In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections apply over and above the new Federal privacy standards.
Unattended areas where PHI is easily visible or obtained.
Sensitive Areas are those which contain PHI that is locked or otherwise adequately secured to limit access to those who are authorized. Sensitive areas may be unlocked and unattended for periods of time. These areas include, but are not limited to, the following examples:
Applies to all members of the UW-Madison Health Care Component.
It is the policy of the University of Wisconsin-Madison that the units of the UW-Madison Health Care Component and each unit within UW-Madison that is a Business Associate of a covered entity (hereafter collectively referred to as “units”) ensure the confidentiality, integrity, and availability of all protected health information (PHI) by establishing the following documentation and procedural requirements.
In either case, follow up by reporting the unauthorized access as described in (III.2) below.
Identifying PHI Security Risk(s) when Changing the Physical Facilities
Prior to approving plans to repair, modify, or schedule maintenance of physical facilities, the Lead Project Coordinator works with the Facilities/Building Services/Security Manager to determine whether or not the scheduled maintenance, repairs, changes, or the construction process itself materially increases the security risk to PHI. These security risks include, but are not limited to, work completed on the internal and/or external perimeter of the facilities (entryways, doors, locks, controlled access systems, walls, removing windows, etc.) and may result in:
An increase in risk is material if the risk determination changes from “low” to “medium” or from “medium” to “high” as measured by the risk assessment procedure currently in use (such as the example risk assessment procedure described in UW-124 HIPAA Security Risk Management).
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failure to comply with HIPAA or to cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa
08-21-2015: Effective date of the revised policy: 08-21-2015.
03-26-2020: Effective date of the revised policy: 03-26-2020.