HIPAA Policies for BU Health Plans: Introduction, HIPAA and the Boston University Health Plans
This Introduction is part of the HIPAA Policies for BU Health Plans Manual – Privacy and Security of Protected Health Information for BU Health Plans.
HIPAA and the Boston University Health Plans
The BU Health Plans are Covered Entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”). The policies in this BU Health Plans HIPAA Policy Manual are intended to guide the BU Health Plans in complying with HIPAA’s requirements.
The BU Health Plans and their Workforces are required by HIPAA to ensure the privacy and security of all Protected Health Information or PHI that they create, receive, maintain, or transmit. PHI subject to HIPAA may exist in any form including paper, electronic, or verbal. HIPAA further sets standards for how PHI can be used and disclosed, and specifies rights of individuals regarding their PHI.
These policies supersede and replace prior policies concerning HIPAA in the BU Health Plans, and they supplement other policies of the University. For example, under the University’s Data Classification policy, individually identifiable health information that is subject to HIPAA (“PHI”) is categorized as Restricted Use information, meaning that it requires the greatest protection of all data types at the University and breaches of this data are potentially reportable to state and/or federal authorities.
Privacy and Security
This Policy covers both HIPAA’s Privacy Rule and Security Rule.
The Privacy Rule describes who can access, use, create, and disclose PHI, and for what purpose. The Privacy Rule also describes how the BU Health Plans must assist Individuals in exercising their rights under HIPAA to access and control the use of their PHI.
The Security Rule describes how to protect electronic PHI (ePHI) when using, storing, or transmitting it to minimize the chance that it will fall into the wrong hands. Throughout the Health Plans policies, links are provided to additional BU Information Security policies that also apply.
Policy Responsibility
The BU Health Plans’ HIPAA Privacy Officer is responsible for development and implementation of BU-wide HIPAA privacy policies.
The BU Health Plans’ HIPAA Security Officer is responsible for development and implementation of BU-wide HIPAA security policies to protect ePHI.
Each of the BU Health Plans has a HIPAA Contact, who is responsible for implementing procedures that carry out these policies in their plan, documenting HIPAA compliance, and performing the other duties listed in Appendix A.
Every member of the BU Health Plans’ Workforce is responsible for understanding and complying with these policies.
The Sponsor of the Health Plans, Boston University (“BU” or “the University”), will comply with these policies and in particular with the limitations on information the BU Health Plans may share with BU as Plan Sponsor, as described in these policies.
Defined terms used in these policies are capitalized. The definitions of those terms are found in Policy 9, Definitions.
Additional Resources Regarding This Policy
Related Policies, Procedures, and Guides
- HIPAA
Related BU Policies and Procedures
- HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components
- HIPAA Policies for BU Health Plans [current page]
- HIPAA Information for Charles River Campus Researchers
- Data Security