Responsible Office: UBIT HIPAA Compliance
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Approved by (Name/Title): J. Brice Bible, VPCIO
Date Established: December 2017
Date Last Revised: March 8, 2019
Date Posted: December 2017
The UBIT HIPAA Protected Health Information Security Policy guides UBIT functions that are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) compliance requirements. This policy supplements other university and UBIT policies. For example, under the university’s Data Risk Classification Policy, individually identifiable health information that is subject to HIPAA is categorized as Category 1 - Restricted information, meaning that it requires the greatest protection of all data types at the University, and breaches of this data are potentially reportable to state and/or federal authorities.
HIPAA Reference: Standard: 45 CFR § 164.530(i)(1) Policies and procedures
The University at Buffalo’s Information Technology (UBIT) workforce must protect the confidentiality, integrity, and availability of health information, as required by law. All UBIT workforce members handling protected health information (PHI) are required to follow all applicable policies and procedures.
As required by HIPAA, a covered entity must have, and must apply, appropriate sanctions against members of its workforce who fail to comply with the policies and procedures that protect critical university data, including but not limited to HIPAA-regulated data.
The University operates as a hybrid entity as defined by the U.S. Department of Health and Human Services Office for Civil Rights HIPAA Regulations. The hybrid entity’s designated functions at the University at Buffalo adhere to HIPAA and New York State Department of Health Regulations.
UBIT performs functions that support UB’s operation as a hybrid entity, including functions that support UB’s HIPAA covered entities. As such, the UBIT workforce adheres to HIPAA and New York State Department of Health Regulations.
All members of the UBIT workforce affiliated with HIPAA covered functions and/or any regulated health information must adhere to all applicable policies and procedures. Violations will be handled in accordance with the UBIT HIPAA Protected Health Information Security Sanction Policy.
Covered Entity
Health care organizations and other types of organizations/entities to which the HIPAA Regulations apply (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction).
Electronic Protected Health Information (ePHI)
Refers to any protected health information (PHI) that is covered under Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in an electronic form.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that applies to health care providers which engage in certain electronic transactions, health plans, and health care clearinghouses (covered entities). HIPAA provides for the protection of health information through transaction standards, standard code sets, unique health identifiers, and security and privacy requirements. The Act requires the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
Protected Health Information (PHI)
Refers to individually identifiable health information, in any form or medium, that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security regulations. PHI is any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment, or in the course of paying for that service.
Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.
UBIT HIPAA Compliance Office: The Compliance Officer will ensure sanctions are imposed on any University-affiliated individual who violates a HIPAA regulation, policy, and/or procedure.
UBIT Workforce: All members of the UBIT workforce must comply with the provisions of this policy.