At Boston Medical Center Health System (BMCHS), we place the highest priority on a patient’s right to privacy. We are committed to providing you and your family with exceptional care and forming a relationship that is built on trust. This means that we respect your right to privacy and will endeavor to protect the confidentiality of your and your family’s health information, whether this information is stored in a paper or electronic file.

BMCHS adheres to the requirements outlined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Federal Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2), and the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as applicable Massachusetts General Laws, which ensure the privacy and security of an individual’s health information and promote privacy and trust between patients and their healthcare providers.

What Is HIPAA?

The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information.

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
  • It strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

For patients – it means being able to make informed choices when seeking care.

  • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
  • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
  • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
  • It empowers individuals to control certain uses and disclosures of their health information.  

    (See What does the HIPAA Privacy Rule do? | HHS.gov)

Privacy Protections for SUD Records  

If you receive SUD treatment at BMCHS, your SUD records are protected by Part 2 Federal Privacy Rules. You have additional rights related to who may see, use, or disclose your SUD records. We rely on patient consent to permit future uses and disclosures of your Part 2 records for treatment, payment, and health care operations (TPO). A copy of your consent, along with proper notice, will be provided with any disclosure made pursuant to that consent. HIPAA-covered entities (and their business associates) that receive your Part 2 records under this consent may redisclose the records as permitted by HIPAA.  

You may revoke your consent at any time in writing; revocation does not affect prior uses/disclosures made in reliance on your consent. SUD records, or testimony based on their content, will not be disclosed or used in legal, criminal, or administrative proceedings against you without your specific written consent or court order.

BMCHS may disclose Part 2 records without your consent in limited circumstances permitted by law. These circumstances include, but may not be limited to, medical emergencies; reports of child abuse/neglect; crimes on program premises/against personnel; to qualified service organizations; audits/program evaluations; certain research; and disclosure of de-identified medical information to public health authorities. Breach notification and penalties for Part 2 records are aligned with HIPAA.

How We Assure Your Privacy

Your privacy is very important to BMCHS. We do not allow access to your health information by those outside of BMCHS without the appropriate authorization or authority to do so. We're also committed to safeguarding your personal information online.

Our workforce members are trained in the appropriate use and disclosure of health information and know that it is available to continue to provide care to you and for other legitimate purposes. We address any violation of confidentiality or failure of a workforce member to protect your information from accidental or unauthorized access.

We have detailed policies and procedures in place to safeguard your rights to privacy and confidentiality. Our Privacy Office and the Health Information Department can also provide information on how we protect your health information and how you may request your or your minor child’s health information.

Please bookmark bmc.org/privacy to return to this page in the future as we continue to review and update our policies as needed.

HIPAA Notice of Patient Privacy Practices

At BMCHS, we place the highest priority on a patient’s right to privacy. We are committed to respecting your right to privacy and confidentiality of your health information at all times.

As part of HIPAA requirements, all new patients seeing their healthcare provider upon their initial visits are required to sign the Acknowledgement of Receipt of Privacy Notice form to indicate that they have received the Notice of Privacy Practices. Our Notice of Privacy Practices describes how we (hospital/provider) may use or disclose your health information, and your rights to access your health information and/or to request changes to your health information. You may also request a list of people or organizations that you did not authorize, but who may have received your health information from us, with some exceptions.

You may view the BMCHS Notice of Privacy Practices for Use of and Sharing of Protected Health Information for more information about your privacy rights as a patient.

Download the Notice of Patient Privacy Practices in English (PDF)

Please check back soon for translated versions of this notice in Haitian Creole, Portuguese, Spanish, Russian, and Vietnamese.

Also available are additional PDF forms which you may use to exercise your rights afforded by HIPAA.

Massachusetts Immunization Information System (MIIS)

BMCHS is participating in the Massachusetts Immunization Information System (MIIS), a secure registry managed by the Massachusetts Department of Public Health that tracks all immunizations given in the state.

The goal of the program is to enable providers to look up a patient’s immunization status to improve vaccine delivery.

Learn More about the Massachusetts Immunization Information System (MIIS).

Use of Artificial Intelligence (AI) in Care and Operations

We use AI tools to support patient care and improve operations. These tools may assist with imaging analysis, clinical documentation, patient communication, quality improvement, care coordination, and administrative functions. 

AI is designed to support — not replace — our clinicians. All medical decisions are made by qualified healthcare professionals who apply their independent judgment, with appropriate human oversight. 

We protect your information in accordance with HIPAA and applicable privacy laws. De-identified or limited data sets may be used to develop, test, and monitor AI tools to ensure they are safe and effective. 

All AI technologies undergo review and ongoing monitoring to meet our standards for safety, security, fairness, and quality. 

If you have questions about how AI is used in your care, please contact the Privacy Office at privacyofficer@bmc.org.  

Health Information Release Forms

If you experience any difficulties downloading the forms, please contact 617.414.4201.

Contact Our Privacy Officer

If you have questions or concerns regarding your privacy, or you would like to review your health information on-site or request changes or corrections to your health information, or file a breach of confidentiality complaint, you may contact our Privacy Officer:

Call: 617.414.1800

Email: privacyofficer@bmc.org

Regular business hours are Monday–Friday, 8:30 a.m. to 5:00 p.m.; after hours, please leave a message and your call will be returned on the next business day.

Mailing Address

Boston Medical Center 
Attn: HIPAA Privacy Officer 
960 Massachusetts Avenue 
Boston, MA 02118

Contact the Medical Records Department

BMC Health System Compliance Hotline

Call the Compliance Hotline at 800.586.2627. The hotline is available 24/7 and is operated by an outside company. Translation services are available. You can make an anonymous complaint if you wish. However, please understand that this may make it more difficult to investigate a complaint. All reports received on the hotline will be investigated and resolved.