The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires covered entities to take appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Applies to all members of the UW-Madison Health Care Component and members of the UW-Madison campus who serve as Business Associates to other covered entities.
The units of the UW-Madison Health Care Component (UW HCC) and each entity or person at UW-Madison serving as a Business Associate for a covered entity must ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI) by establishing the following documentation and procedural requirements.
Remote Access to PHI may be granted in accordance with the permissions and safeguards outlined in this policy.
Workstations and mobile devices used with PHI must be configured securely to protect the privacy, security, confidentiality, integrity, and availability of PHI. Secure configuration requirements may be found in the procedure document which supports this policy; secure configuration may be established and maintained by UW-Madison or the Unit within the UW HCC to which a user belongs or may be the responsibility of an end user when using a device not managed by UW-Madison or the UW HCC. Additional requirements exist for workstations and mobile devices used to remotely access PHI; please see UW-133 Remote Access to PHI.
Workstations and mobile devices used with PHI must be used in a secure fashion.
Unmanaged Mobile Devices must not be used to access PHI. Anyone who is a member of the UW HCC when accessing their UW email will only access their email via the Outlook client or Outlook web access on a device provided by their department or a device enrolled in an Approved Mobile Device Management (MDM) solution. If the department chooses to not support a certain type of device in MDM, then accessing email via a mobile device will only be done using the Outlook web access.As a member of the HCC these tools are expected to be used on devices issued or managed by UW Health or UW-Madison.
Physical and Virtual Machines enabled for Remote Desktop Service access must meet the requirements outlined in the UW-136 HIPAA Security - Workstation and Mobile Device Use and Security Configuration procedure.
Servers must be located in physically secure environments as described in policy UW-135 HIPAA Security Facilities Management, must be on secure networks with firewall protection as described below and must comply with requirements outlined in the UW-136 HIPAA Security - Workstation and Mobile Device Use and Security Configuration procedure.
Network devices must be located in physically secure environments as described in UW-135 HIPAA Security Facilities Management, and in the procedure supporting this policy.
All workstations and mobile devices used with PHI must be configured to automatically log off or lock after a pre-determined period of inactivity, not to exceed fifteen (15) minutes. Where automatic log off or locking is not configured administratively by an end user’s IT department, the automatic log off or locking must be configured by the User of such workstation or mobile device. Prior to leaving a workstation or mobile device unattended, a user must assure no PHI remains visible or available to others and must use a workstation or mobile device lock function.
All workstations and mobile devices used with PHI must be sanitized to remove such PHI prior to their re-use or disposal. Failure to sanitize workstations and mobile devices prior to their re-use or disposal may result in unauthorized access to the PHI on such workstations and mobile devices. For support with sanitization of workstations or mobile devices, users should contact their local IT department or refer to UW-130 Destruction/Disposal of Protected Health Information.
When PHI is accessed on any workstations and mobile devices, said device must be encrypted using a method of storage encryption appropriate for high-risk data.
PHI transmitted over any network must be encrypted to an approved standard for high-risk data. Wireless transmission is covered in UW-133 Remote Access to PHI.
Failing to comply with this policy may result in progressive discipline for the individual(s) responsible for such non-compliance.
Further, the US Department Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failures to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.