Medical Records and Health Information
Compliance is a must.
The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of all protected health information within each of the University’s clinics that are subject to HIPAA. Those units must comply with the University’s HIPAA Policies.
Click here for those clinics:
The Massachusetts Health Privacy Law protects the privacy and security of patient records in the University’s other licensed clinics. Those records are Restricted Use data under the Data Protection Standards.
Click here for those clinics:
Failing to comply with these laws and policies has serious consequences.
PAGE CONTENTS:
The Basics
Consequences
Still Have Questions?
The Basics
- The University’s HIPAA Policy explains what must be done to protect patient records in units subject to HIPAA.
- Patient records in other University clinics are Restricted Use data under the University’s Data Protection Standards.
- Research may involve personally identifiable health information of research subjects that must be protected. Contact the Institutional Review Board of the Charles River Campus or the Medical Campus for assistance.
- For information about Research Data Management consult the Boston University Libraries.
- Otherwise, medical information and records concerning medical information generally are not protected by law. For example, a note from a doctor explaining an absence or an email from a colleague noting an illness most likely are not protected by federal or state privacy laws. The information may be sensitive, however, and you should respect the privacy of your fellow community members.
- Report any suspected data breach to the Incident Response Team immediately or call 617-358-1100.
Consequences
- A data breach involving personal health information protected by federal or state law may lead to identity theft or the exposure of sensitive health information. You don’t want either of those to happen to you; you should do what you can to minimize the risk that it happens to others.
- If there is a data breach that involves protected health information the University may be required to notify every individual whose information has been breached. In addition, the University may be required to notify state attorneys general or the U.S. Department of Health and Human Services about the breach. The department in which the breach occurs will participate in these efforts.
- Regulators may impose fines or penalties and individuals who are harmed may file lawsuits.
Still have questions?
Below you can find contact information and links to team sites.
Compliance Services
Email Compliance Services or call 617-358-8090 if you aren’t sure where to start, or for questions concerning compliance with laws or policies concerning medical records or health information.
Information Security
Information Security can help you keep data secure, reliable, and accessible. Report a data breach to the Information Security Breach Response Team.
Institutional Review Board, Charles River Campus
Institutional Review Board, Medical Campus
The Institutional Review Boards oversee the safety and protection of human subjects in research, including the privacy and confidentiality of information about those subjects.