In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient’s medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule, patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient’s application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
This policy addresses noncompliance by students with UW–Madison’s policies and procedures governing the confidentiality of protected health information under the HIPAA Privacy and Security Rules.
This policy applies to students in a clinical health professional training program at UW–Madison who have access to protected health information. Students who access protected health information in their role as employees (e.g., a student who is employed as a student hourly to answer phones in a clinical department) would be considered an employee, not a student, for purposes of this policy. In this case, refer to UW-138 Responding to Employee Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules.
It is the policy of UW–Madison to take appropriate steps to promote compliance with the requirements for maintaining the confidentiality of protected health information. UW–Madison takes seriously its requirements under HIPAA to protect the confidentiality of protected health information and will respond appropriately to violations of UW–Madison HIPAA policies and procedures.
The appropriate response to such violations will depend on a number of factors including the severity of the violation and the record of the student. The response will be decided after investigating the specific facts of the situation and may include, but is not limited to, such actions as system changes, additional education, a written reprimand, disciplinary probation, a suspension, and expulsion.
Students who are training in UW–Madison facilities who report, in good faith, violations of HIPAA policy requirements shall not be retaliated against. They may report any retaliation to their training program coordinator, department chair/director, the dean/director, the dean of students or the UW–Madison privacy officer. If reported to anyone other than the privacy officer, it shall be referred to the privacy officer. The privacy officer will determine who will investigate the matter.
Each school or college that educates students who will have access to protected health information as part of their health professional training program will develop a school-/college-based disciplinary policy/procedure that is consistent with UWS Chapter 14 and/or UWS Chapter 17. The policy/procedure will, at a minimum, address the following.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa
09-13-2014: Effective date of the revised policy: 09-13-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.