Home Contacts Site Map
UB HIPAA overview
Up UB HIPAA overview UB declarations Researchers Faculty-Students Business Associates HIPAA Training

UB HIPAA Overview

Formal Declarations

Formal UB HIPAA declaration and position statements may be found here.


The University at Buffalo is a sub-component of the State University of New York.  For the purposes of HIPAA, SUNY is the covered entity.  SUNY has designated itself a hybrid covered entity which means it is comprised of some functions that fall under HIPAA and other functions that do not.

The University at Buffalo is required to identify to SUNY which functions it engages in that will fall under the SUNY HIPAA covered function umbrella.  With the passage of the "Health Information Technology for Economic and Clinical Health Act" (HITECH) within "Title XIII of the American Reinvestment and Recovery Act of 2009" the University at Buffalo must also identify SUNY functions acting as HIPAA Business Associates.  These designation occurs at the campus level through unit self-identification to the office of the UB Director for HIPAA Compliance and must be kept current.

The standard for determining a SUNY HIPAA covered function at the University at Buffalo is as follows

bulletHealth Plan functions
bulletHealth Care Clearing House functions
bulletHealth Care Provider functions that engage in specific electronic transactions, defined in the regulations, where the health care provider provides the health care generating those transactions as part of their professional obligation to SUNY.

Health Care Providers

It is important to note that when the health care is provided by an entity other than the University (hospital, academic practice plan physician, etc.) it is that entity, and not the SUNY HIPAA health care covered function, which is the HIPAA covered entity.  The teaching/research affiliation that may exist between these entities and the University does not bring their independent health care provision activities into the University's HIPAA covered function.  The University at Buffalo will only have SUNY health care covered functions to the extent that its state employees provide health care that results in covered electronic transactions as part of their normal job functions as defined by their professional obligation to SUNY.

For employees with multiple employers, such as practice plan physicians, this approach may result in situations where the employee finds themselves wearing both a covered entity hat as health care provider, and a non-covered entity hat as a University at Buffalo faculty member / researcher.  It is important that they understand what activities are permitted under HIPAA within each of their various roles.


Research conducted by UB faculty members is an activity that is part of their professional obligation to UB.  Consequently such research "belongs" to UB and must be considered by UB when formulating the UB/SUNY covered entity declaration.  The research function at UB has been defined as a non-covered function with respect to HIPAA.  However, research that occurs in conjunction with the provision of health care, when that health care is part of the UB or an external entity's HIPAA covered function, will be required to obtain information from that covered function in a manner prescribed by HIPAA (or more stringent NYS law).  The UB IRB will ensure that the HIPAA appropriate transfer mechanism is in place before approving such research.  To determine the mechanism appropriate for a specific research project, use this worksheet.

A better understanding of the rationale behind considering research and the provision of health care as separate functions that may occur together, as opposed to a single function, can be obtained by reviewing "Part A: Boundaries Between Practice & Research" of the April 18, 1979 Bellmont report which is available from the federal Office for Human Research Protections web site here.

Student Health / Student Counseling

These programs at UB are not required to comply with HIPAA.  However, they have elected to adopt compliance with the HIPAA regulations as a "best practice".

SUNY HIPAA Covered Functions at UB

These functions have been formally declared as SUNY covered functions under HIPAA and are legally obligated to comply with all aspects of the regulations.  If you are aware of a function that you believe falls under HIPAA at the University which is not listed here, please let us know by sending Email to (remove spaces) hipaa-compliance @ buffalo.edu.  Any unit intending to engage in SUNY HIPAA Covered Function activities must be reviewed and approved by the UB Director of HIPAA Compliance prior to engaging in any such activities.

bulletSchool of Dental Medicine
bulletClinical Operations (whether or not they engage in covered electronic transactions)
bulletEducational Operations

SUNY HIPAA Business Associates at UB

These functions are identified by services provided to HIPAA covered entities, or Business Associates of HIPAA covered entities, and are required to comply with  portions of HIPAA as a matter of law.  If you are aware of a function that you believe qualifies as a HIPAA Business Associate at the University, please let us know by sending Email to (remove spaces) hipaa-compliance @ buffalo.edu.  Any unit intending to engage in SUNY Business Associate activities must be reviewed and approved by the UB Director of HIPAA Compliance prior to engaging in any such activities.  


This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.  Privacy Policy
Hit Counter