Business associate: A business associate is a person or entity that performs a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity, but is not a member of its workforce.

Category 1-Restricted Data: Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation. Restricted data uses the definition of private information in the New York State Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; Social Security Numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, the university policy adds protected health information (PHI) as defined and regulated by HIPAA, computer passwords, other computer access protection data, and passport numbers. Category 1-Restricted data are exempt from disclosure or release under the New York State Freedom of Information Law (FOIL). The Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the New York State Information Security Policy.) Individuals who access, process, store, or in any other way handle Category 1-Restricted data are required to implement the controls and security measures required by relevant laws and regulations in addition to any university policy. Where a law or regulation conflicts with university policy, the more restrictive policy, law, or regulation applies.

Covered entity: Health care organizations and other types of organizations/entities to which the HIPAA Security Standard applies.

Data stewards: The responsible university officials who have planning and policy-level responsibilities for data in their functional areas are considered data stewards. Data stewards, as individuals, have management responsibilities for defined elements of institutional data.

Data users: Individuals who need and use university data as part of their assigned duties or in fulfillment of their role in the university community.

Electronic Protected Health Information (ePHI): Refers to any protected health information (PHI) that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred, or received in an electronic form.

Protected Health Information (PHI): The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.