Effective Date: August 1, 2013
Revised: November 1, 2018
Policy
HIPAA Policy Manual – Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components
Responsible Office: Research Compliance
Table of Contents
| Section | Name |
|---|---|
| HCP Introduction | HIPAA at Boston University |
| Privacy and Security | |
| Policy Responsibility | |
| HCP Policy 1 | HIPAA Basics |
| 1.1 HIPAA Covered Components | |
| 1.2 Key Roles | |
| 1.3 What is PHI? | |
| 1.4 De-Identified PHI | |
| 1.5 The Covered Component’s Designated Record Set | |
| 1.6 The Covered Component’s HIPAA Workforce | |
| 1.7 Access to PHI | |
| 1.8 HIPAA Training | |
| HCP Policy 2 | Individual Responsibilities for Safeguarding PHI |
| 2.1 Safeguarding Paper and Other Tangible PHI | |
| 2.2 Safeguarding Verbal PHI | |
| 2.3 Safeguarding Electronic PHI | |
| HCP Policy 3 | Using PHI in Treatment, for Payment, and for Healthcare Operations; Business Associates |
| 3.1 Overview | |
| 3.2 Minimum Necessary Rule | |
| 3.3 Special Rules for PHI in Limited Data Sets | |
| 3.4 Patient Authorization Not Needed for Treatment Purposes | |
| 3.5 Using PHI for Payment Purposes | |
| 3.6 Using PHI for Health Care Operations Purposes | |
| 3.7 Routine Disclosures to an Individual’s Family and Friends | |
| 3.8 Sharing PHI with the Patient’s Other Providers and Health Plans | |
| 3.9 Disclosing PHI to Business Associates | |
| HCP Policy 4 | Uses Required or Permitted by Law: Prohibited Uses of PHI |
| 4.1 Required by Law | |
| 4.2 Prohibited Uses of PHI: Marketing; Sale; non-BU Purposes | |
| 4.3 Fundraising and Promotion | |
| HCP Policy 5 | Situations in which Authorizations and Attestations are Necessary |
| 5.1 General Rules on Authorization | |
| 5.2 Parents, Guardians, and Minors | |
| 5.3 Legally Authorized Representative of an Adult Patient | |
| 5.4 After a Patient’s Death | |
| 5.5 Research: Authorizations and Waivers | |
| 5.6 Students and Observers | |
| 5.7 Using PHI in Publishing | |
| HCP Policy 6 | Individuals’ Rights under HIPAA |
| 6.1 Right to Notice of Privacy Practices | |
| 6.2 Right to Access and Copy Own Health Record | |
| 6.3 Right to Request Amendment | |
| 6.4 Right to an Accounting of Disclosures | |
| 6.5 Right to Request Restriction | |
| 6.6 Right to Request Confidential and Alternative Modes of Communication | |
| 6.7 Right to Complain | |
| HCP Policy 7 | Breaches |
| 7.1 Obligation to Report Potential Breaches | |
| 7.2 No Retaliation | |
| 7.3 Investigation and Remedial Action for Reports of Potential Breaches | |
| 7.4 Breach Notifications | |
| HCP Policy 8 | HIPAA Security Program Philosophy Defined Terms |
| 8.1 Identify | |
| 8.2 Protect | |
| 8.3 Detect: Information System Activity Reviews | |
| 8.4 Respond | |
| 8.5 Recover Contingency Planning; Emergency Mode Operations: Recovery | |
| HCP Policy 9 | Enforcement and Sanctions |
| HCP Policy 10 | Documentation and Retention |
| HCP Policy 11 | Exceptions |
| HCP Policy 12 | Definitions |
| HCP Appendix | Appendix A – HIPAA Contacts |
Last updated: November 2018
Additional Resources Regarding This Policy
Related Policies, Procedures, and Guides
- Sensitive Data Incident Response
- FERPA Policy
- Access to Electronic Information Policy
- Digital Privacy Statement
- Conditions of Use and Policy on Computing Ethics
- Network Security Monitoring Policy
- Information Security Policy
Related Procedure
BU Websites