HIPAA establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of protected health information (PHI) in violation of HIPAA.
- Rules Concerning the Use and Disclosure of Protected Health Information
HIPAA contains detailed requirements for the use or disclosure of PHI. Covered entities may only use and disclose PHI as permitted by HIPAA or more protective state rules. UW-Madison is what is called a "hybrid entity"; it has HIPAA-covered and non-covered parts or "components". Employees and agents working within a HIPAA-covered component must take UW-Madison's HIPAA training on an annual basis. Violations of UW-Madison's rules or policies outlining HIPAA's statutory requirements could result in discipline up to and including termination.
UW-Madison must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. For routine disclosures, this may be achieved by creating policies and procedures that limit the PHI to be disclosed. For other disclosures, an individualized review will be required. When treating providers are sharing PHI for treatment purposes, this minimum necessary requirement does not apply. To limit use and disclosure to the minimum necessary PHI, UW-Madison defines role-based access to PHI so that the right people handle PHI in the appropriate way.
HIPAA also addresses use of PHI for research purposes. HIPAA requires a patient authorization or an IRB waiver of the authorization for the use, disclosure or creation of identifiable health information for research.
An authorization is not required for research using only “deidentified” data. If a researcher uses health information from which direct identifiers have been removed, then no authorization is required, but the researcher must enter into a data use agreement with the covered entity that holds the records. For further information see the "For Researchers" tab.
Marketing and Fundraising
HIPAA addresses the need for covered entities to respect patient confidentiality when performing marketing or development activities. Consistent with current UW-Madison practice, these activities should be conducted in a responsible manner and should be in accordance with HIPAA policies. These policies apply to all individuals in any office, department or section which seeks to use PHI for marketing and fundraising purposes on behalf of UW-Madison.
- Business Associates
Contractors that handle protected health information while providing a function or activity for a covered component at UW-Madison must satisfy certain HIPAA requirements. All contracts must require that contractors, called business associates, use appropriate safeguards to prevent use or disclosure of the information other than as permitted by the contract. UW-Madison may be held responsible for the actions of its business associates if: (a) it knew of a pattern of activity of the business associate that violated the contract; and (b) it failed to take reasonable steps to correct the problem.
The privacy rule creates five individual rights:
- Right to a notice of a covered entity’s privacy practices.
- Right to request restrictions and confidential communications concerning protected health information.
- Right to obtain access to protected health information for inspection and copying.
- Right to obtain an accounting of certain disclosures.
- Right to request amendment of protected health information.
Covered entities like UW-Madison are required to comply with a number of administrative requirements, including the following:
- Designation of a privacy official responsible for development of policies and procedures for the use and disclosure of protected health information.
- Implementation of an internal complaint process to handle complaints relating to privacy rules and to explain privacy procedures.
- Workforce training.
- Implementation of administrative, technical and physical safeguards to protect the confidentiality and integrity of PHI.
- Development and enforcement of sanctions for failure to comply with policies and procedures.
- Development of procedures to mitigate adverse effects of a prohibited use or disclosure.
- Development and enforcement of a policy prohibiting retaliation against a person for exercising individual rights or filing a complaint.
UW-Madison is required to apply the security standards to all health information pertaining to an individual that is electronically maintained or transmitted. The Security Rule outlines the general security measures, including administrative, technical and physical safeguards. Under the Security Rule, UW-Madison must:
- Assign responsibility for security to a person or organization.
- Assess security risks and determine the major threats to the security and privacy of PHI.
- Establish a program to address physical security, personnel security, technical security controls, and security incident response and disaster recovery.
- Certify the effectiveness of security controls.
- Develop policies, procedures and guidelines for use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual’s status, change of status or termination.
- Implement access controls that may include encryption, context-based access, role-based access, or user-based access; audit control mechanisms, data authentication, and entity authentication.
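As an added illustration, not part of the UW-Madison program's own material, the following Python sketch ties together the minimum necessary rule and role-based access described above with the audit control mechanism listed under the Security Rule: a routine request is filtered to the fields pre-approved for the requester's role, a treating provider acting for treatment is exempt, a non-routine purpose is sent to individualized review, and every decision is logged. The roles, field names and sample record are hypothetical.

```python
# Constructed example: roles, field names and sample record are hypothetical, not UW-Madison policy.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Routine disclosures: each role is pre-limited to the fields its job needs.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "billing":   frozenset({"patient_id", "name", "insurance_id", "charges"}),
    "scheduler": frozenset({"patient_id", "name", "phone", "next_visit"}),
    "nurse":     frozenset({"patient_id", "name", "diagnosis", "medications"}),
}
# Treating providers sharing PHI for treatment are exempt from minimum necessary.
TREATING_PROVIDERS = frozenset({"physician", "nurse"})
ROUTINE_PURPOSES = frozenset({"treatment", "payment", "operations"})

SAMPLE_RECORD = {  # constructed test data, not real PHI
    "patient_id": "P-001", "name": "Sample Patient", "phone": "555-0100",
    "insurance_id": "INS-1", "charges": "120.00", "next_visit": "2030-01-01",
    "diagnosis": "example-dx", "medications": "example-rx",
}

@dataclass
class AuditEvent:
    user: str
    role: str
    purpose: str
    patient_id: str
    released: FrozenSet[str]
    withheld: FrozenSet[str]

@dataclass
class PhiGateway:
    audit_log: List[AuditEvent] = field(default_factory=list)

    def disclose(self, user: str, role: str, purpose: str,
                 record: Dict[str, str], requested: Set[str]) -> Dict[str, str]:
        """Return only the fields the requester may see, and log the decision."""
        if purpose not in ROUTINE_PURPOSES:
            # Non-routine requests get an individualized review, not a policy lookup.
            raise PermissionError(f"purpose {purpose!r} requires individual review")
        if purpose == "treatment" and role in TREATING_PROVIDERS:
            allowed = frozenset(record)  # exemption: whole record may be shared
        else:
            allowed = ROLE_FIELDS.get(role, frozenset())  # unknown role sees nothing
        released = {k: v for k, v in record.items() if k in requested and k in allowed}
        withheld = frozenset(requested) - frozenset(released)
        # Audit control: every decision is recorded for the accounting of disclosures.
        self.audit_log.append(AuditEvent(user, role, purpose, record.get("patient_id", "?"),
                                         frozenset(released), withheld))
        return released
```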