Covered Components

Purdue University is a "hybrid entity" under the HIPAA Privacy Regulations. Purdue's primary purpose is education. However, Purdue does have departments or components that provide covered functions. Purdue University therefore has surveyed and investigated those departments that provide healthcare services or health plans, as well as those departments that provide business assistance to the healthcare/health plan components. For purposes of the HIPAA regulations, the following departments, plans or programs shall be designated as "covered components" and shall comply fully with the HIPAA Privacy Rule and the procedures and practices outlined in this Implementation Guide, as well as, any policies adopted pursuant to this Implementation Guide:

Healthcare Provider Covered Components

  1. Purdue University Student Health Center
  2. Purdue University Counseling and Psychological Services
  3. Purdue Pharmacy
  4. Purdue's North Central Nursing Clinics
  5. Nursing Center for Family Health
  6. Purdue's SLHS Audiology and Speech-Language Clinics
  7. Purdue Sports Medicine WL

Health Plan Covered Components

  1. Purdue Self-Insured Medical Benefits Plan(s)
  2. Vision Plan
  3. Pharmacy Plan(s)
  4. Health Care Flexible Spending Account Plan
  5. Health Care Retirement Accounts
  6. Employee Wellness Programs

Business Support Covered Components

  1. Student and Receivables Business Services
  2. Central Files
  3. Internal Audit
  4. Information Technology at Purdue (only the following areas)
    • IT Security and Policy
    • IT Infrastructure Services
    • IT Enterprise Solutions
    • IT End User Experience
    • IT Research Computing
  5. Public Records Office
  6. School of Nursing Business Office
  7. Risk Management
  8. Pharmacy IT
  9. PFW Information Technology Services
  10. PNW Hammond Technological Infrastructure Services
  11. PNW Hammond Fitness Center
  12. PNW Hammond Procurement & General Services
  13. PNW Westville Information Services
  14. PNW Westville Purchasing
  15. PNW Westville Bursar
  16. Regenstrief Center for Healthcare Engineering
  17. RCHE-Health Outcomes and Policy Research Center
  18. SLHS Business and Main Offices
  19. SLHS Electronics and Technical Support
  20. Bursar
  21. Health and Human Sciences IT
  22. Healthcare Advisors
  23. Center for Medication Safety Advancement
  24. Technology Statewide Business Offices
  25. Digital Education
  26. Comptroller
  27. Treasury Operations
  28. Payment Processing
  29. Purdue Recycling
  30. Legal Counsel for Purdue University

Purdue Internal Business Associates

  1. HHS Minnesota DHS Evaluation Projects
  2. Center for Cancer Research
  3. PGY1 Community-Based Pharmacy

Effective as of February 2020

Please visit the Centers for Medicare and Medicaid Services for more information on covered components.

Documentation and Retention

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations require that:

A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of HIPAA. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance.


A covered entity must:

  • Maintain the policies and procedures in written or electronic form;
  • If a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation; and
  • If an action, activity, or designation is required to be documented, maintain a written or electronic record of such action, activity, or designation.


A covered entity must retain the required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.

HIPAA retention requirements apply to specific documentation retained by Purdue’s HIPAA Covered Components and may include:

  • HIPAA Policies and Procedures
  • HIPAA Privacy or Security complaints
  • Notice of Privacy Practices
  • Authorization to Use/Disclose/Release Form
  • Record of Disclosure and Inadvertent Disclosure
  • Confidentiality Agreements
  • Training Rosters
  • Confidential Destruction Certificates
  • Acknowledgement of the Receipt of the Notice of Privacy Practices
  • Written Requests for Medical Records
  • Request of Privacy Protection of Protected Health Information (PHI)
  • Request of Amendment of PHI from an Individual or Entity
  • Designation of Individuals Who are Involved in My Payment or Treatment Decision
  • Written Disciplinary Actions Related to HIPAA Violations
  • System Activity Review Documentation
  • HIPAA Privacy or Security Assessment Documentation
  • System Account or Access Request Forms
  • Building Key Request Forms
  • Certification of Compliance with HIPAA Privacy Rule Regarding Activities Preparatory to Research
  • Data Use Agreements
  • Application for Waiver of Authorization or Modification of Authorization under HIPAA Privacy Rule
  • IRB Approval of Request for waiver, Partial Waiver or Modification of Individual Authorization for Disclosure of Protected Health Information
  • Any other documentation, written or electronic, related to a HIPAA action, activity, or designation that is required to be documented.

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2015 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Office of Legal Counsel

Trouble with this page? Disability-related accessibility issue? Please contact Office of Legal Counsel at