Patient Rights

Rights Regarding Your Health Information


Purdue University endeavors to preserve the privacy, security, and confidentiality of the Protected Health Information and medical records maintained by its various schools and departments at all of Purdue’s campuses. It strives to fulfill this responsibility in accordance with state and federal statutes and regulations. Further, Purdue acknowledges its general obligations of trust and confidentiality reposed in its employees and students who are responsible for medical or mental health treatment at the University.

The Right to Request Limits on Uses and Disclosures of Your Health Information

You have the right to ask Purdue’s Health Care Providers or Purdue’s Health Plans to limit the use and disclosure of your health information. If you or another family member or person on your behalf have paid your health care provider in full for a particular health care service or item and specifically request that we not disclose information about this health care item or service to your health plan for payment or healthcare operations purposes, we will agree to this request. We generally cannot restrict disclosure of information needed for health care treatment purposes. For other restrictions, we will consider your request but we do not have to accept it. If we do, we will put any limits in writing and abide by them except in emergency situations where the information is needed. You may not limit the uses and disclosures that we are legally required to make.

The Right to Choose How We Send Health Information to You

You have the right to ask that we send your health information to you at an alternate address (for example, sending information to your work address rather than your home address) or by alternate means (for example, by fax instead of regular mail). We must agree to your request if we can easily provide it in the format you requested.

The Right to See and Get Copies of Your Health Information

In most cases, you have the right to look at or get copies of your health information that we have, but you must make the request in writing. If we maintain an electronic copy of your medical, mental health or billing records, and you request an electronic copy of your record, we will provide you with access to the electronic information in the electronic format requested by you, if it is readily producible, or, if not, in a readable electronic format as agreed to by Purdue’s Health Care Providers or Health Plans and you. We will provide you with some kind of readable electronic copy and images, will be included, if requested. If we do not have your health information but we know who does, we will tell you how to get it. We will respond to you within 30 days after receiving your written request. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reasons for the denial and explain your right to have the denial reviewed. If you request copies of your health information, we will charge you a reasonable fee as permitted by Indiana law. Instead of providing the health information you requested, we may provide you with a summary or explanation of the health information. We will only do this if you agree to receive information in that form and if you agree to pay the cost in advance.

The Right to Get a List of Certain Disclosures We Have Made

You have the right to request a list of instances in which we have disclosed your health information. The list will not include uses or disclosures made for treatment, payment, and health care operation, or information given to your family or friends with your permission or in your presence without objection. It will also not include disclosures made directly to you or when you have given us a written authorization for the release of health information. The list will also not include information released for national security purposes or given to correctional institutions. To obtain this list, you must make a request in writing to the Privacy Officer listed at the top of this notice. The list we will give you will include disclosures made in the last six years unless you request a shorter time. We will provide the list to you upon request once each year at no charge.

The Right to Amend or Update Your Health Information

If you believe that there is a mistake in your health information or that a piece of important information is missing, you have the right to request that we amend the existing information. You must provide the request and your reason for the request in writing to the Privacy Officer listed at the top of this notice. We may deny your request in writing if the health information is: 1) correct and complete; 2) not created by us; 3) not allowed to be disclosed, or 4) not part of our records. Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you do not file a statement of disagreement, you have the right to ask that your request and our denial be attached to all future disclosures of your health information. If we approve your request, we will make the change to your health information, tell you that we have done it, and tell others that need to know about the change to your health information.

The Right to Receive Breach Notification

If any of Purdue’s Health Care Providers or Purdue’s Health Plans or any of its Business Associates or the Business Associate’s subcontractors experiences a breach of your health information (as defined by HIPAA laws) that compromises the security or privacy of your health information, you will be notified of the breach and about any steps you should take to protect yourself from potential harm resulting from the breach.

Request for Restriction of the Use or Disclosure of Protected Health Information

It is the policy of Purdue University to permit an individual or their representative to request a restriction of the use and disclosure of their protected health information (PHI) to carry out treatment, payment or healthcare operations or for involvement in the individual’s care and notification purposes, and for the request to be promptly reviewed. 

If an individual requests a restriction of the disclosure of their PHI, Purdue covered components must comply with the requested restriction, if (1) the disclosure is to a health plan for purposes of carrying out payment or health care operations, is not for purposes of carrying out treatment and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual, has paid the covered component in full. The restriction includes prohibition of disclosures to the individual’s health plan and also business associates of the health plan and may include only the health care items or services for which the restriction was requested and where the items were paid in full.

Regarding other requested restrictions, Purdue University is not required to agree to the restriction. However, if the HIPAA Privacy Officer agrees to such restriction, Purdue may not use or disclose the PHI in violation of the restriction. If the individual who requested the restriction is in need of emergency treatment and the restricted information is needed to provide the emergency treatment, Purdue may use the restricted information or may disclose the information to a health care provider to provide such treatment and must request that the health care provider not further use or disclose the information.

Any restriction agreed to by Purdue is not effective to prevent the following uses or disclosures permitted or required in the HIPAA Privacy Rule: uses or disclosures to the Secretary of Health and Human Services; facility directory information; required by law, for public health activities, about victims of abuse, neglect or domestic violence, for health oversight activities, for judicial or administrative proceedings, for enforcement purposes, about decedents, for cadaveric organ, eye or tissue donation purposes, for research purposes, to avert a serious threat to health or safety, or for specialized government functions.

Please refer to the policy and procedure regarding the request for the restriction of the use or disclosure of PHI for more information.  The form for this type of request can be found here.

Complaint Process

Each covered entity must provide a process for individuals to report complaints about the covered entity's compliance with the HIPAA Privacy Regulations. Purdue adopted a process for individuals to complain about its policies and procedures, and any non-compliance with those policies or procedures, or the HIPAA Privacy Regulations. The process must include documentation of complaints received and their disposition, if any, and sanctions for any members of its workforce who fail to comply with the policies, procedures, or regulations.  Please refer to the Purdue University HIPAA Complaint Procedure and Purdue University HIPAA Complaint Report for more information.  


Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2015 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Office of Legal Counsel

Trouble with this page? Disability-related accessibility issue? Please contact Office of Legal Counsel at