Medical Records and Health Information
Compliance is a must.
The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of all protected health information within each of the University’s clinics that are subject to HIPAA. Those units must comply with the University’s HIPAA Policies.
The clinics subject to HIPAA are:
- Boston University Rehabilitation Services (including the BU Physical Therapy Center and Neurorehabilitation);
- Sargent Choice Nutrition Center;
- Henry M. Goldman School of Medicine Patient Treatment Centers;
- BU Dental Health Center;
- The Albert and Jessie Danielsen Institute; and
- Boston University Student Health Services (but only with respect to services provided to non-students).
Other University departments that provide support services for those units that are subject to HIPAA must treat protected health information from those units as required by HIPAA, and follow the University’s HIPAA Policy.
The Massachusetts Health Privacy Law protects the privacy and security of patient records in the University’s other licensed clinics. Those records are Restricted Use data under the Data Protection Standards.
The clinics covered by the Massachusetts Health Privacy Law are:
- The Occupational Health Center, and
- The Center for Anxiety and Related Disorders.
Other University departments that provide support services for those units that are subject to the Massachusetts Health Privacy Law must treat protected health information from those units as required by the Massachusetts law and the Data Protection Standards.
Failing to comply with these laws and policies has serious consequences.
- The University’s HIPAA Policy explains what must be done to protect patient records in units subject to HIPAA.
- Patient records in other University clinics are Restricted Use data under the University’s Data Protection Standards.
- Research may involve personally identifiable health information of research subjects that must be protected. Contact the Institutional Review Board of the Charles River Campus or the Medical Campus for assistance.
- For information about Research Data Management consult the Boston University Libraries.
- Otherwise, medical information and records concerning medical information generally are not protected by law. For example, a note from a doctor explaining an absence or an email from a colleague noting an illness most likely are not protected by federal or state privacy laws. The information may be sensitive, however, and you should respect the privacy of your fellow community members.
- Report any suspected data breach to the Incident Response Team immediately or call 617-358-1100.
- A data breach involving personal health information protected by federal or state law may lead to identity theft or the exposure of sensitive health information. You don’t want either of those to happen to you; you should do what you can to minimize the risk that it happens to others.
- If there is a data breach that involves protected health information the University may be required to notify every individual whose information has been breached. In addition, the University may be required to notify state attorneys general or the U.S. Department of Health and Human Services about the breach. The department in which the breach occurs will participate in these efforts.
- Regulators may impose fines or penalties and individuals who are harmed may file lawsuits.
Still have questions?
Below you can find contact information and links to team sites.
Email Compliance Services or call 617-358-8090 if you aren’t sure where to start, or for questions concerning compliance with laws or policies concerning medical records or health information.
The Institutional Review Boards oversee the safety and protection of human subjects in research, including the privacy and confidentiality of information about those subjects.