HIPAA


Organizational Issues

Whose HIPAA is it, anyway?

HIPAA applies to three specific categories of covered entities: health care providers who engage in HIPAA-defined standard electronic transactions, health plans, and health care clearinghouses.  In a hybrid entity such as the University, HIPAA further provides the option of declaring health care providers as part of the University's covered function whether or not they engage in the HIPAA-defined standard electronic transactions.

HIPAA declarations, if warranted, must be made by each separate corporate entity, i.e., the State University of New York, the University at Buffalo Foundation, the Research Foundation, Sub-Board I, the Medical practice plans, the Dental practice plans, etc.

In this mixed environment, the University has adopted a policy meant to minimize the heterogeneity of HIPAA approaches in areas that do and do not fall under HIPAA, to meet the requirements of HIPAA, and to avoid unnecessarily burdening aspects of operations which need not fall under HIPAA.  For research, this policy results in a splitting of research into two components - the provision of health care, and all other aspects of the research.  For UB's formal HIPAA declaration of its covered components, click here.

To establish some uniformity in the application of HIPAA to research and the treatment of human research subjects, the University has adopted the position that any research involving the provision of health care, or that acquires protected health information from 3rd party entities, whether or not it falls formally under HIPAA, is required to employ a "HIPAA appropriate" mechanism for acquiring data.  This policy is enforced by the IRB, which will not approve a research protocol involving the provision of health care until such a mechanism has been established by the investigator and approved by the IRB.  Investigators may use this worksheet to determine which mechanism is appropriate for their particular protocol.

Whether additional aspects of HIPAA come into play, beyond those governing the acquisition of information for use in research, will depend on whether the research is occurring within a University defined covered function as described below. 

Research & covered function determination

As mentioned above, the impact of HIPAA on research is determined by considering research as consisting of two components - the provision of health care and the remainder of the research activity.  This component breakdown holds even when the two functions are combined together within a single research protocol.  The impact of HIPAA on these two functions can then be determined as follows: 

What entity is performing the research component?

For faculty members of the University, this question has only one answer: The University faculty member is performing the research under the auspices of the University, no matter where the research activity takes place.  Consequently the University's covered function designation determines whether or not the research component falls within the University's HIPAA covered function.

What entity is providing the health care component?

This will have one of two answers:

- The University: when the individual is a health care provider as part of their professional obligation associated with their employment by the University.
- 3rd party: when the health care provider is employed to provide health care by a corporate entity that is separate from the University, such as one of the UB medical or UB dental practice plans, one of the UB affiliated hospitals, or private practice.

Use the following chart to determine whether or not HIPAA governs the handling of protected health information beyond the common acquisition mechanism required of all research involving the provision of health care:

HIPAA impact on faculty researchers

                                     RESEARCH "OWNERSHIP"
                                     UB        3rd Party
HEALTH CARE PROVIDER    UB           A         C
                        3rd Party    B         C

A - UB responsible for provision of health care (i.e., provision of health care is part of the researcher's professional obligation to SUNY) and research.  Activity is entirely governed by UB's health care covered function designation.

- Within a University covered health care function:
  - HIPAA appropriate mechanism for acquiring data (required by HIPAA)
  - University research function - HIPAA impact on research function is determined by the University function providing health care:
    - Option A: Research declared as part of the covered function.  All HIPAA regulations (privacy, security) govern research activity use of protected health information (option A adopted by the UB School of Dental Medicine)
    - Option B: Research function must be segregated from the health care function in accordance with HIPAA.  The remainder of HIPAA regulations apply according to a UB policy decision as determined by "HIPAA as best practices Quality Improvement" initiative.
- Within a University non-covered health care function:
  - HIPAA appropriate mechanism for acquiring data (required by IRB)
  - The remainder of HIPAA regulations apply according to a UB policy decision as determined by "HIPAA as best practices Quality Improvement" initiative.

B - UB responsible for research, 3rd party responsible for provision of health care.

- Within a 3rd party Health Care covered function:
  - HIPAA appropriate mechanism for releasing data to researcher (required by HIPAA)
  - All HIPAA regulations (privacy, security) govern provision of health care
  - Research component is defined by University policy not to be part of the University's covered function since the University is not providing health care.  Remainder of HIPAA regulations as determined by "HIPAA as best practices Quality Improvement" initiative.
- Within a 3rd party Health Care non-covered function:
  - HIPAA appropriate mechanism for acquiring data (required by IRB)
  - Research component is defined by University policy not to be part of the University's covered function since the University is not providing health care.  Remainder of HIPAA regulations as determined by "HIPAA as best practices Quality Improvement" initiative.

C - Not applicable.  All research engaged in by a University faculty member is "owned" by the University for purposes of covered function determination with respect to the research component of an activity.

This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.