HIPAA Security Program

HIPAA Security Overview and Control Families

The Security Rule standards are divided into the following categories:

  • Administrative safeguards, which cover the policies, procedures and processes needed to protect ePHI, and the assignment or delegation of responsibility in meeting the standards.
  • Physical safeguards, which cover mechanisms to protect electronic systems, equipment, and data from environmental hazards and unauthorized intrusion.
  • Technical safeguards, which are processes used to protect data and control access to data such as authentication controls or encryption.

The HIPAA Security Program organizes these safeguards into an overview and 12 control families. Clicking on the tiles below will take you to a Box folder containing information on the requirements, standards checklists, and a procedure template.

HIPAA Security Program overview

Processes and procedures of the HIPAA Security Program including the phase 1 and phase 2 risk assessments, Joint Security and Privacy Review, SecureBox, ResearchDrive for ePHI and other program information.

Auditing and logging

Processes and procedures for recording, monitoring, and examining activities within information systems to ensure the confidentiality, integrity, and availability of IT assets.

Business environment

Processes and procedures for identifying and managing organizational missions, objectives, stakeholders, and Human Resources.

Identity and access management

Processes and procedures necessary to authenticate and authorize users.

Risk management and compliance

Processes and procedures for identifying, assessing, and controlling threats while maintaining compliance.

Asset management

Processes and procedures for ensuring organizational assets are inventoried, documented, maintained, and disposed of properly.

Encryption and key management

Processes and procedures for encrypting data and for generating, distributing, storing, rotating, and retiring the encryption keys that protect it.

Incident response

Processes and procedures for ensuring timely response to detected cybersecurity events.

Security awareness training

Processes and procedures for providing and validating security education, training, and awareness.

Business continuity and disaster recovery

Processes and procedures for ensuring timely restoration of systems or assets affected by cybersecurity events.

External service providers and business associates

Processes and procedures for identifying, assessing, and managing supplier and third-party contracts and risks.

Physical security

Processes and procedures for safeguarding the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Vulnerability management and malicious software protection

Processes and procedures for performing vulnerability analysis, detecting malicious software, and documenting resolution activities.

Report a HIPAA incident

UW–Madison faculty researchers, IT staff, and other staff are to report any acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA. The UW–Madison HIPAA Privacy Office and Security Officer will review and investigate reports.

Read the complete HIPAA reporting policy

Request a Joint Security & Privacy Review (JSPR)

UW–Madison Principal Investigators (PIs) should request a Joint Security and Privacy Review to evaluate their proposal to process or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, or projects receiving PHI from another entity for a reason other than treatment.

Document Storage for ePHI in SecureBox Folders

In order for the UW–Madison Enterprise Box Service to be used in a way that is HIPAA compliant, additional controls must be added. A process has been developed that sets out the steps that must be completed before a folder in Box may contain PHI.