The Health Insurance Portability and Accountability Act (HIPAA), signed into law on August 21, 1996, includes complex regulations especially regarding the privacy and security of health information. NYU's Board of Trustees designated the University as a "hybrid entity" under HIPAA with three health care delivery units (covered components): the School of Medicine, College of Dentistry, and University Health Center (since renamed the Student Health Center). NYU's 12 non-health care delivery units consist of other designated University administrative units to the extent that each performs activities that may involve access to individually identifiable health information in supporting the three covered components. In order to comply with the standards and implementation specifications that comprise the administrative, physical, and technical safeguards and the organizational, procedural, and documentation requirements of the HIPAA Security Regulations, NYU has developed a set of 19 policies and accompanying definitions. The NYU School of Medicine follows HIPAA-related policies and procedures created specifically for its environment; School of Medicine compliance with HIPAA is coordinated through Langone Medical Center.
In addition, NYU has developed the IT Security Information Breach Notification Policy and Plan to comply with the HIPAA Security Regulations and with Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act (ARRA) of 2009, as amended or superseded from time to time.
If you are downloading one or more policies, please also download "Policy 1. Overview: Policies, Procedures, and Documentation" (which includes information applicable to all the policies) and the definitions (which clarify the meanings of various terms in the policies). Click the links below to download a PDF version of each policy and the accompanying definitions file (Adobe Acrobat Reader required).
- Table of Contents (17K PDF)
- Definition of Terms (50K PDF)
- Policy 1. Overview: Policies, Procedures, and Documentation (38K PDF)
- Policy 2. Security Management Process (221K PDF)
- Policy 3. Assigned Security Responsibility (32K PDF)
- Policy 4. Workforce Security (49K PDF)
- Policy 5. Information Access Management (38K PDF)
- Policy 6. Security Awareness and Training (198K PDF)
- Policy 7. Security Incident Procedures (32K PDF)
- Policy 8. Contingency Plan (205K PDF)
- Policy 9. Evaluation (32K PDF)
- Policy 10. Business Associate Contracts and Other Arrangements (76K PDF)
- Policy 11. Facility Access Controls (207K PDF)
- Policy 12. Workstation Use (30K PDF)
- Policy 13. Workstation Security (26K PDF)
- Policy 14. Device and Media Controls (37K PDF)
- Policy 15. Access Control (45K PDF)
- Policy 16. Audit Controls (26K PDF)
- Policy 17. Integrity Controls (31K PDF)
- Policy 18. Person or Entity Authentication (30K PDF)
- Policy 19. Transmission Security (34K PDF)
See also the Policy Against Information Blocking of Electronic Health information. This policy is related to NYU's HIPAA Policies and supports provision of informed care for patients by removing obstacles they encounter when trying to access, exchange, or use their own electronic health information (EHI).
About This Policy
Effective Date Supersedes N/A Issuing Authority Executive Vice President; Vice President for Information Technology and Global University Chief Information Officer Responsible Officer Executive Vice President; Vice President for Information Technology and Global University Chief Information Officer