The Health Insurance Portability and Accountability Act (HIPAA), signed into law on August 21, 1996, includes complex regulations especially regarding the privacy and security of health information. NYU's Board of Trustees designated the University as a "hybrid entity" under HIPAA with three health care delivery units (covered components): the School of Medicine, College of Dentistry, and University Health Center (since renamed the Student Health Center). NYU's 12 non-health care delivery units consist of other designated University administrative units to the extent that each performs activities that may involve access to individually identifiable health information in supporting the three covered components. In order to comply with the standards and implementation specifications that comprise the administrative, physical, and technical safeguards and the organizational, procedural, and documentation requirements of the HIPAA Security Regulations, NYU has developed a set of 19 policies and accompanying definitions. The NYU School of Medicine follows HIPAA-related policies and procedures created specifically for its environment; School of Medicine compliance with HIPAA is coordinated through Langone Medical Center.
In addition, NYU has developed the IT Security Information Breach Notification Procedure to comply with the HIPAA Security Regulations and with Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act (ARRA) of 2009, as amended or superseded from time to time.
If you are downloading one or more policies, please also download "Policy 1. Overview: Policies, Procedures, and Documentation" (which includes information applicable to all the policies) and the definitions (which clarify the meanings of various terms in the policies).
Click the links below to download a PDF version of each policy and the accompanying definitions file (Adobe Reader required).
- Table of Contents (12K PDF)
- Definition of Terms (37K PDF)
- Policy 1. Overview: Policies, Procedures, and Documentation (33K PDF)
- Policy 2. Security Management Process (53K PDF)
- Policy 3. Assigned Security Responsibility (29K PDF)
- Policy 4. Workforce Security (41K PDF)
- Policy 5. Information Access Management (33K PDF)
- Policy 6. Security Awareness and Training (41K PDF)
- Policy 7. Security Incident Procedures (29K PDF)
- Policy 8. Contingency Plan (45K PDF)
- Policy 9. Evaluation (29K PDF)
- Policy 10. Business Associate Contracts and Other Arrangements (53K PDF)
- Policy 11. Facility Access Controls (41K PDF)
- Policy 12. Workstation Use (25K PDF)
- Policy 13. Workstation Security (20K PDF)
- Policy 14. Device and Media Controls (29K PDF)
- Policy 15. Access Control (37K PDF)
- Policy 16. Audit Controls (20K PDF)
- Policy 17. Integrity (25K PDF)
- Policy 18. Person or Entity Authentication (25K PDF)
- Policy 19. Transmission Security (29K PDF)