| |
This page contains links to official policy and declaration statements
regarding HIPAA for the University at Buffalo
You will need to use the Adobe® Reader® to view these files. The
reader can be obtained from
http://www.adobe.com/
Covered & Non-covered Functions
 | UB: Covered Function and Business Associate determination criteria (revised
June 18, 2013;
.pdf) |
 | UB: Covered Function declaration (revised August 14, 2003;
.pdf) |
 | UB: Research as a non-covered function declaration (revised August 14,
2003;
.pdf) |
 | Declaration notes and
references |
Position statements
 | UB General Services and HIPAA covered function/Business Associate
activities: The University at Buffalo is a hybrid entity under HIPAA.
General Services deployed by the University such as telephony, data network,
data storage, email, etc., including the activities of University employees
associated with the provision of those Services, are not implemented,
operated or managed in a manner that is intended to be HIPAA compliant.
HIPAA compliant Services at the University are limited to those provided
within University HIPAA covered functions or to those governed by an
appropriately executed HIPAA Business Associate Contract. University HIPAA
covered functions, or other non-SUNY entities using University Services,
must take this fact into consideration when utilizing any University
Services or personnel in a manner which may directly or indirectly support
their own operations. It is the University's position that, unless
explicitly acknowledged in a separate HIPAA Business Associate Contract (for
non-SUNY entities), or in a formal extension of the University’s HIPAA
covered function declaration or covered function workforce, the consumers of
University Services are responsible for ensuring that such services will not
be used in any way that could be construed as making the University a HIPAA
Business Associate or as extending the University’s HIPAA covered function
activities. SUNY functions at UB intending to engage in Business
Associate activities must identify themselves to the UB Director of HIPAA
Compliance for review and approval prior to engaging in such activities. |
 | SUNY/UB Position statement: Entering into a Business Associate Agreement to cover student
training experiences. (revised March 24, 2004;
.pdf) |
Guidance
 | UB-Research: Alteration or Waiver of Authorization; guidance for the UB
IRB, UB covered functions, and external covered entities providing PHI to UB
researchers through this mechanism. (revised July 9, 2004;
pdf) |
 | UB-Research: Business Associate Contracts and Research; guidance for any
UB researcher considering entering into a business associate contract (aka
business associate agreement) with a HIPAA covered entity in order to
conduct research (revised September 19, 2004;
pdf) |
 | UB-Research: Limited Data Set / Data Use Agreements and Research;
guidance for any UB researcher considering entering into a data use
agreement (required in order to receive a limited data set) with a HIPAA
covered entity in order to conduct research (revised September 19, 2004;
pdf) |
|