In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient's permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
UW–Madison is committed to protecting the privacy and security of individually identifiable health information obtained in the course of providing clinical care, in accordance with the HIPAA Privacy Rule and the HITECH regulations. UW–Madison has designated certain units of campus that function in whole or in part as health care providers as its HCC under HIPAA. Certain other individuals or units of campus provide business support functions for or on behalf of the health care units within the HCC. These individuals or units are part of the HCC when providing those support services. All units included within the HCC, including those providing business support functions, must comply with the relevant requirements of the HIPAA Privacy Rule. This policy outlines the permitted uses and disclosures of, and the required safeguards for, protected health information held by UW–Madison personnel providing business support functions to other units.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
09-25-2014: Effective date of the revised policy: 09-25-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.