This page provides details about UW‑Madison’s approach to compliance with the HIPAA Security Rule. This compliance program applies to any division, department, unit or project that uses electronic protected health information for the purpose of teaching, learning, research or administration. The support and management of the program may come from executive management, researchers, departmental directors and technologists.
Looking for info on the HIPAA Privacy Rule? Go to the UW‑Madison Office of Compliance HIPAA page.
HIPAA Security Requirements
The HIPAA Security Program is organized into 15 control families. Each control family has requirements that need to be implemented to align with the program. Each one of the families listed below link to additional information about requirements, processes, procedures in how to implement and maintain controls. Templates for some activities are also provided. Administrative and IT staff from UW-Madison departments that use ePHI for research, teaching and learning, and to support clinical needs should use this information to reduce cybersecurity risks associated with ePHI.
Ensuring a documented plan is laid out for the unit in the event of a disaster and all critical data points exist.
In the event of a security incident, documented action items taken by the unit. This is commonly found in a Security Incident Procedure created by the unit.
Training performed by the unit to ensure staff knows what to do during specific scenarios and what to look out for during an event.
Forms & Details
UW-Madison Principle Investigators (PI) should complete the Joint Security and Privacy Checklist to evaluate their proposal to use or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, or projects receiving PHI from another entity for a reason other than treatment.
In order for the UW–Madison Enterprise Box Service to be used in a way that is HIPAA compliant, additional controls must be added. A process has been developed that includes the steps that need to be taken before a folder in Box may contain PHI.