Compliance with HIPAA Privacy and Security Regulations (S-10)

Standard: S-10
Responsible Executive: Vice President for Ethics and Compliance
Responsible Office: Office of the Vice President for Information Technology and Office of Legal Counsel
Date Issued: May 1, 2018
Date Last Revised: January 11, 2023

TABLE OF CONTENTS

Individuals and Entities Affected by This Standard
Contacts
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

The Covered Components and individuals who work in any of the Covered Components listed on the HIPAA Compliance website, are affected by this policy.

CONTACTS

STATEMENT OF STANDARD

Purdue University is a Hybrid Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Purdue’s primary purpose is education; however, Purdue does have departments and Covered Components that provide covered health care services, and Purdue has self-insured health plans. Purdue also has offices or departments that provide business support to the Covered Components at Purdue and to covered entities outside of Purdue, and these business support offices or departments may have access to Protected Health Information.

As a Hybrid Entity under HIPAA, Purdue University’s Covered Components are required to comply fully with the HIPAA Privacy and Security Regulations (45 C.F.R., Parts 160, 162 and 164). Covered Components must also comply with federal notification regulations in the event of a breach of unsecured Protected Health Information as required under section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

Purdue University regularly surveys its departments to identify and designate its Covered Components. The comprehensive list of Covered Components at Purdue University can be found on the HIPAA Compliance website.

RESPONSIBILITIES

Covered Components

• Develop and implement departmental procedures, in compliance with University HIPAA procedures, to ensure the security and privacy of Protected Health Information and ensure compliance with this policy and the HIPAA Privacy and Security Regulations. Although ultimate responsibility for implementation of a compliance program lies with the Privacy and Security Officers, representatives from each of the Covered Components are responsible for implementation and maintenance of the specified requirements of HIPAA in their specific operation. 
• Work with the Privacy and Security Officers or their respective designees to review and implement appropriate procedures and train its personnel regarding said procedures. The department head or director of each Covered Component and the Privacy Officer for HIPAA privacy and Security Officer for HIPAA security procedures must approve all HIPAA-related procedures prior to implementation.
• Determine and document the staff that are included in the Covered Component and determine which roles need access to Protected Health Information to do their work.
• Identify Business Associates that have access to Purdue’s Protected Health Information and notify Purdue’s Privacy Officer prior to providing information to these associates.
• Implement and maintain the specified requirements of the HIPAA Security Rule in their specific operation.

Privacy Officer

• Develop and implement policies, procedures and forms to ensure that the University complies with the HIPAA Privacy Regulations, breach notification regulations under the HITECH Act, and other modifications as required by law.
• Ensure that all affected employees, students or others are trained.
• Receive, investigate and attempt to resolve any privacy complaints received by Purdue University.
• Identify reportable breaches of Protected Health Information, report to Health and Human Services, as required, and coordinate the reporting of breaches to individuals.
• Provide the content for the Notice(s) of Privacy Practices and distribute them to the University’s Covered Components that provide health care services and to Purdue’s covered health plans and their members.
• Maintain agreements with Business Associates that have access to Purdue’s Protected Health Information.
• Work with Sponsored Program Services, Purchasing, Purdue’s Institutional Review Board and others to ensure that agreements, required by the HIPAA Privacy Rule, are in place and that HIPAA requirements included in agreements are appropriate.
• Consult with the University community on how the HIPAA Privacy Rule requirements impact departmental procedures and future projects. 
• Identify changes in HIPAA coverage status at Purdue University. Designate new areas as HIPAA Covered Components, implementing compliance procedures in those areas, and remove areas no longer required to comply from the official list of Covered Components.
• Assign other persons as needed to assist with any of these responsibilities in his or her absence or unavailability.

Security Officer

• Develop, implement and oversee Purdue University’s compliance with the policies and procedures required by the HIPAA Security Rule.
• Work with the HIPAA Privacy Officer to identify potential breaches of electronic Protected Health Information, facilitating the required reporting to individuals and Health and Human Services.
• Assign other persons as needed to assist with any of these responsibilities in his or her absence or unavailability.

DEFINITIONS

All defined terms are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

Business Associates
Persons or entities, other than in the capacity of a member of the Covered Entity’s workforce, that provide or assist the Covered Entity in the performance of certain of the Covered Entity’s business functions involving the use of its Protected Health Information.

Covered Components
Areas of the University that have been designated and are required to comply with the HIPAA Privacy and Security Regulations. The complete listing can be found on the HIPAA Compliance website.

Covered Entity
An entity that has been designated and is required to comply with the HIPAA Privacy and Security Regulations.

Health Information
Anything created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, their agents, Business Associates or the business associate’s subcontractors, that relates to the:

• past, present or future physical or mental health or condition of an individual;
• the provision of health care to the individual; or
• the past, present or future payment for the provision of health care to an individual.

HIPAA
The Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of health care services and the security and confidentiality of Individually Identifiable and Protected Health Information in written, electronic or oral formats.

Hybrid Entity
A Covered Entity whose business activities include both covered and non-covered functions and that designates certain health care, health plan and other Covered Components that must comply with the HIPAA Privacy and Security Regulations.

Individually Identifiable Health Information
A subset of Health Information that identifies or reasonably can be used to identify the individual.

Privacy Officer
As required by the HIPAA Privacy Rule, the individual responsible for the development and implementation of the policies and procedures required by the HIPAA Privacy Rule for Purdue University and who is the primary contact for receiving complaints, identifying and making required notifications for breaches of Protected Health Information and is able to provide further information about matters covered by the Notices of Privacy Practices. Associate Legal Counsel for Public Safety and Security serves in this role.

Protected Health Information
Individually Identifiable Health Information, in any form, received or created by a Covered Entity its agents or Business Associates or the Business Associates’ subcontractors as a consequence of providing health care services or health plan benefits (including demographic information). Protected Health Information may include information used for research purposes, if that information contains Protected Health Information.

Security Officer
As required by the HIPAA Security Rule, the individual responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule for Purdue University and for identifying and reporting breaches of electronic Protected Health Information to the Privacy Officer and facilitating the required reporting associated with these breaches. The Chief Information Security Officer (CISO) serves in this role.

RELATED DOCUMENTS, FORMS AND TOOLS

This standard is issued in support of the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4), as amended or superseded.

Procedures and Forms:

• HIPAA Breach Notification Procedures (PDF)
• HIPAA Complaint Report form (PDF)
• Notices of Privacy Practices
• Procedures for Reporting a Security Incident

Additional HIPAA privacy compliance information, training and procedures may be accessed at the HIPAA Compliance website.

U.S. Department of Health and Human Services Health Information Privacy

HISTORY AND UPDATES

January 11, 2023: Updated responsible offices, definitions for Privacy and Security Officers, and hyperlinks for related documents.

May 1, 2018: This standard supersedes the policy of the same name (number VIII.A.1), dated January 20, 2017. Responsibilities have been updated to reflect the removal of procedures from the document.

APPENDIX

There are no appendices to this standard.