The UW-Madison HIPAA Compliance Program is updating policies, forms, FAQs, and guidelines to better serve your needs. Additionally, we are migrating content from these pages to www.compliance.wisc.edu/hipaa; once we complete the migration, this site will retire and visitors to these pages will be redirected to that location. Thank you in advance for your patience!
UW-Madison employees and agents wishing to create, obtain or maintain protected health information, while performing services for a covered entity as a business associate, must familiarize themselves with the information below; this includes business associate training and making certain certifications before UW-Madison will execute a business associate agreement for such services.
While business associates have always been contractually obligated to comply with provisions in HIPAA, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which is a part of the American Recovery and Reinvestment Act of 2009, business associates are now directly regulated by certain provisions of the HIPAA Privacy and Security Rules. Examples of new regulations applicable to business associates include:
- The implementation of administrative, physical and technical safeguards for electronic protected health information under the HIPAA Security Rule, and development of related policies, procedures and documentation standards;
- Notification to the covered entity of any breach of unsecured protected health information;
- New restrictions on marketing communications; and
- Compliance audits by the Department of Health and Human Services.
Policies and Procedures
I. Training Objectives
- Understand the purpose and scope of HIPAA and the importance of HIPAA compliance.
- Recognize and understand important defined terms.
- Understand how HIPAA impacts your role as a Business Associate, recognize common HIPAA issues that you may encounter as a Business Associate, and understand your responsibilities as a Business Associate with respect to HIPAA compliance.
- Know where to look and/or whom to contact if you need additional information or assistance related to HIPAA compliance.
II. The History of HIPAA
III. Important Defined Terms
- Business Associate (BA): a person or entity is a Business Associate:
  - When that person or entity:
    - Performs certain functions or activities on behalf of a Covered Entity; or
    - Provides services to a Covered Entity; and
  - When, in the course of performing that function or providing that service, the person or entity creates, receives, maintains or transmits Protected Health Information.
- Covered Entity (CE): any of the following:
  - A health plan; or
  - A health care clearinghouse; or
  - A health care provider.
- Protected Health Information (PHI): information for which all of the following hold:
  - The information is created or received by a CE; and
  - The information relates to the past, present or future:
    - Health or health condition of an individual; or
    - Health care provided to an individual; or
    - Payment by an individual for health care; and
  - The information identifies the individual or could reasonably be used to identify the individual.
- Identifiers that can make information individually identifiable include:
  - Any geographic subdivision smaller than a State
  - Any element of a date for a date directly related to the individual, including, for example: birth date, discharge date, date of death, any age over 89 or any part of any date indicating an age over 89
  - Telephone number
  - Fax number
  - Email address
  - Health plan beneficiary number
  - Account number
  - Certificate or license number
  - Vehicle identification number, vehicle serial number, or license plate number
  - Device identifiers and serial numbers
  - IP address
  - Biometric identifiers, including fingerprints and voiceprints
  - Full face photographic images and any comparable images
  - Any other unique identifying number, characteristic, or code
IV. Business Associate Agreements
- Deadlines for Security Incident and Breach Notification
  - BAs are required to notify CEs of security incidents and breaches of unsecured PHI without unreasonable delay, but in no event later than 60 days after the incident or breach is discovered. CEs often request shorter, more specific deadlines for providing this notice. When deciding whether to agree to a CE’s request for a shorter deadline, be sure that responding in that shortened timeframe is operationally feasible.
- Permitted Uses and Disclosures of PHI
  - BAs are permitted to use and disclose PHI for any reason which is required by law. A BA may not use or disclose PHI for any other reason unless that reason is permitted or required under the BAA. If you anticipate wanting to use the PHI for a specific purpose, be sure to include language in the BAA which permits you to use and disclose PHI for that purpose.
V. Security Rule Responsibilities & Common Issues
- Under the Security Rule, a BA must:
  - Ensure the confidentiality, integrity, and availability of electronic PHI; and
  - Protect against any reasonably anticipated threats or hazards to the security or integrity of such electronic PHI; and
  - Protect against any reasonably anticipated uses or disclosures of such electronic PHI that are not permitted or required under the Privacy Rule; and
  - Ensure that its workforce complies with the Security Rule.
- Related responsibilities and common issues include:
  - Providing security awareness training;
  - Developing a security management process, including performing a risk assessment;
  - Auditing and monitoring relevant information system (IS) activity;
  - Implementing and enforcing certain access- and security-related policies and procedures;
  - Limiting physical access to certain areas by use of badge access controls;
  - Conducting periodic risk assessments;
  - Implementing security measures sufficient to reduce risks and vulnerabilities; and
  - Implementing and complying with a disciplinary/sanctions policy.
VI. Privacy Rule Responsibilities & Common Issues
- Under the Privacy Rule, a BA:
  - May only use or disclose PHI to the extent that the use or disclosure is either required by law or permitted by the BAA or by any other underlying contract between the CE and BA.
    - Disclosures required by law include:
      - Disclosures to the Secretary of the Department of Health and Human Services during an investigation by the Secretary; and
      - Disclosures to a patient pursuant to the patient’s request for an electronic copy of PHI.
  - Must, even to the extent that a use or disclosure is permissible because it is required by law or permitted by the contract between the CE and BA, only use and/or disclose the minimum amount of PHI necessary to perform the services requested under the underlying contract between the CE and BA. This means that a BA must ensure that:
    - Only individuals performing services under the contract between the BA and CE have access to the PHI; and
    - The individual(s) performing services under the contract understand that they must limit their uses and disclosures to the minimum necessary to perform their assigned tasks.
  - Is required to make PHI available to patients as required under the Privacy Rule.
- Before UW-Madison will execute a business associate agreement, the employee or agent must certify that he or she:
  - Has reviewed the business associate agreement and understands his or her responsibilities; and
  - Has reviewed the above Business Associate Training.