Compliance with HIPAA Privacy Regulations (VI.2.1)
Statement of Policy
Reason for Policy
Who Should Know This Policy
Related Documents
Contacts
Definitions
Procedures
Responsibilities
Purdue University endeavors to preserve the privacy and confidentiality of the protected health information and medical records maintained by its various schools and departments. It strives to fulfill this responsibility in accordance with state and federal statutes and regulations. Further, Purdue acknowledges its general obligations of trust and confidentiality reposed in its employees and students who are responsible for medical or mental health treatment at the University. As a hybrid entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Purdue will ensure that its designated “covered components” comply fully with the requirements of 45 C.F.R. Parts 160, 164, which are the HIPAA Privacy Regulations.
Declaration of Hybrid Entity Status and Designation of Covered Components
Purdue University is a hybrid entity under the HIPAA Privacy Regulations. Purdue’s primary purpose is education; however, Purdue does have departments and covered components that provide covered healthcare services, and Purdue has self-insured health plans. Purdue also has offices or departments that provide business support to the healthcare provider and health plan covered components, and these business support offices or departments have or may have access to protected medical and health information. Purdue University, therefore, has surveyed its departments to identify and designate its covered components. Designated covered components at the writing of this policy include the following:
Healthcare Provider Covered Components –
- Purdue Student Health Center
- Purdue Pharmacy
- Purdue's School of Nursing Nursing Centers
- Purdue's SLHS Audiology and Speech-Language Clinics
- Lafayette Street Family Planning Clinic
- IPFW Dental Hygiene Clinic
- Lafayette Street Dental Clinic
Health Plan Covered Components –
- Medical Benefits Plan(s)
- Vision Plan
- Pharmacy Plan(s)
- Health Care Flexible Spending Account Plan
- Employee Assistance Programs
- Employee Wellness
- WorkLife
Business Support Covered Components –
- Accounts Receivable
- E-Commerce & Credit Card Operations
- Central Files
- Internal Audit
- Information Technology at Purdue (only the following areas)
  - Infrastructure Operations - Production Services
  - UNIX Platform Administration
  - Windows Platform Administration
  - Infrastructure Systems - Database Administration
  - Customer Relations - Desktop Computing Support
  - Enterprise Applications
  - Security & Privacy
  - ITaP Customer Service Center
- Public Records Office
- Printing Services
- School of Nursing Business Office
- Insurance Services Enterprise
- OnePurdue Initiative
- Environmental Health
- Pharmacy, Nursing and Health Sciences Technical Services
- IPFW School of Health Sciences Business Office
- Student Services Workstation Technology
- Business Services Consulting
- IPFW Information Technology Services
- Calumet Computing Technology and Information Services
- North Central Information Services
- North Central Accounting
- RCHE-Health Outcomes and Policy Research Center
- SLHS Business and Main Offices
- SLHS Electronics and Technical Support
The full list of covered components at Purdue University may be found at the following Web site: www.purdue.edu/hipaa.
Effective April 14, 2003, Purdue University’s covered components are required to comply with the HIPAA Privacy Regulations. Purdue University adopts this policy to ensure such compliance.
| Subject | Contact | Telephone | E-mail |
|---|---|---|---|
| All Questions | Privacy Officer | 765-494-7113 | hipaa-privacy@purdue.edu |

| Term | Definition |
|---|---|
| Business associates | Persons or entities that provide services or assist the covered entity in the performance of an activity or function involving the use of protected health information or other regulated activities. |
| Covered components | Areas of the University that have been designated and are required to comply with the HIPAA Privacy Regulations. |
| Health information | Anything created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; or the past, present, or future payment for the provision of healthcare to an individual. |
| HIPAA | Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of healthcare services, and the security and confidentiality of individually identifiable, protected health information in written, electronic, or oral formats. |
| Hybrid entity | A covered entity whose business activities include both covered and non-covered functions and that designates those healthcare and other covered components that must comply with the HIPAA Privacy Regulations. |
| Individually identifiable health information | Information that identifies or reasonably can be used to identify the individual and relates to: |
| Protected health information | Individually identifiable health information, in any form, received or created as a consequence of providing healthcare services or health plan benefits (including demographic information). Protected health information may include information used for research purposes, if that information identifies or could be used to identify a human research subject. |
Notices of Privacy Practices
Notices of Privacy Practices will specify how Purdue uses and discloses protected health information. The notices will be revised as needed.
Each covered component will distribute the applicable Notice of Privacy Practices to all of its affected patients and employees. Notices will also be posted on the Purdue University Web site and at each primary entrance or area of each applicable covered component. Staff of each covered component will be familiar with the applicable notice(s) and will comply with the practices described in the notice(s).
Designation of Additional Covered Components
Additional covered components may be designated by the privacy officer after the effective date of this policy, depending upon the services they provide and how they transact business and transmit information. The privacy officer will monitor the activities of the various departments and campuses and will update or modify the list of designated covered components as needed. An updated list of covered components shall be reflected in the Notice(s) of Privacy Practices and shall also be posted on the Purdue web site and available upon request from the privacy officer.
Addressing and Resolving Privacy Complaints
The privacy officer will develop and distribute a Privacy Complaint Form. All covered components will use the form for purposes of receiving complaints regarding Purdue’s privacy practices and compliance with the HIPAA Privacy Regulations. The form will direct the user to submit the completed form to the privacy officer at the location provided on the form. The form will also provide information about how the user may file a complaint directly with the Department of Health and Human Services.
Upon receipt of a completed Privacy Complaint Form, the privacy officer will immediately forward a copy of the form to the appropriate personnel in the affected covered component and request an investigation. The privacy officer or his or her designee will work with the affected covered component to fully investigate and respond to the complaint.
Covered Components
Each covered component will develop and implement procedures to ensure the security and privacy of protected health information and to ensure compliance with this policy and the HIPAA Privacy Regulations. Each covered component will work with the privacy officer to develop appropriate procedures and train its personnel regarding the procedures. The department head or director of each covered component and the privacy officer must approve all procedures prior to implementation.
Privacy Officer
The privacy officer will develop and implement policies and procedures to ensure the University complies with the HIPAA Privacy Regulations. The privacy officer will ensure that all affected employees and students are trained and will receive, investigate, and resolve any privacy complaints received by Purdue University.
The privacy officer will oversee the development of Notice(s) of Privacy Practices for Purdue’s covered components that provide healthcare services and for Purdue’s covered health plans. The privacy officer will develop a Privacy Complaint Form for University-wide use.
In addition, the privacy officer, in consultation with legal counsel as needed, will develop and distribute other appropriate forms required by the HIPAA Privacy Regulations. These include, but are not limited to, individual authorizations, appropriate business associate agreements, employee and student confidentiality agreements, limited data set agreements, chain of trust agreements, and research authorizations.
The privacy officer may assign other persons to assist with any of these responsibilities and may designate someone to act as privacy officer at the regional campuses or in the absence or unavailability of the privacy officer.