UB HIPAA Overview
Formal UB HIPAA declaration and position statements may be found here.
The University at Buffalo is a sub-component of the State University of New York. For the purposes of HIPAA, SUNY is the covered entity. SUNY has designated itself a hybrid covered entity which means it is comprised of some functions that fall under HIPAA and other functions that do not.
The University at Buffalo is required to identify to SUNY which functions it engages in that will fall under the SUNY HIPAA covered function umbrella. With the passage of the "Health Information Technology for Economic and Clinical Health Act" (HITECH) within "Title XIII of the American Reinvestment and Recovery Act of 2009" the University at Buffalo must also identify SUNY functions acting as HIPAA Business Associates. These designation occurs at the campus level through unit self-identification to the office of the UB Director for HIPAA Compliance and must be kept current.
The standard for determining a SUNY HIPAA covered function at the University at Buffalo is as follows
Health Care Providers
It is important to note that when the health care is provided by an entity other than the University (hospital, academic practice plan physician, etc.) it is that entity, and not the SUNY HIPAA health care covered function, which is the HIPAA covered entity. The teaching/research affiliation that may exist between these entities and the University does not bring their independent health care provision activities into the University's HIPAA covered function. The University at Buffalo will only have SUNY health care covered functions to the extent that its state employees provide health care that results in covered electronic transactions as part of their normal job functions as defined by their professional obligation to SUNY.
For employees with multiple employers, such as practice plan physicians, this approach may result in situations where the employee finds themselves wearing both a covered entity hat as health care provider, and a non-covered entity hat as a University at Buffalo faculty member / researcher. It is important that they understand what activities are permitted under HIPAA within each of their various roles.
Research conducted by UB faculty members is an activity that is part of their professional obligation to UB. Consequently such research "belongs" to UB and must be considered by UB when formulating the UB/SUNY covered entity declaration. The research function at UB has been defined as a non-covered function with respect to HIPAA. However, research that occurs in conjunction with the provision of health care, when that health care is part of the UB or an external entity's HIPAA covered function, will be required to obtain information from that covered function in a manner prescribed by HIPAA (or more stringent NYS law). The UB IRB will ensure that the HIPAA appropriate transfer mechanism is in place before approving such research. To determine the mechanism appropriate for a specific research project, use this worksheet.
A better understanding of the rationale behind considering research and the provision of health care as separate functions that may occur together, as opposed to a single function, can be obtained by reviewing "Part A: Boundaries Between Practice & Research" of the April 18, 1979 Bellmont report which is available from the federal Office for Human Research Protections web site here.
Student Health / Student Counseling
These programs at UB are not required to comply with HIPAA. However, they have elected to adopt compliance with the HIPAA regulations as a "best practice".
SUNY HIPAA Covered Functions at UB
These functions have been formally declared as SUNY covered functions under HIPAA and are legally obligated to comply with all aspects of the regulations. If you are aware of a function that you believe falls under HIPAA at the University which is not listed here, please let us know by sending Email to (remove spaces) hipaa-compliance @ buffalo.edu. Any unit intending to engage in SUNY HIPAA Covered Function activities must be reviewed and approved by the UB Director of HIPAA Compliance prior to engaging in any such activities.
SUNY HIPAA Business Associates at UB
These functions are identified by services provided to HIPAA covered entities, or Business Associates of HIPAA covered entities, and are required to comply with portions of HIPAA as a matter of law. If you are aware of a function that you believe qualifies as a HIPAA Business Associate at the University, please let us know by sending Email to (remove spaces) hipaa-compliance @ buffalo.edu. Any unit intending to engage in SUNY Business Associate activities must be reviewed and approved by the UB Director of HIPAA Compliance prior to engaging in any such activities.
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.