Uses and Disclosures of Protected Health Information for Education and Training

Layout for printing
Policy Number:
UW-106
Old Policy Number:
3.5
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

Clinical education and training activities of UW–Madison learners are fundamental to the UW–Madison mission. The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule allows workforce members to use and/or disclose protected health information (PHI) for “training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." This policy explains the requirements for using and disclosing PHI for education and training at UW-Madison.

Definitions:
Disclosure
The release of protected health information by an individual within the health care component (HCC) or affiliated covered entity (ACE) to a person or entity outside the HCC or ACE.
Protected health information (PHI)
Health information about an individual that contains at least one of the identifiers specified in the HIPAA regulations. PHI does not include student records held by educational institutions or employment records held by employers.
University of Wisconsin affiliated covered entity (UW ACE)
Those entities that have been designated by the university as part of its affiliated covered entity under HIPAA as outlined in UW-101 Designation of the University of Wisconsin Affiliated Covered Entity (UW ACE).
Use
The sharing, employment, application, utilization, examination, or analysis of protected health information by an individual within the UW HCC or the UW ACE.
UW-Madison Health Care Component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of the UW-Madison Health Care Component (UW HCC) for a listing of these units.
Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Scope:

Applies to all members of the UW HCC.

Policy:
  1. Once PHI has been de-identified in compliance with UW-114 De-Identification of Protected Health Information Under the HIPAA Privacy Rule, it is no longer PHI and the additional requirements of this policy do not apply to such health information.
  2. Existing PHI from the UW HCC/ACE can be used for training & education without authorization when:
    1. The amount of PHI used is the minimum amount necessary to conduct the training; and
    2. The PHI is used by UW-Madison workforce members (e.g., employees, students, volunteers, trainees); and
    3. The PHI stays within the UW HCC and/or the UW ACE.
  3. Signed HIPAA Authorization (available on the Office of Compliance Forms page) is needed in the following circumstances:
    1. To obtain PHI (including photos and videos) from a patient/research participant specifically for educational or training purposes.
    2. To disclose PHI for education and training to one or more individuals who are not members of the UW-Madison workforce (e.g., conference posters, presentations, journal articles). 
Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
07-25-2014
Revised Dates:

07-25-2014: Effective date of the revised policy: 07-25-2014.

03-26-2020: Effective date of the revised policy: 03-26-2020.

09-19-2025: Effective date of the revised policy: 09-19-2025.

Retrieved:
03-31-2026 07:30:40