Harvard University homepage
HARVARD.EDU

Home / About / Privacy and Compliance /

Notice of Privacy Practices

Effective Date: April 2003, last revised August 2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

  1. HARVARD UNIVERSITY HEALTH SERVICES (“HEALTH SERVICES”) IS COMMITTED TO PROTECTING THE PRIVACY OF OUR PATIENTS

We understand that your medical information is personal, and that protecting that information is important. We are required by law to maintain the privacy of your medical information, to give you this notice of our legal duties and our privacy practices regarding your medical information, and to follow the terms of this notice, and to notify you in the event you are affected by a breach of your unsecured medical information.

To Students:

Although the Health Insurance Portability and Accountability Act privacy regulations do not apply to your medical records, those records are protected under state privacy laws, other federal laws, and in most instances will be treated in the same manner described in the HUHS Notice of Privacy Practices, with certain exceptions. In particular, students should note that there may be special student privacy rights that apply to them that are described in their Schools’ student handbooks. To the extent that any conflict exists between the privacy rights contained in this notice and the privacy rights contained in applicable student handbooks, the privacy rights contained in the student handbooks will control.

  1. WHO WILL FOLLOW THIS NOTICE

This notice applies to HUHS, all our departments and units, including Dillon Field House, the Center for Wellness and Health Promotion, and our satellite clinics at the Law School and the Medical Area. It applies to our employees, physicians, and other clinicians, trainees, and volunteers.

  1. USES AND DISCLOSURES OF YOUR MEDICAL INFORMATION WITHOUT YOUR WRITTEN CONSENT OR AUTHORIZATION

The following categories show the different ways we may use and disclose to others your medical information without obtaining your written consent or authorization. For each category of uses or disclosures, we provide some examples. Your medical information will not be used or disclosed without your written consent or authorization for purposes other than those described in this Section. Section IV and Section V of this notice describe our policy regarding uses and disclosures of your medical information for which your consent or authorization is required.

  1. Use and Disclosures for Treatment, Payment, and Healthcare Operations: In general, we may use your medical information to treat you, obtain payment for services provided to you, and to conduct our “healthcare operations” (as detailed below) without your written consent or authorization
  1. For Treatment: Your medical information may be used by us to provide you with medical treatment or services – for example, to diagnose and treat your injury or illness. We may share information about you with HUHS doctors, nurses, technicians, or other healthcare professionals involved in taking care of you which includes, but is not limited to, healthcare professionals at Dillon Field House and the Center for Wellness and Health Promotion. We also may share your medical information with non-HUHS healthcare providers without your consent in an emergency situation. In addition, we may contact you via telephone/voice mail or letter to remind you that you have an upcoming appointment for an office visit, lab test, or other treatment. We may also tell you about alternative treatments or health-related services that may be of interest to you.
  2. For Payment: Your medical information may be used by us so that we can receive payment from you, your insurance company, or a third party for providing you with needed healthcare services – for example, to file claims and obtain payment from your insurance company.
  3. For Healthcare Operations: Your medical information may be used for our “healthcare operations” which include our internal administration and planning and various activities that improve the quality and cost-effectiveness of the care that we deliver to you. For example, we may use your medical information to evaluate the quality and competence of our physicians, nurses, and other health care workers, and we may provide medical information to our Privacy Officer in order to resolve any complaints you may have. In addition, your medical information may be disclosed by us for certain types of our healthcare operations, including any peer review or utilization review activities we undertake. Some of the information may be shared with outside parties who perform these health care operations or other services on behalf of us (“business associates”). We will obtain assurances from our business associates that they will appropriately safeguard your medical information.
  1. Use and Disclosure for Other Reasons: In addition to payment, treatment, and healthcare operations, we may use or disclose your medical information without your written consent or authorization for purposes such as the following:
  1. Research: We may use and disclose medical information about you when a waiver of authorization is obtained from an Institutional Review Board. Otherwise, we will only use or disclose your information for research with your written authorization. However, we may use your medical information to identify you as a potential research study subject but will not conduct any research without a proper authorization from you or a waiver of authorization from an Institutional Review Board.
  2. To Avert a Serious Threat to Health or Safety: We may use and disclose medical information about you when necessary to prevent a serious danger to you or others. Any disclosure, however, would only be to someone able to help prevent the threat.
  3. Organ and Tissue Donation: If you are an organ donor, we may release medical information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
  4. Military and Veterans: If you are a member of the armed forces, we may release medical information about you as required by military command authorities.
  5. Workers’ Compensation: We may release medical information about you to your employer and/or the Massachusetts Industrial Accident Board as required under Massachusetts law addressing work-related illnesses and injuries or workplace medical surveillance. We do require that you sign an authorization for this purpose.
  6. Public Health Risks: We may disclose medical information about you for the following public health activities: to report health information to public health authorities for the purpose of preventing or controlling disease, injury, or disability; to report reactions to medications or problems with products and services under the jurisdiction of the U.S. Food and Drug Administration; to report information related to the birth and subsequent health of an infant to state government agencies; to file a death certificate and report fetal deaths; and to notify the appropriate government authority if we believe you are a victim of child abuse or neglect, an elderly victim of abuse, a disabled victim of abuse, or a victim of rape or sexual assault.
  7. Health Oversight Activities: We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs (such as Medicare and Medicaid), and compliance with civil laws.
  8. Lawsuits and Disputes: We may disclose medical information about you in response to a subpoena if you are a named party in a lawsuit. In addition, we may also disclose your medical information in response to a lawful order from a court. We will take reasonable steps to notify you or your attorney before responding to such requests.
  9. Law Enforcement: We may release medical information as part of law enforcement activities: in investigations of criminal conduct or of victims of crime; in response to court orders; in emergency circumstances; or when required to do so by law.
  10. Coroners, Medical Examiners, and Funeral Directors: We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about HUHS patients to funeral directors as necessary to carry out their duties.
  11. National Security: We may release medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations, or for intelligence, counterintelligence, and other national security activities authorized by law.
  12. Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you in limited circumstances.
  13. As Required by Law: We will disclose medical information about you when required to do so by federal, state, or local law.
  1. DISCLOSURES REQUIRING YOUR CONSENT OR AUTHORIZATION
  1. Disclosures Requiring Your Consent:
  • Individuals Involved in Your Care: With your consent (verbal or written) we may release information about you (except Highly Confidential Information) to a family member or friend who is involved in your care. We may also release information about you to such an individual in a medical emergency without your consent if you are incapacitated if, in our professional judgment, we determine that the release of information is in your best interests.
  • Certain Uses of Your Medical Information: Your prior authorization is required for most uses and disclosures of your medical information for marketing purposes, and for the sale of your medical information.
  1. Disclosures of Your Highly Confidential Information: As discussed above, your written authorization is generally not needed when we use or share your medical information for treatment, payment, or health care operations. However, some kinds of information are considered so sensitive that federal or state law provides special privacy protections for them. This means that, even if the particular information relates to treatment, payment, or health care operations, we may need to get your written authorization in order to disclose (and in some cases, to use) that information unless the use or disclosure is otherwise permitted by law. There are special protections under federal or state law for medical information that: (1) is about HIV/AIDS status; (2) is about genetic testing; (3) constitutes confidential communications with a psychologist, or psychotherapy notes taken by a mental health provider during counseling sessions; (4) is about substance abuse (alcohol or drug); (5) is about certain sexually transmitted diseases; (6) is an abortion consent form(s); (7) constitutes mammography records; (8) is about the treatment or diagnosis of emancipated minors; (9) is about research involving controlled substances.
  • If you are an emancipated minor, special legal protections apply to certain information relating to your treatment or diagnosis, and therefore such information will not be disclosed to your parent or guardian without your consent. Your consent is not required, however, if a physician reasonably believes your condition to be so serious that your life or limb is endangered. Under such circumstances, we may notify your parents or legal guardian of the condition and will inform you of this notification. Please note that if you are a parent or legal guardian of an emancipated minor, certain portions of the emancipated minor’s medical record may not be accessible to you (for example, abortion information, sexually transmitted disease information). In addition, portions of a minor’s records relating to drug dependency medical services (excluding methadone maintenance therapy) will not be available to you, regardless of whether the minor is emancipated.
  1. Other Uses of Your Medical Information: Other uses and disclosures of your medical information not covered by this notice will be made only with your written authorization.
  1. YOUR RIGHTS REGARDING MEDICAL INFORMATION ABOUT YOU

You have the following rights regarding your own medical information:

  1. Right to Revoke Authorization: You may revoke your written authorization, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to the Privacy Officer identified below.
  2. Right to Inspect and Copy: You have the right to inspect and to make a copy of your medical record file and billing records maintained by us. All requests for access must be made in writing and submitted to the Medical Records Department or to a representative at one of the Satellite Clinics where your record is maintained. If you request a copy of the information, we may charge a reasonable fee for the costs of copying and postage. Under limited circumstances, we may deny your request to access and copy certain information (for example, psychotherapy notes). In the event we use or maintain an electronic health record with respect to your medical information, you shall have the right to obtain a copy of such information in an electronic format and, if you choose, to direct us to transmit such copy directly to another recipient. HUHS maintains medical records for at least 20 years after your final treatment, as required by law; a copy of the HUHS medical record retention policy is available upon request.
  3. Right to Request Amendment: If you feel that medical information we have about you in your medical record file or billing record is incorrect or incomplete, you may ask us to amend the information. To request an amendment, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request. You may obtain a form for this purpose from the Privacy Officer. We may deny your request for an amendment if the information contained in your medical record file or billing record is accurate and complete or if other special circumstances apply, although you may submit a written statement disagreeing with our denial.
  4. Right to an Accounting of Disclosures: You have the right to a list or report of certain disclosures we make of your medical information. This does not include disclosures for purposes of treatment, payment, or health care operations, disclosures for which you provided written authorization, sharing your information with persons involved in your care, sharing information for national security or intelligence purposes, or to correctional institutions and law enforcement officials who have custody of you, among other exceptions. To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer. Your request must state a time period that may not be longer than six years prior to the request date. The first list you request within a 12-month period will be free. For additional lists during the same 12-month period, we may charge you for the cost of providing the list. We will notify you of the cost involved, and you may choose to withdraw or modify your request at the time before any costs are incurred.
  5. Right to Request Restrictions: You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment, or health care operations. We will comply with your restriction requests if the disclosure is not related to your treatment and the services to which your medical information relates have been paid out of pocket and in full. You have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment of your care, such as a family member or friend. We are not required to agree to your request. You also have the right to request a restriction on our use of your medical information to notify or assist in the notification of someone involved in your care regarding your location and general condition. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. To request restrictions, you must make your request in writing to our Privacy Officer. In your request, you must state (1) what use or disclosure you want to limit, (2) what information you want to limit, and/or (3) to whom you want the limits to apply. No agreement to comply with a requested restriction shall be effective unless an authorized representative of HUHS signs the agreement.
  6. Right to Request Confidential Communications: You have the right to request, and we will accommodate, any reasonable written request to receive medical information by alternative means of communication or alternative locations.
  7. Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice at any time, even if you have agreed to receive this notice electronically. To obtain a paper copy of this notice, please request one from our Medical Records Department.
  8. Right to Notice of Breach: In the unlikely event of a breach of unsecured medical information which causes you a significant risk of financial, reputational, or other harm, we shall notify you of such breach. We will send you written notice of the breach via first class mail to your last known address, unless you have indicated a preference for email. The notice will include, among other things, a brief description of what happened, a brief description of the types of unsecured medical information that was disclosed in the breach, steps that you should take to protect yourself from potential harm resulting from the breach, a brief description of our actions taken to investigate the breach, mitigate the harm and protect against further breaches and contact procedures to learn additional information.
  1. CHANGES TO THIS NOTICE

We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in patient waiting areas and on our internet site at www.huhs.harvard.edu. The notice will contain the effective date in the top left-hand corner of the first page.

  1. COMPLAINTS

If you believe your privacy rights have been violated or we are not in compliance with these privacy practices, you may file a complaint with our Patient Advocate or Privacy Officer at the address listed below or with the Secretary of the Department of Health and Human Services. All complaints must be submitted in writing. The Privacy Officer and HUHS will investigate all complaints. You will not be penalized in any way for making a complaint.

Complaints filed with the Secretary of the Department of Health and Human Services must be in writing and must be sent within 180 days of when you knew (or should have known) that the act or omission occurred to the Office of Civil Rights, U.S. Department of Health and Human Services, JFK Building – Room 1875, Government Center, Boston, MA 02203. Your letter must include the name of the hospital or provider and a description of the acts or omissions that you believe are in violation of privacy requirements.

  1. CONTACT INFORMATION

You may contact us at:

HUHS Patient Advocate
Harvard University Health Services
75 Mount Auburn Street
Cambridge, MA 02138
Telephone: (617) 495-7583

HUHS Privacy Officer
Harvard University Health Services
75 Mount Auburn Street
Cambridge, MA 02138
Telephone: (617) 496-1630