HIPAA Policies for Health Care Providers

Privacy and Security of Protected Health Information

Table of Contents

Section Name
HCP Introduction HIPAA at Boston University
Privacy and Security
Policy Responsibility
HCP Policy 1 HIPAA Basics
1.1 HIPAA Covered Components
1.2 Key Roles
1.3 What is PHI?
1.4 De-Identified PHI
1.5 The Covered Component’s Designated Record Set
1.6 The Covered Component’s HIPAA Workforce
1.7 Access to PHI
1.8 HIPAA Training
HCP Policy 2 Individual Responsibilities for Safeguarding PHI
2.1 Safeguarding PHI and Other Tangible PHI
2.2 Safeguarding Verbal PHI
2.3 Safeguarding Electronic PHI
HCP Policy 3 Routine Use and Disclosure of PHI
3.1 Overview of Routine Uses and Disclosures
3.2 Minimum Necessary Rule
3.3 PHI in Limited Data Sets
3.4 Routine Use and Disclosure of PHI without Patient Authorization for Treatment Purposes
3.5 Routine Use of PHI without Patient Authorization for Payment Purposes
3.6 Routine Use and Disclosure of PHI without Patient Authorization for Health Care Operations Purposes
3.7 Routine Disclosures to an Individual’s Family and Friends
3.8 Routine Disclosures of PHI to Other Providers and Health Plans
3.9 Disclosing PHI to Business Associates
HCP Policy 4 Non-Routine PHI Uses and Disclosures
4.1 Non-Routine Disclosures of PHI Permitted by Law without Patient Authorization
4.2 Prohibited Uses of PHI: Marketing; Sale; non-BU Purposes
4.3 Use of PHI in Communications for Fundraising and Promotion
HCP Policy 5 Authorizations and When They are Necessary
5.1 General Rules on Authorization
5.2 Authorization by Parents, Guardians, and Minors
5.3 Authorization by a Legally Authorized Representative of an Adult
5.4 Authorization on Behalf of a Deceased Individual
5.5 Accessing and Using PHI for Research: Authorizations and Waivers
5.6 Disclosures of PHI to Students and Observers
5.7 Use and Disclosure of PHI in Publishing
HCP Policy 6 Individuals’ Rights under HIPAA
6.1 Right to Notice of Privacy Practices
6.2 Right to Access and Copy Own Health Record
6.3 Right to Request Amendment
6.4 Right to an Accounting of Disclosures
6.5 Right to Request Restriction
6.6 Right to Request Confidential and Alternative Modes of Communication
6.7 Right to Complain
HCP Policy 7 Breaches
7.1 Obligation to Report Potential Breaches
7.2 No Retaliation
7.3 Response to Reports of Potential Breaches: Investigation and Remedial Action
7.4 Breach Notifications
7.5 Enforcement and Sanctions
HCP Policy 8 HIPAA Security Program
8.1 Phase 1: Identify
8.2 Phase 2: Protect
8.3 Phase 3: Detect
8.4 Phase 4: Respond
8.5 Phase 5: Recover
8.6 Ongoing Maintenance of Security
HCP Policy 9 Documentation and Retention
HCP Policy 10 Exceptions
HCP Policy 11 Definitions
HCP Appendix Appendix A – HIPAA Contacts

Last updated: April 2017