Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules create a framework to protect the privacy and security of patient and health plan member health information. Purdue University supports the goals of HIPAA and documents its commitment to comply with these laws in its Compliance with HIPAA Privacy Regulations policy.

What is "Protected Health Information (PHI)"?

Protected Health Information means Individually Identifiable Health Information, which means information that is a subset of health information, including demographic information, collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer or health care clearing house, and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and
  3. That identifies the individual, or
  4. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

When is Health Information NOT Protected by HIPAA?

Information is not Protected Health Information if:

  1. The information is NOT received from a HIPAA-covered entity AND the person receiving the information is NOT a staff member of a HIPAA-covered entity,
  2. The information is part of the employment records that a covered entity maintains solely in its capacity as an employer (e.g. employee leave information, FMLA documents, return to work documentation, accommodation records),
  3. The information is part of the education records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA),
  4. The health information is about individuals who have been deceased for more than 50 years,
  5. The information is de-identified, as defined by HIPAA:
    1. The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
      • Names;
      • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
        • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
        • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
      • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
      • Telephone numbers;
      • Fax numbers;
      • Electronic mail addresses;
      • Social security numbers;
      • Medical record numbers;
      • Health plan beneficiary numbers;
      • Account numbers;
      • Certificate/license numbers;
      • Vehicle identifiers and serial numbers, including license plate numbers;
      • Device identifiers and serial numbers;
      • Web Universal Resource Locators (URLs);
      • Internet Protocol (IP) address numbers;
      • Biometric identifiers, including finger and voice prints;
      • Full face photographic images and any comparable images; and
      • Any other unique identifying number, characteristic, or code, except as permitted by the Privacy Rule; and
    2. The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
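As an added illustration, not part of Purdue's policy or any Purdue system, the following Python pass applies the Safe Harbor rules listed above to a constructed patient record: it drops the direct identifiers, truncates the zip code to three digits (or 000 for small areas), reduces dates to the year, and collapses ages over 89 into the "90 or older" category. The field names, the reference date and the zip-prefix population table are assumptions for the example.

```python
import re
from datetime import date

# Constructed lookup of residents per 3-digit zip prefix. Real use would take
# the current Census figures; these numbers are made up for the example.
ZIP3_POPULATION = {"479": 250000, "036": 15000}

# Column names are assumptions: the page lists identifier types, not fields.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account", "license", "plate", "device_serial",
    "url", "ip", "biometric", "photo",
}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

def truncate_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Keep the first three digits only if that area holds more than 20,000
    people; otherwise replace the prefix with '000'."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return prefix if zip3_population.get(prefix, 0) > 20000 else "000"

def age_on(birth, as_of):
    """Whole years between two dates."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def safe_harbor(record, as_of=date(2015, 6, 1)):
    """Return a de-identified copy of record under the Safe Harbor rules."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip"] = truncate_zip(out["zip"])
    over_89 = "birth_date" in out and age_on(out["birth_date"], as_of) > 89
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field].year  # year is the only date element kept
    if over_89:
        # A birth year that reveals an age over 89 must go too; the age is
        # reported only as the aggregate category "90 or older".
        del out["birth_date"]
        out["age"] = "90+"
    elif "birth_date" in out:
        out["age"] = age_on(record["birth_date"], as_of)
    return out

# Constructed sample records (not real patient data).
PATIENT = {"name": "Jane Doe", "email": "jane@example.com", "zip": "47907",
           "birth_date": date(1975, 3, 14), "admission_date": date(2015, 5, 2),
           "diagnosis": "otitis media"}
ELDERLY = {"name": "John Roe", "zip": "03650-1234",
           "birth_date": date(1920, 1, 1), "death_date": date(2014, 7, 7)}
```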

Relationship to FERPA

The definition of "protected health information" under the Privacy Regulations (but not the Transaction Standards or the Security Regulations) contains an exception for education records covered under FERPA ("Family Educational Rights and Privacy", 20 U.S.C. 1232g). The designation of the "covered components" of the University therefore excludes those departments where the only records maintained contain student health information, which is already protected by FERPA. However, if a department maintains both student and non-student protected health information, it must comply with both regulations. FERPA and HIPAA have different requirements, so complying with one regulation does not relieve a department of its obligations under the other.

Frequently Asked Questions

Who are the covered entities at Purdue and how were they determined?

Surveys were conducted University-wide to determine who on campus should be covered by the HIPAA regulations.

To be designated a covered entity, an area must be one of the following:

  • a health care provider who conducts certain transactions in electronic form
  • a health care clearinghouse
  • a health plan

There is a set of eight specific transactions that a health care provider must transmit electronically to qualify as a covered component. Purdue University's covered entities can be found below.

The business components are considered an extension of the covered components as they support the transmission of transactions that are generated from the covered entities.

This list will be continuously revised as changes occur in the environment.

A divorced mother brought her daughter in for a hearing test. The mother expressed that the father is not involved in the child's treatment. There is no record of the father being involved in the treatment at least at this health care site. The father has requested through e-mail the results of the daughter's hearing test. Should the health care facility provide the information?

Under Indiana law, a parent (custodial or non-custodial) is entitled to access his/her child's medical records unless there is a court order barring such disclosure. The father should sign an authorization form authorizing the release of the child's records to him and should be told of any fees for sending the information. The father should also provide a copy of the child's birth certificate or the decree of divorce to prove that he is the father. The information should be sent by postal mail, not e-mail.

A covered entity received a letter from an insurance underwriter requesting the medical records for a former Purdue student. The student is starting a job and the company is checking the student's medical history in order for them to provide coverage. The letter stated that the underwriter is not required to get a signed consent from the student, quoting the HIPAA statement, "A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payments, or health care operations."

This is incorrect. The underwriter needs to have the student sign an authorization to use and disclose.

If a patient asks a covered entity to leave the results of a test on their answering machine, is it okay to do this?

Make the patient aware that there is a risk that someone else in the household may hear the result. If they are still okay, then leave the message and document that the request was made.

If a patient calls to discuss treatment and another patient is nearby, is this a violation of privacy?

It is best to arrange to talk to the patient at an alternative time or ask the other patient to step out of the office while the discussion is occurring. If it is difficult to make other arrangements to contact the patient and you make a good effort not to divulge personally identifiable information, then it is okay to continue the conversation.

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2015 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Office of Legal Counsel
