HIPAA - Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), a.k.a. Kennedy-Kassebaum, was enacted as part of a broad Congressional attempt at health care reform.

While HIPAA's initial focus is to guarantee the portability of health insurance, the Act is also designed to:
1. Reduce the costs and administrative burdens of health care by making possible the standardized electronic transmission of many administrative and financial transactions that are currently carried out on paper; and
2. Protect the security and confidentiality of personally identifiable health information (PHI).

The State University of New York is considered a covered entity under HIPAA. As such, it must ensure that its operations are in compliance with the HIPAA regulations by the effective dates set forth in the regulations.

New: OCR issued (via the OCR Privacy Listserv) new tools to educate consumers and providers about HIPAA Privacy and Security, April 29, 2013

  • Consumer Guidance: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and health care providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
    Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of fact sheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR's website.
    The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR's YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule's requirements. The videos are available on the HHS OCR YouTube Channel.
  • Healthcare Provider Modules: OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org.

New: Guidance from Department of Health and Human Services on Dangerous Patients issued January 15, 2013

This newly released letter clarifies when patient information that would otherwise be protected under HIPAA can be shared with others. The letter states the following: "The HIPAA Privacy Rule protects the privacy of patients' health information but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health, and for other critical purposes, such as when a provider seeks to warn or report that persons may be at risk of harm because of a patient. When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider's actual knowledge (i.e., based on the provider's own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority."

SUNY Resources

SUNY HIPAA Compliance Checklist: Structures, Policies and Procedures Needed for HIPAA Compliance
Includes tools to help identify when a breach has occurred, as well as general information on HIPAA, and the policies and procedures needed when HIPAA is applicable.

SUNY Business Associate Agreement, Updated 2013 Version

SUNY Risk Assessment Tool (For Suspected Breaches)
This SUNY tool helps HIPAA-covered entities determine if a breach has occurred. This is the 2012 Risk Assessment version. A new version, in compliance with the new HIPAA rule, will be forthcoming.

Privacy and Safety on Campus: A Legal Framework, Guidance on Information Sharing for Faculty, Staff & Law Enforcement, The State University of New York, Office of University Counsel, April 2008.

SUNY System Administration PowerPoint presentation on HIPAA's Applicability Across SUNY. The presentation was prepared by SUNY System Administration employees Heather Eichin, Director of Policy and Planning, and Kinsley Osei, Associate Counsel in the Office of General Counsel. The presentation was delivered to Campus Health Directors on May 23, 2012. The presentation addresses questions relating to the applicability of HIPAA to SUNY's non-covered functions.

SUNY Procedure

SUNY Procedure 4200 HIPAA (Health Insurance Portability and Accountability Act)

SUNY System Websites

SUNY Privacy Policy Website

SUNY Notice of Privacy Practices

Applicable Laws & Regulations

The Law: Title II, Subtitle F of HIPAA

Privacy Act of 1974

NYS Information Security Breach and Notification Act

The American Recovery and Reinvestment Act of 2009

References to Best Practices & Other Supplemental Material

Government Resources

U.S. Department of Health and Human Services, Office For Civil Rights, Health Information Privacy (including HIPAA)

Centers for Medicare and Medicaid Services HIPAA General Information

Guidance from Department of Health and Human Services on Dangerous Patients issued January 15, 2013

HIPAA-REGS LIST-SERV

OCR Consumer Factsheets, April 2013
Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of fact sheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule.
The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR's YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule's requirements. The videos are available on the HHS OCR YouTube Channel.

Healthcare Provider HIPAA Compliance Training Modules available through Medscape.org
OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules.

Research

Department of Health and Human Services National Institutes of Health (HIPAA Privacy Rule Information for Researchers)

Other Resources

The U.S. Department of Health and Human Services HIPAA Privacy & Security Audit Program Website
Overview: The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began November 2011 and concluded in December 2012.

Article, Five Steps to Achieving HIPAA Compliance, Becker's Hospital Review
Earl Reber, Executive Director, eProtex | April 27, 2012

Want to Impress OCR During a HIPAA Audit? Write a Book, Health Data Management, 1, 2013 3:08pm

Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records

  • Issued November 2008. The guidance addresses the interplay between FERPA and the HIPAA Privacy Rule.
  • From the Introduction: "The purpose of this guidance is to explain the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and to address apparent confusion on the part of school administrators, health care professionals, and others as to how these two laws apply to records maintained on students. It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations. While this guidance seeks to answer many questions that school officials and others have had about the intersection of these federal laws, ongoing discussions may cause more issues to emerge. Contact information for submitting additional questions or suggestions for purposes of informing future guidance is provided at the end of this document. The Departments of Education and Health and Human Services are committed to a continuing dialogue with school officials and other professionals on these important matters affecting the safety and security of our nation's schools."

NACUA Resource Page on HIPAA (password protected for NACUA Members only)

Publications on Emerging Compliance Issues/ Concerns

Healthcare Industry’s Prioritization of Compliance Over Data Security Puts Patient Data at Risk, says New Study from Kroll Advisory Solutions, New York, NY (PRWEB) April 11, 2012

Health Privacy Issues Can Be Resolved Without Obstructing Care, Ken Terry, FierceHealthIT.com, April 9, 2012

HIPAA-Covered Campus Websites

University at Buffalo

SUNY Downstate Medical Center

SUNY Plattsburgh

SUNY Upstate Medical University

Where HIPAA Applies on Campuses:
The following is a comprehensive list of all of the HIPAA-covered components of State-operated campuses within the SUNY system.

The list is current as of April 2008 and may be subject to change in the future. Questions about which components of community colleges are covered entities subject to HIPAA may be referred to the State University of New York via e-mail at privacy@suny.edu.

Campus Health Care Component

University at Buffalo

  • Center for Dental Studies (School of Dental Medicine)
  • Center for the Study of Pain (School of Dental Medicine)
  • Department of Oral and Maxillofacial Surgery (Dental Medicine)
  • Department of Oral Biology (Dental Medicine)
  • Department of Oral Diagnostic Sciences (Dental Medicine)
  • Department of Orthodontics (Dental Medicine)
  • Department of Pediatric and Community Dentistry (Dental Medicine)
  • Department of Periodontics and Endodontics (Dental Medicine)
  • Department of Restorative Dentistry (Dental Medicine)
  • Industry/University Center for Biosurfaces (Dental Medicine)
  • Infectious & Chronic Disease Center of Discovery (Dental Medicine)
  • Laser Research Center (Dental Medicine)
  • National Center for Fluoridation Policy and Research (Dental Medicine)
  • School of Dental Medicine
  • School of Dental Medicine Clinic (Dental Medicine)
  • School of Dental Medicine Clinic Van (Dental Medicine)
  • South Campus Instrumentation Center (Dental Medicine)

Downstate Medical Center

  • College of Medicine - Brooklyn Free Clinic
  • Clinical Research /IRB/Privacy Board
  • Deans Office
  • DMC Administration
  • Finance
  • Graduate Medical Education
  • Information Services
  • Legal Counsel
  • Office of Compliance & Audit Services
  • Office of Contracts & Procurement
  • Office of Institutional Advancement
  • Office of Labor Relations
  • Presidential Area
  • Scientific Medical Instrumentation Center - SMIC
  • Student/Employee Health Services
  • University Hospital of Brooklyn (UHB)
  • University Physicians of Brooklyn, Inc. (UPB)

Fredonia

  • Youngerman Center for Communication Disorders
  • LoGrasso Student Health Center

College of Optometry

  • Clinical Research
  • Clinical Services
  • Security
  • Optometric Center

Plattsburgh

  • Alzheimer's Disease Assistance Center
  • Neuropsychology Clinic
  • Speech and Hearing Center
  • Traumatic Brain Injury Clinic
  • Center for Student Health and Psychological Services
  • Counseling Services Center
  • Athletic Training Facilities

Stony Brook University

  • Counseling Center
  • SBU Student Health Service
  • Clinical Psychology Department
  • Stony Brook University Hospital
  • HSC (Excluding Sayville Project & Dental)
  • HSC Sayville Project under the School of Social Welfare
  • Long Island State Veterans Home
  • Institutional Review Board and Office of Research Compliance
  • School of Dental Medicine

SUNY System Administration (HYBRID HIPAA-Covered ENTITY)

Upstate Medical University

  • College of Graduate Studies
  • College of Health Professions
  • College of Medicine
  • College of Nursing
  • Employee Relations
  • Executive Council
  • Information Management Technology
  • Institution Compliance Office
  • Office of Diversity and Affirmative Action
  • Office of Internal Audit
  • Office of Public & Media Relations
  • Office of Public Safety
  • University Hospital (excluding Student/Employee Health)
  • Human Subject Research
  • SUNY Office of University Counsel

The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York's campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site, which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials or the SUNY Compliance Administrator. For legal advice, consult your lawyer.


Copyright © 2013 The State University of New York. All rights reserved.

SUNY is not responsible for the content of external Internet sites. SUNY External Site Disclaimer.

Last Update - 5/16/13