Table of Contents
Statement of Policy
Reason for Policy
Who Should Know This Policy
Related Documents
Contacts
Definitions
Procedures
Responsibilities
Statement of Policy
Purdue University endeavors to preserve the privacy and confidentiality
of the protected health information and medical records maintained
by its various schools and departments. It strives to fulfill
this responsibility in accordance with state and federal statutes
and regulations. Further, Purdue acknowledges its general
obligations of trust and confidentiality reposed in its employees
and students who are responsible for medical or mental health
treatment at the University. As a hybrid entity under the
Health Insurance Portability and Accountability Act of 1996
(HIPAA), Purdue will ensure that its designated “covered
components” comply fully with the requirements of 45
C.F.R. Parts 160, 164, which are the HIPAA Privacy Regulations.
Declaration of Hybrid Entity Status and Designation
of Covered Components
Purdue University is a hybrid entity under the HIPAA Privacy
Regulations. Purdue’s primary purpose is education;
however, Purdue does have departments and covered components
that provide covered healthcare services, and Purdue has self-insured
health plans. Purdue also has offices or departments that
provide business support to the healthcare provider and health
plan covered components, and these business support offices
or departments have or may have access to protected medical
and health information. Purdue University, therefore, has
surveyed its departments to identify and designate its covered
components. Designated covered components at the writing of
this policy include the following:
Healthcare Provider Covered Components –
- Purdue Student Health Center
- Purdue Pharmacy
- Purdue's School of Nursing Nursing Centers
- Purdue's SLHS Audiology and Speech-Language Clinics
- Lafayette Street Family Planning Clinic
- IPFW Dental Hygiene Clinic
- Lafayette Street Dental Clinic
Health Plan Covered Components –
- Medical Benefits Plan(s)
- Vision Plan
- Pharmacy Plan(s)
- Health Care Flexible Spending Account Plan
- Employee Assistance Programs
- Employee Wellness
- WorkLife
Business Support Covered Components –
- Accounts Receivable
- E-Commerce & Credit Card Operations
- Central Files
- Internal Audit
- Information Technology at Purdue (only the following areas):
  - Infrastructure Operations - Production Services
  - UNIX Platform Administration
  - Windows Platform Administration
  - Infrastructure Systems - Database Administration
  - Customer Relations - Desktop Computing Support
  - Enterprise Applications
  - Security & Privacy
  - ITap Customer Service Center
- Public Records Office
- Printing Services
- School of Nursing Business Office
- Insurance Services Enterprise
- OnePurdue Initiative
- Environmental Health
- Pharmacy, Nursing and Health Sciences Technical Services
- IPFW School of Health Sciences Business Office
- Student Services Workstation Technology
- Business Services Computing
- IPFW Information Technology Services
- Calumet Computing Technology and Information Services
- North Central Information Services
- North Central Accounting
- RCHE-Health Outcomes and Policy Research Center
- SLHS Business and Main Offices
- SLHS Electronics and Technical Support
The full list of covered components at Purdue University
may be found at the following Web site: www.purdue.edu/hipaa.
Reason for Policy
Effective April 14, 2003, Purdue University’s covered
components are required to comply with the HIPAA Privacy Regulations.
Purdue University adopts this policy to ensure such compliance.
Who Should Know This Policy
- Office of the President
- Office of the Provost
- Executive Vice President and Treasurer
- Chancellors
- Deans
- Directors/department heads/chairs/employees of
covered components
- All other employees and students who may have contact
with protected
health information held by a covered component
- Privacy officer and staff
- Research administration
- Vice Presidents
- Vice Chancellors
Related Documents
Contacts
Definitions
Business associates –
Persons or entities that provide services or assist the covered
entity in the performance of an activity or function involving
the use of protected health information or other regulated
activities.
Covered components –
Areas of the University that have been designated and are
required to comply with the HIPAA Privacy Regulations.
Health information –
Anything created or received by a healthcare provider, health
plan, public health authority, employer, life insurer, school
or university, or healthcare clearinghouse that relates to the
past, present, or future physical or mental health or condition
of an individual; or the past, present, or future payment for
the provision of healthcare to an individual.
HIPAA –
Health Insurance Portability and Accountability Act of 1996,
which mandates significant change in the laws and regulations
governing the provision of health benefits, the delivery and
payment of healthcare services, and the security and
confidentiality of individually identifiable, protected health
information in written, electronic, or oral formats.
Hybrid entity –
A covered entity whose business activities include both covered
and non-covered functions and that designates those healthcare
and other covered components that must comply with the HIPAA
Privacy Regulations.
Individually identifiable health information –
Information that identifies or reasonably can be used to
identify the individual and relates to:
- the past, present, or future physical or mental
health or condition of an individual;
- the provision of healthcare to the individual;
or
- the past, present, or future payment for the provision
of healthcare
Protected health information –
Individually identifiable health information, in any form,
received or created as a consequence of providing healthcare
services or health plan benefits (including demographic
information). Protected health information may include
information used for research purposes, if that information
identifies or could be used to identify a human research
subject.
Procedures
Notices of Privacy Practices
Notices of Privacy Practices will specify
how Purdue uses and discloses protected health information.
The notices will be revised as needed.
Each covered component will distribute the
applicable Notice of Privacy Practices to all of its affected
patients and employees. Notices will also be posted on the
Purdue University Web site and at each primary entrance or
area of each applicable covered component. Staff of each covered
component will be familiar with the applicable notice(s) and
will comply with the practices described in the notice(s).
Designation of Additional Covered Components
Additional covered components may be designated by the privacy
officer after the effective date of this policy, depending
upon the services they provide and how they transact business
and transmit information. The privacy officer will monitor
the activities of the various departments and campuses and
will update or modify the list of designated covered components
as needed. An updated list of covered components shall be
reflected in the Notice(s) of Privacy Practices and shall
also be posted on the Purdue web site and available upon request
from the privacy officer.
Addressing and Resolving Privacy Complaints
The privacy officer will develop and distribute a Privacy
Complaint Form. All covered components will use the form for
purposes of receiving complaints regarding Purdue’s
privacy practices and compliance with the HIPAA Privacy Regulations.
The form will direct the user to submit the completed form
to the privacy officer at the location provided on the form.
The form will also provide information about how the user
may file a complaint directly with the Department of Health
and Human Services.
Upon receipt of a completed Privacy Complaint Form, the privacy
officer will immediately forward a copy of the form to the
appropriate personnel in the affected covered component and
request an investigation. The privacy officer or his or her
designee will work with the affected covered component to
fully investigate and respond to the complaint.
Responsibilities
Covered Components
Each covered component will develop and
implement procedures to ensure the security and privacy of
protected health information and to ensure compliance with
this policy and the HIPAA Privacy Regulations. Each covered
component will work with the privacy officer to develop appropriate
procedures and train its personnel regarding the procedures.
The department head or director of each covered component
and the privacy officer must approve all procedures prior
to implementation.
Privacy Officer
The privacy officer will develop and implement
policies and procedures to ensure the University complies
with the HIPAA Privacy Regulations. The privacy officer will
ensure that all affected employees and students are trained
and will receive, investigate, and resolve any privacy complaints
received by Purdue University.
The privacy officer will oversee the development
of Notice(s) of Privacy Practices for Purdue’s covered
components that provide healthcare services and for Purdue’s
covered health plans. The privacy officer will develop a Privacy
Complaint Form for University-wide use.
In addition, the privacy officer, in consultation
with legal counsel as needed, will develop and distribute
other appropriate forms required by the HIPAA Privacy Regulations.
These include, but are not limited to, individual authorizations,
appropriate business associate agreements, employee and student
confidentiality agreements, limited data set agreements, chain
of trust agreements, and research authorizations.
The privacy officer may assign other persons
to assist with any of these responsibilities and may designate
someone to act as privacy officer at the regional campuses
or in the absence or unavailability of the privacy officer.