HIPAA Security - Risk Assessment and Mitigation

Layout for printing

Policy Number:

UW-124

Old Policy Number:

8.1

Responsible Office:

Office of Compliance

University Policy

Rationale/​Purpose:

The Health Insurance Portability and Accountability Act (HIPAA) seeks to protect patient privacy and data security by regulating how health information – including electronic protected health information (ePHI) – is collected, used, and shared. As a healthcare provider, UW-Madison is required under HIPAA to establish certain administrative safeguards for handling ePHI. This policy addresses the established security management standard (45 C.F.R :§164.308[a][1][i]) and evaluation standard (45 C.F.R. §164.308[a][8]).

Definitions:

Business associate

A person or entity that performs functions on behalf of a covered entity which involve the use of the covered entity's protected health information (PHI).

Covered entity

A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Electronic protected health information (ePHI)

Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

Risk

The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of ePHI, other confidential or proprietary electronic information, and other system assets.

Risk acceptance

A risk response strategy where an organization decides to accept a risk instead of eliminating, avoiding, or mitigating it, based on its tolerability and acceptability.

Risk assessment/analysis

The process that:

• Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place;
• Prioritizes risks; and
• Results in recommended possible actions/controls that could reduce or offset the determined risk.

Risk executive

An executive or director within a campus school, college, division, or functional unit, or in the line of authority above that unit. Must have the authority to accept the risk of operating an information technology system on behalf of the institution and to pay costs associated with adverse outcomes related to the risk.

Risk mitigation

A process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization given its mission and available resources.

Threat

The potential for a particular threat source to cause loss or to successfully exploit a particular vulnerability. Threats are commonly categorized as:

• Environmental – internal fires, HVAC failure/temperature inadequacy, water pipe burst, power failure/fluctuation, etc.
• Human – hackers, data entry, workforce/ex-workforce members, impersonation, insertion of malicious code, theft, viruses, SPAM, vandalism, etc.
• Natural – fires, floods, electrical storms, tornados, etc.
• Technological – server failure, software failure, ancillary equipment failure, etc.
• Other – explosions, medical emergencies, misuse of resources, etc.

UW-Madison Health Care Component (UW HCC)

Those units of the University of Wisconsin–Madison that have been designated by the university as part of its health care component under HIPAA as outlined in UW-100 Designation of the UW-Madison Health Care Component (UW HCC).

Scope:

This policy applies to all members of the UW HCC. It also applies to UW-Madison business associates of covered entities, whether individuals or units (hereafter collectively referred to as “units”).

Policy:

1. Risk assessment and mitigation shall be carried out in collaboration with the UW-Madison Office of Cybersecurity.
2. Risk Assessment/Analysis
   1. To ensure HIPAA compliance and protect data, units must perform risk assessments and manage identified risks.
   2. Frequency
      1. Periodic assessments of each unit’s information system infrastructure shall be conducted according to HIPAA regulatory requirements.
      2. Ad hoc assessments shall be conducted at the direction of a unit’s HIPAA privacy or security coordinator, as defined and clarified in UW-125 HIPAA Security Oversight, or the university’s HIPAA privacy or security officer (the individual appointed by the university to be the privacy officer under 45 C.F.R. §164.530[a][1] or the security officer under 45 C.F.R. §164.308[a][2]).
      3. A full or partial risk assessment will generally be required any time:
         1. A new technology is to be purchased or integrated
         2. Significant changes occur that could affect a unit’s information systems (e.g., changes to business strategy, information sensitivity, threat awareness, legal obligations)
         3. Changes are made to physical security
3. Risk Mitigation and Acceptance of Residual Risk
   1. Each unit is responsible for addressing gaps identified through risk assessment.
   2. The Office of Cybersecurity shall provide advice on mitigation strategies.
   3. Any risk that remains after mitigation (i.e., residual risk) must be accepted by the unit’s risk executive. Risk acceptance and the reasoning for acceptance must be documented.
   4. Risk acceptance includes acknowledgement of financial, reputational, and resource risks and a commitment to bearing associated costs.

Related UW-Madison Policies:

UW-100 Designation of the UW–Madison Health Care Component

UW-116 Managing Business Associate Arrangements

UW-118 Use of and Safeguards for Protected Health Information by UW-Madison Internal Business Support Personnel

UW-125 HIPAA Security Oversight

UW-126 HIPAA Security Auditing

UW-127 HIPAA Security Contingency Planning

UW-129 Email Communication Involving Protected Health Information

UW-130 Destruction/Disposal of Protected Health Information

UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information

UW-132 HIPAA Security System Access

UW-134 HIPAA Security Data Management and Backup

UW-135 HIPAA Security Facilities Management

UW-137 HIPAA Privacy and Security Training

UW-138 Responding to Employee Noncompliance with Polices and Procedures Relating to the HIPAA Privacy and Security Rules

UW-139 Responding to Student Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules

UW-141 Designation of Unit Privacy and Security Coordinators

Related UW–Madison Documents, Web Pages, or Other Resources:

Office of Compliance Policies and Forms

External References:

45 C.F.R. §164.302-306 (HIPAA Security Rule – General Requirements)

45 C.F.R. §164.308 (HIPAA Security Rule – Administrative Safeguards)

45 C.F.R. §164.316(a-b) (HIPAA Security Rule – Documentation)

45 C.F.R. §164.530 (a)(1) (Standard: Personnel designations)

Policy Administration

Approval Authority:

Vice Chancellor for Legal Affairs

Policy Manager:

HIPAA Privacy Officer

Contact:

HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
HIPAA Security Officer -- Dharvesh Naraine, naraine@wisc.edu, (608) 262-1664

Effective Date:

12-22-2014

Revised Dates:

12-08-2014: Effective date of the revised policy: 12-08-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
10-19-2025

Retrieved:

02-11-2026 23:20:19