Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as Kennedy-Kassebaum, was enacted as part of a broad Congressional attempt at health care reform.

While HIPAA’s initial focus is to guarantee the portability of health insurance, the Act also is designed to:

  1. Reduce the costs and administrative burdens of health care by making possible the standardized electronic transmission of many administrative and financial transactions that are currently carried out on paper; and
  2. Protect the security and confidentiality of personally identifiable health information (PHI).

The State University of New York is considered a covered entity under HIPAA. As such, it must ensure that its operations are in compliance with the HIPAA regulations by the effective dates set forth in the regulations.

OCR issued (via the OCR Privacy Listserv) new tools to educate consumers and providers about HIPAA Privacy and Security, April 29, 2013

Guidance from Department of Health and Human Services:

Dangerous Patients, issued January 15, 2013

This letter clarifies when patient information that would otherwise be protected under HIPAA can be shared with others.

The letter states the following:

"The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes, such as when a provider seeks to warn or report that persons may be at risk of harm because of a patient. When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority."

SUNY Resources

SUNY HIPAA Compliance Checklist: Structures, Policies and Procedures Needed for HIPAA Compliance
Includes tools to help identify when a breach has occurred, as well as general information on HIPAA, and the policies and procedures needed when HIPAA is applicable.

SUNY Business Associate Agreement, Updated 2013 Version

SUNY Risk Assessment Tool (For Suspected Breaches)

This SUNY tool helps HIPAA-covered entities determine IF a breach has occurred. It was designed to help SUNY HIPAA-covered entities make that determination PRIOR to the Final 2013 HIPAA Omnibus Rule. After the passage of the 2013 Omnibus Rule, the final rule on Breach Notification replaced the previous breach notification rule's "harm" threshold (which was reflected in the Risk Assessment tool) with a more objective standard. The final rule says a risk assessment for determining the probability that PHI was compromised should consider at least four factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

In the final breach rule, HHS notes: "We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."

Privacy and Safety on Campus: A Legal Framework, Guidance on Information Sharing for Faculty, Staff & Law Enforcement, The State University of New York, Office of University Counsel, April 2008.

SUNY System Administration Powerpoint presentation on HIPAA's Applicability Across SUNY.

The presentation was prepared by SUNY System Administration employees Heather Eichin, Director of Policy and Planning, and Kinsley Osei, Associate Counsel in the Office of General Counsel. The presentation was delivered to Campus Health Directors on May 23, 2012. It addresses questions relating to the applicability of HIPAA to SUNY's non-covered functions.

SUNY Procedure

SUNY Procedure 4200 HIPAA (Health Insurance Portability and Accountability Act)

SUNY System Websites

SUNY Privacy Policy Website

SUNY Notice of Privacy Practices

Applicable Laws & Regulations

The Law: Title II, Subtitle F of HIPAA

Privacy Act of 1974

NYS Information Security Breach and Notification Act

The American Recovery and Reinvestment Act of 2009

References to Best Practices & Other Supplemental Material

Government Resources

U.S. Department of Health and Human Services, Office For Civil Rights, Health Information Privacy (including HIPAA)

Centers for Medicare and Medicaid Services HIPAA General Information

Guidance from Department of Health and Human Services on Dangerous Patients, issued January 15, 2013


OCR Consumer Factsheets, April 2013

Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. The fact sheets complement a set of seven consumer-facing videos released earlier this year on OCR's YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule's requirements. The videos are available on the HHS OCR YouTube Channel.

Healthcare Provider HIPAA Compliance Training Modules available through
OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules:

  1. Patient Privacy: A Guide for Providers
  2. HIPAA and You: Building a Culture of Compliance
  3. Examining Compliance with the HIPAA Privacy Rule


Department of Health and Human Services National Institutes of Health (HIPAA Privacy Rule Information for Researchers)

Other Resources

The U.S. Department of Health and Human Services HIPAA Privacy & Security Audit Program Website

Overview: The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began in November 2011 and concluded in December 2012.

Article - Five Steps to Achieving HIPAA Compliance, Becker's Hospital Review, Earl Reber, Executive Director, eProtex, April 27, 2012

Want to Impress OCR During a HIPAA Audit? Write a Book, Health Data Management, Joseph Goedert, May 1, 2013 3:08pm

Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records

NACUA Resource Page on HIPAA (password protected for NACUA Members only)

Publications on Emerging Compliance Issues/Concerns

Healthcare Industry’s Prioritization of Compliance Over Data Security Puts Patient Data at Risk, says New Study from Kroll Advisory Solutions, New York, NY (PRWEB) April 11, 2012

Health Privacy Issues Can Be Resolved Without Obstructing Care, Ken Terry, April 9, 2012

HIPAA-Covered Campus Websites

University at Buffalo

SUNY Downstate Medical Center

SUNY Plattsburgh

SUNY Upstate Medical University

Where HIPAA Applies on Campuses:

The following is a comprehensive list of all of the HIPAA-covered components of State-operated campuses within the SUNY University system.

The list is current as of April 2008 and may be subject to change in the future. Questions about which components of community colleges are covered entities subject to HIPAA may be referred to the State University of New York via e-mail.

Campus / Health Care Component

University at Buffalo

Downstate Medical Center

College of Optometry

Stony Brook University

SUNY System Administration (HYBRID HIPAA-Covered ENTITY)

Upstate Medical University

The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials. For legal advice, consult your lawyer.