HIPAA - Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), a.k.a. Kennedy-Kassebaum, was enacted as part of a broad Congressional attempt at health care reform.
While HIPAA's initial focus was to guarantee the portability of health insurance, the Act is also designed to:
1. Reduce the costs and administrative burdens of health care by making possible the standardized electronic transmission of many administrative and financial transactions that are currently carried out on paper; and
2. Protect the security and confidentiality of protected health information (PHI), i.e., individually identifiable health information.
The State University of New York is considered a covered entity under HIPAA. As such, it must ensure that its operations are in compliance with the HIPAA regulations by the effective dates set forth in the regulations.
New: OCR issued (via the OCR Privacy Listserv) new tools to educate consumers and providers about HIPAA privacy and security, April 29, 2013
- Consumer Guidance: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and health care providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR's website here.
- The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR's YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule's requirements. The videos are available on the HHS OCR YouTube Channel.
- Healthcare Provider Modules: OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org.
The HHS letter on dangerous patients (issued January 15, 2013, listed below under supplemental material) clarifies when patient information that would otherwise be protected under HIPAA can be shared with others. The letter states the following: "The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes, such as when a provider seeks to warn or report that persons may be at risk of harm because of a patient. When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority."
SUNY HIPAA Compliance Checklist: Structures, Policies and Procedures Needed for HIPAA Compliance
Includes tools to help identify when a breach has occurred, as well as general information on HIPAA, and the policies and procedures needed when HIPAA is applicable.
SUNY Business Associate Agreement, Updated 2013 Version
SUNY Risk Assessment Tool (For Suspected Breaches)
This SUNY tool was built to help HIPAA-covered entities determine IF a breach has occurred, and it reflects the standard in force PRIOR to the final 2013 HIPAA Omnibus Rule. The Omnibus Rule's final Breach Notification Rule replaced the earlier "harm" threshold (which the Risk Assessment Tool still reflects) with a more objective standard: an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can show a low probability that the PHI was compromised. Under the final rule, the risk assessment of that probability must consider at least four factors:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
In the final breach rule, HHS notes: "We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." Campuses using the tool should therefore treat its "harm" analysis as superseded and document the four factors above for any suspected breach.
Privacy and Safety on Campus: A Legal Framework, Guidance on Information Sharing for Faculty, Staff & Law Enforcement, The State University of New York, Office of University Counsel, April 2008.
SUNY System Administration PowerPoint presentation on HIPAA's Applicability Across SUNY. The presentation was prepared by SUNY System Administration employees Heather Eichin, Director of Policy and Planning, and Kinsley Osei, Associate Counsel in the Office of General Counsel. The presentation was delivered to Campus Health Directors on May 23, 2012. It addresses questions relating to the applicability of HIPAA to SUNY's non-covered functions.
SUNY Procedure 4200 HIPAA (Health Insurance Portability and Accountability Act)
SUNY System Websites
SUNY Notice of Privacy Practices
Applicable Laws & Regulations
The Law: Title II, Subtitle F of HIPAA
Privacy Act of 1974
NYS Information Security Breach and Notification Act
The American Recovery and Reinvestment Act of 2009
References to Best Practices & Other Supplemental Material
U.S. Department of Health and Human Services, Office For Civil Rights, Health Information Privacy (including HIPAA)
Centers for Medicare and Medicaid Services HIPAA General Information
New: Guidance from Department of Health and Human Services on Dangerous Patients issued January 15, 2013
OCR Consumer Factsheets, April 2013
Healthcare Provider HIPAA Compliance Training Modules available through Medscape.org
OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules.
Department of Health and Human Services National Institutes of Health (HIPAA Privacy Rule Information for Researchers)
The U.S. Department of Health and Human Services HIPAA Privacy & Security Audit Program Website
Overview: The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began November 2011 and concluded in December 2012.
Article, Five Steps to Achieving HIPAA Compliance, Becker's Hospital Review
Earl Reber, Executive Director, eProtex | April 27, 2012
Want to Impress OCR During a HIPAA Audit? Write a Book, Health Data Management, 1, 2013 3:08pm
Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records
- Issued November 2008. The guidance addresses the interplay between FERPA and the HIPAA Privacy Rule.
- From the Introduction: "The purpose of this guidance is to explain the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and to address apparent confusion on the part of school administrators, health care professionals, and others as to how these two laws apply to records maintained on students. It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations. While this guidance seeks to answer many questions that school officials and others have had about the intersection of these federal laws, ongoing discussions may cause more issues to emerge. Contact information for submitting additional questions or suggestions for purposes of informing future guidance is provided at the end of this document. The Departments of Education and Health and Human Services are committed to a continuing dialogue with school officials and other professionals on these important matters affecting the safety and security of our nation’s schools."
NACUA Resource Page on HIPAA (password protected for NACUA Members only)
Publications on Emerging Compliance Issues/ Concerns
Healthcare Industry’s Prioritization of Compliance Over Data Security Puts Patient Data at Risk, says New Study from Kroll Advisory Solutions, New York, NY (PRWEB) April 11, 2012
Health Privacy Issues Can Be Resolved Without Obstructing Care, Ken Terry, FierceHealthIT.com, April 9, 2012
HIPAA-Covered Campus Websites
University at Buffalo
SUNY Downstate Medical Center
SUNY Upstate Medical University
Where HIPAA Applies on Campuses:
The following is a comprehensive list of the HIPAA-covered components of State-operated campuses within the SUNY system.
The list is current as of April 2008 and is subject to change. Questions about which components of community colleges are covered entities subject to HIPAA may be referred to the State University of New York via e-mail at email@example.com.
Campus Health Care Component
University at Buffalo
- Center for Dental Studies (Dental Medicine)
- Center for the Study of Pain (Dental Medicine)
- Department of Oral and Maxillofacial Surgery (Dental Medicine)
- Department of Oral Biology (Dental Medicine)
- Department of Oral Diagnostic Sciences (Dental Medicine)
- Department of Orthodontics (Dental Medicine)
- Department of Pediatric and Community Dentistry (Dental Medicine)
- Department of Periodontics and Endodontics (Dental Medicine)
- Department of Restorative Dentistry (Dental Medicine)
- Industry/University Center for Biosurfaces (Dental Medicine)
- Infectious & Chronic Disease Center of Discovery (Dental Medicine)
- Laser Research Center (Dental Medicine)
- National Center for Fluoridation Policy and Research (Dental Medicine)
- School of Dental Medicine
- School of Dental Medicine Clinic (Dental Medicine)
- School of Dental Medicine Clinic Van (Dental Medicine)
- South Campus Instrumentation Center (Dental Medicine)
Downstate Medical Center
- College of Medicine - Brooklyn Free Clinic
- Clinical Research /IRB/Privacy Board
- Deans Office
- DMC Administration
- Graduate Medical Education
- Information Services
- Legal Counsel
- Office of Compliance & Audit Services
- Office of Contracts & Procurement
- Office of Institutional Advancement
- Office of Labor Relations
- Presidential Area
- Scientific Medical Instrumentation Center - SMIC
- Student/Employee Health Services
- University Hospital of Brooklyn (UHB)
- University Physicians of Brooklyn, Inc. (UPB)
- Youngerman Center for Communication Disorders
- LoGrasso Student Health Center
College of Optometry
- Clinical Research
- Clinical Services
- Optometric Center
- Alzheimer's Disease Assistance Center
- Neuropsychology Clinic
- Speech and Hearing Center
- Traumatic Brain Injury Clinic
- Center for Student Health and Psychological Services
- Counseling Services Center
- Athletic Training Facilities
Stony Brook University
- Counseling Center
- SBU Student Health Service
- Clinical Psychology Department
- Stony Brook University Hospital
- HSC (Excluding Sayville Project & Dental)
- HSC Sayville Project under the School of Social Welfare
- Long Island State Veterans Home
- Institutional Review Board and Office of Research Compliance
- School of Dental Medicine
SUNY System Administration (HYBRID HIPAA-Covered ENTITY)
Upstate Medical University
- College of Graduate Studies
- College of Health Professions
- College of Medicine
- College of Nursing
- Employee Relations
- Executive Council
- Information Management Technology
- Institutional Compliance Office
- Office of Diversity and Affirmative Action
- Office of Internal Audit
- Office of Public & Media Relations
- Office of Public Safety
- University Hospital (excluding Student/Employee Health)
- Human Subject Research
- SUNY Office of University Counsel
The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials or the SUNY Compliance Administrator. For legal advice, consult your lawyer.