Designation of Unit Privacy and Security Coordinators

Layout for printing
Policy Number:
UW-141
Old Policy Number:
10.2
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:
Unit
A health care provider unit of the UW–Madison campus that has been designated as part of the UW–Madison health care component.
UWMadison health care component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units. 
UWMadison HIPAA privacy officer
The individual appointed by UW–Madison to be the privacy officer as required by the HIPAA Privacy Rule.
Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

UW–Madison ensures the successful implementation of its policies and procedures created to comply with the privacy and security regulations (the Privacy Rule and the Security Rule, respectively) of the Health Insurance Portability and Accountability Act (HIPAA), by requiring the designated units of the UW HCC to designate HIPAA Privacy and Security Coordinators to oversee policy implementation by such units.

Policy Detail

  1. HIPAA Privacy Coordinator. The Dean or Director of each Unit must designate a person or person(s) to act as the Unit’s HIPAA Privacy Coordinator. The UW-Madison HIPAA Privacy Officer or designee functions in this role for the “central campus” administrative personnel and offices named at Section VIII of UW-100 Designation of UW-Madison Health Care Component.
  2. The HIPAA Privacy Coordinator shall be responsible for the following:
    1. Ensuring that their Unit has developed procedures as required by campus policies to ensure compliance with the Privacy Rule;
    2. Acting as a point of contact for faculty, staff, and students within the Unit regarding issues related to privacy and Privacy Rule compliance;
    3. Acting as a point of contact for complaints that arise from patients, research subjects, or other individuals or offices regarding HIPAA-covered functions or activities within the Unit;
    4. Acting as the Unit’s liaison with the UW-Madison HIPAA Privacy Officer regarding issues related to privacy and Privacy Rule compliance;
    5. Ensuring that each workforce member (as that term is defined by HIPAA) within the Unit takes the appropriate level of HIPAA training by the applicable deadline;
    6. Performing other functions as designated in the UW-Madison policies implementing the Privacy Rule; and
    7. Making reports to the UW-Madison Privacy Officer, as requested, on the items above.
  3. HIPAA Security Coordinator. The Dean or Director of each Unit within the UW HCC must designate a person or person(s) to act as the Unit’s HIPAA Security Coordinator. The HIPAA Security Officer functions in this role for the “central campus” administrative personnel and offices named at Section VIII of UW-100 Designation of UW-Madison Health Care Component.
  4. The HIPAA Security Coordinator shall be responsible for the following:
    1. Ensuring that their Unit has developed procedures as required by campus policies to ensure compliance with: (a) the security/technical safeguards provisions of the Privacy Rule; and (b) the Security Rule;
    2. Acting as a point of contact for faculty, staff, and students within the Unit regarding issues related to information technology security and Security Rule compliance;
    3. Acting as the Unit’s liaison with the UW-Madison HIPAA Security Officer regarding issues related to information technology security and Security Rule compliance;
    4. Performing other functions as designated in the UW-Madison policies implementing the Security Rule; and
    5. Making reports to the UW-Madison HIPAA Security Officer, as requested, on the items above.
  5. Designation of Coordinators.
    1. The Dean or Director of each Unit shall designate the Unit’s HIPAA Privacy and Security Coordinators and shall notify the UW-Madison HIPAA Privacy Officer and HIPAA Security Officer of these designations promptly upon any change.
    2. A Unit may designate the same person to serve as its HIPAA Privacy and HIPAA Security Coordinators, and may designate more than one person to function as a HIPAA Security Coordinator if the needs of the Unit warrant doing so and so long as the obligations stated in Section IV. of this policy are met.

  6. Documentation Requirements

    The Dean or Director of each Unit shall ensure the Position Description for its designated HIPAA Privacy and Security Coordinators references this policy and/or includes a listing of the specific responsibilities enumerated in this policy.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:

Additional information may be found at www.compliance.wisc.edu/hipaa

External References:

45 C.F.R. § 164.504(c)(3)

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
04-01-2003
Revised Dates:

09-03-2014: Effective date of the revised policy: 09-03-2014.
11-22-2019: Effective date of the revised policy: 11-22-2019.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:
02-09-2025 23:36:18