Boston University is required by the Health Insurance Portability and Accountability Act (HIPAA) to ensure the privacy and security of all “Protected Health Information” or “PHI” created, received, maintained, or transmitted by or for its health care providers and self-insured health plans that are subject to HIPAA. This Policy is intended to guide components at Boston University that are covered by HIPAA (“HIPAA Covered Components”) to rigorously implement all HIPAA-mandated requirements as they are subject to enforcement by the federal government.

Regardless of where or in what form (paper, electronic or otherwise) University data is stored, it remains the property of the University and the University’s HIPAA Covered Components are responsible for ensuring proper protection.

University policy around HIPAA is outlined in the policy section below. This page is intended as serving as a resource for both policy and what BUMC-IT/IS&T services are approved for storing, accessing or processing HIPAA data.

Boston University HIPAA Policies:

Boston University’s HIPAA policies on privacy and security of Protected Health Information is found here.

Restricted Use-Approved Services:

The following services are all approved for use with HIPAA and other Restricted Use data.


Microsoft One Drive – Is cloud-based storage hosted with Microsoft. Details about this service can be found here. BU security information specifically related to One Drive can be found here.

BUMC Y Drive – The BUMC Y drive is an on-premise file server for BUMC faculty and staff. Details about the service can be found here.

Full Disk Encryption – Laptop encryption is a valuable and critical tool for protecting data at rest. Full Disk Encryption protects data stored on your laptop if your laptop were to become lost or stolen. Details about this service can be found here.

DataMotion SecureMail – Email communication is ubiquitous but is often insecure. Our SecureMail portal allows for a secure exchange of emails between you and anyone else (members of the BU community or those outside of BU). Details about this service can be found here.


Mobile Security – Sensitive data sent through email can end up on our smartphones and tablets though email sync. Because of this, these devices should be protected in the same manner as laptops – with passwords and encryption. Documentation on how to set a pin/password on your phone and encrypt it can be found here.

Applications/Survey Tools

FreezerPro – FreezerPro allows users to track their frozen samples through an intuitive, fast, reliable and secure Web-based application. Features include automatic alerts of low number of sample aliquots, sample expiration date, sample volume or freeze-thaw count along with reporting. Details about this service can be found here.

REDCap – REDCap is a free, secure, web-based application designed to support data capture for research studies. Details about this service can be found here.

Consulting Services

In addition to these service offerings, we offer consultation for security related questions pertaining to your project, grant, data request, or any general questions that you have. To engage us, contact us here.

Policy Resources:

The following links provide additional details related to University policy regarding HIPAA and data security in general.