Effective Date: August 1, 2013; Revised: November 1, 2018

HIPAA Policy Manual – Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components

Responsible Office: Research Compliance

Table of Contents

Section Name
HCP Introduction HIPAA at Boston University
Privacy and Security
Policy Responsibility
HCP Policy 1 HIPAA Basics
1.1 HIPAA Covered Components
1.2 Key Roles
1.3 What is PHI?
1.4 De-Identified PHI
1.5 The Covered Component’s Designated Record Set
1.6 The Covered Component’s HIPAA Workforce
1.7 Access to PHI
1.8 HIPAA Training
HCP Policy 2 Individual Responsibilities for Safeguarding PHI
2.1 Safeguarding Paper and Other Tangible PHI
2.2 Safeguarding Verbal PHI
2.3 Safeguarding Electronic PHI
HCP Policy 3 Using PHI in Treatment, for Payment, and for Healthcare Operations; Business Associates
3.1 Overview
3.2 Minimum Necessary Rule
3.3 Special Rules for PHI in Limited Data Sets
3.4 Patient Authorization Not Needed for Treatment Purposes
3.5 Using PHI for Payment Purposes
3.6 Using PHI for Health Care Operations Purposes
3.7 Routine Disclosures to an Individual’s Family and Friends
3.8 Sharing PHI with the Patient’s Other Providers and Health Plans
3.9 Disclosing PHI to Business Associates
HCP Policy 4 Uses Required or Permitted by Law: Prohibited Uses of PHI
4.1 Required by Law
4.2 Prohibited Uses of PHI: Marketing; Sale; non-BU Purposes
4.3 Fundraising and Promotion
HCP Policy 5 Situations in which Authorizations are Necessary
5.1 General Rules on Authorization
5.2 Parents, Guardians, and Minors
5.3 Legally Authorized Representative of an Adult Patient
5.4 After a Patient’s Death
5.5 Research: Authorizations and Waivers
5.6 Students and Observers
5.7 Using PHI in Publishing
HCP Policy 6 Individuals’ Rights under HIPAA
6.1 Right to Notice of Privacy Practices
6.2 Right to Access and Copy Own Health Record
6.3 Right to Request Amendment
6.4 Right to an Accounting of Disclosures
6.5 Right to Request Restriction
6.6 Right to Request Confidential and Alternative Modes of Communication
6.7 Right to Complain
HCP Policy 7 Breaches
7.1 Obligation to Report Potential Breaches
7.2 No Retaliation
7.3 Investigation and Remedial Action for Reports of Potential Breaches
7.4 Breach Notifications
7.5 Enforcement and Sanctions
HCP Policy 8 HIPAA Security Program
Defined Terms
8.1 Identify
8.2 Protect
8.3 Detect: Information System Activity Reviews
8.4 Respond
8.5 Recover: Contingency Planning; Emergency Mode Operations: Recovery
HCP Policy 9 Documentation and Retention
HCP Policy 10 Exceptions
HCP Policy 11 Definitions
HCP Appendix Appendix A – HIPAA Contacts

Last updated: November 2018