component is permitted or required to disclose PHI without authorization for the purposes listed in the Notice of Privacy Practices.

 

INDIVIDUALS’ RIGHTS TO CONTROL THEIR PHI

Identify the Designated Record Set

Each Covered Component must identify the contents of its Designated Record Set (DRS). This will enable the Covered Component to make determinations about what Protected Health Information may be accessed or amended upon an individual’s request.

Individual's Access to Designated Record Set

Unless otherwise allowed or prohibited under law, individuals have a right to access, inspect and receive a copy of Protected Health Information in the Designated Record Set (DRS) of the Component, for a reasonable fee.

Requesting access

To request access or copies, the individual must sign the standard Authorization form.

Providing access - form, format

The Covered Component will make a reasonable attempt to provide the information requested:

  • in the form and format requested by the individual, if readily producible; or,
  • if not readily producible, in a readable hard copy form or such other form and format as mutually agreed.

See 45 CFR 164.524 for information on providing a summary of the record.

Providing access - time and place

If the Covered Component grants the request, then access or copies will be provided as soon as possible, but no later than 30 days after receipt of the request; provided that, if the Component is unable to meet this deadline, the time may be extended for up to another 30 days if the individual is given notification in writing during the initial 30 days of the reasons for the delay and the expected date of fulfilling the request. The Covered Component will arrange for a mutually convenient time and place for the individual to inspect the information or obtain a copy, or will send a copy of the Protected Health Information at the individual’s request.

Electronic record

If the PHI that is the subject of a request for access is maintained in one or more Designated Record Sets electronically and if the individual requests an electronic copy of such information, the Covered Component must provide the individual with access to the Protected Health Information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the Covered Component and the individual. Readable electronic formats include MS Word or Excel, text, HTML, or text-based PDF. The Covered Component is not required to scan paper records. The preferred method of transmitting requested medical records or health information is via encrypted email. See Authorization form and BU Data Protection – Release of Electronic Protected Health Information for further guidance from BU Information Security.

Charges

Charges for copies will be based on a reasonable cost-based fee including the labor and supply costs of copying.

Denying access - notification/time requirement

If the Covered Component intends to deny a request, in whole or in part, it will provide the individual with a written Notice of Denial of Access to Protected Health Information form, as soon as possible but no later than 30 days after receipt of the request.

Grounds for denial

See 45 CFR 164.524 for details concerning reviewable and non-reviewable grounds for denial of an individual’s request for access and for the procedure for review when appropriate.

See also Notice of Denial of Access to Protected Health Information.

Individual’s Request for Amendment of Designated Record Set

Unless otherwise allowed or prohibited under law, an individual has the right to have a Covered Component amend Protected Health Information or a record about the individual in a Designated Record Set.

Requests for amendment

Requests for amendment by an individual shall be made in writing by completing the standard Request for Amendment of Protected Health Information form or a substantially similar written document.

Notification of decision - timeliness

Using the Notification of Decision on Request for Amendment form, the Covered Component will notify the individual (and others if indicated in the form) of its decision to accept or deny, in whole or in part, the request for amendment. The individual will be notified, in writing, of the decision within 60 days of receipt of the request for amendment. If the Component is unable to act on the amendment within 60 days, the period may be extended for no more than 30 days if the Component gives the individual a written statement of the reasons for the delay.

Continuing disagreement - future disclosure

If the individual submits a statement of disagreement (or does not submit a statement but requests future disclosures to include information about the request for amendment), then the Covered Component must include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the Protected Health Information.

Amending the record

If it accepts the requested amendment, in whole or in part, the Covered Component will make the appropriate amendment to the Protected Health Information or record that is the subject of the request by, at a minimum, identifying the records in the Designated Record Set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.

Individual's request for Restrictions on use or Disclosure of PHI

An individual may orally, or in writing on the Request to Restrict PHI form, make a request for restrictions involving the Covered Component’s

  • uses and disclosures of PHI to carry out treatment, payment, or health care operations; or
  • disclosures to persons permitted to be involved in the individual’s care.

Agreeing to restrictions is generally not required

The request for restriction should be referred to the Records Administrator of the Component who may, in his/her discretion, deny any and all requests, except that the Component must agree to an individual’s request to restrict disclosure of PHI about the individual to a health plan if:

  1. The PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the Covered Component in full; and
  2. The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law.

Any agreed-upon restriction must not be violated; Exceptions

The Component must not violate any agreed-upon accommodation, objection or restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment, the Component may use the restricted PHI or disclose it to a health care provider to provide such treatment to the individual. In this case, the Component must request that the health care provider not further use or disclose the information.

Circumstances where an agreed restriction is not effective

An agreed restriction is not effective to prevent uses or disclosures of PHI that are permitted or required:

  1. To the Secretary of Health and Human Services to investigate or determine compliance with the HIPAA Privacy and Security Rules;
  2. For directory purposes, unless the individual has (officially) objected to the disclosure of directory information;
  3. For all purposes permitted without the individual’s authorization or opportunity to agree or object.

Terminating restrictions

The Covered Component may terminate its agreement to a restriction. One of the following conditions must be met:

  • The individual requests and agrees to the termination in writing;
  • The individual agrees to the termination orally and the oral agreement is documented; or
  • The Component informs the individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to Protected Health Information created or received after notification of the termination.

Individual's request for Confidential Communications

The Covered Component will accommodate any reasonable request from an individual to receive communications of Protected Health Information by an alternative means (e.g., written or oral) or at an alternative location (e.g., work, school or home).

Requesting Accommodation

When an individual submits the Request for Confidential Communications form requesting to receive communications of PHI by alternative means, the Covered Component must accommodate the request if it is reasonable.

Conditional acceptance

The Covered Component may condition the provision of a reasonable accommodation on:

  • When appropriate, information as to how payment, if any, will be handled; and
  • Specification of an alternative address or other method of contact.

Individual's request for an Accounting of Disclosures

The Covered Component will keep track of disclosures of PHI in order to provide an individual, on request, with an accounting of disclosures made without a written Authorization during the period requested by the individual, up to and including the 6 years prior to the date of the individual’s request.

Exceptions: Disclosures that do not need to be tracked for an accounting

Disclosures without a written Authorization do not need to be tracked if made for the following purposes:

  1. Disclosures to carry out treatment, payment and health care operations.
  2. “Incidental” disclosures. An “incidental” disclosure is an unintended disclosure to a third party during the course of a permitted use or disclosure.
  3. Disclosures made for directory purposes.
  4. Disclosures made to persons involved in the individual’s care.
  5. Disclosures made for National Security or Intelligence purposes.
  6. Disclosures to correctional institutions or custodial law enforcement officials.
  7. Disclosures made as part of a Limited Data Set in accordance with a “limited data use agreement,” used solely to disclose a subset of information for Research, public health or health care operations.
  8. Disclosures for Research purposes made in accordance with IRB or Privacy Board waiver requirements, unless the research involves fewer than 50 individuals, in which case a full Accounting must be made of the disclosure for research.

Content of accounting tracking log

The following elements must be included for each disclosure listed:

  1. Date of disclosure.
  2. Name of the receiving party and, if known, its address.
  3. Description of the Protected Health Information disclosed.
  4. A brief statement of the purpose of the disclosure.
  5. If multiple disclosures were made to the same entity for the same purpose, the Covered Component must identify the number of times the disclosure was made and the date of the last such disclosure.

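The tracking log and the accounting built from it are the one part of this policy that a Component will usually implement as software, so the following is an added worked example (not BU's code and not part of the original page) of producing an accounting from a disclosure log under the rules above: disclosures made under a written Authorization and disclosures in the exempt categories are excluded, the lookback window is the requested period capped at 6 years before the request date, and repeated disclosures to the same recipient for the same purpose collapse into one entry carrying the count and the date of the last disclosure. The `purpose_tag` vocabulary, the `Disclosure` field names and the sample log are assumptions constructed for the example; the research-waiver rule (item 8) is not modelled.

```python
from dataclasses import dataclass
from datetime import date

# Purpose categories that the policy lists as NOT requiring tracking for an
# accounting. The tag names are assumptions made for this example; item 8
# (research waivers and the fewer-than-50 rule) is not modelled here.
EXEMPT_PURPOSE_TAGS = frozenset({
    "treatment", "payment", "health_care_operations",   # TPO
    "incidental", "directory", "involved_in_care",
    "national_security", "correctional", "limited_data_set",
})

# An accounting may be requested for at most the 6 years preceding the request.
MAX_ACCOUNTING_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    """One entry in the disclosure tracking log (fields follow the policy's list)."""
    disclosed_on: date
    recipient: str
    address: str              # "" when the address is not known
    description: str          # description of the PHI disclosed
    purpose: str              # brief statement of the purpose
    purpose_tag: str          # category used for the exemption check (assumed vocabulary)
    under_authorization: bool = False   # True when made under a written Authorization


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def must_be_accounted(disc: Disclosure, window_start: date, request_date: date) -> bool:
    """Apply the policy's exclusions: authorized, exempt-purpose and out-of-window disclosures drop out."""
    if disc.under_authorization:
        return False
    if disc.purpose_tag in EXEMPT_PURPOSE_TAGS:
        return False
    return window_start <= disc.disclosed_on <= request_date


def build_accounting(log, request_date: date, years: int = MAX_ACCOUNTING_YEARS) -> list:
    """Return accounting entries for the requested period, oldest first.

    Repeated disclosures to the same recipient for the same purpose collapse into one
    entry carrying the first date, the number of disclosures and the date of the last one.
    """
    years = min(years, MAX_ACCOUNTING_YEARS)          # the individual may ask for less, never more
    window_start = years_before(request_date, years)
    groups: dict = {}
    for disc in sorted(log, key=lambda d: d.disclosed_on):
        if not must_be_accounted(disc, window_start, request_date):
            continue
        key = (disc.recipient, disc.purpose_tag)
        entry = groups.get(key)
        if entry is None:
            groups[key] = {
                "date": disc.disclosed_on,
                "recipient": disc.recipient,
                "address": disc.address or "unknown",
                "description": disc.description,
                "purpose": disc.purpose,
                "count": 1,
                "last_date": disc.disclosed_on,
            }
        else:
            entry["count"] += 1
            entry["last_date"] = disc.disclosed_on   # log is sorted, so this is the latest
    return sorted(groups.values(), key=lambda e: e["date"])


# Constructed sample log for illustration; none of these are real disclosures.
SAMPLE_LOG = [
    Disclosure(date(2016, 5, 5), "Superior Court", "", "Billing records", "Court order", "required_by_law"),
    Disclosure(date(2021, 3, 2), "State public health agency", "1 Example Plaza, Boston MA",
               "Lab result for a reportable condition", "Public health reporting", "public_health"),
    Disclosure(date(2021, 9, 14), "State public health agency", "1 Example Plaza, Boston MA",
               "Lab result for a reportable condition", "Public health reporting", "public_health"),
    Disclosure(date(2022, 6, 1), "Referring physician", "", "Visit summary", "Continuity of care", "treatment"),
    Disclosure(date(2022, 8, 9), "Life insurer", "", "Complete record", "Insurance application",
               "other", under_authorization=True),
    Disclosure(date(2023, 1, 20), "State public health agency", "1 Example Plaza, Boston MA",
               "Lab result for a reportable condition", "Public health reporting", "public_health"),
    Disclosure(date(2023, 11, 30), "Local police department", "", "Name and admission date",
               "Response to a court order", "required_by_law"),
]

REQUEST_DATE = date(2024, 2, 29)   # a leap day, to exercise the 6-year window edge case


def sample_accounting() -> list:
    """Accounting for the constructed log as of REQUEST_DATE."""
    return build_accounting(SAMPLE_LOG, REQUEST_DATE)


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```

On the sample log, the 2016 court disclosure falls outside the window (which starts 2018-02-28, since 2018 has no Feb 29), the treatment disclosure and the insurer disclosure made under an Authorization are excluded, and the three public-health reports collapse into one entry with a count of 3 and a last date of 2023-01-20, leaving two accounting entries.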
                 

ADMINISTRATIVE REQUIREMENTS

Personnel Designations

The BU HIPAA Privacy Officer is responsible for the development and implementation of the BU HIPAA privacy policies and procedures.

Each Covered Component will designate a Records Administrator or other appropriate representative as the contact person who is responsible for receiving complaints and who is able to provide further information about matters covered by the Notice of Privacy Practices. The contact information for this individual will be included in the Notice of Privacy Practices.

Complaints

Each Covered Component will provide a process for individuals to make complaints concerning the HIPAA policies and procedures or compliance with the policies and procedures or HIPAA requirements.

Filing a Complaint

If an individual indicates a wish to file a complaint, the Records Administrator or other appropriate representative of the Covered Component will offer to provide a complaint or incident form to the individual to facilitate the process.

Investigation of a Complaint

The Records Administrator or other appropriate representative of the Covered Component will conduct an investigation as appropriate to have an understanding of the facts and to determine whether a violation occurred. The investigation will include gathering additional relevant information and documentation from the complainant and other internal and external sources as appropriate. The representative of the Covered Component may meet with the complainant. If an allegation is made against a Workforce member, the representative will provide an opportunity for the Workforce member to meet with the representative in accordance with applicable personnel/student practices.

Documentation

The complaint, investigation, and determination or disposition resulting from the investigation will be documented by the Covered Component. The accused Workforce member will be informed of the determination or disposition of the complaint in accordance with applicable personnel/student practices.

Sanctions

Workforce members who fail to comply with this HIPAA Policy or HIPAA requirements will be subject to appropriate sanctions, applied in accordance with applicable personnel/student practices, and the sanctions applied will be documented. See 45 CFR 164.530(e).

Mitigation

If PHI has been used or disclosed in violation of this HIPAA Policy or HIPAA requirements, the Covered Component will mitigate, to the extent practicable, any harmful effect that is known.

Refraining from Intimidating or Retaliatory Acts

Covered Components must not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established by, or for participation in any process provided for, this HIPAA Policy or HIPAA requirements, including the filing of a complaint with the Covered Component or governmental authorities, testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing by governmental authorities under HIPAA, or opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve an impermissible disclosure of PHI.

No Waiver of Rights

Covered Components may not require individuals to waive their rights under HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. See Authorization form.

Policies and Procedures

Covered Components must implement policies and procedures with respect to PHI that are designed to comply with the requirements of the HIPAA Privacy Rule. This HIPAA Policy and any policies and procedures established at the Covered Component level meet this requirement. See also Details-Boston University HIPAA Security Requirements-Organizational Requirements.

Changes

The policies and procedures must be changed as necessary and appropriate to comply with changes in the law. If a change materially affects the content of the Notice of Privacy Practices, the Covered Component must promptly make the appropriate revisions to the NPP and make the revised NPP available. See 45 CFR 164.520, Notice of Privacy Practices.

Documentation

This HIPAA Policy and all policies and procedures established at the Covered Component level, as well as all communications, actions, activities, and designations that are required to be documented under HIPAA, must be maintained in written or electronic form and retained for at least six years from the date of creation or the date when last in effect, whichever is later. See also Details-Boston University HIPAA Security Requirements-Organizational Requirements.