Medical Records and Health Information Guidance


The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy and security of all protected health information within each of the University’s clinics that are subject to HIPAA. Those units must comply with the University’s HIPAA Policies for BU Healthcare Provider Covered Components. The University also maintains HIPAA Policies for the BU Health Plans.

The Commonwealth also has a Massachusetts Health Privacy Law that protects the privacy and security of patient records; it applies in the University’s other licensed clinics. Those records are Restricted Use data under the Data Protection Standards.

The Basics

  • The University’s HIPAA Policy explains what must be done to protect patient records in units subject to HIPAA.
  • Patient records in other University clinics are considered Restricted Use data under the University’s Data Protection Standards.
  • Research may involve personally identifiable health information of research subjects that must be protected. The Institutional Review Board of the Charles River Campus or the Boston University Medical Campus should be consulted for assistance.
  • Otherwise, medical information and records concerning medical information generally are not protected by law. For example, a note from a doctor explaining an absence or an email from a colleague noting an illness most likely are not protected by federal or state privacy laws. The information may be sensitive, however, and you should respect the privacy of your fellow community members.
  • Information on how to report any suspected data breach can be found on the BU HIPAA website, on a webpage specifically dedicated to protocols for reporting suspected breaches.

Consequences

  • A data breach involving personal health information protected by federal or state law may lead to identity theft or the exposure of sensitive health information. You don’t want either of those to happen to you; you should do what you can to minimize the risk that it happens to others.
  • If there is a data breach that involves protected health information, the University may be required to notify every individual whose information has been breached. In addition, the University may be required to notify state attorneys general or the U.S. Department of Health and Human Services about the breach. The department in which the breach occurs will participate in these efforts.
  • Regulators may impose fines or penalties and individuals who are harmed may file lawsuits.

HIPAA Contacts Around the University

HIPAA at Boston University is a website that includes information for BU’s HIPAA Covered Components and HIPAA Covered Health Plans on how to comply with HIPAA, as well as other health information privacy resources. It is also a helpful resource for members of the BU community who provide services to or otherwise support the Covered Components.

The HIPAA Policy includes an up-to-date listing of all relevant HIPAA contacts throughout the University to help you determine the appropriate contact(s) depending on your specific inquiries. The HIPAA contacts list includes:

  • HIPAA Contacts designated by the Covered Components
  • HIPAA Contacts designated by the Business Associates
  • HIPAA Contacts designated by the Support Units
