Effective Date: August 1, 2013 Revised: November 1, 2018

HIPAA Policies for Healthcare Providers at Covered Components: Policy 4, Uses Required or Permitted by Law; Prohibited Uses of PHI

Responsible Office: Research Compliance

This Policy 4 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.

The situations described below do not occur routinely, and there are a variety of conditions on these types of disclosures.  Therefore, the Covered Components should refer any such requests for disclosure to the BU HIPAA Privacy Officer and should not respond on their own.

4.1 Required by Law

Immunization Records Provided to Schools:  Because schools are required by law to obtain certificates of vaccination, Covered Components may send such records to a school upon request by a student or parent.  No written Authorization is needed.

Other Types of Disclosures That May Be Authorized

Please contact the BU HIPAA Privacy Officer if you receive any of the following types of requests for disclosure of medical records.  They can assist in ensuring the request is allowed under the law, and that the response to the request and any disclosure fulfills BU’s legal obligations.

Responsibilities of Covered Components:
  • Recognize these circumstances when they occur;
  • Contact the BU HIPAA Privacy Officer promptly for guidance; and
  • Keep record of any such disclosures on a form provided by the BU HIPAA Privacy Officer.
Responsibilities of Privacy Officer:
  • BU HIPAA Privacy Officer will respond promptly to notification from Covered Component of any requests for disclosure of PHI; and
  • BU HIPAA Privacy Officer will authorize and coordinate any disclosures of PHI and will make or coordinate any communications necessary to the requestor.

Disclosures Required by Law:  If a Disclosure is required by Law, the Covered Component will comply with the law.  We do not need to obtain patient Authorization and may not refuse to comply with the law because the patient has not authorized the disclosure.  Examples include:

  • Public Health Activities: reports to a Public Health Authority (including the Massachusetts Department of Public Health (“DPH”) and the Centers for Disease Control) that is authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability. Typical mandatory reports include reporting certain diseases and injuries, and participating in public health surveillance and public health investigations and interventions;
  • Reports of child abuse or neglect to the Massachusetts Department of Children and Families and similar public agencies;
  • Mandatory reports to the federal Food and Drug Administration (FDA); and
  • Reports of certain communicable diseases to the Massachusetts DPH (or similar agencies).

Disclosures Permitted by Law:  In addition to the mandatory reports referenced above, Covered Components may, if they wish, disclose PHI without any patient Authorization in reporting:

  • Abuse, neglect and/or domestic violence (partner violence) when the Individual agrees to the Disclosure or when the Disclosure is authorized by statute or regulation;
  • To a health oversight agency for oversight activities authorized by law to oversee the provider or government benefit programs for beneficiary eligibility determinations, and to governmental agencies charged with determining compliance with program standards or civil rights laws, when the PHI is necessary for the oversight;
  • In response to a court or administrative tribunal order, or in response to a subpoena, discovery request, or other lawful process; such disclosures are managed by the Office of the General Counsel;
  • To Law Enforcement for any of the following purposes:
    • When the subject of the Disclosure is an Individual who is or is suspected to be a victim of a crime, abuse, or other harm;
    • In response to a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer or a grand jury subpoena;
    • In response to an administrative subpoena or summons, a civil or an authorized investigative demand when the information sought is relevant to a legitimate law enforcement inquiry;
    • For the purpose of identifying or locating a suspect, fugitive, material witness, or missing person;
    • For the purpose of alerting law enforcement of the death of the Individual, if the Covered Component has a suspicion that such death resulted from criminal conduct; and
    • Based on a good faith belief that the PHI disclosed constitutes evidence of criminal conduct that occurred on Covered Component premises;
  • Based on a good faith belief that the Disclosure is necessary to prevent or lessen a serious imminent threat, including to the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an Individual under specified circumstances;
  • For certain military and veterans’ activities, national security and intelligence activities, and to correctional institutions, as specified in applicable regulations;
  • To workers’ compensation programs that provide benefits for work related injuries or illness; and/or
  • To the Secretary of Health and Human Services (HHS), information that is pertinent to ascertaining compliance with the privacy requirements.

4.2 Prohibited Uses of PHI: Marketing; Sale; non-BU Purposes

Personal Use or Disclosure of PHI

Workforce members may access, use and disclose PHI only as stated in these policies and in the Covered Component’s Notice of Privacy Practices.  Use and disclosure for personal purposes, or to benefit someone other than the patient and the BU Covered Component, is prohibited.  For example:

  • Workforce members may not post any information, photos, videos or anything else about a patient on social media; and
  • Workforce members may not discuss patients, their conditions, treatment or other information, with family members and close friends who are not part of the patient’s care team.

Sale of PHI Prohibited

BU will not disclose any PHI for financial remuneration (i.e., direct or indirect payment from the party whose product or service is being marketed) unless the arrangement is approved in advance by the BU HIPAA Privacy Officer.

Marketing Defined

Marketing is any communication about a product or service that encourages recipients of the communication to purchase or use the products or services of a person or entity that is outside of the Covered Component.

Marketing does not include medical advice and recommendations of a treating provider.  That is considered “treatment.”  See Policy 3, Routine Use and Disclosure of PHI.

Marketing also does not include informing patients about services offered by a Covered Component.  For example, the Danielsen Institute could inform a patient who has regular individual therapy that the Institute also offers group therapy sessions that the individual may wish to consider taking.  That communication is allowed as part of Treatment.  However, because each Covered Component is separate, if the Danielsen Institute were to recommend dental care at the GSDM Dental Clinic, that would constitute marketing.

Using PHI for Marketing Prohibited

BU Covered Components do not market the products and services of companies or persons to their patients, and do not use or disclose their patient PHI (including lists of patients and their contact information) for marketing purposes, unless the patient has signed a properly completed written authorization and the BU HIPAA Privacy Officer has approved the activity.

Covered Component Workforce members may not market products and services to Covered Component patients; for example, if a Workforce member sells supplements, or kitchenware, or cosmetics, s/he may not use work time to market those products and may not discuss those products with any Covered Component patient.

Activities Which Are Not “Marketing”

Marketing does not include activities for patient treatment, such as:

  • Prescription refill reminders;
  • Communications about a drug or biologic that is prescribed for or recommended to the patient; or
  • Activities involved in treatment of the patient by a health care provider, including communicating the Plan of Care; prescribing a course of medication; case management or care coordination; or to direct or recommend conventional or alternative treatments, therapies, health care providers, or settings of care to the patient.

4.3 Fundraising and Promotion

PHI includes patient demographics and contact information.  Thus, a mailing list of current and/or former patients is PHI.

Covered Components may not use any PHI to solicit donations unless the BU HIPAA Privacy Officer and the Senior Vice President for Development and Alumni Relations are consulted and agree on the PHI that may be accessed and used, consistent with HIPAA.

BU and/or certain Covered Components may wish to use images of patients and/or patient information in promoting BU and/or the Covered Component.  This is permissible if the individual patient signs an appropriate Authorization.  Contact the BU HIPAA Privacy Officer before proceeding.