In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections apply over and above the new Federal privacy standards.
Applies to all members of the UW-Madison Health Care Component
The HIPAA Privacy Rule and HITECH regulations permit a covered entity to disclose protected health information to a business associate, and may allow the business associate to create or receive protected health information on the covered entity's behalf, provided the covered entity obtains satisfactory assurance, in the form of a business associate agreement, that the business associate will appropriately safeguard the information. UW-Madison follows the HIPAA Privacy Rule when, in the role of a business associate, it receives protected health information from external parties that qualify as covered entities. This document prescribes procedures for handling such arrangements with external parties when UW-Madison functions in the role of a business associate.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual's non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and by entering into Corrective Action Plans and Resolution Agreements. Failure to comply with HIPAA, or to cooperate with OCR in an investigation, may result in civil and/or criminal penalties.
07-20-2014: Effective date of the revised policy.
03-26-2020: Effective date of the revised policy.