*** See www.compliance.wisc.edu/hipaa for up-to-date content. ***

The UW-Madison HIPAA Compliance Program is updating policies, forms, FAQs, and guidelines to better serve your needs.  Additionally -- we are migrating content from these pages to www.compliance.wisc.edu/hipaa; once we complete the migration, this site will retire and visitors to these pages will be re-directed to that location.  Thank you in advance for your patience! 

HIPAA Privacy Rule: Definitions

Accounting

The Privacy Rule grants a patient the right to request and receive an accounting of some “disclosures” of protected health information (“PHI”), including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. The right to an accounting applies only to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted under a waiver of authorization. An accounting of disclosures is not required when a patient authorization is obtained.

Affiliated Covered Entity

UW-Madison is one of three entities that have agreed to form an affiliated covered entity (“ACE”). These three entities have agreed to provide consistent protection of patient/subject/participant rights.

The ACE includes:

    • University Hospitals and Clinics (UWHC)
    • University of Wisconsin Medical Foundation (UWMF)
    • A subset of the UW-Madison Health Care Component (HCC)
      • The subset of the HCC in the ACE comprises the School of Medicine and Public Health (clinical departments only), the School of Nursing, the School of Pharmacy (clinical units only), the Waisman Center (clinical units only), and the Athletic Department (athletic trainers and health information systems only).

Authorization

A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule (e.g., includes the required elements) and grants permission for the researcher to use and disclose the subject/participant’s protected health information to perform a research protocol.

Altered Authorization

An altered authorization is a form of waiver of authorization, in which an IRB permits a researcher to omit some of the required elements of an authorization.

Covered Entity

A covered entity, i.e., an entity to which the Privacy Rule applies, includes a health care provider (person or entity) that provides, bills for, or is paid for health care and transmits health information electronically.

Data Use Agreement

A data use agreement (“DUA”) is an agreement required by the Privacy Rule between a covered entity and a person or entity that receives a limited data set. The DUA must state that the recipient will use or disclose the information in the limited data set only for specific limited purposes.

De-identified Information

Information that does not allow an individual to be identified because specified identifiers have been removed. De-identification can be achieved in one of two ways:

    1. Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are:
      • Names;
      • Geographic subdivisions smaller than a State;
      • All elements of dates (except year) related to an individual, including dates of admission, discharge, birth and death; for individuals over 89 years old, the year of birth must also not be used;
      • Telephone numbers;
      • FAX numbers;
      • Electronic mail addresses;
      • Social security numbers;
      • Medical record numbers;
      • Health plan beneficiary numbers;
      • Account numbers;
      • Certificate/license numbers;
      • Vehicle identifiers and serial numbers including license plates;
      • Device identifiers and serial numbers;
      • Web URLs;
      • Internet protocol addresses;
      • Biometric identifiers (including finger and voice prints);
      • Full face photos and comparable images;
      • Any unique identifying number, characteristic or code.
    2. Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented.

Disclosure of Protected Health Information

A “disclosure” of PHI is the sharing of that PHI outside of a covered entity. The sharing of PHI outside of the health care component or affiliated covered entity is a disclosure. In general, a disclosure of PHI requires an accounting at the request of the individual who is the subject of the PHI, unless that individual gave permission for the disclosure by signing a valid authorization.

Health Care Component

The covered units of UW-Madison (which include all the employees of those units and certain researchers outside those units participating in research projects of the covered unit as described below) are called the health care component or HCC. Currently the HCC includes the following units:

    • School of Medicine and Public Health (clinical departments only)
    • School of Pharmacy (clinical units only)
    • School of Nursing
    • University Health Services
    • Wisconsin State Laboratory of Hygiene
    • Athletic Department (athletic trainers and health information systems only)
    • Waisman Center (clinical units only)

The following are UW-Madison’s Internal Business Associate Units:

    • Accounting Services
    • Office of Legal Affairs 
    • SMPH Risk Management
    • Internal Audit
    • HIPAA Privacy and Security Officer
    • HIPAA Privacy and Security Coordinators
    • Health sciences schools’ senior administrators and support staff
    • Office of Clinical Trials
    • Health Sciences Institutional Review Board (members and staff)
    • Minimal Risk Institutional Review Board (members and staff)
    • Other individuals or departments may become an internal business associate for limited projects.

Researchers who have appointments in units outside the HCC and who conduct research involving protected health information in collaboration with researchers within the HCC are considered within the HCC for the purposes of that collaborative research. For example, scientists in the basic science departments of the Medical School or in the Waisman Center who collaborate with scientists or clinical faculty in the Medical School’s clinical departments are considered within the HCC for the purpose of the collaborative research.

Health Care Operations

Any of the following activities of the covered entity, to the extent that the activities are related to those functions the performance of which makes the covered entity a health plan, health care provider, or health care clearinghouse:

    • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.
    • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
    • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
    • Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
    • Business management and general administrative activities of the entity, including, but not limited to:
      • Management activities relating to implementation of and compliance with the requirements of the Privacy Rule.
      • Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer.
      • Resolution of internal grievances.
      • Creating de-identified health information or a limited data set and fundraising for the benefit of the covered entity.

Health Care Provider

A person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Hybrid Entity

UW-Madison is a special type of covered entity, called a “hybrid entity,” which means that for the purposes of implementing the Privacy Rule, UW-Madison has both HIPAA-covered and non-HIPAA-covered units.

Limited Data Set

Protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

    • Name;
    • Postal address information, other than town or city, State, and zip code;
    • Telephone numbers;
    • Fax numbers;
    • Electronic mail addresses;
    • Social security numbers;
    • Medical record numbers;
    • Health plan beneficiary numbers;
    • Account numbers;
    • Certificate/license numbers;
    • Vehicle identifiers and serial numbers;
    • Device identifiers and serial numbers;
    • Web Universal Resource Locators (URLs);
    • Internet Protocol (IP) address numbers;
    • Biometric identifiers, including finger and voice prints; and
    • Full face photographic images and any comparable images.
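As an added example (not part of the original page), the two data-handling rules defined above, Safe Harbor de-identification under “De-identified Information” and the “Limited Data Set,” written as Python transformations over a constructed sample record. The field names, the residual-pattern check for free text, and the age computation are assumptions of this example, not text from the page.

```python
import re

# Constructed sample record, not real patient data; field names are assumptions.
RECORD = {
    "name": "Jane Q. Sample", "street": "1 Example St",
    "city": "Madison", "state": "WI", "zip": "53706",
    "birth_date": "1930-04-12", "admission_date": "2022-11-03",
    "phone": "608-555-0100", "mrn": "MRN-000123",
    "note": "Follow-up; contact at jane@example.com",
    "diagnosis": "Type 2 diabetes",
}
# Direct identifiers that the Limited Data Set definition strips (assumed field names).
DIRECT_IDS = {"name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id",
              "account", "license", "vehicle_id", "device_id", "url", "ip",
              "biometric", "photo"}
# Safe Harbor also removes geography below the State level; dates keep only the year.
SAFE_HARBOR_DROP = DIRECT_IDS | {"city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Patterns that may still identify someone in free text: e-mail, phone, SSN-shaped, IPv4, URL.
RESIDUAL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\b\d{3}-\d{3}-\d{4}\b"
                      r"|\b\d{3}-\d{2}-\d{4}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b|https?://\S+")

def limited_data_set(rec):
    """Limited data set: drop the direct identifiers, keep town/city, State,
    zip code and full dates (a DUA is still required for the recipient)."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDS}

def safe_harbor(rec, as_of_iso):
    """Safe Harbor de-identification as of the given ISO date: remove the listed
    identifiers, keep only the year of each date, and drop the year of birth
    entirely for individuals over 89."""
    y, m, d = (int(x) for x in as_of_iso.split("-"))
    by, bm, bd = (int(x) for x in rec["birth_date"].split("-"))
    age = y - by - ((m, d) < (bm, bd))  # subtract one if birthday not yet reached
    out = {}
    for k, v in rec.items():
        if k in SAFE_HARBOR_DROP or (k == "birth_date" and age > 89):
            continue
        if k in DATE_FIELDS:
            out[k[:-5] + "_year"] = int(v[:4])  # "admission_date" -> "admission_year"
        else:
            out[k] = v
    return out

def residual_identifiers(rec):
    """Second half of step 1: flag string values that still carry an identifying pattern."""
    return {k: RESIDUAL.findall(v) for k, v in rec.items()
            if isinstance(v, str) and RESIDUAL.search(v)}
```

Running `residual_identifiers` over the Safe Harbor output shows that removing the 18 listed fields is not sufficient on its own: the free-text note still carries an e-mail address and must be reviewed before the record is treated as de-identified.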

Preparatory to Research Activities

The Privacy Rule regulates some of the typical activities done before submitting a protocol to an IRB for review. These activities are designated as “preparatory to research” in the Privacy Rule and are defined as:

    1. The development of research questions;
    2. The determination of study feasibility (in terms of the available number and eligibility of potential study participants);
    3. The development of eligibility (inclusion and exclusion) criteria; and
    4. The determination of eligibility for study participation of individual potential subjects.

The recruitment of subjects or participants is not a preparatory to research activity. A recruitment plan is part of a research protocol and requires IRB approval before contact or other information about subjects/participants may be collected. Recruitment is a research activity.

Protected Health Information

The Privacy Rule protects “individually identifiable health information,” referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:

Is created or received by a “covered entity,” including a health care provider, and

    1. Relates to the past, present, or future physical or mental health, or condition of an individual; or
    2. Relates to payment for an individual’s health care; or
    3. Relates to the provision of health care in the past, present, or future; and
    4. Identifies an individual or could be used for identifying an individual.

Psychotherapy Notes

Psychotherapy Notes are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

Psychotherapy Notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Research

A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Use of Protected Health Information

A “use” of PHI is any sharing of that PHI within a covered entity. The sharing of PHI within the health care component (HCC) or within the affiliated covered entity (ACE) is a use. Uses of PHI, unlike disclosures, do not require an accounting at the request of the individual who is the subject of the PHI.

Waiver of Authorization

When obtaining subject/participant authorization is "impracticable," the IRB may approve a waiver of authorization for a researcher to use and disclose PHI. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.