This Policy 10 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.

10. Exceptions

The HIPAA Privacy Officer and HIPAA Security Officer will jointly review any requested exceptions to the requirements set forth in this Policy. Exceptions will be granted if a thorough review of the situation demonstrates appropriate compensating controls have been implemented, and the risk posed by the exception is reasonable and acceptable.

If the requested exception also involves a deviation from standards and policies of the BU IS&T department, the Covered Component must contact IS&T for a separate waiver or exception of those policies.