HIPAA Procurement Policy

Category: HIPAA Security
Responsible Office: UBIT HIPAA Compliance
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Approved by (Name/Title): J. Brice Bible, VPCIO
Date Established: April 16, 2018


CATEGORY: Organizational Requirements

TYPE: Required Implementation Specification for Business Associate Contracts and Other Arrangements

CITATION: 45 CFR 164.314(a)(2)(i)

The University at Buffalo Information Technology (UBIT) operates as a covered entity as defined by the U.S. Department of Health and Human Services Office of Civil Rights. HIPAA Regulation Text 45 CFR 164.314(a)(1) requires a covered entity to ensure that a contract or other arrangement required by §164.308(b)(3) Business Associate Contracts and Other Arrangements meets the requirements of §164.314(a)(2)(i) Business Associate Contracts and §164.314(a)(2)(ii) Other Arrangements, as applicable.


UBIT reviews and evaluates the procurement of software and services for compliance with policies governing HIPAA-regulated data.


This policy applies to the UBIT SUNY HIPAA covered function.


Workforce Members: Adhere to all policies and procedures as written.

Procurement Services: Ensures that HIPAA compliance needs are reviewed before procurement of software or services.

HIPAA Security and Privacy Official: Reviews and evaluates UBIT purchases for software and/or systems that may affect UB covered function HIPAA compliance, in consultation with other UB covered function Privacy and Security Officials as appropriate. If a BAA is deemed appropriate by Privacy and Security Officials, consults with the UB Office of HIPAA Compliance for confirmation of the need for a BAA. Once confirmed, ensures that the SUNY BAA template provided by the UB Office of HIPAA Compliance is in the procurement request. Any vendor requests to modify the prescribed SUNY BAA template will be referred to the UB Office of HIPAA Compliance. Ensures that approval for final form BAAs (SUNY template, or approved by University Counsel through the UB Office of HIPAA Compliance) has been communicated by the UB Office of HIPAA Compliance to appropriate campus signatory authorities and that the BAA has been executed prior to utilizing the underlying services for using, disclosing, maintaining, transmitting or providing access to UBIT SUNY covered function HIPAA-regulated data. Tracks underlying contract terminations/expirations and vendor compliance with BAA terms for termination. Tracks underlying contract renewals and ensures that the current SUNY BAA template, or a language alteration approved through the UB Office of HIPAA Compliance, is implemented for contract renewals.

Contact Information

HIPAA Security and Privacy Officer
Website: http://www.buffalo.edu/ubit.html

University at Buffalo
Director of HIPAA Compliance

Brian Murphy
409 Abbott Hall
Buffalo, NY 14214-8000
Phone: 716-829-3172
Email: hipaa-compliance@buffalo.edu

Vice President and Chief Information Officer
J. Brice Bible
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html