Download PDF
Effective Date: August 1, 2013 Revised: November 1, 2018

HIPAA Policies for Healthcare Providers at Covered Components: Introduction – HIPAA at Boston University

Responsible Office Research Compliance

This Introduction is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.

HIPAA at Boston University

These policies are intended to guide the health care provider units of Boston University that are covered by the Health Insurance Portability and Accessibility Act (“HIPAA”) in complying with HIPAA’s requirements. Those units are referred to as Covered Components. Separate policies apply to the BU Health Plans, which are Covered Entities.

The Covered Components and their Workforces are required by HIPAA to ensure the privacy and security of all protected health information (“PHI”) that they create, receive, maintain, or transmit. PHI subject to HIPAA may exist in any form including paper, electronic, or verbal.  They also observe the rights of individuals regarding their PHI as mandated by HIPAA.

These policies supersede and replace all prior policies concerning HIPAA at BU, and they supplement other policies of the University.  For example, under the University’s Data Classification policy, individually identifiable health information that is subject to HIPAA (“PHI”) is categorized as Restricted Use information, meaning that it requires the greatest protection of all data types at the University and breaches of this data are potentially reportable to state and/or federal authorities.

Privacy and Security

The Privacy Rule describes who can access, use, and disclose PHI, and for what purposes. The Privacy Rule also describes how Covered Components must assist Individuals with exercising their rights under HIPAA to access and control the use of his or her PHI.

The Security Rule describes how to protect electronic PHI (“ePHI”) when using, storing, or transmitting it to minimize the chance that it will fall into the wrong hands.  Links are provided to pertinent BU Information Security policies.

Policy Responsibility

These HIPAA Privacy and Security Policies apply to all Boston University designated Covered Components. Those primarily responsible for implementation of these policies are:

  • BU’s HIPAA Privacy Officer is responsible for development and implementation of BU-wide HIPAA privacy policies.
  • BU’s HIPAA Security Officer is responsible for development and implementation of BU-wide HIPAA security policies to protect ePHI.
  • Each Covered Component has a HIPAA Contact, responsible for implementation of procedures to implement these policies in their units, documenting HIPAA compliance, and the other duties listed in Appendix A. Every member of each Covered Component Workforce is responsible for understanding and complying with these policies and the Covered Component’s procedures.

Defined terms used in these policies are capitalized. The definitions of those terms are found in Policy 11, Definitions.


Next Section: HIPAA Policies for Healthcare Providers at Covered Components, 1 HIPAA Basics