HIPAA Security Oversight

Layout for printing
Policy Number:
UW-125
Old Policy Number:
8.2
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:
Business associate
A person or entity not affiliated with UW–Madison that performs or assists in performing, for or on behalf of any unit in the UW–Madison health care component (UW HCC), business support functions/services that involve the use of protected health information (PHI).
Electronic protected health information (ePHI)
Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
HIPAA privacy coordinator of a unit
A designated individual who serves in that role for a school, college, division, department, or individual, as defined in UW-141 Designation of Unit Privacy and Security Coordinators with duties further clarified in UW-125 Security Oversight and other related policies.
HIPAA security coordinator of a unit
A designated individual who serves in that role for a school, college, division, department, or individual, as defined in UW-141 Designation of Unit Privacy and Security Coordinators with duties further clarified in UW-125 HIPAA Security Oversight and other related policies.
Protected health information (PHI)
Health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. Protected health information does not include student records held by educational institutions or employment records held by employers. 
UWMadison health care component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW–Madison Health Care Component for a listing of these units.
UWMadison HIPAA privacy and security program coordinator
A designated individual who serves in that role for all units, with duties that include but are not limited to those identified in UW-125 HIPAA Security Oversight and other related policies.
Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

  1. In accordance with the standards set forth in the HIPAA Security and HITECH Omnibus Rules, UW–Madison is committed to ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) it creates, receives, maintains, or transmits.To that end, UW–Madison has a designated HIPAA security officer to coordinate the appropriate HIPAA security development, implementation, and oversight of the units of the UW HCC and each individual or unit at UW–Madison that is a business associate of a covered entity (hereafter collectively referred to as “units”). The UW–Madison HIPAA security officer is responsible for:
    1. Advising UW–Madison leadership, including the UW–Madison HIPAA privacy officer, the HIPAA privacy coordinator of each unit, and the HIPAA security coordinator of each unit on all matters related to HIPAA security;
    2. The development, implementation, and maintenance of all shared policies, procedures, and documentation related to efforts toward HIPAA security compliance;
    3. Security incident reporting and investigation, and participation in incident response; and
    4. Facilitation of security audits, maintenance of security documents required by the security rule, assisting in the administration and oversight of business associates, and reporting of HIPAA security compliance efforts to the UW–Madison HIPAA privacy officer and university leadership.
  2. Each unit has a designated HIPAA security coordinator as described in UW-141 Designation of Unit Privacy and Security Coordinators. In addition to the duties specified in UW-141, the HIPAA security coordinator of a unit is responsible for the development, implementation, and maintenance of all local policies, procedures, and documentation related to efforts toward HIPAA security compliance in the unit, and has other HIPAA security oversight duties described in section III.2. and in other related policies.
  3. Each unit has a designated HIPAA privacy coordinator as described in UW-141 Designation of Unit Privacy and Security Coordinators. In addition to the duties specified in UW-141, the HIPAA privacy coordinator of a unit has other HIPAA security oversight duties described in section III.3. and in other related policies.
  4. In some units, there may be privacy or security sub-coordinators who have the same duties within their subunits.

Policy Details

  1. UW–Madison HIPAA Security Officer Responsibilities

    The Security Officer, in collaboration with the UW-Madison HIPAA Privacy Officer, is responsible for facilitating the development, implementation, and oversight of all activities pertaining to UW–Madison efforts to be compliant with the HIPAA security regulations. The intent of these oversight activities is to maintain the confidentiality, integrity, and availability of ePHI. The responsibilities of the UW-Madison HIPAA Security Officer include, but are not limited to the following:

    1. The UW–Madison HIPAA security officer is a co-chair of the UW–Madison HIPAA Privacy and Security Operations Committee.
    2. Advisory Duties. The UW–Madison HIPAA security officer provides advice and expertise on all matters related to HIPAA security.
      1. The Security Officer is advisory to:
        1. UW–Madison leadership;
        2. The UW–Madison HIPAA Privacy and Security Executive Board;
        3. The UW–Madison HIPAA privacy officer;
        4. The HIPAA privacy coordinator of each unit;
        5. The HIPAA security coordinator of each unit; and
        6. Anyone who is supporting the HIPAA-related work of the above, such as trainers, developers, human resources staff, information technology staff, facilities managers, etc.
      2. Advice may be solicited or unsolicited. The security officer will take the initiative to provide needed advice whenever and to whoever seems appropriate in order to help accomplish HIPAA security compliance at UW–Madison.
      3. The security officer may arrange for additional expertise or assistance as needed, such as security experts, security auditors, etc.
    3. Policies and Procedures. The UW–Madison HIPAA security officer develops, implements, and maintains the shared HIPAA security policies and procedures that apply to all units. The security officer or delegate:
      1. Establishes, updates, and maintains the shared policies and procedures written to comply with the Security Rule.
      2. Retains the policies and procedures for six years from the date of creation or date it was last in effect, whichever is later.
      3. Provides copies of the policies and procedures to management, and has them available for review by all other workforce members to which they apply.
      4. Periodically, and as necessary, reviews and updates the shared policies and procedures in order to respond to environmental or operational changes affecting the security of electronic protected health information.
    4. Security Incident Reporting, Investigation, and Follow-Up. The UW–Madison HIPAA security officer facilitates HIPAA security incident reporting, investigation, and follow-up processes for electronic protected health information. The security officer or delegate:
      1. Maintains a program promoting workforce members to report possible security breaches or other noncompliance with security policies and procedures.
      2. Promptly, properly, and consistently investigates and addresses reports of possible security breaches and takes steps to prevent a recurrence. This investigation focuses on determining what unauthorized access or use of electronic protected health information has occurred (if any). It is distinct from, but related to, the investigation facilitated by the UW–Madison HIPAA privacy officer that focuses on the involvement of workforce members in a privacy or security breach or violation of privacy and security policies and procedures which could result in notification to affected individuals or the application of sanctions to workforce members. Care must be taken while investigating a possible security breach so that later investigation of workforce member involvement is not compromised.
      3. Promptly reports possible security breaches to the UW–Madison HIPAA privacy officer and other designated officials.
      4. Works with HIPAA security coordinators and IT staff to mitigate to the extent practicable, any harmful effects known to UW–Madison of a use or disclosure of electronic protected health information in violation of HIPAA security policies and procedures.
      5. Works in consultation with the appropriate dean or division director, the Office of Human Resources, and the UW–Madison HIPAA privacy officer to help ensure consistent and appropriate sanctions against workforce members who fail to comply with the security policies and procedures.
    5. Incident Response. The UW–Madison HIPAA security officer participates in the incident response process. The security officer or delegate:
      1. Is immediately informed of a report of a possible privacy or security breach as outlined in Section III.1. of UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information.
      2. Remains engaged and continues to receive updates on each active privacy or security response until the security officer or delegate determines that electronic protected health information was not involved in the breach.
      3. Serves on any administrative or leadership team that recommends the appropriate response to a possible breach involving electronic protected health information.
    6. Authorization and Access Control. In cases where central (UW–Madison level) security authorization and access controls are appropriate, the UW–Madison HIPAA security officer or delegate implements procedures for:
      1. Initial authorization and granting of security access rights for workforce members so they can access specific information resources.
      2. Timely modification of access rights as the need for access changes.
      3. Termination of access rights in a timely manner, including both event-driven termination and periodic assessments to find those authorizations or access rights that are no longer necessary.
    7. Auditing, Reporting, and Documentation. The UW–Madison HIPAA security officer or delegate:
      1. Facilitates security assessments and audits to validate security compliance efforts among all units, including both internal assessments and external audits.
      2. Documents or receives a copy of all documents pertaining to all activities and assessments completed to comply with the Security Rule, and maintains those documents for six years from the date of creation or date it was last in effect, whichever is later.
      3. Assists the UW–Madison HIPAA privacy officer and the HIPAA privacy coordinator of each unit in the administration and oversight of business associates and agreements, including both business associates at UW–Madison and those external to UW–Madison.
      4. Provides timely reports of HIPAA security compliance activities to the UW–Madison HIPAA privacy officer and university leadership.

  2. Responsibilities of the HIPAA Security Coordinator of a Unit

    Some responsibilities of the HIPAA security coordinator are specified in UW-141 Designation of Unit Privacy and Security Coordinators. The HIPAA security coordinator has additional security oversight duties that include, but are not limited to:

    1. The HIPAA security coordinator of a unit is a member of the UW–Madison HIPAA Privacy and Security Operations Committee.
    2. Advisory Duties. The HIPAA security coordinator is advisory to:
      1. Leadership of the unit;
      2. The HIPAA privacy coordinator of the unit;
      3. The HIPAA security sub-coordinators of the unit (if any); and
      4. Anyone who is supporting the HIPAA-related work of the above, such as Human Resources staff, Information Technology staff, facilities managers, etc.
    3. Policies and Procedures.
      1. The HIPAA security coordinator of a unit develops, implements, and maintains any HIPAA security policies and procedures that apply specifically to that unit.
      2. When a unit’s policy must differ from the shared policies, the unit’s policy may not be less restrictive. Local policies must be reported to the UW–Madison HIPAA security officer so they can be incorporated as exceptions to the shared policies and procedures.
      3. When a procedure must differ from similar procedures specified in the shared policies and procedures, the unit’s procedure must be reported to the UW–Madison HIPAA security officer for possible inclusion as an exception to the shared policies and procedures. The security officer will determine if inclusion is warranted.
    4. Security Incident Reporting and Investigation. After a possible security incident is reported, the HIPAA security coordinator of the unit will immediately be informed if that possible security incident involves the security coordinator’s unit.
    5. Incident Investigation and Response. The HIPAA security coordinator of the unit:
      1. May be asked to serve on a team that investigates or makes recommendations regarding the appropriate response to an incident.
      2. Will be informed of the result of any security incident investigation and the response of the institution.
    6. Authorization and Access Control. In cases where security authorization and access control decisions are made by the unit, the HIPAA security coordinator or designee implements procedures for:
      1. Initial authorization and granting of security access rights for unit workforce members so they can access specific information resources in the unit.
      2. Timely modification of access rights as the need for access changes.
      3. Termination of security access rights in a timely manner, including both event-driven termination and periodic audits to find those authorizations or access rights that are no longer necessary.
    7. Assessment, Reporting, and Documentation. The HIPAA security coordinator or designee of a unit:
      1. Facilitates self-assessments to improve Security Rule compliance efforts in the unit.
      2. Documents or receives a copy of all documents pertaining to all activities and assessments completed by the unit to comply with the Security Rule, and forwards a copy of all of these to the UW–Madison HIPAA security officer (in electronic form if available.)
      3. Assists the HIPAA privacy coordinator of the unit in the administration and oversight of business associates and agreements in place with the unit, including both business associates at UW–Madison and those external to UW-Madison.
      4. Provides timely reports of HIPAA security compliance activities in the unit to the HIPAA privacy coordinator and leadership of the unit.
    8.  Identifying and Assisting in the Acquisition of Necessary Resources. This includes resources for:
      1. The security compliance-related activities and facilities of the unit; and
      2. The unit’s contribution to security compliance-related activities and facilities that are shared with other units.

  3. Security-Related Duties of the HIPAA Privacy Coordinator of a Unit

    Some duties of the HIPAA privacy coordinator are specified in UW-141 Designation of Unit Privacy and Security Coordinators. The privacy coordinator has additional security oversight duties that include, but are not limited to:

    1. The HIPAA security coordinator of a unit is a member of the UW–Madison HIPAA Privacy and Security Operations Committee.
    2. Facilitating Appropriate Supervision of Unit Workforce Members with Respect to HIPAA Privacy and Security Matters. The HIPAA privacy coordinator works with leaders to implement the following:
      1. It is the responsibility of all leaders (e.g., team leaders, supervisors, managers, directors, senior leaders, etc.) to supervise all workforce members, including third-party vendors, contractors, or other users of the unit’s systems, applications, servers, workstations, etc. that contain electronic protected health information.
      2. Leaders monitor workstations and applications for unauthorized use, tampering, and theft and report noncompliance according to UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information.
      3. Leaders assist the UW–Madison HIPAA security officer, the unit’s HIPAA privacy coordinator, and HIPAA security coordinator to ensure appropriate role-based access is provided to all workforce members.
      4. Leaders take all reasonable steps to hire, retain, and promote workforce members and provide access to workforce members who comply with the security policies and procedures.
    3. Assisting in Appropriate Investigation of Unit Workforce Members with Respect to HIPAA Privacy and Security Matters. At the direction of the UW–Madison HIPAA privacy officer, the HIPAA privacy coordinator of a unit assists in the appropriate investigation of any unit workforce member who may be in noncompliance with HIPAA privacy and security policies and procedures. This investigation focuses on the involvement of workforce members in a possible privacy or security breach or violation of privacy and security policies and procedures which could result in notification to affected individuals or the application of sanctions to workforce members. This is distinct from but related to the investigation of a possible security breach which focuses on determining what unauthorized access or use of electronic protected health information has occurred (if any.) While the timely investigation of workforce member involvement is important, care must be taken to avoid damaging evidence that might indicate the nature and extent of the possible breach.
      1. The HIPAA privacy coordinator of a unit works with leaders to foster a culture by which all workforce members and any others with system access report noncompliance with policies and procedures. UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information describes the reporting process.
      2. At the direction of the UW–Madison HIPAA privacy officer, the HIPAA privacy coordinator of a unit assists in facilitating a timely and thorough investigation of all reported violations of privacy and security policies and procedures in the unit. The privacy coordinator or delegate may request the assistance of others such as Human Resources staff, the workforce member’s supervisor, other workforce members, or vendor/contractors as needed. The result is the formation of a team of investigators appropriate to the situation.
      3. Investigations are conducted as described in UW-138 Responding to Employee Noncompliance with Policies and Procedures Relating to HIPAA Privacy and Security Rules and UW-139 Responding to Student Noncompliance with Policies and Procedures Relating to HIPAA Privacy and Security Rules.
    4. Identifying and Assisting in Acquisition of Necessary Resources. This includes resources for:
      1. The security compliance-related activities and facilities of the unit; and
      2. The unit’s contribution to security compliance-related activities and facilities that are shared with other units.

  4. Workforce Training

    The UW–Madison HIPAA privacy officer and UW–Madison HIPAA security officer are jointly responsible for the development and implementation of privacy and security training that is shared by all units. The HIPAA privacy coordinator and HIPAA security coordinator of each unit provide assistance and are also responsible for the development and implementation of training that is specific to the unit (when such is required). Privacy and security training is described in UW-137 HIPAA Privacy and Security Training.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:

Additional information may be found at www.compliance.wisc.edu/hipaa

External References:

45 CFR §164.308(a)(1)(ii)(C) (HIPAA Security Rule – Sanction Policy)

45 CFR §164.308(a)(2) (HIPAA Security Rule – Assigned Security Responsibility)

45 CFR §164.308(a)(3)(ii)(A) (HIPAA Security Rule – Authorization and/or Supervision)

45 CFR §164.308(a)(4) (HIPAA Security Rule – Information Access Management)

45 CFR §164.308(a)(4)(ii)(B) (HIPAA Security Rule – Access Authorization)

45 CFR §164.308(a)(4)(ii)(C) (HIPAA Security Rule – Access Establishment and Modification)

45 CFR §164.308(a)(5)(i) (HIPAA Security Rule – Security Awareness and Training)

45 CFR §164.308(a)(5)(ii)(A) (HIPAA Security Rule – Security Reminders)

45 CFR §164.308(a)(6)(i-ii) (HIPAA Security Rule – Response and Reporting)

45 CFR §164.316(a-b) (HIPAA Security Rule – Documentation)

HIPAA Collaborative of Wisconsin Security Oversight Policy

HIPAA Collaborative of Wisconsin Security Oversight Whitepaper

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
12-22-2014
Revised Dates:

12-08-2014: Effective date of the revised policy: 12-08-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:
04-24-2024 19:45:28