Who's HIPAA is it, anyway?
HIPAA applies to three specific categories of covered entities: Health care providers who engage in HIPAA defined standard electronic transactions, health plans, and health care clearinghouses. In a hybrid entity such as the University, HIPAA further provides the option of declaring health care providers as part of the University's covered function whether or not they engage in the HIPAA defined standard electronic transactions.
HIPAA declarations, if warranted, must be made by each separate corporate entity, i.e., the State University of New York, the University at Buffalo Foundation, the Research Foundation, Sub-Board I, the Medical practice plans, the Dental practice plans, etc.
In this mixed environment, the University has adopted a policy meant to minimize the heterogeneity of HIPAA approaches in areas that do and do not fall under HIPAA, to meet the requirements of HIPAA, and to avoid unnecessarily burdening aspects of operations which need not fall under HIPAA. For research, this policy results in a splitting of research into two components - the provision of health care, and all other aspects of the research. For UB's formal HIPAA declaration of its covered components, click here.
To establish some uniformity in the application of HIPAA to research and the treatment of human research subjects, the University has adopted the position that any research involving the provision of health care, or that acquires protected health information from 3rd party entities, whether or not it falls formally under HIPAA, is required to employ a "HIPAA appropriate" mechanism for acquiring data. This policy is enforced by the IRB, which will not approve a research protocol involving the provision of health care until such a mechanism has been established by the investigator and approved by the IRB. Investigators may use this worksheet to determine which mechanism is appropriate for their particular protocol.
Whether additional aspects of HIPAA come into play, beyond those governing the acquisition of information for use in research, will depend on whether the research is occurring within a University defined covered function as described below.
Research & covered function determination
As mentioned above, the impact of HIPAA on research is determined by considering research as consisting of two components - the provision of health care and the remainder of the research activity. This component breakdown holds even when the two functions are combined together within a single research protocol. The impact of HIPAA on these two functions can then be determined as follows:
What entity is performing the research component?
For faculty members of the University, this question has only one answer: The University faculty member is performing the research under the auspices of the University, no matter where the research activity takes place. Consequently the University's covered function designation determines whether or not the research component falls within the University's HIPAA covered function.
What entity is providing the health care component?
This will have one of two answers:
Use the following chart to determine whether or not HIPAA governs the handling of protected health information beyond the common acquisition mechanism required of all research involving the provision of health care:
A - UB responsible for provision of health care (i.e., provision of health care is part of the researcher's professional obligation to SUNY) and research. Activity is entirely governed by UB's health care covered function designation.
B - UB responsible for research, 3rd party responsible for provision of health care.
C - Not applicable. All research engaged in by a University faculty member is "owned" by the University for purposes of covered function determination with respect to the research component of an activity.
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.