The units of the UW-Madison Health Care Component (UW HCC) and each entity or person at UW-Madison serving as a Business Associate for a covered entity must ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI) by establishing the following documentation and procedural requirements. It is up to the entity or person to also follow other standards, guidelines, and requirements that may not be associated with UW-Madison.
Remote Access to PHI may be granted in accordance with the permissions and safeguards outlined in this policy.
- Remote access to PHI is a privilege and is granted only to remote users who have a defined need for such access, and to those who demonstrate continued compliance with UW-Madison’s established safeguards which protect the confidentiality, integrity, and availability of information resources.
- The technical ability to access data remotely does not constitute authorization to do so. Remote access to PHI must be requested and approved by the Unit using the Remote Access Authorization Form (or equivalent).
- Responsibility for compliance with this policy will be assigned in the Unit’s Safeguard Implementation Plan (or the equivalent) as described in UW-124 HIPAA Security Risk Management.
- Additional restrictions on system access, configuration and use are included in UW-132 HIPAA Security System Access and UW-136 Workstation and Mobile Device Use and Security Configuration Use of email is subject to UW-129 Email Communication Involving PHI.
Determining whether access is remote
This policy applies to Remote Access to PHI in UW HCC systems (referred to hereafter as “Remote Access”). Remote Access typically means access to a UW-Madison network or resource from outside of a defined network perimeter. Access from within the physical bounds of a Unit’s worksite is usually not facilitated via remote access, however there may be exceptions. Contact IT support staff if there is any question about what is or is not considered remote access.
Groups Granted Remote Access
The following groups of people may be considered Remote Access Users for the purpose of this policy:
Workforce members with permanent Remote Access.
These users typically have an ongoing need to access data remotely. Their remote access offers the same level of file, folder, and application access as their on-site access.
Workforce members with temporary Remote Access.
These users typically request short-term remote access due to time away from the office. Access for these users is typically restricted to only that information, which is necessary for task completion during that time, and may be limited.
External Research Collaborators.
External Research Collaborators may need to access data remotely. Access for these users is typically restricted to data relevant to the collaboration.
Vendors offering product support with no access to PHI.
These users have varied access depending upon the systems needed for application or system support, but do not have access to any PHI in the applications or systems.
Vendors offering product support and other Business Associates with access to PHI.
These users have varied access to PHI depending on the application or system supported. Appropriate Business Associate Agreements must be on file prior to allowing access.
Gaining Remote Access
- Remote Access is requested by completing a “Remote Access Authorization” form (or equivalent). See UW-132 HIPAA Security System Access.
- Remote Access is strictly controlled and made available only to those with defined business, research, or educational needs, in accordance with UW-Madison policies and procedures, and with approval by the UW-Madison HIPAA Security Officer or designee(s).
- Remote Access Users are responsible for adhering to applicable UW-Madison policies and procedures, and may only use Remote Access for work-related, research, or educational purposes sanctioned by UW-Madison.
- Business associates and vendors may be granted Remote Access to the network if and to the extent they have a contract or agreement with UW-Madison which requires the provision of remote access to provide services under such contract or agreement.
- It is each Remote Access User’s responsibility to ensure that their remote worksite meets configuration standards established by UW-Madison. See UW-132 HIPAA Security System Access, and UW-136 Workstation and Mobile Device Use and Security Configuration.
Equipment, Software, and Hardware
- Remote Access Users will only be allowed access using equipment and media that meets the requirements of this policy as well as UW-132 HIPAA Security System Access and UW-136 Workstation and Mobile Device Use and Security Configuration.
- Devices and remote services must meet the requirements regardless of ownership. Each Remote Access User must have their Unit’s approval to establish remote access using any device or service not owned by or leased to UW-Madison.
- Remote Access Users are responsible for the purchase, setup, maintenance, and support of any device or service not owned or managed by UW-Madison or the involved Unit. This equipment must meet the requirements outlined in this policy.
- Printing a document to a remote printer is not allowed without the involved Unit’s approval.
- Mobile devices (as defined below) have additional security and configuration requirements (e.g., password management, malware protection, patching and updating of operating systems and applications) and therefore cannot be used to access, store, or transmit PHI unless managed by UW-Madison, or approved in writing by the appropriate HIPAA Security Coordinator.
Security and Privacy
- Remote Access Users must take necessary precautions to secure all UW-Madison’s equipment and data in their possession.
- Workstation requirements shall meet both the Endpoint Management Policy (UW-526) requirements and the requirements outlined in the UW-136 procedure.
- Copying of confidential information, including PHI, to personal media (hard drive, USB, cd, etc.) is strictly prohibited, unless the HIPAA Security Coordinator for the involved Unit has granted prior approval and the personal media meets security requirements. See UW-134, HIPAA Security Data Management and Backup.
- The involved Unit and UW-Madison must maintain logs of activities performed by Remote Access Users while connected to UW-Madison’s network as described in UW-126 HIPAA Security Auditing. System administrators must review this documentation and/or use automated intrusion detection systems to detect suspicious activity; this documentation must be made available to the involved Unit’s HIPAA Security Coordinator, to the UW-Madison Office of Cybersecurity, and to UW-Madison’s HIPAA Security and HIPAA Privacy Officers upon request.
Electronic Data Security
- VPN or a secure Remote Access Solution e.g., Citrix, Remote Desktop Connection, etc., that can meet the UW-136 Workstation and Mobile Device Use and Security Configuration is required for both wireless and wired connections used for Remote Access. For questions, contact the involved Unit’s HIPAA Security Coordinator.
- Transferring data to UW-Madison requires the use of an approved VPN connection or web-based portal to ensure the confidentiality and integrity of the data being transmitted.
- VPN technology must use industry security standards of configuration and encryption, for example, NIST SP 800-113, FIPS 140-2 and FIPS 140-3.
- Web-based portals must use industry security standards of configuration and encryption, for example NIST SP 800-52 Rev.2 and Qualys SSL Labs SSL Testing tool.
- Remote Access Users may not circumvent established procedures when transmitting data to UW-Madison.
- The PHI in email communications must be encrypted. Additional restrictions on email apply. See UW-129 Email Communication Involving Protected Health Information.
Confidential Business Information / PHI:
Documents that contain confidential business information or PHI shall be managed in accordance with applicable UW-Madison policies which include, but are not limited to, UW-128, UW-130, and UW-131: “Security of Faxed, Printed, and Copied Documents Containing PHI,” “Destruction/Disposal of PHI,” and “Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured PHI,” respectively.
Consequences for Non-Compliance
Failing to comply with this policy may result in progressive discipline for the individual(s) responsible for such non-compliance.
Further, the US Department Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failures to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.