The Health Insurance Portability and Accountability Act (HIPAA), signed into law on August 21, 1996, includes complex regulations, especially regarding the privacy and security of health information. NYU's Board of Trustees designated the University as a "hybrid entity" under HIPAA with three health care delivery units (covered components): the School of Medicine, College of Dentistry, and University Health Center (since renamed the Student Health Center). NYU's 12 non-health care delivery units consist of other designated University administrative units to the extent that each performs activities that may involve access to individually identifiable health information in supporting the three covered components. To comply with the standards and implementation specifications that comprise the administrative, physical, and technical safeguards and the organizational, procedural, and documentation requirements of the HIPAA Security Regulations, NYU has developed a set of 19 policies and accompanying definitions.
In addition, NYU has developed a Protected Health Information Breach Notification Policy to comply with Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act (ARRA) of 2009.
If you are downloading one or more policies, please also download "Policy 1. Overview: Policies, Procedures, and Documentation" (which includes information applicable to all the policies) and the definitions (which clarify the meanings of various terms in the policies).
Click the links below to download a PDF version of each policy and the accompanying definitions file (Adobe Reader required).
- Definition of Terms (40K PDF)
- Policy 1. Overview: Policies, Procedures, and Documentation (40K PDF)
- Policy 2. Security Management Process (72K PDF)
- Policy 3. Assigned Security Responsibility (32K PDF)
- Policy 4. Workforce Security (52K PDF)
- Policy 5. Information Access Management (40K PDF)
- Policy 6. Security Awareness and Training (52K PDF)
- Policy 7. Security Incident Procedures (32K PDF)
- Policy 8. Contingency Plan (56K PDF)
- Policy 9. Evaluation (32K PDF)
- Policy 10. Business Associate Contracts and Other Arrangements (48K PDF)
- Policy 11. Facility Access Controls (52K PDF)
- Policy 12. Workstation Use (32K PDF)
- Policy 13. Workstation Security (28K PDF)
- Policy 14. Device and Media Controls (36K PDF)
- Policy 15. Access Control (48K PDF)
- Policy 16. Audit Controls (28K PDF)
- Policy 17. Integrity (32K PDF)
- Policy 18. Person or Entity Authentication (32K PDF)
- Policy 19. Transmission Security (36K PDF)