Compliance Roles

Various State and Federal laws, as well as SUNY Policies, require that we designate an employee to fill a particular compliance function/responsibility. The following is a comprehensive list of roles that Binghamton University is required to have in place, as well as information on the responsibilities and scope of the employee designated to fill the role.

Federal Compliance Roles

Federal Compliance Roles for HIPAA Covered Entities

Binghamton University is not a HIPAA-covered entity as of this revision; however, should this designation change, the following assignments have been made.

New York Compliance Roles (from New York State law and SUNY Policy)

Campus-specific Roles

 

Federally Mandated Compliance Roles

TITLE IX COORDINATOR - FEDERAL LAW
"All educational institutions receiving Federal financial assistance must designate at least one employee to coordinate their efforts to comply with and carry out their responsibilities under Title IX of the Education Amendments of 1972, which prohibits sex discrimination in education programs and activities. These designated employees are generally referred to as Title IX coordinators. A school's Title IX coordinator or coordinators are expected to play a critical role in helping a school ensure that every person affected by its operations—including faculty, staff, and students—are aware of their legal rights under Title IX, and that the school and all of its employees, through its policies, procedures, and practices, complies with its legal obligations under Title IX. A school should ensure that the Title IX coordinator is given the visibility, training, authority, and support necessary to fulfill these responsibilities. The coordinator should not have other job responsibilities that may create a conflict of interest. Designating a full-time Title IX coordinator will minimize the risk of a conflict of interest."

Original Source: Justice.gov, archives, Role of a Title IX Coordinator, URL: https://www.justice.gov/archives/ovw/page/file/910301/download

ADA COORDINATOR - FEDERAL LAW

Designating an ADA Coordinator
"If a public entity has 50 or more employees, it is required to designate at least one responsible employee to coordinate ADA compliance. A government entity may elect to have more than one ADA Coordinator. Although the law does not refer to this person as an "ADA Coordinator," this term is commonly used in state and local governments across the country and will be used in this chapter.

The ADA Coordinator is responsible for coordinating the efforts of the government entity to comply with Title II and investigating any complaints that the entity has violated Title II. The name, office address, and telephone number of the ADA Coordinator must be provided to interested persons."

Source: ADA Best Practices Tool Kit for State and Local Governments, Chapter 2: ADA Coordinator, Notice & Grievance Procedure: Administrative Requirements Under Title II of the ADA

URL: http://www.ada.gov/pcatoolkit/chap2toolkit.htm

CAMPUS SECURITY AUTHORITIES - REQUIRED BY THE CLERY ACT - FEDERAL LAW

Campus Security Authorities (CSAs) are defined by the Clery Handbook to include campus police/security and affiliated offices, those designated by the institution, and faculty and staff with significant responsibility for students and campus activities.

The following description of the Campus Security Authority (CSA) and their role and designation comes from the NACUA Note on International Clery Act Obligations, written by SUNY Office of General Counsel Associate Counsel Joseph Storch, and publicly available on the Higher Education Compliance Alliance website:

"Campus Security Authorities include police or security personnel, others with responsibility for security, and personnel with “significant responsibility for student and campus activities, including, but not limited to, student housing, student discipline and campus judicial proceedings.” “Official” is defined rather broadly as “any person who has the authority and the duty to take action or respond to particular issues on behalf of the institution.” The individuals included above must be given the responsibilities of Campus Security Authorities. Institutions may also designate other personnel as Campus Security Authorities, by listing those individuals in the Annual Security Report as “an individual or organization to which students and employees should report criminal offenses.” Pastoral and professional counselors who are so practicing when they receive a report of a crime are exempt from any requirements of Campus Security Authorities, even if they otherwise meet the requirements.

"Institutions must request statistics from all Campus Security Authorities each year to be included in the institution’s Annual Security Report.  Campus Security Authorities must forward to the individual or office responsible for Clery Act incident collection (usually Campus Police, Security, or Student Affairs) any allegations of Clery Act crimes that they believe were made in good faith.

"At a minimum for Clery Act purposes, the Campus Security Authority should disclose the details of the crime and the location where the crime occurred. The Campus Security Authority may disclose the name and contact information for the victim or individual reporting the crime, or may agree to keep that information confidential at the request of the victim or individual reporting the crime. All Campus Security Authorities should be trained in the obligations of Campus Security Authorities. In overseas programs, institutions may wish to designate all personnel working frequently with students as Campus Security Authorities, even if they do not meet the technical requirements. In that way, students abroad can feel they can speak to any institutional official overseas to report a crime. This is not a requirement, but is simply a good practice."

Federally Mandated Compliance Roles for HIPAA Covered Entities Only


PRIVACY OFFICER (FOR PURPOSES OF HIPAA - PERTAINS TO HIPAA COVERED ENTITIES ONLY)
The SUMMARY OF THE HIPAA PRIVACY RULE HIPAA Compliance Manual published by the United States Department of Health and Human Services states the following with regard to the designation of a privacy administration position:

Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices. The HIPAA Privacy regulations (45 CFR Part 164.530(a)(1)) require the designation of a privacy official who is responsible for the development and implementation of the entity's privacy policies and procedures. 45 CFR Part 164.530(a)(1)(ii) further requires that a covered entity must "designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520." Each SUNY campus should designate an individual to serve as the Privacy Official for that campus.

The Campus Privacy Official role is to:

  1. Oversee the HIPAA compliance activities of the campus, including the development, implementation and monitoring of campus HIPAA policies and procedures and workforce training;
  2. Serve as the campus resource for issues relating to HIPAA privacy;
  3. Work in concert with the Campus Security Official;
  4. Serve as the campus contact for issues/complaints relating to HIPAA privacy and be listed as the contact person on the campus' Notice of Privacy Practices; and
  5. Oversee campus responses to inquiries from patients and other outside parties. When the campus suspects that a HIPAA privacy violation has occurred, the University Privacy Officer should be notified of:
    1. the suspected breach;
    2. the investigation process that will be utilized;
    3. the findings of the investigation; and
    4. the remediation steps that will be taken to prevent future incidents.

SECURITY OFFICER (FOR PURPOSES OF HIPAA, PERTAINS TO HIPAA COVERED ENTITIES ONLY)
STANDARD § 164.308(a)(2) requires assigned security responsibility.

The SUMMARY OF THE HIPAA SECURITY RULE document published by the United States Department of Health and Human Services (HHS) provides that covered entities must designate security personnel. The summary states that "A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures."

This designation is further detailed in an HHS/DOJ Guidance document on the HIPAA Security Rule, which discusses the security standards and administrative standards of the rule. The document states the following with respect to STANDARD § 164.308(a)(2) and the assigned security responsibility requirement:

The second standard in the Administrative Safeguards section is Assigned Security Responsibility. There are no separate implementation specifications for this standard. The standard requires that covered entities:

"Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity." The purpose of this standard is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. Covered entities should be aware of the following when assigning security responsibility.

This requirement is comparable to the Privacy Rule standard at §164.530(a)(1), Personnel Designations, which requires all covered entities to designate a Privacy Official. The Security Official and Privacy Official can be the same person, but are not required to be. While one individual must be designated as having overall responsibility, other individuals in the covered entity may be assigned specific security responsibilities (e.g., facility security or network security). When making this decision covered entities should consider some basic questions. Sample questions for covered entities to consider:

  • Would it serve the organization's needs to designate the same individual as both the Privacy and Security Official (for example, in a small provider office)?
  • Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official?
  • How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization?

New York State Compliance Roles


AFFIRMATIVE ACTION OFFICER - NEW YORK STATE LAW
"New York State's policy is that equal opportunity will be assured in the State's personnel system and that affirmative action will be provided in the administration of that system in accordance with the requirements of the State's Human Rights Law, the mandates of Title VII of the Federal Civil Rights Act of 1964 as amended, and Executive Order No. 6 (1983). The Department of Civil Service is responsible for enforcing the Executive Order and for developing comprehensive statewide affirmative action policies, goals, objectives, and implementation strategies.

"Executive Order No. 6 requires that each agency designate a full-time affirmative action officer and develop a written affirmative action program that includes specific goals and timetables for the prompt achievement of full and equal employment opportunities for minorities, women, disabled persons, and Vietnam era veterans at all occupational levels of State government."

Source: Governor's Office of Employee Relations, Handbook For Management/Confidential Employees.

CHIEF DIVERSITY OFFICER (CDO) - SUNY POLICY

According to the SUNY Diversity, Equity, and Inclusion Policy, the campus Chief Diversity Officer must "be a senior member of the campus administration, reporting directly to the president or provost" and will "work collaboratively with offices across campus including but not limited to, the offices of academic affairs, human resources, enrollment management, and admissions - to elevate inclusiveness and implement best practices related to diversity, equity and inclusion in such areas as the recruitment and retention of students and senior administrators, faculty and staff hires" and also "serve as part of a system-wide network of CDOs to support SUNY's overall diversity goals."

ENTERPRISE RISK MANAGEMENT ROLE - SUNY POLICY

The Enterprise Risk Management role was established by SUNY Policy, the Enterprise Risk Management Program Policy, Document No. 7502.  Each campus was required to designate an ERM role at their campus, and report to System Administration on the designation.  

Efforts to identify the specific duties of the campus Enterprise Risk Management role are currently ongoing as the policy is developed into procedures for the campuses to follow.

INTERNAL CONTROLS OFFICER - NEW YORK STATE LAW AND SUNY POLICY
Each campus location must designate an Internal Control Officer. This Officer must coordinate with their campus each year to ensure compliance with the New York State Internal Controls Act, and to report to System Administration's System-wide Internal Controls Officer.

State Law:  Chapter 18 of the Consolidated Laws - Executive Law; Article 45 Internal Control Responsibilities of State Agencies

SUNY Policies and Procedures: SUNY Internal Control Program Policy, Doc. #7500

Pursuant to the New York State Government Accountability, Audit and Internal Control Act (Act) this policy outlines the State University of New York's (University) formalized program of internal control, which is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in achieving its goals and objectives.

SUNY Policies and Procedures: SUNY Internal Control Program Guidelines, Doc. #7501

"Designate an internal control officer at the University and campus levels to implement and review the University's/campuses' Internal Control Programs. The University and each of its affected campuses are required to designate an internal control officer. Based upon the internal control officer's other responsibilities, it may be necessary to delegate certain operational aspects of the campus' internal control program to designated staff (such as an internal control coordinator). The prescribed qualifications and responsibilities as they relate to the internal control efforts are outlined in Appendix C - Internal Control Responsibilities."

ETHICS OFFICER - STATE REQUIREMENT BY JCOPE, NYS ETHICS OVERSIGHT AGENCY, TO COMPLY WITH NEW YORK STATE LAW
While no provision of New York law says that we must have an Ethics Officer, the role is recognized by the oversight authority, the Joint Commission on Public Ethics, and Ethics Officers have many roles to ensure compliance with the laws that are within JCOPE's jurisdiction.

"The Joint Commission on Public Ethics ("JCOPE") administers and enforces the ethics laws that apply to appointees, officers and employees of New York State agencies, public authorities, public benefit corporations, and commissions ("Agency" or "Agencies"). The ethics laws apply to all of these covered persons, even those appointees who serve on an unpaid or per diem basis. Each Agency must designate an Ethics Officer to serve as the primary liaison to JCOPE.

OVERVIEW OF ETHICS OFFICER DUTIES AND RESPONSIBILITIES

  • Serves as liaison between the Agency and JCOPE for statutory and other administrative obligations.
  • Provides guidance to Agency officers and employees in the interpretation and implementation of ethics laws.
  • Promotes a culture of integrity by fostering awareness of ethics laws and obligations and serves as a resource on ethics questions.
  • Monitors ethics-related matters, including new laws, regulations, policies, and advisory opinions.
  • Evaluates allegations and refers complaints to JCOPE as appropriate.

In addition, the Ethics Officer has the responsibility to ensure that both the agency and its personnel comply with the legal obligations related to the following subjects:

  • Requirement to File an Annual Financial Disclosure Statement
  • Mandatory Ethics Training for FDS Filers
  • Approvals for Outside Activities
  • Approvals for Honoraria
  • Approvals for Official Activity Expense Payments
  • Acceptance of Gifts (including Widely Attended Events)

Source: JCOPE's Role of an Ethics Officer information document

RECORDS MANAGEMENT OFFICER - SUNY POLICY
The Records Management Officer role is established by SUNY Policy 6609, Records Retention and Disposition, pursuant to NYS Arts and Cultural Affairs Law Section 57.05 and Commissioner's Regulations 8 NYCRR Part 188. The policy requires a Records Management Officer at each location, and states as follows:

"Each campus should designate a local records management officer and notify the SUNY RMO of such designation. It is the responsibility of the campus RMO to report annually, by September 1 of each year, to the SUNY RMO on disposition actions taken by such campus during the previous academic year and to maintain the campus inventory of records. Requests for approval of retention schedules with shorter retention periods should be submitted by a campus through their local RMO to the SUNY RMO for transmittal to State Archives."

RECORDS ACCESS OFFICER/ FOIL OFFICER - SUNY POLICY AND NEW YORK STATE LAW
In accordance with SUNY Procedure, Document No. 6601, Compliance with the Freedom of Information Law (FOIL), the law, and the procedure codifying the law, "requires each campus and the system administration of the University to designate records access officers. Requests for information from the campus or the system administration should be directed to the respective records access officer at each location, as appropriate."

The term 'Records Access Officer' is synonymous with the term 'FOIL Officer.' The two roles are one and the same.

RESPONSIBLE UNIVERSITY OFFICIAL (CHILD PROTECTION POLICY) - SUNY POLICY
Pursuant to the SUNY Child Protection Policy, No. 6505, each campus must 'Designate a Responsible University Official for each Covered Activity' under the policy. The Responsible University Official is the employee of the University or University-affiliated organization, who has been designated by the Campus.

INFORMATION SECURITY OFFICER - SUNY POLICY
SUNY's Information Security Procedure, Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, requires that each campus establish an Information Security Officer, whose role is defined as "an assigned person (Officer) or group (Office) or coordinated function (Oversight) that understands the Campus's information security risk, the Program, and the meaning and intent of the University standards for information security and who presents professionally and legally sound and timely advice to executive management regarding appropriate action, ensuring the Program is exposed to outside, professional perspective, especially that of the University's central information security oversight function."

PRIVACY COMPLIANCE OFFICER - NEW YORK STATE LAW
The New York State Personal Privacy Protection Law (Public Officers Law §§91-99), with corresponding regulation 8 NYCRR Part 315, requires that SUNY System Administration and the SUNY State-Operated campuses each designate a Privacy Compliance Officer in order to comply fully with the provisions of article 6-A of the Public Officers Law, the Personal Privacy Protection Law. The regulation states as follows: "A privacy compliance officer shall be designated by the chief administrative officer of each State-operated campus. The name, title and business address of the campus privacy compliance officer may be obtained from the office of the chief administrative officer of each campus." SUNY's Compliance with the Personal Privacy Protection Law Policy (Doc. #6603 A. 1. (j)) codifies 8 NYCRR Part 315 by requiring that the University "designate a University employee who shall be responsible for ensuring that the agency complies with all of the provisions of the PPPL (the Privacy Compliance Officer)." The regulation also states that the "Privacy compliance officers are responsible for ensuring appropriate responses to requests for access to and for amendment or correction of records in accordance with the Personal Privacy Protection Law. The designation of privacy compliance officers shall not be construed to prohibit officials who have in the past been authorized to make records available or to amend or correct such records from continuing to do so.
Privacy compliance officers shall ensure that personnel: (1) assist a data subject in identifying and requesting personal information, if necessary; (2) describe the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to the data subject; (3) take one of the following actions upon locating the record sought: (i) make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided; (ii) permit the data subject to copy the record; or (iii) deny access to the record in whole or in part and explain in writing the reasons therefor; (4) upon request for copies of records, make a copy available upon payment of 25 cents per page; (5) upon request, certify that a copy of a record is a true copy; or (6) upon request, certify that: (i) the university or campus does not have possession of the record sought; (ii) the university or campus cannot locate the record sought after having made a diligent search; or (iii) the information sought cannot be retrieved by use of the description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the university or campus." (8 NYCRR 315.2.(b))

DOMESTIC VIOLENCE LIAISON - SUNY POLICY TO COMPLY WITH THE NEW YORK STATE LAW ON DOMESTIC VIOLENCE
New York State Executive Order # 19, adopted in 2007, required that all State Agencies, including SUNY, adopt a Domestic Violence in the Workplace Policy. Each state agency was required to formulate and issue a Domestic Violence in the Workplace Policy by August 1, 2008, all while using the Office for the Prevention of Domestic Violence (OPDV) Model Domestic Violence and the Workplace Policy as a guide. Each SUNY Campus is required to review their policy ANNUALLY, and to submit any changes to the SUNY System Affirmative Action Officer.

The SUNY Model Domestic Violence Policy, which was written to serve as a model for campus local policies, required that each campus location designate a Domestic Violence liaison who would serve as a point person at the campus for reporting to System Administration on Domestic Violence issues. The Model Domestic Violence and the Workplace Policy template, available on the SUNY Compliance website Domestic Violence page, states the following with regard to the Domestic Violence campus role:

I. Workplace Safety Plans
By means of a domestic violence workplace safety response plan, [CAMPUS] shall make employees aware of their options and available resources and help employees safeguard each other and report domestic violence to designated officials.
a. The designated liaison between [CAMPUS] and SUNY System Administration is [NAME OR OFFICE TITLE OF DESIGNATED AGENT]. This liaison will ensure campus wide implementation of this policy, and serve as the primary liaison with System Administration regarding this policy. The System Administration designated liaison will communicate with the Office for the Prevention of Domestic Violence (OPDV) on behalf of campuses as it relates to reporting.

PROJECT SUNLIGHT LIAISON - NEW YORK STATE LAW
Project Sunlight, a component of the Public Integrity Reform Act of 2011 (Ch. 399, Part A, §4, L. 2011), is a New York State online database that provides the public with an opportunity to see what entities and individuals are interacting with government decision-makers at the various State entities. Effective January 1, 2013, State entities (including SUNY & SUNY State-operated campuses) are required to report to the OGS database 'appearances' by individuals/firms who 'appear' before State decision-makers or persons who advise decision-makers (decision makers and decision advisors are considered 'covered individuals' under the law). The Project Sunlight database, hosted by the NYS Office of General Services, aggregates the inputted data and makes it available to the public for viewing. A New York State Project Sunlight Policy was developed to clearly define what 'appearances' must be reported under the law.

Through Project Sunlight and the SUNY plan to outline compliance with the law, each campus is required to 'Designate one/several individuals responsible for entering data in the OGS Project Sunlight database.'