HIPAA FAQs

The United States Department of Health and Human Services provides a database of Frequently Asked Questions for HIPAA-related issues.

In addition, questions and answers for Purdue-related issues follow:

Who are the covered entities at Purdue and how were they determined?

Surveys were conducted University-wide to determine who on campus should be covered by the HIPAA regulations.

To be designated a covered entity, an area must be considered one of the following:

  • a health care provider who conducts certain transactions in electronic form
  • a health care clearinghouse
  • a health plan

There is a set of 8 very specific transactions that the health care provider must transmit electronically to qualify as a covered component.

These are Purdue's covered entities.

The business components are considered an extension of the covered components as they support the transmission of transactions that are generated from the covered entities.

This list will be continuously revised as changes occur in the environment.


A divorced mother brought her daughter in for a hearing test. The mother expressed that the father is not involved in the child's treatment. There is no record of the father being involved in the treatment at least at this health care site. The father has requested through e-mail the results of the daughter's hearing test. Should the health care facility provide the information?

Under Indiana law, a parent (including custodial and non-custodial) is entitled to access his/her child's medical records, unless there is a court order barring such disclosure. The father should sign an authorization form authorizing the release of the child's records to him, and should be told of any fees for sending the information. The father should also provide a copy of the child's birth certificate or decree of divorce to prove that he is the father. The information should be mailed using postal mail, not e-mailed.


A covered entity received a letter from an insurance underwriter requesting the medical records for a former Purdue student. The student is starting a job and the company is checking the student's medical history in order for them to provide coverage. The letter stated that the underwriter is not required to get a signed consent from the student, quoting the HIPAA statement, "A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payments, or health care operations."

This is incorrect. The underwriter needs to have the student sign an authorization to use and disclose.


If a patient asks a covered entity to leave the results of a test on their answering machine, is it okay to do this?

Make the patient aware that there is a risk that someone else in the household may hear the result. If they are still okay, then leave the message and document that the request was made.


If a patient calls to discuss treatment and another patient is nearby, is this a violation of privacy?

It is best to arrange to talk to the patient at an alternative time or ask the other patient to step out of the office while the discussion is occurring. If it is difficult to make other arrangements to contact the patient and you make a good effort not to divulge personally identifiable information, then it is okay to continue the conversation.