Protected Health Information Security Sanction Policy (UBIT HIPAA)

Category: HIPAA
Responsible Office: UBIT HIPAA Compliance
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Approved by (Name/Title): J. Brice Bible, VPCIO
Date Established: December 2017
Date Last Revised: March 8, 2019
Date Posted: December 2017

Summary

HIPAA requires a covered entity to have appropriate sanctions and to apply them against workforce members who fail to comply with the covered entity's privacy and security policies and procedures. This policy supplements other university and UBIT policies. For example, under the university's Data Risk Classification Policy, individually identifiable health information that is subject to HIPAA ("PHI") is classified as Category 1 - Restricted, the classification that requires the greatest protection of all data types at the university; breaches of this data are potentially reportable to state and/or federal authorities.

HIPAA References:
    Standard: 45 CFR 164.308(a)(1)(ii)(C) Sanction Policy
    Standard: 45 CFR 164.530(e)(1) Sanctions

Policy Statement

As required by HIPAA, the University at Buffalo’s Information Technology (UBIT) implements policies and procedures to prevent, detect, contain, and correct information security violations. The university applies appropriate sanctions against its workforce members who fail to comply with policies and procedures that protect critical university data, including but not limited to HIPAA regulated data.

Background

The University operates as a hybrid entity as defined in the Health Insurance Portability and Accountability Act (HIPAA) Regulations administered by the U.S. Department of Health and Human Services Office for Civil Rights. The hybrid entity's designated functions at the university adhere to HIPAA and New York State Department of Health Regulations.

UBIT performs functions that support UB's operation as a hybrid entity, including functions that support UB's designated HIPAA covered components. As such, the UBIT workforce adheres to HIPAA and New York State Department of Health Regulations.

A covered entity must have, and must apply, appropriate sanctions against members of its workforce who fail to comply with the covered entity's policies and procedures.

Applicability

This policy applies to UBIT’s workforce members who access, process, and/or store university information containing Protected Health Information (PHI).

  1. Compliance with applicable HIPAA security policies and procedures is required for the university to ensure the confidentiality, integrity, and availability of protected health information in any format (oral, paper, electronic, etc.).
  2. The University provides ongoing HIPAA training for workforce members regarding policies and procedures. Training is provided primarily via the university's HIPAA training program and is reinforced via in-person training facilitated by the Compliance Officer and through email reminders.
  3. The University enforces HIPAA and pertinent policies and procedures; violations shall be cause for corrective measures. Corrective measures will be administered to a degree commensurate with the violation and in compliance with applicable collective bargaining agreements and/or applicable laws, regulations, and policies.

Definitions

Covered Entity
Health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically; the organizations and entities to which the HIPAA Regulations apply.

Electronic Protected Health Information (ePHI)
Protected health information (PHI) that is created, stored, transmitted, or received in electronic form and is therefore subject to the HIPAA Security Rule.

Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that applies to health plans, health care clearinghouses, and health care providers that engage in certain electronic transactions (covered entities). HIPAA provides protection of medical information through transaction standards, standard code sets, unique health identifiers, and security and privacy requirements. It requires the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information; to fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

Protected Health Information (PHI)
Individually identifiable health information, in any format (oral, paper, or electronic), that is subject to the HIPAA Privacy and Security Rules. PHI is information that identifies, or could reasonably be used to identify, an individual and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment, or paying for that service.

Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

Responsibility

HIPAA Compliance Officer: In conjunction with the HIPAA Security and Privacy Officer, the Compliance Officer participates in ensuring that the protection of PHI in any format is effective and enforced.

HIPAA Security and Privacy Officer: In conjunction with the Compliance Officer, participates in identifying potential violations and recommending appropriate sanctions.

Human Resource Director: In conjunction with the Compliance Officer and the HIPAA Security and Privacy Officer, participates in identifying potential violations and recommending appropriate sanctions.

University at Buffalo Office of Employee Relations: In conjunction with the Compliance Officer and the HIPAA Security and Privacy Officer, participates in identifying potential violations and recommending sanctions consistent with collective bargaining agreements.

UBIT Workforce: All members of the UBIT workforce must comply with the provisions of this policy.

Contact Information

HIPAA Security and Privacy Officer
Website: http://www.buffalo.edu/ubit.html

Vice President and Chief Information Officer
J. Brice Bible
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Related Information