*** Content Under Review ***  

*** See www.compliance.wisc.edu/hipaa for up-to-date content. ***

The UW-Madison HIPAA Compliance Program is updating policies, forms, FAQs, and guidelines to better serve your needs.  Additionally -- we are migrating content from these pages to www.compliance.wisc.edu/hipaa; once we complete the migration, this site will retire and visitors to these pages will be re-directed to that location.  Thank you in advance for your patience! 

Please forward your website improvement suggestions to hipaa@wisc.edu.   


 

For additional FAQs about HIPAA in research, see the FAQs section within the "For Researchers" tab.  Recently added FAQs related to data security are marked "NEW!" in the list below.

What is HIPAA?

What is HITECH?

What is a "covered entity"?

What is a "hybrid entity"?

What is an "affiliated covered entity"?

How do I know if I am subject to HIPAA?

What is PHI?

What is individually identifiable health information?

There has been a breach of patient privacy. What do I do?

How does HIPAA protect patient privacy?

When is it permissible to share PHI without patient authorization?

What else do I need to know about sharing of PHI?

What is the "minimum necessary" standard?

What is the difference between a "use" and a "disclosure"?

What are the limitations on how I can use PHI internally or disclose PHI externally?

What does it mean to "account for disclosures" and what must be accounted for?

What does it mean to be a business associate?

What does it mean for health information to be "de-identified"?

Do the restrictions on use and disclosure of PHI apply to de-identified data?

What is a limited data set?

What are the requirements for using a limited data set?

How do I know what HIPAA training should be provided to the people in my department?

I was contacted by an attorney who represents my patient. Can I talk to him/her?

A police officer contacted me asking for information about my patient. How much can I tell him/her?

My patient's insurance company is requesting information in relation to a Work Comp claim. What information may I provide?

Can I use Box to store data or other information containing PHI? 

What steps can I take to protect PHI from accidental disclosure? 

What are the possible consequences to UW-Madison for violations of HIPAA?  NEW!

What are the possible consequences to me as an employee for my violations of HIPAA?  NEW!

What are common ways that unintended HIPAA breaches occur? NEW!

What is “Phishing”? NEW!

May I use email to send PHI?  NEW!

Where can I obtain assistance in de-identifying PHI, including images?  NEW!

What constitutes a strong password?  NEW!

Am I ever allowed to share my password?  NEW!

How should I dispose of PHI or equipment on which PHI is contained?  NEW!

May I take PHI with me when I leave UW-Madison?  NEW!

Where can I get technical support for complying with the HIPAA security rule at UW-Madison?  NEW!

I need to store some PHI on a portable device, how should I encrypt it?  NEW!

What is the difference between the HIPAA Security Officer and a HIPAA Security Coordinator?  NEW!

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the health care and insurance industries. As the name suggests, the legislation has several goals.

One of the objectives of the regulations (referred to as Administrative Simplification) is to improve the efficiency of the health care system through the increased use of electronic information systems. The law allows the Department of Health and Human Services (DHHS) to develop regulations that set universal standards for electronic transactions between health care providers and insurance companies.

Another key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards. DHHS requirements are incorporated into both the UW-Madison's and UW Health's (UW School of Medicine and Public Health, UW Medical Foundation and UW Hospital and Clinics) policies concerning the privacy, confidentiality, and security of protected health information.

Top

What is HITECH?

The Health Information Technology for Economic and Clinical Health ("HITECH") Act, enacted as part of the American Recovery and Reinvestment Act of 2009, promotes the adoption and meaningful use of health information technology.  Its breach notification requirements took effect under an Interim Final Rule on August 24, 2009, and the HITECH changes to the HIPAA rules were finalized in the Omnibus Final Rule issued on January 25, 2013.  The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Top

What is a "covered entity"?

“Covered entity” is the term that the HIPAA regulations use to describe the businesses in the health care industry that are subject to HIPAA regulations. Specifically, covered entities are health plans, health care clearinghouses and health care providers (both institutions and individual providers) who transmit any health information in electronic form to carry out financial or administrative activities related to health care, for example, submitting health care claims or encounter information, making health care payments, or coordinating benefits.

Top

What is a "hybrid entity"?

A "hybrid entity" means an institution with both HIPAA-covered and non-covered functions or "components".  UW-Madison is a hybrid entity.  The HIPAA-covered functions of the institution are often referred to as the "health care component."  For example, the clinical departments within the School of Medicine and Public Health (e.g. Department of Medicine, Department of Surgery, etc.) are part of the UW-Madison Health Care Component (UW HCC) while the School of Education and the School of Human Ecology are not.

Top 

What is an "affiliated covered entity"?

When two or more separate legal entities with common ownership or control designate themselves as a single entity for purposes of HIPAA, this is called an "affiliated covered entity" or an "ACE".  UW-Madison's Health Care Component (except the Wisconsin State Laboratory of Hygiene and University Health Services), the University of Wisconsin Medical Foundation and the University of Wisconsin Hospital and Clinics Authority are an affiliated covered entity (UW ACE). This means that sharing of PHI among the parties is a "use" and not a "disclosure".

Top

How do I know if I am subject to HIPAA?

Entities covered by HIPAA are health care providers, health plans (including employer-sponsored plans), and health care clearinghouses (e.g., billing agents).   Only parts of UW-Madison are covered by HIPAA. This is called being a "hybrid entity."  If you are an employee within one of the covered parts, e.g., those health care provider units within UW-Madison’s Health Care Component (UW HCC), then you are covered by HIPAA.  You may be covered as part of the UW HCC if you are outside of one of the health care provider units but, as part of your job duties at UW-Madison, you perform business support services on behalf of one or more of the health care provider units.  You may also be covered by HIPAA if you are a researcher not within the UW HCC but you are collaborating on a study where the principal investigator is within the UW HCC.  Finally, you may be covered as a business associate if you are performing certain services on behalf of another covered entity.

Top

What is PHI?

Protected health information or "PHI" is the term that HIPAA uses to describe the specific patient information that HIPAA is intended to protect.  PHI is "individually identifiable health information" that is maintained or transmitted, in any form or medium, by a covered entity such as a health care provider.  PHI does not include individually identifiable health information in employment records held by a covered entity in its role as employer, or in education records covered by the Family Educational Rights and Privacy Act (“FERPA”).  

Top

What is individually identifiable health information?

Individually identifiable health information is information that is a subset of health information, including demographic information, collected from an individual and: (1) is created or received by a health care provider; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) either identifies the individual or can reasonably be used to identify the individual.

Top

There has been a breach of patient privacy. What do I do?

If the breach in any way involves information technology (e.g. a lost or stolen portable device, a compromised server, etc.) you must immediately contact the DoIT Help Desk at 608-264-HELP (4357).  For any breach of PHI, you must also contact the UW-Madison HIPAA Privacy Officer, whose contact information is in the CONTACT section at the end of this page.   If you are within the UW-Madison Health Care Component, you should also contact your unit’s Privacy Coordinator.

Privacy breaches need to be reported to the Privacy Officer as soon as they are discovered, even if the person who discovered the breach was not involved.   Any delay in reporting to the Privacy Officer may delay required reporting to patients and to the federal government.   Delayed reporting exposes you and UW-Madison to financial liability in the way of administrative fines and penalties.

Top

How does HIPAA protect patient privacy?

In short, unless an exception is met under the HIPAA regulations, a health care provider may not use or disclose PHI without the authorization of the patient or the patient's legally authorized representative.  No authorization is required for health care providers to use or disclose PHI for treatment, payment or health care operations (e.g. quality review, reviewing qualifications of health care providers, training students, conducting legal review, and managing and operating the health care entity). Except for treatment, health care providers must use the minimum necessary PHI.

Top

When is it permissible to share PHI without patient authorization?

While it is prudent to be cautious about sharing and releasing PHI, it is also important to remember that HIPAA allows for the exchange of PHI for purposes of treatment, payment, and health care operations. The HIPAA Privacy Rule is intended to protect patients' health information, but not to impede or interfere with patient care or safety.

Treatment is the "provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party." This includes:

  • Consulting with the patient’s other healthcare providers;
  • Providing PHI when referring or transferring a patient to a laboratory, nursing home, or outside provider or hospital;
  • Sharing patient information with other workforce members involved in the patient's care with a need to know (e.g. employees within the UW-Madison Health Care Component, University of Wisconsin Hospital and Clinics, and University of Wisconsin Medical Foundation);
  • Discussing the patient’s condition or treatment regimen in the patient’s room with other health care providers or trainees (e.g. other faculty physicians, nurses, residents, medical students);

Payment encompasses all activities to obtain payment or be reimbursed for services provided or the provision of health care. This includes:

  • Determining eligibility, reviewing services, and adjudicating claims;
  • All billing and collection activities, including those of another provider or covered entity for its treatment of the patient;
  • Utilization review

Health Care Operations are "certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment." This includes:

  • Case management, care coordination
  • Quality assessments
  • Accreditation, certification, licensing, and credentialing
  • Legal, audit, privacy, compliance
  • Business planning and development
  • Administrative activities, including customer service, employee relations activities, transfer of assets, fundraising
  • Education and training programs
  • Abuse and neglect investigations

Top

What else do I need to know about sharing of PHI?

If the sharing is not for the purposes of treatment, payment or health care operations, then you may not share PHI unless you have authorization from the patient or there is another legal basis which permits the sharing.  If you are unsure whether another legal basis applies, do not share the PHI without contacting the UW-Madison Privacy Officer (contact information in the CONTACT section at the end of this page) or the UW-Madison Office of Legal Affairs (608-263-7400).  

Even if use or disclosure of PHI is permitted under the Privacy Rule, care must be taken to:

  • Eliminate all of the personal identifiers which are not essential to the purpose for which the PHI is being used or disclosed.
  • Use or disclose only the minimum necessary amount of PHI necessary to satisfy the purpose of the use or disclosure.

Top

What is the "minimum necessary" standard?

When using or disclosing PHI, or requesting PHI from another covered entity, a health care provider must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.  The minimum necessary rule does not apply to uses and disclosures for treatment, to the patient, subject to an authorization, as required by law, or to comply with the provisions of HIPAA.

Top

What is the difference between a "use" and a "disclosure"?

"Use" means, with respect to individually identifiable health information, the sharing, utilization, examination, or analysis of such information within the covered entity that maintains such information.  "Disclosure" means the release, transfer, access to, or divulging in any manner of information outside of the covered entity holding the information.  In some cases, a covered entity must keep a log which accounts for disclosures of an individual's PHI and must provide that log to the individual upon request.  Uses of PHI within the covered entity do not require such accounting.

Top

What are the limitations on how I can use PHI internally or disclose PHI externally?

When PHI is shared within the UW Affiliated Covered Entity (ACE), it is being "used."  When PHI is shared outside of the ACE (e.g. with someone outside of the UW-Madison Health Care Component, the UW Hospital and Clinics or the UW Medical Foundation) it is being "disclosed."

The Privacy Rule allows the use or disclosure of PHI:

  • For treatment (including treatment in the course of research)
  • For payment
  • For health care operations (including education programs)
  • With authorization by the individual
  • When compelled by law

In addition, all research is subject to special requirements under the Privacy Rule which govern the handling of PHI.   Please see the For Researchers tab for more information.

Top

What does it mean to "account for disclosures" and what must be accounted for?

Individuals have certain rights with respect to their PHI, including the right to receive an accounting of all disclosures made to people or groups outside of the covered entity for purposes other than for treatment, payment, health care operations or with authorization by the individual.   This means that individuals within the UW HCC must maintain records of disclosures they make outside the UW HCC (or outside of the UW ACE) for all other purposes (including for disclosures required by law) and make these records available to individuals when requested.

Top

What does it mean to be a business associate?

A business associate is an individual, not a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI for a function or activity on behalf of the covered entity.  Such activities may include claims processing or administration, data analysis, utilization review, quality assurance, and review of patient safety.  A business associate may only use or disclose PHI as permitted by the contract between the business associate and the covered entity (commonly called a "Business Associate Agreement") or as required by law.  Under the HITECH Act, a business associate is now directly subject to the provisions of HIPAA, including its civil and criminal penalties, just as if the business associate were a covered entity.

Top

What does it mean for health information to be "de-identified"?

"De-identified" means that the health information or data set does not identify an individual and that there is no reasonable basis to believe that the information in the data set can be used to identify an individual.  Under HIPAA's "Safe Harbor" method, health information is considered "de-identified" once 18 categories of identifiers have been removed from the data set (HIPAA also permits a documented determination by a qualified expert that the risk of re-identification is very small).  The 18 categories include direct identifiers, such as name and address, but also indirect identifiers, such as dates directly related to the individual (e.g. date of birth, admission date, discharge date) and geographic subdivisions smaller than a state, including zip code.  See UW-Madison's policy on de-identification for details.

Top 

Do the restrictions on use and disclosure of PHI apply to de-identified data?

No.  If health information or a data set is "de-identified" as that term is defined in HIPAA, then it can be used or disclosed without patient authorization and without meeting an exception to the requirement for authorization under HIPAA.

Top

What is a limited data set?

In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code.  A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

Top
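The two FAQs above describe the limited data set and Safe Harbor de-identification in words.  The following Python is an added example, not code from the UW-Madison HIPAA Compliance Program, that applies both transformations to one constructed record so the difference is concrete: the limited data set drops the 16 direct identifiers listed above (including where they appear inside free text) but keeps dates and city/state/zip; Safe Harbor additionally reduces dates to the year, aggregates ages over 89, and reduces geography to the state plus a three-digit zip prefix.  The field names, the sample record and the small-population zip list are assumptions for illustration.

```python
import re
from datetime import date

# Assumed field names for illustration; map a real schema onto them.
# Direct identifiers a limited data set must exclude (the 16 items listed above).
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Safe Harbor keeps the first three zip digits only where that area has more than
# 20,000 people; otherwise they become 000.  Constructed sample, not the Census list.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Identifiers that commonly leak into free text: SSN, US phone number, email address.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
]

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "street_address": "123 Oak St.",
    "city": "Madison", "state": "WI", "zip": "53705",
    "birth_date": date(1922, 6, 15),
    "admission_date": date(2014, 3, 2),
    "discharge_date": date(2014, 3, 9),
    "phone": "608-555-0100",
    "email": "jane@example.org",
    "diagnosis": "I10",
    "notes": "Patient Jane (SSN 123-45-6789) called from 608-555-0100.",
}


def scrub_free_text(text, record):
    """Remove the record's own identifier values and common identifier patterns.
    Pattern matching is a floor, not a guarantee: free text still needs review
    (or a dedicated tool) before it is treated as de-identified."""
    for field in LDS_DIRECT_IDENTIFIERS:
        for token in str(record.get(field) or "").split():
            token = token.strip(".,()")
            if len(token) >= 3:  # skip initials; short tokens would mangle prose
                text = re.sub(r"(?<![\w-])" + re.escape(token) + r"(?![\w-])",
                              "[REDACTED]", text, flags=re.IGNORECASE)
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def limited_data_set(record):
    """Limited data set: drop the direct identifiers but keep dates and city/state/zip.
    It is still PHI and may leave the covered entity only under a data use agreement."""
    out = {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"], record)
    return out


def _age_on(birth, as_of):
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def zip3_for(zip5):
    """Three-digit zip prefix, or 000 for sparsely populated prefixes."""
    zip3 = str(zip5)[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def safe_harbor(record, as_of):
    """Safe Harbor de-identification: all 18 identifier categories removed.  Beyond the
    limited data set this reduces dates to the year, collapses ages over 89 to '90+',
    drops the city and reduces the zip code to a 3-digit prefix."""
    out = limited_data_set(record)
    birth = out.pop("birth_date", None)
    if birth is not None:
        age = _age_on(birth, as_of)
        out["age"] = "90+" if age > 89 else age   # ages over 89 must be aggregated
        if age <= 89:
            out["birth_year"] = birth.year        # a year alone is permitted
    for field in DATE_FIELDS:
        if out.get(field) is not None:
            out[field] = out[field].year
    out.pop("city", None)
    zip5 = out.pop("zip", None)
    if zip5:
        out["zip3"] = zip3_for(zip5)
    return out


def demo(as_of=date(2014, 3, 2)):
    """Apply both transformations to the constructed sample."""
    return limited_data_set(SAMPLE_RECORD), safe_harbor(SAMPLE_RECORD, as_of)


if __name__ == "__main__":
    lds, deid = demo()
    print("limited data set:", lds)
    print("safe harbor:     ", deid)
```

Note that the free-text scrub catches only the identifiers it knows about (the record's own values and a few fixed patterns); a clinical note can still name a relative or an employer, which is why the de-identification FAQ below points you to the Privacy or Security Officer rather than to a script.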

What are the requirements for using a limited data set?

A covered entity may use or disclose a limited data set from its records containing PHI for research, public health, or health care operations, without patient authorization or (in the case of research) a waiver of authorization.  To do so, the covered entity must execute a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.

Top

How do I know what HIPAA training should be provided to the people in my department?

Refer to the Training tab.   All employees within the Schools of Medicine and Public Health, Nursing and Pharmacy and within the UW-Madison Health Care Component (UW HCC) must take training on an annual basis.   The type of training required depends upon the employee’s level of access to PHI.   A series of questions directs the employee to the right training module.

Top

I was contacted by an attorney who represents my patient. Can I talk to him/her?

You may not speak with an attorney, even one that represents the patient, without a signed authorization from the patient.   Contact the UW-Madison Office of Legal Affairs, 608-263-7400, for a template authorization form.   If you receive a subpoena from an attorney regarding a patient, please call the UW-Madison Office of Legal Affairs.

Top

A police officer contacted me asking for information about my patient. How much can I tell him/her?

If the police officer is in the course of investigating child abuse and identifies the child by name, the officer is entitled to records or other information from a health care facility upon request.   Health care providers may confirm with police who ask for a patient by name the presence of a patient in the health care facility, except when the patient is there for substance abuse treatment.  In most other cases, police must have patient authorization or a court order to access records or other information about patients. Contact the UW-Madison Office of Legal Affairs, 608-263-7400, for more information.

Top

My patient's insurance company is requesting information in relation to a Work Comp claim. What information may I provide?

Both HIPAA and Wisconsin law authorize the disclosure, in response to a written request, of any information (oral or written) that is reasonably related to the injury the employee claims resulted from a work accident.   Such disclosure may be made to the employee, the employer, the worker’s compensation insurer, or the Wisconsin Department of Workforce Development or its representative.

Top

Can I use Box to store data or other information containing PHI?

At present, only the School of Medicine and Public Health has been approved by the Chief Information Security Officer to use Box to store data or other information containing PHI. Certain mandatory access configurations and processes are required. The SMPH Security Coordinator is responsible for overseeing the implementation of the required controls. If you are within SMPH and would like to use Box to store PHI, you must contact the SMPH Security Coordinator for assistance. No other School or College is presently approved for use of Box for the storage of data or other information containing PHI.  

Top

What steps can I take to protect PHI from accidental disclosure?

Take care to protect PHI from accidental disclosure:

  • Use a fax cover sheet when faxing PHI, double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when delivered.
  • Keep all files containing PHI locked in file cabinets.
  • If you print copies of documents with PHI, remove them immediately from any shared printer.
  • Password protect all portable devices that contain PHI, and password protect all documents on such portable devices (a password alone does not protect the data on a lost device unless the device or the document is also encrypted; see the encryption FAQ below). DO NOT share passwords.
  • Eliminate all names and other identifiers when doing presentations which include health information.
  • Don’t share subject names and other identifiers in conversations with colleagues outside of your department or lab.
  • Place computer screens so they are not readily visible by people passing by.
  • Remember to “erase” the hard drives on all machines that scan and copy documents (e.g. fax machines, copiers, and scanners) before returning them to a vendor or sending them to SWAP.

Top

What are the possible consequences to UW-Madison for violations of HIPAA?

UW-Madison, as a HIPAA covered entity, can be subject to significant civil monetary penalties (for example, a prominent east-coast university was recently fined $1.5 million for HIPAA violations), mandated corrective action plans, and monitoring by the federal government as a result of noncompliance with HIPAA.   Breaches of PHI must be reported to the affected individuals and to the federal government, and breaches affecting more than 500 individuals must also be reported to prominent media outlets.

Top

What are the possible consequences to me as an employee for my violations of HIPAA?

Disciplinary action up to and including termination, depending on the nature of the violation, may be imposed for the violation of HIPAA and/or the policies and procedures of UW-Madison regarding HIPAA. Additionally, employees of covered entities may also be criminally liable for knowingly obtaining or disclosing PHI in violation of HIPAA.  Fines can range up to $250,000 and imprisonment can be up to ten years for the most serious offenses (those which involve intent to personally gain from the violation or to maliciously harm the individual who is the subject of the PHI). 

Top

What are common ways that unintended HIPAA breaches occur?

The loss or theft of portable electronic devices (laptops, portable hard drives, smart phones) with unencrypted PHI is the most common source of large-scale breaches.   The most frequent breach of PHI results from giving a patient the wrong documentation (such as an after visit summary).   Other causes include computers infected with malware and stolen or phished passwords.

Top

What is “Phishing”?

Phishing is the attempt to acquire login information such as usernames and passwords by masquerading as a trustworthy entity in an electronic communication, usually email.   Phishing relies upon social engineering to complete its goal. Phishing attempts regularly occur at UW-Madison and can result in a breach of PHI.   If you receive an email that you suspect is a phishing attempt, do not open it.  If you have already opened it, do not click on any links, open attachments, or reply with your password.  Check the sender's actual email address rather than the display name, and hover over links to see where they really lead before clicking.  Additional information on phishing can be found on the website for the UW-Madison Chief Information Officer. 
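As an added example (not code from the UW-Madison pages), the following Python performs, over a constructed phishing message, the same checks a reader can do by eye: who really sent it, where replies go, and where the links really lead.  The trusted domains and the organization names used for the display-name check are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for illustration: the domains this page treats as internal, and the
# names a phisher would put in a display name to look like them.
TRUSTED_DOMAINS = ("wisc.edu", "uwhealth.org")
IMPERSONATION_TERMS = ("uw-madison", "uw health", "doit", "help desk", "wisc.edu")

# Constructed sample message, not a real phish: lookalike sender domain, a Reply-To
# elsewhere, and a link whose visible text is not where it goes.
SAMPLE_PHISH = """From: "UW-Madison IT Help Desk" <helpdesk@wisc-edu-support.com>
Reply-To: verify@mail-recovery.example
To: staff@wisc.edu
Subject: Action required: your NetID password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox will be locked unless you confirm your NetID and password.</p>
<p><a href="http://198.51.100.7/login">https://my.wisc.edu/password</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None


def _domain(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()


def _trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return (code, detail) findings; an empty list means none of these checks fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = _domain(msg["From"])
    if not _trusted(from_domain):
        # Display name claims a trusted organization, address does not belong to it.
        if any(term in display_name.lower() for term in IMPERSONATION_TERMS):
            findings.append(("display_name_mismatch", f"'{display_name}' sent from {from_domain}"))
        # Sender domain borrows a trusted name (wisc-edu-support.com, uwhealth-login.net).
        if any(t.split(".")[0] in from_domain for t in TRUSTED_DOMAINS):
            findings.append(("lookalike_domain", from_domain))
    reply_domain = _domain(msg["Reply-To"])
    if msg["Reply-To"] and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            target = _host(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
                findings.append(("ip_address_link", href))
            # Visible text looks like a URL but the href leads to a different host.
            if ("." in text or "://" in text) and " " not in text and _host(text) != target:
                findings.append(("link_text_mismatch", f"shows {text}, goes to {href}"))
    return findings


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_PHISH):
        print(f"{code}: {detail}")
```

These are indicators, not proof: a message with none of them can still be a phish, and a legitimate newsletter may trip the Reply-To check.  The point is that every one of these signals is visible in the headers and the link targets, which is exactly what the advice to check the real sender address and hover over links asks you to look at.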

Top

May I use email to send PHI?

You should not send PHI by e-mail if at all possible. When necessary, emails containing PHI should only be sent inside of UW Health or inside of “wisc.edu” (e.g. email addresses should end in uwhealth.org or wisc.edu only).   Any other emails sent containing PHI must be encrypted absent patient/subject consent.  Never send PHI using external email accounts (e.g. Gmail, Yahoo, Hotmail) and never have your work email automatically forwarded to personal email accounts.

Top

Where can I obtain assistance in de-identifying PHI, including images?

Please consult with the UW-Madison HIPAA Privacy or Security Officer.   It can be difficult technically and legally to de-identify certain types of data, including images.   For example, with images, just inserting a black box over identifiers is not sufficient: if the box is drawn as a layer or annotation over the original (as in a slide, a PDF or an image-editor export), the recipient can simply remove it and recover what is underneath.  The identifying content must be destroyed in the file itself, and embedded metadata (such as DICOM headers or photo EXIF data, which can carry the patient's name, identifiers and dates) must be stripped as well.
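To show why a drawn-over black box is not redaction, here is an added Python example (not code from the UW-Madison pages or any UW tool) using a constructed SVG as a stand-in for a slide, PDF page or annotated image export.  The overlay version still contains the caption and the metadata, and a recipient can read both with a few lines of code; the destructive version removes them from the file and only then draws the box.  The sample figure, element id and box coordinates are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize with a default namespace, no ns0: prefixes
TEXT_TAGS = {f"{{{SVG_NS}}}text", f"{{{SVG_NS}}}tspan"}
METADATA_TAGS = {f"{{{SVG_NS}}}desc", f"{{{SVG_NS}}}title", f"{{{SVG_NS}}}metadata"}

# Constructed sample: an exported figure whose caption and metadata carry identifiers.
ORIGINAL_SVG = f"""<svg xmlns="{SVG_NS}" width="400" height="200">
  <desc>Exported from chart MRN 0012345 (Jane Q. Sample)</desc>
  <rect x="0" y="0" width="400" height="150" fill="#ccc"/>
  <text id="caption" x="10" y="180">Jane Q. Sample, MRN 0012345, admitted 2014-03-02</text>
</svg>"""


def _add_box(root, x, y, w, h):
    box = ET.SubElement(root, f"{{{SVG_NS}}}rect")
    for key, value in (("x", x), ("y", y), ("width", w), ("height", h), ("fill", "black")):
        box.set(key, str(value))


def overlay_redact(svg, x, y, w, h):
    """The 'black box' approach: draw an opaque rectangle on top.  Nothing underneath changes."""
    root = ET.fromstring(svg)
    _add_box(root, x, y, w, h)
    return ET.tostring(root, encoding="unicode")


def recover_text(svg):
    """What any recipient can do: read the text behind the box and the metadata that
    is never rendered at all."""
    root = ET.fromstring(svg)
    return [el.text.strip() for el in root.iter()
            if el.tag in TEXT_TAGS | METADATA_TAGS and el.text and el.text.strip()]


def destructive_redact(svg, element_ids, x, y, w, h):
    """Real redaction: delete the identifying elements and all descriptive metadata
    from the file, then draw the box over the now-empty area so the layout is unchanged.
    For a raster image the equivalent is rewriting the pixels and stripping the headers."""
    root = ET.fromstring(svg)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.get("id") in element_ids or child.tag in METADATA_TAGS:
                parent.remove(child)
    _add_box(root, x, y, w, h)
    return ET.tostring(root, encoding="unicode")


def element_count(svg, local_name):
    """Number of elements with the given SVG tag name in a document."""
    return len(ET.fromstring(svg).findall(f".//{{{SVG_NS}}}{local_name}"))


if __name__ == "__main__":
    boxed = overlay_redact(ORIGINAL_SVG, 0, 160, 400, 40)
    print("behind the overlay:", recover_text(boxed))
    clean = destructive_redact(ORIGINAL_SVG, {"caption"}, 0, 160, 400, 40)
    print("after destructive redaction:", recover_text(clean))
```

Before sharing any redacted image or document, run the equivalent of `recover_text` on the file you are about to send, not on what you see on screen: open the exported file in a text editor or metadata viewer and confirm the identifiers are gone.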

Top

What constitutes a strong password?

Strong passwords are long (at least 8 characters) and contain a mixture of upper and lower case characters, numbers and special characters.   See the UW-Madison password standard policy for the full requirements.

Top

Am I ever allowed to share my password?

No, never.   Please note that even IT staff should never request your password. If anyone asks you for your password, please report this to your supervisor and UW IT security staff. If you feel that your password has been compromised in any way, please contact UW IT security staff.

Top

How should I dispose of PHI or equipment on which PHI is contained?

PHI that is no longer needed for its intended use should be confidentially destroyed. PHI in hard copy should be placed in locked, confidential disposal bins or shredded.  For assistance in the destruction of electronic PHI, please contact the UW-Madison HIPAA Privacy or Security Officer.   Just deleting electronic data does not destroy the data.   Please note that PHI may be contained in copier memory and must be destroyed before disposing of a copier.   Examine all equipment being sent to SWAP (or otherwise being disposed of) to make sure it does not contain any CDs or other mobile devices that may contain PHI.   Please carefully examine all file cabinets being sent to SWAP (or otherwise disposed of) to make sure that no documents remain in the drawers (or are stuck behind drawers).  See Policy #8.7 "Destruction/Disposal of Protected Health Information" for more detail.

Top

May I take PHI with me when I leave UW-Madison?

In most cases, you will not be allowed to take the PHI that you obtained as an employee of UW-Madison with you when you leave UW-Madison.   Please consult with the UW-Madison HIPAA Privacy Officer for advice regarding the possibility of taking de-identified data or limited data sets when you leave UW-Madison.

Top

Where can I get technical support for complying with the HIPAA security rule at UW-Madison?

Departmental IT support in most health care component units can provide resources for securing data and workstations.  In all cases, the unit’s HIPAA Security Coordinator or the campus HIPAA Security Officer can provide guidance on compliance with the Security Rule.

Top

I need to store some PHI on a portable device, how should I encrypt it?

Only use USB drives that provide built-in encryption; many are available at the DoIT Tech Store. Standard mechanisms such as BitLocker (Windows) and FileVault (Mac) can be used to encrypt laptops.   Confirm that encryption is actually enabled on the whole drive (for example, with manage-bde -status on Windows or fdesetup status on a Mac) rather than assuming it is, and keep the recovery key somewhere other than the laptop itself.   Cell phones used to access or store PHI must be password protected and configured to allow a remote wipe.   Any portable device that is to contain PHI must be registered with your IT department.

Top

What is the difference between the HIPAA Security Officer and a HIPAA Security Coordinator?

Each unit in the UW-Madison health care component has an assigned HIPAA Security Coordinator who acts as a liaison to the campus HIPAA Security Officer.   In many cases, questions or situations related to HIPAA security can be addressed by the unit’s coordinator.

Top

CONTACT

 


HIPAA Privacy Officer

Amanda K. Reese

4170 Health Sciences Learning Center
750 Highland Avenue
Madison, WI 53705

(608) 262-2059

amanda.reese@wisc.edu


HIPAA Security Officer

Stefan Wahe 

Room 2164 Computer Science & Statistics
1210 W. Dayton Street
Madison, WI 53706

(608) 265-1177

stefan.wahe@wisc.edu


Anonymous Hotline (Anonymous Human Research Protection Hotline):
608-890-1273

To report an IT security incident or loss of sensitive data call the DoIT Help Desk: 
608-264-HELP (4357)