HIPAA Security – Remote Access to Protected Health Information

Layout for printing
Policy Number:
UW-133
Old Policy Number:
8.10
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires covered entities to take appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Definitions:
Business associate
A person or entity that performs functions on behalf of a covered entity which involve the use of the covered entity's protected health information (PHI).
Business associate agreement
Contractual terms required by the HIPAA regulations between a covered entity and a business associate that specifies how the business associate can use protected health information (PHI).
Covered entity
A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Host based firewall
Firewall software that is installed on individual workstations and mobile devices.
Mobile device
A portable computing device running a mobile device operating system, including, but not limited to, mobile phones, music players, and tablets. Common mobile device operating systems include Apple iOS and Google Android.
Protected health information (PHI)
Health information about an individual that contains at least one of the identifiers specified in the HIPAA regulations. PHI does not include student records held by educational institutions or employment records held by employers.
Privileged access controls
Includes unique user IDs and user privilege restriction mechanisms such as directory and file access permission, and role-based access control mechanisms.
Remote access
Remote access is the ability to gain access to a UW-Madison network resource from outside of a defined network perimeter.
Remote access user
A member of the UW HCC workforce for whom remote access is provisioned.
UW-Madison Health Care Component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of the UW-Madison Health Care Component (UW HCC) for a listing of these units.
Vendors
Persons or organizations who market or sell products or services. Examples include, but are not limited to the following:
  • Pharmaceutical representatives,
  • Equipment repair service personnel,
  • Food services, and
  • Independent contractors.
Virtual desktop infrastructure
Hosting of desktop computing environments on a central server. A desktop image is run within a virtual machine on the server and the output is delivered to the client endpoint over a network.
Virtual Private Network (VPN)
A private network that connects computers over the Internet and encrypts their communications.
Web-based portal
A secure website offering access to applications and/or data without establishing a direct connection between the computer and the hosting system.
Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Workstation
Any electronic computing device that is used to perform the work and duties for which a person was hired. Workstation devices may include but are not limited to laptop or desktop computers, virtual machines, mobile devices, and/or other devices that could access or store work-related data.
Scope:

Applies to all members of the UW-Madison Health Care Component and members of the UW-Madison campus who serve as Business Associates to other covered entities.

Policy:

Policy Summary

The units of the UW-Madison Health Care Component (UW HCC) and each entity or person at UW-Madison serving as a Business Associate for a covered entity must ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI) by establishing the following documentation and procedural requirements. It is up to the entity or person to also follow other standards, guidelines, and requirements that may not be associated with UW-Madison.

Remote Access to PHI may be granted in accordance with the permissions and safeguards outlined in this policy. 

Policy Detail

  1. Determining whether access is remote

    This policy applies to Remote Access to PHI in UW HCC systems (referred to hereafter as “Remote Access”). Remote Access typically means access to a UW-Madison network or resource from outside of a defined network perimeter. Access from within the physical bounds of a Unit’s worksite is usually not facilitated via remote access, however there may be exceptions. Contact IT support staff if there is any question about what is or is not considered remote access.

  2. Groups Granted Remote Access  

    The following groups of people may be considered Remote Access Users for the purpose of this policy:

    1. Workforce members with permanent Remote Access.

      These users typically have an ongoing need to access data remotely. Their remote access offers the same level of file, folder, and application access as their on-site access.

    2. Workforce members with temporary Remote Access.

      These users typically request short-term remote access due to time away from the office. Access for these users is typically restricted to only that information, which is necessary for task completion during that time, and may be limited.

    3. External Research Collaborators.

      External Research Collaborators may need to access data remotely. Access for these users is typically restricted to data relevant to the collaboration.

    4. Vendors offering product support with no access to PHI.

      These users have varied access depending upon the systems needed for application or system support, but do not have access to any PHI in the applications or systems.

    5. Vendors offering product support and other Business Associates with access to PHI.

      These users have varied access to PHI depending on the application or system supported. Appropriate Business Associate Agreements must be on file prior to allowing access.

  3. Gaining Remote Access

    1. Remote Access is requested by completing a “Remote Access Authorization” form (or equivalent). See UW-132 HIPAA Security System Access.
    2. Remote Access is strictly controlled and made available only to those with defined business, research, or educational needs, in accordance with UW-Madison policies and procedures, and with approval by the UW-Madison HIPAA Security Officer or designee(s).
    3. Remote Access Users are responsible for adhering to applicable UW-Madison policies and procedures, and may only use Remote Access for work-related, research, or educational purposes sanctioned by UW-Madison.
    4. Business associates and vendors may be granted Remote Access to the network if and to the extent they have a contract or agreement with UW-Madison which requires the provision of remote access to provide services under such contract or agreement.
    5. It is each Remote Access User’s responsibility to ensure that their remote worksite meets configuration standards established by UW-Madison. See UW-132 HIPAA Security System Access, and UW-136 Workstation and Mobile Device Use and Security Configuration.

  4. Equipment, Software, and Hardware

    1. Remote Access Users will only be allowed access using equipment and media that meets the requirements of this policy as well as UW-132 HIPAA Security System Access and UW-136 Workstation and Mobile Device Use and Security Configuration.
    2. Devices and remote services must meet the requirements regardless of ownership. Each Remote Access User must have their Unit’s approval to establish remote access using any device or service not owned by or leased to UW-Madison.
      1. Remote Access Users are responsible for the purchase, setup, maintenance, and support of any device or service not owned or managed by UW-Madison or the involved Unit. This equipment must meet the requirements outlined in this policy.
    3. Printing a document to a remote printer is not allowed without the involved Unit’s approval.
    4. Mobile devices (as defined below) have additional security and configuration requirements (e.g., password management, malware protection, patching and updating of operating systems and applications) and therefore cannot be used to access, store, or transmit PHI unless managed by UW-Madison, or approved in writing by the appropriate HIPAA Security Coordinator.

  5. Security and Privacy

    1. Remote Access Users must take necessary precautions to secure all UW-Madison’s equipment and data in their possession.
    2. Workstation requirements shall meet the requirements outlined in UW-526 Endpoint Management and Security and the requirements outlined in the UW-136 procedure.
    3. Copying of confidential information, including PHI, to personal media (hard drive, USB, CD, etc.) is strictly prohibited, unless the HIPAA Security Coordinator for the involved Unit has granted prior approval and the personal media meets security requirements. See UW-134, HIPAA Security Data Management and Backup.
    4. The involved Unit and UW-Madison must maintain logs of activities performed by Remote Access Users while connected to UW-Madison’s network as described in UW-126 HIPAA Security Auditing. System administrators must review this documentation and/or use automated intrusion detection systems to detect suspicious activity; this documentation must be made available to the involved Unit’s HIPAA Security Coordinator, to the UW-Madison Office of Cybersecurity, and to UW-Madison’s HIPAA Security and HIPAA Privacy Officers upon request.  

  6. Electronic Data Security 

    1. VPN or a secure Remote Access Solution e.g., Citrix, Remote Desktop Connection, etc., that can meet the UW-136 Workstation and Mobile Device Use and Security Configuration is required for both wireless and wired connections used for Remote Access. For questions, contact the involved Unit’s HIPAA Security Coordinator.
    2. Transferring data to UW-Madison requires the use of an approved VPN connection or web-based portal to ensure the confidentiality and integrity of the data being transmitted.
      1. VPN technology must use industry security standards of configuration and encryption, for example, NIST SP 800-113, FIPS 140-2 and FIPS 140-3.
      2. Web-based portals must use industry security standards of configuration and encryption, for example NIST SP 800-52 Rev.2 and Qualys SSL Labs SSL Testing tool.
      3. Remote Access Users may not circumvent established procedures when transmitting data to UW-Madison.
    3. The PHI in email communications must be encrypted. Additional restrictions on email apply. See UW-129 Email Communication Involving Protected Health Information.

  7. Confidential Business Information / PHI:

    Documents that contain confidential business information or PHI shall be managed in accordance with applicable UW-Madison policies which include, but are not limited to, UW-128, UW-130, and UW-131: “Security of Faxed, Printed, and Copied Documents Containing PHI,” “Destruction/Disposal of PHI,” and “Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured PHI,” respectively.

Consequences for Non-Compliance

Failing to comply with this policy may result in progressive discipline for the individual(s) responsible for such non-compliance.

Further, the US Department Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failures to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
10-20-2021
Revised Dates:

10-20-21

Retrieved:
02-11-2026 23:27:09