Compliance with HIPAA Privacy and Security Regulations (VIII.A.1)
Volume VIII: Records
Chapter A: Records
Responsible Executive: Executive Vice President for Business and Finance, Treasurer
Responsible Offices: Purdue University Student Health Center and Office of the Vice President for Information Technology
Originally Issued: April 10, 2003
Most Recently Revised: November 18, 2011
Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Who Should Know This Policy
Website Address for This Policy
Related Documents, Forms and Tools
History and Updates
Statement of Policy
Purdue University is a Hybrid Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Purdue’s primary purpose is education; however, Purdue does have departments and Covered Components that provide covered health care services, and Purdue has self-insured health plans. Purdue also has offices or departments that provide business support to the health care provider and health plan Covered Components at Purdue and to covered entities outside of Purdue, and these business support offices or departments have or may have access to Protected Health Information.
As a Hybrid Entity under HIPAA, Purdue University’s Covered Components are required to comply fully with the requirements of 45 C.F.R., Parts 160, 162 and 164, which are the HIPAA Privacy and Security Regulations. Covered Components are further required to comply with federal notification regulations in the event of a breach of unsecured Protected Health Information as required under section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Purdue University regularly surveys its departments to identify and designate its Covered Components. The comprehensive list of Covered Components at Purdue University can be found on the HIPAA Compliance website.
Reason for This Policy
Purdue University endeavors to preserve the privacy, security, and confidentiality of the Protected Health Information and medical records maintained by its various schools and departments at all of Purdue’s campuses. It strives to fulfill this responsibility in accordance with state and federal statutes and regulations. Further, Purdue acknowledges its general obligations of trust and confidentiality reposed in its employees and students who are responsible for medical or mental health treatment at the University.
Individuals and Entities Affected by This Policy
The Covered Components and individuals who work in any of the Covered Components listed on the HIPAA Compliance website are affected by this policy.
Who Should Know This Policy
- Vice Presidents
- Department Heads/Chairs
- Employees of Covered Components
- All other employees and students who may have contact with Protected Health Information held by a Covered Component
- Privacy Officer and Staff
- Security Officer and Staff
- Research Administration
- Business Associates
This policy does not apply to units of Purdue University that are not listed as Covered Components on the HIPAA Compliance website.
Contacts
| Subject | Contact |
| Policy Clarification | Privacy Officer, firstname.lastname@example.org |
| All HIPAA Privacy Questions | Privacy Officer, email@example.com |
| All HIPAA Security Questions | Chief Information Security Officer, firstname.lastname@example.org |
Definitions
Business Associate(s)
Persons or entities that provide services to, or assist, the covered entity in the performance of an activity or function involving the use of Protected Health Information or other regulated activities.
Chief Information Security Officer (CISO)
The staff member who holds the position with this title on the West Lafayette campus.
Covered Component(s)
Areas of the University that have been designated and are required to comply with the HIPAA Privacy and Security Regulations. The complete listing can be found on the HIPAA Compliance website.
Health Information
Anything created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
HIPAA
The Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of health care services, and the security and confidentiality of Individually Identifiable and Protected Health Information in written, electronic or oral formats.
Hybrid Entity
A covered entity whose business activities include both covered and non-covered functions and that designates health care and other Covered Components that must comply with the HIPAA Privacy and Security Regulations.
Individually Identifiable Health Information
Information that identifies or reasonably can be used to identify the individual and relates to the:
- Past, present or future physical or mental health or condition of an individual;
- Provision of healthcare to the individual; or
- Past, present or future payment for the provision of health care.
Notice(s) of Privacy Practices
A document that specifies how a covered health care provider or covered health plan uses and discloses Protected Health Information and the rights of individuals related to this information.
Privacy Officer
As required by the HIPAA Privacy Rule, the individual responsible for the development and implementation of HIPAA policies and procedures for Purdue University, who is the primary contact for receiving complaints and is able to provide further information about matters covered by the Notices of Privacy Practices. The HIPAA privacy compliance director on the West Lafayette campus serves in this role.
Protected Health Information
Individually Identifiable Health Information, in any form, received or created as a consequence of providing health care services or health plan benefits (including demographic information). Information used for research purposes is also Protected Health Information if it meets this definition.
Purdue, University and Purdue University
Any campus, unit, program, association or entity of Purdue University, including but not limited to Indiana University-Purdue University Fort Wayne, Purdue University Calumet, Purdue University North Central, Purdue University West Lafayette, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide.
Security Officer
As required by the HIPAA Security Rule, the individual responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule for Purdue University. The CISO serves as the University’s Security Officer.
Responsibilities
Covered Components
- Develop and implement procedures to ensure the security and privacy of Protected Health Information and ensure compliance with this policy and the HIPAA Privacy and Security Regulations.
- Work with the Privacy Officer or his or her designee to review and implement appropriate procedures and train its personnel regarding said procedures. The department head or director of each Covered Component and the Privacy Officer must approve all procedures prior to implementation.
- Identify Business Associates that have access to Purdue’s Protected Health Information and notify Purdue’s Privacy Officer prior to providing information to these associates.
- Implement and maintain the specified requirements of the HIPAA Security Rule in their specific operation.
Privacy Officer
- Develop and implement policies and procedures to ensure the University complies with the HIPAA Privacy Regulations and the breach notification regulations under the HITECH Act.
- Train all affected employees, students or others.
- Receive, investigate and attempt to resolve any privacy complaints received by Purdue University.
- Provide the content for the Notice(s) of Privacy Practices and distribute them to the University’s Covered Components that provide health care services and to Purdue’s covered health plans and their members.
- Maintain an appropriate Privacy Complaint Form for University-wide use.
- In consultation with legal counsel as needed, develop and distribute other appropriate forms required by the HIPAA Privacy Regulations. These include, but are not limited to, individual authorizations; appropriate Business Associate agreements; employee, visitor and student confidentiality agreements; limited data set agreements; and research authorizations.
- Maintain agreements with Business Associates that have access to Purdue’s Protected Health Information.
- Assign other persons as needed to assist with any of these responsibilities in his or her absence or unavailability.
Security Officer
- Develop, implement and oversee Purdue University’s compliance with the policies and procedures required by the HIPAA Security Rule. Although ultimate responsibility for compliance lies with the CISO, representatives from each of the Covered Components are responsible for implementation and maintenance of the specified requirements of the HIPAA Security Rule in their specific operation.
- Assign other persons as needed to assist with any of these responsibilities in his or her absence or unavailability.
Procedures
Notices of Privacy Practices
The Privacy Officer will maintain Notices of Privacy Practices and distribute them to the University’s Covered Components that provide health care services and to Purdue’s covered health plans and their members.
Each health care provider or health plan Covered Component will distribute the applicable Notice of Privacy Practices to all of its affected patients and employees. Notices will also be posted on the Purdue University HIPAA website and at each primary entrance or area of each applicable health care provider Covered Component. Staff of each Covered Component will be familiar with the applicable notice(s) and will comply with the practices described in the notice(s).
Designation of Additional Covered Components
The Privacy Officer will monitor the activities of the various campuses and departments and will update or modify the list of designated Covered Components as needed, depending upon the services they provide to the University and how they transact business and transmit information.
An updated list of Covered Components will be reflected, where applicable, in the Notice(s) of Privacy Practices, posted on the Purdue HIPAA website and available upon request from the Privacy Officer.
Addressing and Resolving Privacy Complaints
The Privacy Officer will develop and distribute a HIPAA Privacy Complaint Report form. All Covered Components will use the form for purposes of receiving complaints regarding Purdue’s privacy practices and compliance with the HIPAA Privacy Regulations. The form will direct the user to submit the completed form to the Privacy Officer at the location provided on the form. The form will also provide information about how the user may file a complaint directly with the Department of Health and Human Services.
Upon receipt of a completed HIPAA Privacy Complaint Report form, the Privacy Officer will forward a copy of the form to the appropriate personnel in the affected Covered Component and request an investigation. The Privacy Officer or his or her designee will work with the affected Covered Component to fully investigate and respond to the complaint.
Addressing and Resolving Security Complaints
Complaints related to University compliance with the HIPAA Security Rule will be reported according to the procedures outlined on the Secure Purdue website for
Identifying and Addressing Breaches
The Privacy Officer will maintain a HIPAA Breach Notification Policy with associated procedures to ensure compliance with the breach notification regulations under the HITECH Act. Should the inappropriate use or disclosure of Protected Health Information be reported, the HIPAA Breach Notification Policy will be followed to identify whether a breach has occurred and determine what notifications may be required.
Related Documents, Forms and Tools
HIPAA Breach Notification Policy:
HIPAA Compliance website: www.purdue.edu/hipaa
HIPAA Complaint Report form:
Notices of Privacy Practices:
- Family Health Clinics of Carroll County and Monon: www.purdue.edu/hipaa/primary_menu/npps/NPP-mononcarrolclinics.pdf
- Nursing Center for Family Health: www.purdue.edu/hipaa/primary_menu/npps/NPP-ncfh.pdf
- Purdue Health Care Providers: www.purdue.edu/hipaa/primary_menu/npps/NPP-healthcareproviders.pdf
- Purdue University Health Plans: www.purdue.edu/hipaa/primary_menu/npps/NPP-healthplans.pdf
- Purdue's Lafayette Street Family Planning Clinic: www.purdue.edu/hipaa/primary_menu/npps/NPP-lafayettestfamplanningclinic.pdf
- Purdue Fort Wayne Dental Clinics: www.purdue.edu/hipaa/primary_menu/npps/NPP-ipfwdentalclinics.pdf
Procedures for Reporting a Security Incident: www.purdue.edu/securepurdue/bestPractices/securityIncident.cfm
History and Updates
November 18, 2011: Policy number changed to VIII.A.1 (formerly VI.2.1) and website address updated.
November 1, 2011: Policy converted to new template, HIPAA Security Rule Compliance added, and list of Covered Components removed from text of policy.
October 27, 2009: Links in Related Documents updated.
August 1, 2009: List of Covered Components updated.
October 6, 2008: List of Covered Components updated.
September 30, 2008: List of Covered Components updated.
May 14, 2008: List of Covered Components updated.
April 1, 2008: List of Covered Components updated.
February 1, 2008: List of Covered Components updated.
September 5, 2007: List of Covered Components updated.
September 4, 2007: List of Covered Components updated.
January 17, 2007: List of Covered Components updated.
November 1, 2006: List of Covered Components updated.
October 1, 2006: List of Covered Components updated.
September 1, 2006: List of Covered Components updated.
August 1, 2006: List of Covered Components updated.
June 22, 2006: List of Covered Components updated.
April 4, 2006: List of Covered Components updated.
January 1, 2006: List of Covered Components updated.
September 5, 2005: List of Covered Components updated.
September 13, 2004: List of Covered Components updated.
August 9, 2004: List of Covered Components updated.
July 19, 2004: List of Covered Components updated.
May 3, 2004: List of Covered Components updated.
March 15, 2004: List of Covered Components updated.