Effective Date: August 1, 2013
Revised: November 1, 2018
Policy
HIPAA Policy Manual – Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components
Responsible Office: Research Compliance
Table of Contents
Section | Name |
---|---|
HCP Introduction | HIPAA at Boston University |
Privacy and Security | |
Policy Responsibility | |
HCP Policy 1 | HIPAA Basics |
1.1 HIPAA Covered Components | |
1.2 Key Roles | |
1.3 What is PHI? | |
1.4 De-Identified PHI | |
1.5 The Covered Component’s Designated Record Set | |
1.6 The Covered Component’s HIPAA Workforce | |
1.7 Access to PHI | |
1.8 HIPAA Training | |
HCP Policy 2 | Individual Responsibilities for Safeguarding PHI |
2.1 Safeguarding Paper and Other Tangible PHI | |
2.2 Safeguarding Verbal PHI | |
2.3 Safeguarding Electronic PHI | |
HCP Policy 3 | Using PHI in Treatment, for Payment, and for Healthcare Operations; Business Associates |
3.1 Overview | |
3.2 Minimum Necessary Rule | |
3.3 Special Rules for PHI in Limited Data Sets | |
3.4 Patient Authorization Not Needed for Treatment Purposes | |
3.5 Using PHI for Payment Purposes | |
3.6 Using PHI for Health Care Operations Purposes | |
3.7 Routine Disclosures to an Individual’s Family and Friends | |
3.8 Sharing PHI with the Patient’s Other Providers and Health Plans | |
3.9 Disclosing PHI to Business Associates | |
HCP Policy 4 | Uses Required or Permitted by Law: Prohibited Uses of PHI |
4.1 Required by Law | |
4.2 Prohibited Uses of PHI: Marketing; Sale; non-BU Purposes | |
4.3 Fundraising and Promotion | |
HCP Policy 5 | Situations in which Authorizations are Necessary |
5.1 General Rules on Authorization | |
5.2 Parents, Guardians, and Minors | |
5.3 Legally Authorized Representative of an Adult Patient | |
5.4 After a Patient’s Death | |
5.5 Research: Authorizations and Waivers | |
5.6 Students and Observers | |
5.7 Using PHI in Publishing | |
HCP Policy 6 | Individuals’ Rights under HIPAA |
6.1 Right to Notice of Privacy Practices | |
6.2 Right to Access and Copy Own Health Record | |
6.3 Right to Request Amendment | |
6.4 Right to an Accounting of Disclosures | |
6.5 Right to Request Restriction | |
6.6 Right to Request Confidential and Alternative Modes of Communication | |
6.7 Right to Complain | |
HCP Policy 7 | Breaches |
7.1 Obligation to Report Potential Breaches | |
7.2 No Retaliation | |
7.3 Investigation and Remedial Action for Reports of Potential Breaches | |
7.4 Breach Notifications | |
7.5 Enforcement and Sanctions | |
HCP Policy 8 | HIPAA Security Program Philosophy Defined Terms |
8.1 Identify | |
8.2 Protect | |
8.3 Detect: Information System Activity Reviews | |
8.4 Respond | |
8.5 Recover Contingency Planning; Emergency Mode Operations: Recovery | |
HCP Policy 9 | Documentation and Retention |
HCP Policy 10 | Exceptions |
HCP Policy 11 | Definitions |
HCP Appendix | Appendix A – HIPAA Contacts |
Last updated: November 2018
Additional Resources Regarding This Policy
Related Policies, Procedures, and Guides
- Sensitive Data Incident Response
- FERPA Policy
- Access to Electronic Information Policy
- Digital Privacy Statement
- Conditions of Use and Policy on Computing Ethics
- Network Security Monitoring Policy
- Information Security Policy
Related Procedure
BU Websites