New York University Skip to Content Skip to Search Skip to Navigation Skip to Sub Navigation

POLICY

HIPAA Policies

The Health Insurance Portability and Accountability Act (HIPAA), signed into law on August 21, 1996, includes complex regulations especially regarding the privacy and security of health information. NYU's Board of Trustees designated the University as a "hybrid entity" under HIPAA with three health care delivery units (covered components): the School of Medicine, College of Dentistry, and University Health Center (since renamed the Student Health Center). NYU's 12 non-health care delivery units consist of other designated University administrative units to the extent that each performs activities that may involve access to individually identifiable health information in supporting the three covered components. In order to comply with the standards and implementation specifications that comprise the administrative, physical, and technical safeguards and the organizational, procedural, and documentation requirements of the HIPAA Security Regulations, NYU has developed a set of 19 policies and accompanying definitions. The NYU School of Medicine follows HIPAA-related policies and procedures created specifically for its environment; School of Medicine compliance with HIPAA is coordinated through Langone Medical Center.

In addition, NYU has developed the IT Security Information Breach Notification Procedure to comply with the HIPAA Security Regulations and with Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act (ARRA) of 2009, as amended or superseded from time to time.

If you are downloading one or more policies, please also download "Policy 1. Overview: Policies, Procedures, and Documentation" (which includes information applicable to all the policies) and the definitions (which clarify the meanings of various terms in the policies).

Click the links below to download a PDF version of each policy and the accompanying definitions file (Adobe Reader required).

 

 

 

 

Enactment Date:  January 2005
 
History: Policies Updated August 2013
 
Cross References:

About This Policy

Effective Date: January 01, 2005
Issuing Authority: Executive Vice President for Health; Vice President, Information Technology and Chief Information Technology Officer
Responsible Officer: Executive Vice President for Health; Vice President, Information Technology and Chief Information Technology Officer
Office Name: Information Technology Services

Please refer to the "Purpose of this Policy" section of each policy posted to the left for details.

Affected by these policies are all covered components that may be designated by the University from time to time, including the NYU School of Medicine, NYU College of Dentistry, and the Student Health Center, and areas designated part of the health care component of the University from time to time but only to the extent that each component performs activities that would make such component a business associate of a component of the University that performs covered functions if the two components were separate legal entities (i.e., support components), including the Office of the Bursar, Controller’s Division, including Accounts Payable, Information Technology Services, Office of Insurance and Risk Management, Internal Audit, Office of Compliance and Risk Management, Office of General Counsel, Office of Sponsored Programs, University Relations and Public Affairs, Public Safety, Treasury Applications, and University Development and Alumni Relations. The NYU School of Medicine follows HIPAA-related policies and procedures created specifically for its environment; School of Medicine compliance with HIPAA is coordinated through Langone Medical Center. These policies affect all NYU workforce members in covered components. These policies affect all NYU workforce members in covered components.

Please refer to the "Definition of Terms" document posted to the left for details.

NYU Footer