HIPAA Covered Function Designation Policy

Policy Information
Policy TitleHIPAA Covered Function Designation Policy
Responsible OfficeITS Information Security
Policy TypeLegal and Compliance
Policy Number905
Last Revision Date10/31/2024

Summary

Binghamton University designates covered functions that are required follow laws and regulations in order to protect the privacy, security, and integrity of protected health information.

Policy Statement

Binghamton University’s President designates certain areas as covered functions employing any of the following criteria:

  • An area that would meet the definition of a covered entity.
  • An area that is a business associate of an external covered entity.
  • An area that accesses PHI for research and/or education purposes.

Only areas designated as covered functions by Binghamton University may hold HIPAA Protected Health Information, PHI.

All other areas of Binghamton University will be considered non-covered functions. 

The campus shall appoint a HIPAA Privacy Officer and a HIPAA Security Officer. The HIPAA Privacy and Security Officers will periodically verify the status of the covered and non-covered components.  Binghamton University designated covered functions will designate a HIPAA Associate to oversee compliance with HIPAA and university policies.

Each area designated as HIPAA designated function will be subject to the HIPAA Privacy and Security policies, standards and procedures established by Binghamton University HIPAA Privacy and Security Officers.

Background

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to the individual, or the payment for the provision of health care to the individual (“Protected Health Information”; or PHI). HIPAA applies to “Covered Entities,” which include health plans, health care clearing houses and health care providers that conduct specified transactions electronically (“Covered Entities”; or each a “Covered Entity” and their business associates.)  

The State University of New York (SUNY) is the covered entity for HIPAA purposes. SUNY is designated as a hybrid entity under HIPAA. SUNY is comprised of activities that are not components covered under HIPAA and designated covered functions covered under HIPAA. 

Binghamton University as a component of SUNY may designate campus covered functions as part of the SUNY hybrid entity. HIPAA requirements apply only to the Binghamton University HIPAA designated covered functions.

Applicability

This policy applies to all Binghamton University PHI data regardless of its form or location.

Contact Information

Michael Behun
HIPAA Privacy Officer
HIPAA Security Officer
Chief Information Security Officer
behun@binghamton.edu

Date Description Responsible Party
     
10/31/2024 Bi-annual review conducted.  No changes. ITS Information Security