The "Health Insurance Portability and Accountability Act of 1996" (HIPAA) is a set of federal regulations that apply to health care providers that engage in certain electronic transactions, health plans, and health care clearinghouses (covered
HIPAA provides protection of our medical information (transaction standards, standard code sets, unique health identifiers, security and privacy). As individuals, our doctors often give us HIPAA documentation during routine visits. As an institution, UB needs to be aware of how HIPAA affects the information we handle.
The privacy and security sections of HIPAA are designed to protect Individually Identifiable Health Information within a covered entity in a number of ways, including providing for the confidentiality of Protected Health Information in any form (i.e., verbal, written, electronic). The security section also deals with the electronic integrity and availability of information. It also covers protecting against "reasonably anticipated" uses and disclosures of electronic information, as well as dealing with threats or hazards to the security, availability and integrity of electronic data. The regulations address these issues in a technology-independent manner.
Violation of HIPAA can result in civil and criminal penalties that can cost UB both money and prestige. As with all private information, it is essential that we handle this information carefully while performing our job duties.
Fortunately, at UB, the number of areas required to comply with HIPAA is small. For the purposes of HIPAA, SUNY is the "entity" that UB resides within. SUNY is a "hybrid entity" under HIPAA, meaning it has some functions which fall under HIPAA and some that don't. The UB School of Dental Medicine is the only SUNY function that falls under HIPAA at the University.
There are also non-SUNY functions at UB that fall under HIPAA. These include the Research Foundation function associated with maintenance of the RF health plan, and the clinical practice plans affiliated with the medical and dental schools. While there are other entities at UB which fit the definition of Health Care Provider (for example, Student Health and the Psychological Services Center), they do not engage in the electronic transactions which would place them under HIPAA, so their activities are not governed by it. It remains a unit's responsibility to identify itself to UB's Director of HIPAA Compliance (see below) if it is a Health Care Provider that will begin to undertake electronic transactions that will necessitate its compliance with HIPAA.
Outside of these areas, the largest impact HIPAA has is on UB researchers seeking data from HIPAA-covered entities. HIPAA permits covered entities to release protected information to researchers in a limited number of ways. However, once this information has left a covered entity and has been delivered to a UB researcher in a manner permitted by HIPAA, the information is no longer governed by HIPAA (except in rare instances where the release mechanism is contractual in nature).
Questions about HIPAA in relation to UB activities can be directed to:
Director of HIPAA Compliance
173 Biomedical Education Building, South Campus
(716) 829-3172 x2