The "Health Insurance Portability and Accountability Act of
1996" (HIPAA) is a set of federal regulations that apply to health
care providers that engage in certain electronic transactions,
health plans, and health care clearinghouses (covered
HIPAA provides protection of our medical information
(transaction standards, standard code sets, unique health
identifiers, security and privacy). As individuals, our doctors
often give us HIPAA documentation during routine visits. As an
institution, UB needs to be aware of how HIPAA affects the
information we handle.

The privacy and security sections of HIPAA are designed to
protect Individually Identifiable Health Information within a
covered entity in a number of ways, including providing for the
confidentiality of Protected Health Information in any form (i.e.
verbal, written, electronic). The security section also deals
with electronic integrity and availability of information. It also
covers protecting against "reasonably anticipated" uses and
disclosures of electronic information, as well as dealing with
threats or hazards to the security, availability and integrity of
electronic data. The regulations address these issues in a
technology-independent manner.

Violation of HIPAA can result in civil and criminal penalties
that can cost UB both money and prestige. As with all private
information, it's essential that we handle this information
carefully while performing our job duties.

Fortunately, at UB, the number of areas required to comply with
HIPAA is small. For the purposes of HIPAA, SUNY is the
"entity" that UB resides within. SUNY is a "hybrid
entity" under HIPAA, meaning it has some functions which fall under
HIPAA and some that don't. The UB School of Dental Medicine is the
only SUNY function that falls under HIPAA at the University.

There are also non-SUNY functions at UB that fall under HIPAA,
which include the Research Foundation function, associated with
maintenance of the RF health plan, and the clinical practice plans
affiliated with the medical and dental schools. While there
are other entities at UB which fit the definition of Health Care
Provider (for example, Student Health and the Psychological
Services Center), they do not engage in the electronic transactions
which would place them under HIPAA, so their activities are not
governed by it. It remains each unit's responsibility to identify
itself to UB's Director of HIPAA Compliance (see below) if it is a
Health Care Provider that will begin to undertake electronic
transactions that will necessitate its compliance with HIPAA.

Outside of these areas, the largest impact HIPAA has is on UB
researchers seeking data from HIPAA-covered entities. HIPAA permits
covered entities to release protected information to researchers in
a limited number of ways. However, once this information has left a
covered entity and is delivered to a UB researcher in a manner
permitted by HIPAA, the information is no longer governed by HIPAA
(except in rare instances where the release mechanism is
contractual in nature).

Questions about HIPAA in relation to UB activities can be
Director of HIPAA Compliance
173 Biomedical Education Building, South Campus
(716) 829-3172 x2