HIPAA Oversight: Officer and Coordinator Responsibilities

Layout for printing
Policy Number:
UW-125
Old Policy Number:
8.2
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

The Health Insurance Portability and Accountability Act (HIPAA) regulations consist of two key parts: the Privacy Rule and the Security Rule. Together, they establish national standards for the appropriate use, disclosure, and protection of Protected Health Information (PHI). To comply with these rules, HIPAA requires the appointment of a university HIPAA Privacy and Security Officer. UW-Madison also requires the appointment of a HIPAA Privacy and Security Coordinator at the unit level. This policy defines the roles and responsibilities of these four roles.

Definitions:
Business Associate
A person or entity that performs functions on behalf of a covered entity which involve the use of the covered entity's protected health information (PHI).
HIPAA Privacy Coordinator
A designated individual who works on HIPAA privacy matters for a school, college, division, department, or individual with duties further clarified in this policy and other related policies.
HIPAA Security Coordinator
A designated individual who works on HIPAA security matters for a school, college, division, department, or individual with duties further clarified in this policy and other related policies.
Protected Health Information (PHI)
Health information about an individual that contains at least one of the identifiers specified in the HIPAA regulations. PHI does not include student records held by educational institutions or employment records held by employers.
Stakeholders
For the purposes of this policy: UW–Madison leadership, UW–Madison’s HIPAA Privacy and Security Executive Board, UW-Madison Chief Information Security Officer, UW–Madison’s HIPAA Privacy and Security Officers, HIPAA Privacy and Security Coordinators, and others who support HIPAA-related efforts (e.g., trainers, developers, human resources staff, information technology staff, facilities managers).
UW-Madison Health Care Component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of the UW-Madison Health Care Component (UW HCC) for a listing of these units.
UW–Madison HIPAA Privacy Officer
The individual appointed by the university to be the privacy officer under 45 C.F.R. §164.530(a)(1)(i).
UW–Madison HIPAA Security Officer
The individual appointed by the university to be the security officer under 45 C.F.R. §164.308(a)(2).
Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Scope:

This policy applies to all members of the University of Wisconsin–Madison Healthcare Component (UW HCC) and to UW-Madison units serving as business associates.

Policy:

  1. University HIPAA Privacy and Security Officers

    1. The University of Wisconsin-Madison (UW-Madison) HIPAA Privacy and Security Officers are responsible for the following within their respective areas of expertise (i.e., the Privacy Officer leads when the issue is primarily privacy related and the Security Officer leads when the issue is primarily security related):
      1. Co-Chair the UW–Madison HIPAA Privacy and Security Operations Committee
      2. Facilitate and lead the respective UW–Madison Privacy and Security Coordinators monthly meetings
      3. Advise on HIPAA privacy and security matters
        1. The Officers shall advise stakeholders as needed to ensure HIPAA compliance.
        2. The Officers may enlist additional expertise or assistance (e.g., experts, auditors) as needed.
      4. Develop, implement, and maintain shared policies and procedures

        The Officers shall develop, implement, and maintain all shared policies, procedures, and documentation related to HIPAA compliance efforts across the university. The Officers or their delegates shall specifically:

        1. In coordination with the UW-Madison Policy Library, retain every policy and procedure for six years from the date of creation or date it was last in effect, whichever is later.
        2. Make policies and procedures available for review to all workforce members to whom they apply.
        3. Periodically, and when otherwise necessary, review and update policies and procedures to respond to environmental or operational changes affecting the security of protected health information (PHI).
      5. Report, investigate, and respond to privacy and security incidents

        The Officers shall facilitate HIPAA incident reporting, investigation, and follow-up processes. The Officers or their delegates shall:

        1. Maintain a program encouraging workforce members to report possible inappropriate access, use, or disclosure of PHI.
        2. Promptly and consistently investigate incident reports.
          1. Investigations shall focus on determining if any unauthorized access to or use of PHI has occurred.
          2. Promptly report incidents to their privacy/security counterpart and relevant stakeholders.
        3. Work with HIPAA Privacy and Security Coordinators and relevant stakeholders to mitigate any harmful effects to the university and take steps to prevent a recurrence.
        4. Work with the appropriate dean or director, the Office of Human Resources, and their privacy/security counterpart to help ensure consistent and appropriate sanctions for workforce members who fail to comply with HIPAA policies and procedures.
      6. Facilitate internal assessments and external audits to validate compliance efforts among all units, in accordance with the Campus HIPAA Risk Assessment Service.
      7. Develop and implement shared workforce training as outlined in UW-137 HIPAA Privacy and Security Training.
      8. Perform other functions as designated in UW–Madison policies and procedures implementing the HIPAA Privacy and Security Rules. 
    2. The UW-Madison HIPAA Privacy Officer is responsible for:
      1. Designation of the UW-Madison Health Care Component (UW HCC)
      2. Managing breach analysis and required reporting
      3. Other functions as designated in UW-Madison policies and procedures implementing the HIPAA Privacy Rule
    3. The UW-Madison HIPAA Security Officer is responsible for:
      1. Coordinating access control, when central (i.e., university-level) security authorization and access controls are appropriate. The UW–Madison HIPAA Security Officer or their delegate shall implement procedures for:
        1. Initial authorization and granting of security access rights for workforce members to access specific information resources
        2. Timely modification of access rights as needed
        3. Timely termination of access rights, as driven by both events and periodic assessments to determine continued need
        4. Periodic user access attestation to ensure appropriate access maintained
      2. Audit, report, and document activities
        1. Document or receive a copy of all documents pertaining to HIPAA Security Rule compliance activities and assessments.
        2. Maintain HIPAA Security Rule compliance documents for six years from the date of creation or date they were last in effect, whichever is later.
        3. Assist the UW–Madison HIPAA Privacy Officer and HIPAA Privacy Coordinators in the administration and oversight of UW–Madison and external business associates and business associate agreements.
        4. Report HIPAA security compliance activities to the UW–Madison HIPAA Privacy Officer and university leadership.
      3. Other functions as designated in UW-Madison policies and procedures implementing the HIPAA Security Rule.

  2. Unit HIPAA Privacy and Security Coordinators

    1. Designation of Coordinators
      1. Each unit of the UW HCC shall designate a HIPAA Security Coordinator and a HIPAA Privacy Coordinator. In the event a designated coordinator role is empty, the UW-Madison HIPAA Privacy or Security Officer will act as the respective coordinator for that unit.
      2. Unit leadership shall ensure its HIPAA Privacy and Security Coordinator position descriptions reference this policy and/or include listings of the specific responsibilities enumerated in this policy.
      3. More than one person may be designated to function as a unit’s HIPAA Privacy or Security Coordinator if warranted, so long as they are qualified to perform the duties listed below.
      4. Any time there is a change to the unit’s coordinator designations, the unit’s leadership shall promptly notify the UW–Madison HIPAA Privacy and Security Officers.
    2. Privacy and Security Coordinator Responsibilities

      The unit HIPAA Privacy and Security Coordinators are responsible for the following within their respective areas of expertise (i.e., the Privacy Coordinator leads when the issue is primarily privacy-related and the Security Coordinator leads when the issue is primarily security-related):

      1. Encouraging the reporting of noncompliance with HIPAA policies and procedures within their unit, according to UW-131 Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured Protected Health Information.
      2. Reporting, investigating, and responding to HIPAA incidents affecting or potentially affecting their unit. The coordinators must:
        1. Promptly and consistently investigate incident reports in collaboration with stakeholders.
        2. Work with UW-Madison HIPAA Privacy and Security Officers and relevant stakeholders to mitigate any harmful effects to the university and take steps to prevent a recurrence.
        3. Work with the appropriate dean or director, the Office of Human Resources, the UW-Madison HIPAA Privacy and Security Officers, and their counterpart coordinator to help ensure consistent and appropriate sanctions for workforce members who fail to comply with HIPAA policies and procedures.
      3. Developing, implementing, and maintaining policies, procedures, and documentation to ensure their unit’s compliance with the provisions of the HIPAA Privacy and Security Rules. Coordinators must:
        1. Ensure the unit’s policies are not less restrictive than university policy.
        2. Report unit policies and procedures that are more restrictive than university-level policies to the UW–Madison HIPAA Privacy and Security Officers.
        3. Retain policies, procedures, and other respective documents for six years.
      4. Acting as point of contact for stakeholders and advising on matters of HIPAA compliance.
      5. Acting as the unit’s liaisons with UW–Madison HIPAA Privacy and Security Officers.
      6. Reporting on activities related to their respective areas of responsibility to their unit coordinator counterpart and leadership.
      7. Serving on the UW–Madison HIPAA Privacy and Security Operations Committee.
      8. Identifying resource needs and assisting with resource acquisition for their unit’s HIPAA compliance.
      9. Assisting UW–Madison’s HIPAA Privacy and Security Officers with developing and implementing shared workforce training.
      10. Working with their unit HIPAA Coordinator counterpart to develop and implement unit-specific training, when such is required.
      11. Other functions as designated in UW-Madison policies and procedures implementing the HIPAA Privacy Rule and Security Rule.
    3. The unit HIPAA Privacy Coordinators are responsible for:
      1. Working with stakeholders to ensure the unit’s workforce members complete role-appropriate HIPAA training by applicable deadlines.
      2. Performing other functions as designated in UW–Madison policies and procedures implementing the Privacy Rule
    4. The unit HIPAA Security Coordinators are responsible for:
      1. Coordinating access control in cases where such decisions are made at the unit level. The Security Coordinator or their designee shall implement procedures for:
        1. Initial authorization and granting of security access rights for unit workforce members to access specific unit information resources.
        2. Timely modification of access rights as needed.
        3. Timely termination of access rights, as driven by both events and periodic assessments to determine continued need.
        4. Periodic user access attestation to ensure appropriate access maintained.
      2. Assessing, reporting, and documenting activities (including for unit and external business associates) as follows:
        1. Facilitating assessments to improve unit compliance with the HIPAA Security Rule.
        2. Reviewing all documents for activities and assessments completed within their units to comply with the HIPAA Security Rule.
        3. Providing the UW–Madison HIPAA Security Officer with copies of all documents for activities and assessments completed by their unit to comply with the HIPAA Security Rule
      3. Performing other functions as designated in UW–Madison policies and procedures implementing the Security Rule.
Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs Compliance and Enterprise Risk Management
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
12-22-2014
Revised Dates:

12-08-2014: Effective date of the revised policy: 12-08-2014.

03-26-2020: Effective date of the revised policy: 03-26-2020.

03-01-2026: Effective date of the revised policy: 03-01-2026.

Retrieved:
05-05-2026 00:19:18