Effective Date: April 10, 2017

HIPAA Policies for BU Health Plans: Policy 4, Non-Routine Uses and Disclosures of PHI without Authorization; Prohibited Uses

Responsible Office: Research Compliance

This Policy 4 is part of the HIPAA Policies for BU Health Plans Manual – Privacy and Security of Protected Health Information for BU Health Plans.

The situations described below do not occur routinely, and there are a variety of conditions on these types of disclosures. Therefore, the BU Health Plans should refer any such requests for disclosure to the BU HIPAA Privacy Officer, and should not respond on their own.

4.1 Non-Routine Disclosures of PHI Permitted or Required by Law without Patient Authorization

Responsibilities of BU Health Plans:

  • Recognize these circumstances when they occur;
  • Contact the BU HIPAA Privacy Officer promptly for guidance; and
  • Keep a record of any such disclosures on a form provided by the BU HIPAA Privacy Officer.

Responsibilities of Privacy Officer:

  • BU HIPAA Privacy Officer will respond promptly to notification from BU Health Plans of any requests for disclosure of PHI; and
  • BU HIPAA Privacy Officer will authorize and coordinate any disclosures of PHI, and will make or coordinate any communications necessary to the requestor.

Types of Disclosures That May Be Authorized
Please contact the BU HIPAA Privacy Officer if you receive any of the following types of requests for disclosure of medical records.  They can assist in ensuring the request is allowed under the law, and that the response to the request and any disclosure fulfills BU’s legal obligations.

Disclosures Required by Law: 

If a Disclosure is required by Law, the BU Health Plans will comply with the law.  Examples include:

  • Public Health Activities: A Public Health Authority (including the Massachusetts Department of Public Health (“DPH”) and the Centers for Disease Control) that is authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability.

In addition to the mandatory reports referenced above, BU Health Plans may disclose PHI in reporting:

  • Abuse, neglect and/or domestic violence (partner violence) when the Individual agrees to the Disclosure or when the Disclosure is authorized by statute or regulation;
  • To a health oversight agency for oversight activities authorized by law to oversee the provider or government benefit programs for beneficiary eligibility determinations, and to governmental agencies charged with determining compliance with program standards or civil rights laws, when the PHI is necessary for the oversight;
  • In response to a court or administrative tribunal order, or in response to a subpoena, discovery request, or other lawful process; such disclosures are managed by the Office of the General Counsel;
  • To Law Enforcement for any of the following purposes:
    • When the subject of the Disclosure is an Individual who is or is suspected to be a victim of a crime, abuse, or other harm;
    • In response to a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer or a grand jury subpoena;
    • In response to an administrative subpoena or summons, a civil or an authorized investigative demand when the information sought is relevant to a legitimate law enforcement inquiry;
    • For the purpose of identifying or locating a suspect, fugitive, material witness, or missing person;
    • For the purpose of alerting law enforcement of the death of the Individual, if the BU Health Plans has a suspicion that such death resulted from criminal conduct; and
    • Based on a good faith belief that the PHI disclosed constitutes evidence of criminal conduct that occurred on BU Health Plans premises;
  • Based on a good faith belief that the Disclosure is necessary to prevent or lessen a serious imminent threat, including to the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an Individual under specified circumstances;
  • For certain military and veterans’ activities, national security and intelligence activities, and to correctional institutions, as specified in applicable regulations;
  • To workers’ compensation programs that provide benefits for work related injuries or illness; and/or
  • To the Secretary of Health and Human Services (HHS) information that is pertinent to ascertaining compliance with the privacy requirements.

4.2 Prohibited Uses of PHI:  Marketing; Sale; non-BU Purposes

Personal Use or Disclosure of PHI
Workforce members may access, use and disclose PHI only as stated in these policies and in the BU Health Plans’ Notice of Privacy Practices.  Use and disclosure for personal purposes, or to benefit someone other than the patient and the BU Health Plans, is prohibited.  For example:

  • Workforce members may not post any information, photos, videos or anything else about participants on social media.
  • Workforce members may not discuss individuals, their conditions, treatment or other information, with family members and close friends who are not part of the patient’s care team.

Sale of PHI, Financial Remuneration Prohibited
BU Health Plans will not disclose any PHI for financial remuneration (i.e., direct or indirect payment from the party whose product or service is being marketed) unless the arrangement activity is approved in advance by the BU HIPAA Privacy Officer.

Marketing Defined 
Marketing is any communication about a product or service that encourages recipients of the communication to purchase or use the products or services of a person or entity that is outside of the BU Health Plans.

Marketing also does not include informing patients about services offered by the BU Health Plans.

Prohibition on Using PHI for Marketing
BU Health Plans may not market the products and services of companies or persons to their patients, and may not use or disclose their patient PHI (including lists of patients and their contact information) for marketing purposes, unless the patient has signed a properly completed written Authorization and the BU HIPAA Privacy Officer has approved the activity.

BU Health Plans Workforce members may not market products and services to BU Health Plans patients; for example, if a Workforce member sells supplements, or kitchenware, or cosmetics, s/he may not use work time to market those products, and may not discuss those products with any BU Health Plans patient.

4.3 Use of PHI in Communications for Fundraising and Promotion

PHI includes patient demographics and contact information.  Thus, a mailing list of current and/or former patients is PHI.

BU Health Plans may not use any PHI to solicit funds, unless the BU HIPAA Privacy Officer and the Senior Vice President for Development and Alumni Relations are consulted and agree on the PHI that may be accessed and used, consistent with HIPAA.

BU and/or certain BU Health Plans may wish to use images of patients and/or patient information in promoting BU and/or the BU Health Plans.  This is permissible if the individual patient signs an appropriate Authorization.  Contact the BU HIPAA Privacy Officer before proceeding.