In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Health care operations do not include research and many fundraising and marketing activities. See UW-107 Uses and Disclosures of Protected Health Information for Marketing and UW-108 Uses and Disclosures of Protected Health Information for Fundraising for more information.
Applies to all members of the UW HCC.
Clinical education and training activities of UW–Madison students, including residents and fellows, are fundamental to the UW–Madison mission. In fulfilling that mission, UW–Madison uses protected health information for these activities only as permitted by HIPAA. The HIPAA Privacy Rule allows physicians and staff to use and disclose protected health information without a patient's written authorization for purposes related to treatment, payment, and health care operations. Health care operations include the conducting of “training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” As such, UW–Madison employees within the UW HCC or the University of Wisconsin Affiliated Covered Entity can use PHI, without a patient's written authorization, to teach medical residents, medical students, nursing students, and other clinical students or trainees, as further outlined in this document.
Uses of protected health information, as described below, can be made for the education and training of students, residents, and fellows within the workforce of the UW HCC or the UW ACE without obtaining patient authorization or providing the patient with an opportunity to agree or object to the use or disclosure:
UW–Madison employees and students may not disclose protected health information for case studies, articles, industry conferences/lectures, posters, flyers, or any other material or media unless:
In circumstances where a patient is to be photographed or videotaped specifically for educational or training purposes, the physician will seek the patient's authorization using a form substantially similar to the Authorization for Disclosure of Identifiable Medical Information for Publication available in the “Forms” tab at hipaa.wisc.edu. Only the minimum amount of protected health information should be recorded.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa.
07-25-2014: Effective date of the revised policy: 07-25-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.