In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
For purposes of this policy, the term “employee” as described above includes students in their roles as employees (e.g., student hourly, student assistant). For example, a student who is employed as a student hourly to answer phones in a clinical department of the School of Medicine and Public Health would be considered an employee for purposes of this policy.
Applies to all members of the UW HCC.
UW–Madison is committed to maintaining the privacy, confidentiality, and security of patients’ and research subjects’ protected health information in accordance with HIPAA. To that end, UW-Madison requires that all “covered” employees, agents, and students, as described in this document, complete HIPAA training once before accessing PHI and thereafter when UW-Madison requires training on approximately an annual basis. This policy also describes when covered external research personnel must take UW–Madison’s HIPAA training.
This policy describes the HIPAA Privacy and Security Rule training requirements at UW–Madison.
Retraining shall occur annually. Retraining may occur more frequently if material changes are made to HIPAA regulations and UW–Madison’s HIPAA privacy and/or security officer determines retraining is necessary to ensure compliance with HIPAA regulations.
Retraining may also be required by the leadership of an individual UW HCC unit. Such retraining may be required, for example, as a corrective action in the event of HIPAA breaches or to address performance concerns and/or HIPAA policy violations.
HIPAA Privacy and Security Training for Students Participating in a Clinical Health Professional Training Program at a non-UW–Madison Health Care Facility
The training of students who have access to protected health information at health care facilities outside UW–Madison as part of their academic program is the responsibility of each health care facility unless there is a contractual agreement between a facility and UW–Madison requiring otherwise.
HIPAA Privacy and Security Training for Covered External Research Personnel
Covered external research personnel are required to take UW–Madison’s HIPAA training if they have not already completed HIPAA training as required by their institution or employer and either III.1 or III.2, below, applies.
Because UW–Madison is required to ensure compliance with HIPAA regulations, periodic audits will be conducted to ensure completion of training and termination of access for failures to complete training in accordance with this policy.
Academic Curriculum Content
While this policy requires training covered students who will have access to protected health information in their facility, it is not the intent of this policy to mandate the inclusion of HIPAA requirements in the curriculum of academic departments. That is solely an academic decision.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa
08-21-2014: Effective date of the revised policy: 08-21-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
07-14-2020: Effective date of the revised policy: 07-14-2020.