Medical Records and Health Information

Compliance is a must.

The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of all protected health information within each of the University’s clinics that are subject to HIPAA. Those units must comply with the University’s HIPAA Policies.

The Massachusetts Health Privacy Law protects the privacy and security of patient records in the University’s other licensed clinics. Those records are Restricted Use data under the Data Protection Standards.

Failing to comply with these laws and policies has serious consequences.


The Basics

  • The University’s HIPAA Policy explains what must be done to protect patient records in units subject to HIPAA.
  • Patient records in other University clinics are Restricted Use data under the University’s Data Protection Standards.
  • Research may involve personally identifiable health information of research subjects that must be protected. Contact the Institutional Review Board of the Charles River Campus or the Medical Campus for assistance.
  • For information about Research Data Management consult the Boston University Libraries.
  • Outside those clinical and research contexts, medical information generally is not protected by HIPAA or the Massachusetts Health Privacy Law. For example, a note from a doctor explaining an absence, or an email from a colleague mentioning an illness, most likely is not covered by federal or state privacy law. The information is still sensitive, however, and you should respect the privacy of your fellow community members.
  • Report any suspected data breach to the Incident Response Team immediately or call 617-358-1100.
  • A data breach involving personal health information protected by federal or state law may lead to identity theft or the exposure of sensitive health information. You don’t want either of those to happen to you; you should do what you can to minimize the risk that it happens to others.
  • If a data breach involves protected health information, the University may be required to notify every individual whose information was exposed. The University may also be required to notify state attorneys general or the U.S. Department of Health and Human Services. The department in which the breach occurs will participate in these efforts.
  • Regulators may impose fines or penalties and individuals who are harmed may file lawsuits.

Still have questions?

Below you can find contact information and links to team sites.

Compliance Services

Email Compliance Services or call 617-358-8090 if you aren’t sure where to start, or for questions concerning compliance with laws or policies concerning medical records or health information.

Information Security

Information Security can help you keep data secure, reliable, and accessible. Report a data breach to the Information Security Breach Response Team.

Institutional Review Board, Charles River Campus

Institutional Review Board, Medical Campus

The Institutional Review Boards oversee the safety and protection of human subjects in research, including the privacy and confidentiality of information about those subjects.
