Covered Components
Purdue University is a "hybrid entity" under the HIPAA Privacy Regulations. Purdue's primary purpose is education. However, Purdue does have departments or components that provide covered functions. Purdue University therefore has surveyed and investigated those departments that provide healthcare services or health plans, as well as those departments that provide business assistance to the healthcare/health plan components. For purposes of the HIPAA regulations, the following departments, plans or programs shall be designated as "covered components" and shall comply fully with the HIPAA Privacy Rule and the procedures and practices outlined in this Implementation Guide, as well as any policies adopted pursuant to this Implementation Guide:
Healthcare Provider Covered Components
- Purdue University Student Health Center
- Purdue University Counseling and Psychological Services
- Purdue Pharmacy
- Purdue's North Central Nursing Clinics
- Nursing Center for Family Health
- Purdue's SLHS Audiology and Speech-Language Clinics
- Purdue Sports Medicine WL
Health Plan Covered Components
- Purdue Self-Insured Medical Benefits Plan(s)
- Vision Plan
- Pharmacy Plan(s)
- Health Care Flexible Spending Account Plan
- Health Care Retirement Accounts
- Employee Wellness Programs
Business Support Covered Components
- Student and Receivables Business Services
- Central Files
- Internal Audit
- Information Technology at Purdue (only the following areas)
  - IT Security and Policy
  - IT Infrastructure Services
  - IT Enterprise Solutions
  - IT End User Experience
  - IT Research Computing
- Public Records Office
- School of Nursing Business Office
- Risk Management
- Pharmacy IT
- PFW Information Technology Services
- PNW Hammond Technological Infrastructure Services
- PNW Hammond Fitness Center
- PNW Hammond Procurement & General Services
- PNW Westville Information Services
- PNW Westville Purchasing
- PNW Westville Bursar
- Regenstrief Center for Healthcare Engineering
- RCHE-Health Outcomes and Policy Research Center
- SLHS Business and Main Offices
- SLHS Electronics and Technical Support
- Bursar
- Health and Human Sciences IT
- Healthcare Advisors
- Center for Medication Safety Advancement
- Technology Statewide Business Offices
- Digital Education
- Comptroller
- Treasury Operations
- Payment Processing
- Purdue Recycling
- Legal Counsel for Purdue University
Purdue Internal Business Associates
- HHS Minnesota DHS Evaluation Projects
- Center for Cancer Research
- PGY1 Community-Based Pharmacy
Effective as of February 2020
Please visit the Centers for Medicare and Medicaid Services for more information on covered components.
Documentation and Retention
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations require that:
A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of HIPAA. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance.
Documentation
A covered entity must:
- Maintain the policies and procedures in written or electronic form;
- If a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation; and
- If an action, activity, or designation is required to be documented, maintain a written or electronic record of such action, activity, or designation.
Retention
A covered entity must retain the required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
HIPAA retention requirements apply to specific documentation retained by Purdue’s HIPAA Covered Components and may include:
- HIPAA Policies and Procedures
- HIPAA Privacy or Security complaints
- Notice of Privacy Practices
- Authorization to Use/Disclose/Release Form
- Record of Disclosure and Inadvertent Disclosure
- Confidentiality Agreements
- Training Rosters
- Confidential Destruction Certificates
- Acknowledgement of the Receipt of the Notice of Privacy Practices
- Written Requests for Medical Records
- Request of Privacy Protection of Protected Health Information (PHI)
- Request of Amendment of PHI from an Individual or Entity
- Designation of Individuals Who are Involved in My Payment or Treatment Decision
- Written Disciplinary Actions Related to HIPAA Violations
- System Activity Review Documentation
- HIPAA Privacy or Security Assessment Documentation
- System Account or Access Request Forms
- Building Key Request Forms
- Certification of Compliance with HIPAA Privacy Rule Regarding Activities Preparatory to Research
- Data Use Agreements
- Application for Waiver of Authorization or Modification of Authorization under HIPAA Privacy Rule
- IRB Approval of Request for Waiver, Partial Waiver or Modification of Individual Authorization for Disclosure of Protected Health Information
- Any other documentation, written or electronic, related to a HIPAA action, activity, or designation that is required to be documented.