Effective Date: April 10, 2017

HIPAA Policies for BU Health Plans: Introduction, HIPAA and the Boston University Health Plans

Responsible Office: Research Compliance

This Introduction is part of the HIPAA Policies for BU Health Plans Manual – Privacy and Security of Protected Health Information for BU Health Plans.


HIPAA and the Boston University Health Plans

The BU Health Plans are Covered Entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”). The policies in this BU Health Plans HIPAA Policy Manual are intended to guide the BU Health Plans in complying with HIPAA’s requirements.

The BU Health Plans and their Workforces are required by HIPAA to ensure the privacy and security of all Protected Health Information or PHI that they create, receive, maintain, or transmit. PHI subject to HIPAA may exist in any form including paper, electronic, or verbal. HIPAA further sets standards for how PHI can be used and disclosed, and specifies rights of individuals regarding their PHI.

These policies supersede and replace prior policies concerning HIPAA in the BU Health Plans, and they supplement other policies of the University. For example, under the University’s Data Classification policy, individually identifiable health information that is subject to HIPAA (“PHI”) is categorized as Restricted Use information, meaning that it requires the greatest protection of all data types at the University and breaches of this data are potentially reportable to state and/or federal authorities.

Privacy and Security

This Policy covers both HIPAA’s Privacy Rule and Security Rule.

The Privacy Rule describes who can access, use, create, and disclose PHI, and for what purpose. The Privacy Rule also describes how BU Health Plans must assist Individuals with exercising their rights under HIPAA to access and control the use of their PHI.

The Security Rule describes how to protect electronic PHI (ePHI) when using, storing, or transmitting it to minimize the chance that it will fall into the wrong hands. Throughout the Health Plans policies, links are provided to additional BU Information Security policies that also apply.

Policy Responsibility

The BU Health Plans’ HIPAA Privacy Officer is responsible for development and implementation of BU-wide HIPAA privacy policies.

The BU Health Plans’ HIPAA Security Officer is responsible for development and implementation of BU-wide HIPAA security policies to protect ePHI.

Each of the BU Health Plans has a HIPAA Contact, who is responsible for implementing procedures to carry out these policies in their plans, documenting HIPAA compliance, and performing the other duties listed in Appendix A.

Every member of the BU Health Plans’ Workforce is responsible for understanding and complying with these policies.

The Sponsor of the Health Plans, Boston University (“BU” or “the University”), will comply with these policies and in particular with the limitations on information the BU Health Plans may share with BU as Plan Sponsor, as described in these policies.

Defined terms used in these policies are capitalized. The definitions of those terms are found in Policy 9, Definitions.