Data Security

Need to send PHI electronically? 

  • Encrypt the file, share the password over the phone
  • Share the file from SharePoint/OneDrive or Teams
  • Use a HIPAA Compliant Outlook Account (has extra controls, including one year auto deletion of all emails)


Personal Devices?

To ensure we have professional relationships with our patients we don’t use personal phone numbers or accounts.  This ensures provider safety, and compliance with HIPAA and state law.

The Security Rule conduit exception allows us to send and receive HIPAA data without a third party security review and HIPAA Business Associate Agreement when the third party does not store data.

  • landline phone call is permitted – but no one at BU has a landline
    • BU cell phones are digital
    • your personal cell phone is digital
      • most cell phone companies store text messages and voicemail messages
        • cell phone companies don’t sign HIPAA Business Associate Agreements  

See U.S. Dept. of Health and Human Services guidance


Use a HIPAA compliant method to contact patients

  • BU Desk Phone
    • BU desk phone extended to personal cell phones/devices using BU Cisco Webex
      • we have a HIPAA Business Associate Agreement with Cisco
        • Cisco Webex is normally connected to a BU desk phone but Cisco phone numbers can be purchased by contacting


  • BU cell phone to call patients
    • can leave voicemail messages for patients who have provided their phone number and consent for contact by phone
    • can never text patients
      • cell phone companies don’t sign HIPAA Business Associate Agreements


  • BU Microsoft Teams app
    • call, chat/text, video conference (free transcription), and share files
      • we have a HIPAA Business Associate Agreement with Microsoft

Use HIPAA compliant services, such as BU network drive and Teams/SharePoint

HIPAA Limited Data Sets or anonymized data (BU Data Classification Policyservices by classification) can be processed on our Shared Computing Cluster (SCC4).  SCC staff or the data provider (e.g., BMC Clinical Data Warehouse) can help you limit identifiers to dates (e.g., DOB/DOD, date of treatment), city, and zip code.  All other identifiers, including email, phone, pic/video of face, medical record # must be removed or left on Restricted Use network drive (e.g., BUMC Y Drive, RU-NAS).

A completely de-identified data set requires removal of all identifiersSee U.S. Department of Health and Human Services, Office for Civil Rights guidance on de-identification.