In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
It is the policy of UW–Madison that the units of the UW HCC and each unit within UW–Madison that is a business associate of a covered entity (hereafter collectively referred to as “units”) ensure the confidentiality, integrity, and availability of all protected health information by establishing the following documentation and procedural requirements.
Forms and signatures may be paper or electronic.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or to cooperate with OCR in an investigation may result in civil and/or criminal penalties.
UW-100 Designation of UW-Madison Health Care Component
UW-109 The Minimum Necessary Standard
UW-125 HIPAA Security Oversight
UW-126 HIPAA Security Auditing
UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information
UW-135 HIPAA Security Facilities Management
Additional information may be found at www.compliance.wisc.edu/hipaa
45 C.F.R. §164.308(a)(1)(i) (HIPAA Security Rule – Security Management Process)
45 C.F.R. §164.308(a)(3)(ii)(A) (HIPAA Security Rule – Supervision)
45 C.F.R. §164.308(a)(3)(ii)(B) (HIPAA Security Rule – Workforce Clearance Procedures)
45 C.F.R. §164.308(a)(3)(ii)(C) (HIPAA Security Rule – Termination Procedures)
45 C.F.R. §164.308(a)(4)(ii)(B-C) (HIPAA Security Rule – Access Authorization)
45 C.F.R. §164.312(a)(2)(i) (HIPAA Security Rule – Unique User Identification)
45 C.F.R. §164.312(d) (HIPAA Security Rule – Person or Entity Authentication)
45 C.F.R. §164.316(a-b) (HIPAA Security Rule – Documentation)
45 C.F.R. Subpart D (HITECH Act)
Resources
HIPAA Collaborative of Wisconsin “System Access” policy template
02-21-2018: Effective date of the revised policy.
03-26-2020: Effective date of the revised policy.