Effective Date: August 1, 2013 Revised: November 1, 2018
Policy

HIPAA Policies for Healthcare Providers at Covered Components: Policy 4, Uses Required or Permitted by Law; Prohibited Uses of PHI

Responsible Office: Research Compliance

This Policy 4 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.


The situations described below do not occur routinely, and there are a variety of conditions on these types of disclosures.  Therefore, the Covered Components should refer any such requests for disclosure to the BU HIPAA Privacy Officer and should not respond on their own.

4.1 Required by Law

Immunization Records Provided to Schools: Because schools are required by law to obtain certificates of vaccination, Covered Components may send such records to a school upon request by a student or parent. No written Authorization is needed.

Other Types of Disclosures That May Be Authorized

Please contact the BU HIPAA Privacy Officer if you receive any of the following types of requests for disclosure of medical records.  They can assist in ensuring the request is allowed under the law, and that the response to the request and any disclosure fulfills BU’s legal obligations.

Responsibilities of Covered Components:
  • Recognize these circumstances when they occur;
  • Contact the BU HIPAA Privacy Officer promptly for guidance; and
  • Keep record of any such disclosures on a form provided by the BU HIPAA Privacy Officer.
Responsibilities of Privacy Officer:
  • BU HIPAA Privacy Officer will respond promptly to notification from a Covered Component of any requests for disclosure of PHI; and
  • BU HIPAA Privacy Officer will authorize and coordinate any disclosures of PHI and will make or coordinate any communications necessary to the requestor.

Disclosures Required by Law: If a Disclosure is required by law, the Covered Component will comply with the law. We do not need to obtain patient Authorization and may not refuse to comply with the law because the patient has not authorized the disclosure. Examples include:

  • Public Health Activities: reports to a Public Health Authority (including the Massachusetts Department of Public Health (“DPH”) and the Centers for Disease Control) that is authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability. Typical mandatory reports include reporting certain diseases and injuries, and participating in public health surveillance and public health investigations and interventions;
  • Reports of child abuse or neglect to the Massachusetts Department of Children and Families and similar public agencies;
  • Mandatory reports to the federal Food and Drug Administration (FDA); and
  • Reports of certain communicable diseases to the Massachusetts DPH (or similar agencies).

Disclosures Permitted by Law:  In addition to the mandatory reports referenced above, Covered Components may, if they wish, disclose PHI without any patient Authorization in reporting:

  • Abuse, neglect and/or domestic violence (partner violence) when the Individual agrees to the Disclosure or when the Disclosure is authorized by statute or regulation;
  • To a health oversight agency for oversight activities authorized by law to oversee the provider or government benefit programs for beneficiary eligibility determinations, and to governmental agencies charged with determining compliance with program standards or civil rights laws, when the PHI is necessary for the oversight;*
  • In response to a court or administrative tribunal order, or in response to a subpoena, discovery request, or other lawful process; such disclosures are managed by the Office of the General Counsel;*
  • To Law Enforcement for any of the following purposes:*
    • When the subject of the Disclosure is an Individual who is or is suspected to be a victim of a crime, abuse, or other harm;
    • In response to a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer or a grand jury subpoena;
    • In response to an administrative subpoena or summons, a civil or an authorized investigative demand when the information sought is relevant to a legitimate law enforcement inquiry;
    • For the purpose of identifying or locating a suspect, fugitive, material witness, or missing person;
    • For the purpose of alerting law enforcement of the death of the Individual, if the Covered Component has a suspicion that such death resulted from criminal conduct; and
    • Based on a good faith belief that the PHI disclosed constitutes evidence of criminal conduct that occurred on Covered Component premises;
  • Based on a good faith belief that the Disclosure is necessary to prevent or lessen a serious imminent threat, including to the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an Individual under specified circumstances;
  • For certain military and veterans’ activities, national security and intelligence activities, and to correctional institutions, as specified in applicable regulations;
  • To workers’ compensation programs that provide benefits for work-related injuries or illness;
  • To the Secretary of Health and Human Services (HHS), information that is pertinent to ascertaining compliance with the privacy requirements;
  • To organ procurement organizations for the purpose of facilitating organ, eye, or tissue donation and transplantation;
  • To funeral directors (including disclosing PHI prior to, and in reasonable anticipation of, the individual’s death), as necessary to carry out their duties with respect to the decedent; and
  • To coroners and medical examiners for purposes of identification, determining cause of death, or other duties authorized by law.*

* While a patient Authorization is not required in these circumstances, a valid Attestation (which can be found on the HIPAA site) is required from the person requesting PHI potentially limited to reproductive health care. See Policy 5, Section 5.8 for more information on Attestations.

4.2 Prohibited Uses of PHI

Personal Use or Disclosure of PHI

Workforce members may access, use and disclose PHI only as stated in these policies and in the Covered Component’s Notice of Privacy Practices.  Use and disclosure for personal purposes, or to benefit someone other than the patient and the BU Covered Component, is prohibited.

Sale of PHI

BU will not disclose any PHI for financial remuneration (i.e., direct or indirect payment from the party whose product or service is being marketed) unless the arrangement is approved in advance by the BU HIPAA Privacy Officer.

Social Media

Workforce members may not post or share any information, photos, or videos of patients, or anything else about a patient, on or through social media, regardless of whether it is de-identified. The only exception is social media content (which will comply with HIPAA and Massachusetts health privacy laws) made by an individual and/or department of a Covered Component approved by the BU HIPAA Privacy Officer. Social media is defined as internet-based applications that support and promote the exchange of user-developed content, including, but not limited to, social networks, blogs, micro-blogs, video, audio, or photo sharing, social bookmarking, public comment sections on webpages, user-created web pages, and other online communications or internet-based social media applications similar in purpose or function to those described herein.

Reproductive Health Care

Workforce members may not use or disclose PHI for any of the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
  • To identify any person for any purpose described above.

This prohibition does not apply only if: a workforce member has actual knowledge that the reproductive health care was not lawful; or the requestor demonstrates a substantial factual basis that the reproductive health care was not lawful. However, prior to using and/or disclosing PHI for such activities, staff members must contact their supervisor or manager (as applicable), who will reach out to the HIPAA contact.

Marketing Defined

Marketing is any communication about a product or service that encourages recipients of the communication to purchase or use the products or services of a person or entity that is outside of the Covered Component.

Marketing does not include medical advice and recommendations of a treating provider.  That is considered “treatment.”  See Policy 3, Routine Use and Disclosure of PHI.

Marketing also does not include informing patients about services offered by a Covered Component. For example, the Danielsen Institute could inform a patient who has regular individual therapy that the Institute also offers group therapy sessions that the individual may wish to consider taking. That communication is allowed as part of Treatment. However, because each Covered Component is separate, if the Danielsen Institute were to recommend dental care at the GSDM Dental Clinic, that would constitute marketing.

Using PHI for Marketing

BU Covered Components do not market the products and services of companies or persons to their patients, and do not use or disclose their patient PHI (including lists of patients and their contact information) for marketing purposes, unless the patient has signed a properly completed written authorization and the BU HIPAA Privacy Officer has approved the activity.

Covered Component Workforce members may not market products and services to Covered Component patients; for example, if a Workforce member sells supplements, or kitchenware, or cosmetics, s/he may not use work time to market those products and may not discuss those products with any Covered Component patient.

Activities Which Are Not “Marketing”

Marketing does not include activities for patient treatment, such as:

  • Prescription refill reminders;
  • Communications about a drug or biologic that is prescribed for or recommended to the patient; or
  • Activities involved in treatment of the patient by a health care provider, including communicating the Plan of Care; prescribing a course of medication; case management or care coordination; or to direct or recommend conventional or alternative treatments, therapies, health care providers, or settings of care to the patient.

4.3 Fundraising and Promotion

PHI includes patient demographics and contact information.  Thus, a mailing list of current and/or former patients is PHI.

Covered Components may not use any PHI to solicit donations unless the BU HIPAA Privacy Officer and the Senior Vice President for Development and Alumni Relations are consulted and agree on the PHI that may be accessed and used, consistent with HIPAA.

BU and/or certain Covered Components may wish to use images of patients and/or patient information in promoting BU and/or the Covered Component.  This is permissible if the individual patient signs an appropriate Authorization.  Contact the BU HIPAA Privacy Officer before proceeding.