In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
HIPAA regulations apply to businesses and individuals in the health care industry such as health plans and health care providers. These are called “covered entities,” meaning they are “covered” by HIPAA. UW–Madison is a “hybrid entity” because the campus includes both units that perform HIPAA-covered functions (such as providing health care) and units that do not.
As a hybrid entity, UW–Madison has designated its units that perform covered functions, and individuals or units that perform support functions on behalf of those designated units, as its “health care component.”
School of Medicine and Public Health (SMPH), as outlined below.
The following departments, institutes, and centers, in their entirety:
Wisconsin Alzheimer’s Institute (known as “WAI”)
The following “central” SMPH administrative personnel and offices:
Researchers and other key personnel on human subjects protocols.
Researchers and other key personnel employed by UW–Madison and holding appointments outside units of the HCC designated above are members of the HCC when they conduct research involving the use of protected health information in collaboration with researchers with appointments in any unit of the HCC designated above. Membership in the HCC lasts for the duration of such research.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa.
09-22-2014: Effective date of the revised policy.
11-29-2017: Effective date of the revised policy.
03-26-2020: Effective date of the revised policy.
07-14-2020: Effective date of the revised policy.
03-30-2021: Effective date of the revised policy.
05-17-2021: Effective date of the revised policy.