HIPAA Security Program

This page provides details about UW‑Madison’s approach to compliance with the HIPAA Security Rule. This compliance program applies to any division, department, unit or project that uses electronic protected health information for the purpose of teaching, learning, research or administration.  The support and management of the program may come from executive management, researchers, departmental directors and technologists.

Looking for info on the HIPAA Privacy Rule?

Start with the Master Guidance Workbook

The Master Guidance Workbook contains any overlap that there might be in the other programs. For example, an Asset Inventory may be a common theme across multiple programs. Instead of filling out the inventory multiple times, just fill it out once in the Master Guidance Workbook.

Access the Master Guidance Workbook

Learn how to use the Master Guidance Workbook

HIPAA IT Policy Inventory & Procedure Templates

HIPAA Security Requirements

The HIPAA Security Program is organized into 15 control families. Each control family has requirements that need to be implemented to align with the program. Each one of the families listed below link to additional information about requirements, processes, procedures in how to implement and maintain controls. Templates for some activities are also provided. Administrative and IT staff from UW-Madison departments that use ePHI for research, teaching and learning, and to support clinical needs should use this information to reduce cybersecurity risks associated with ePHI.


Access controls in place that ensures the right people have access to their respective data to do work.


Audits that have been completed, when and how the results were stored.

Business Associates

Agreements kept between two parties, how they are drawn up and how they are tracked.

Business Organization

HR processes around ensuring the right people are working under the unit.

Disaster Recovery

Ensuring a documented plan is laid out for the unit in the event of a disaster and all critical data points exist.


Encryption questions related to data at rest, data in transit and data in use, e.g., Office 365 message encryption.


HIPAA Risk Assessment records.


Tools and resources used to ensure that mistakes or unauthorized changes of data are minimized.

IT Operations

IT procedures used in daily operation within a unit to ensure the confidentiality, integrity and availability of IT assets.

Malicious Protection

Protections utilized to secure IT assets from malware.

Physical Security

Physical controls utilized to secure assets within a unit.

HIPAA Risk Assessment

Any risk assessments performed under the unit as well as results from the risk assessment process.

Security Incident

In the event of a security incident, documented action items taken by the unit. This is commonly found in a Security Incident Procedure created by the unit.


Training performed by the unit to ensure staff knows what to do during specific scenarios and what to look out for during an event.

IT Sanitization

Sanitization procedures of IT assets that meet government regulations. Processes to ensure secure disposal of data and devices.

Forms & Details

Line art image of a talk bubble with an exclamation mark

Report a HIPAA incident

UW-Madison faculty researchers, IT staff, and other staff are to report the acquisition, access, use, or disclosure of PHI. The UW‑Madison HIPAA Privacy Office and Security Officer will review and investigate reports.

Read the complete HIPAA reporting policy

Line art image of a piece of paper with a computer and checklist on it

Request a Joint Security & Privacy Review

(Link updated to use a new tool called OneTrust. Please authenticate with your netid@wisc.edu email address.) UW–Madison Principle Investigators (PI) should request a Joint Security and Privacy Review to evaluate their proposal to process or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, or projects receiving PHI from another entity for a reason other than treatment

Line art image of two computers with arrows going up and down between them

Document Storage for ePHI in SecureBox Folders

In order for the UW–⁠Madison Enterprise Box Service to be used in a way that is HIPAA compliant, additional controls must be added. A process has been developed that includes the steps that need to be taken before a folder in Box may contain PHI.