HIPAA and Faculty / Students
UB Covered Entity Status
Of the various student and professional programs associated with schools at the University, only those associated with the School of Dental Medicine occur within a University at Buffalo (State University of New York) HIPAA covered function. The programs in the schools of Medicine and Biomedical Sciences, Pharmacy, Nursing, and Public Health & Health Professions as well as the other schools at UB are not within a covered function at the University and are not required to comply with HIPAA. More information about UB covered functions can be found here.
Many of the programs at the University send students into covered entities. In fact, the University has approximately 3,000 clinical affiliation agreements with various entities associated with such programs. Within any of these affiliates that are covered entities, the students will be bound by the HIPAA policies and procedures of those affiliates.
HIPAA defines students within a covered entity as part of that entity's workforce and requires the entity to train them in the HIPAA policies and procedures specific to that entity. In order to reduce that burden for the covered entities, UB will be following the SUNY-recommended approach of providing a general introduction to HIPAA to all students entering such facilities. The format of that training is up to the individual programs. On-line, web-based training is available for use by the University community (more information).
In addition, students and faculty should never remove individually identifiable health information from such facilities unless specifically authorized, in a HIPAA-appropriate fashion, by the subject of that information. De-identified information may be removed for educational purposes. See this page for more information as to what constitutes individual identifiers under HIPAA.
Student Training & Business Associate Agreements
SUNY requires that formal student affiliation agreements, approved by University Counsel, be executed with third-party entities when students are sent from UB to those entities in order to receive educational experiences requisite to obtaining their degree.
Some of these affiliates must comply with HIPAA, and they are interpreting the regulations as requiring them to have Business Associate Agreements (BAAs) with the University in order to permit students to access protected health information in their facilities.
It is the position of UB and SUNY that BAAs are not appropriate in this circumstance. In addition, guidance from the Office of Civil Rights (OCR), the entity charged with enforcing the HIPAA privacy rule, has made it clear that business associate agreements are only appropriate in situations where the business associate is providing a service to the entity required to comply with HIPAA. Since UB is not providing services to these affiliates, a BAA is inappropriate. The official UB/SUNY position statement for this may be found here.
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.