In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections apply over and above the new Federal privacy standards.
Covered Employees and Agents: UW-Madison Employees/Appointees (of all classifications, paid or unpaid) and volunteers employed in or assigned to a defined unit of the UW-Madison Health Care Component, as well as employees/appointees throughout the entire School of Medicine and Public Health, the entire School of Pharmacy, and the entire Waisman Center facility located at 1500 Highland Avenue, Madison, Wisconsin.
For purposes of this policy, the term “employee” as described above includes students in their roles as employees (e.g., student hourly, student assistant). For example, a student who is employed as a student hourly to answer phones in a clinical department of the School of Medicine and Public Health would be considered an employee for purposes of this policy.
Applies to all members of the UW-Madison Health Care Component.
The University of Wisconsin-Madison is committed to maintaining the privacy, confidentiality and security of patients’ and research subjects’ protected health information (“PHI,” defined below) in accordance with HIPAA. To that end, UW-Madison requires that all “covered” employees, agents, and students, as described in this document, complete HIPAA training once before accessing PHI and thereafter whenever UW-Madison requires retraining, approximately annually. This policy also describes when covered external research personnel must take UW-Madison’s HIPAA training.
This policy describes the HIPAA Privacy and Security Rule training requirements at UW-Madison.
Retraining shall occur annually. Retraining may occur more frequently if material changes are made to HIPAA regulations and UW-Madison’s HIPAA Privacy or HIPAA Security Officer determines retraining is necessary to ensure compliance with HIPAA regulations.
Retraining may also be required by leadership of an individual UW HCC unit. Such retraining may be required, for example, as a corrective action in the event of HIPAA breaches or to address performance concerns and/or HIPAA policy violations.
HIPAA Privacy and Security Training for Students Participating in a Clinical Health Professional Training Program at a non-UW-Madison Health Care Facility
The training of students who have access to PHI at health care facilities outside UW-Madison as part of their academic program is the responsibility of each health care facility unless there is a contractual agreement between a facility and UW-Madison requiring otherwise.
HIPAA Privacy and Security Training for Covered External Research Personnel
Covered External Research Personnel are required to take UW-Madison’s HIPAA training if they have not already completed HIPAA training as required by their institution or employer and either III.1 or III.2, below, applies.
Because UW-Madison is required to ensure compliance with HIPAA regulations, periodic audits will be conducted to ensure completion of training and termination of access for failures to complete training in accordance with this policy.
Academic Curriculum Content
While this policy requires training Covered Students who will have access to PHI in their facility, it is not the intent of this policy to mandate the inclusion of HIPAA requirements in the curriculum of academic departments. That is solely an academic decision.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional non-compliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failure to comply with HIPAA or to cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa
08-21-2014: Effective date of the revised policy: 08-21-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
07-14-2020: Effective date of the revised policy: 07-14-2020.