New York University Skip to Content Skip to Search Skip to Navigation Skip to Sub Navigation
Main Navigation

POLICY

HIPAA Policies

The Health Insurance Portability and Accountability Act (HIPAA), signed into law on August 21, 1996, includes complex regulations especially regarding the privacy and security of health information. NYU's Board of Trustees designated the University as a "hybrid entity" under HIPAA with three health care delivery units (covered components): the School of Medicine, College of Dentistry, and University Health Center (since renamed the Student Health Center). NYU's 12 non-health care delivery units consist of other designated University administrative units to the extent that each performs activities that may involve access to individually identifiable health information in supporting the three covered components. In order to comply with the standards and implementation specifications that comprise the administrative, physical, and technical safeguards and the organizational, procedural, and documentation requirements of the HIPAA Security Regulations, NYU has developed a set of 19 policies and accompanying definitions.

In addition, NYU has developed a Protected Health Information Breach Notification Policy to comply with Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act (ARRA) of 2009.

If you are downloading one or more policies, please also download "Policy 1. Overview: Policies, Procedures, and Documentation" (which includes information applicable to all the policies) and the definitions (which clarify the meanings of various terms in the policies).

Click the links below to download a PDF version of each policy and the accompanying definitions file (Adobe Reader required).

About This Policy

Effective Date: January 01, 2005
Issuing Authority: Executive Vice President for Finance & Information Technology
Responsible Officer: Vice President for Information Technology and Chief Information Technology Officer for NYU New York
Office Name: Information Technology Services
Button: display or hide Purpose of the Policy

New York University is designated a hybrid organization under HIPAA. As such, its covered components are required to safeguard EPHI in accordance with the Security Regulations promulgated pursuant to HIPAA. These policies reflect New York University’s commitment to comply with such Regulations.

Button: display or hide Who needs to know this policy

Affected by these policies are all covered components that may be designated by the University from time to time, including the NYU School of Medicine, NYU College of Dentistry, and the University Health Center, and areas designated part of the health care component of the University from time to time but only to the extent that each component performs activities that would make such component a business associate of a component of the University that performs covered functions if the two components were separate legal entities, including the Bursar’s Office, Controller’s Division, including Accounts Payable, Information Technology Services, Insurance Department, Internal Audit, Office of the Chief Compliance Officer, Office of Legal Counsel, Office of Sponsored Programs, Press Office/Public Affairs, Public Safety, Treasurer’s Office, and University Development and Alumni Relations. These policies affect all NYU workforce members in covered components.

Button: display or hide Policy Definitions

(Please see the unique PDF link to the left or click here.)

NYU Footer