This page provides details about UW‑Madison’s approach to compliance with the HIPAA Security Rule. This compliance program applies to any division, department, unit or project that uses electronic protected health information for the purpose of teaching, learning, research or administration. The support and management of the program may come from executive management, researchers, departmental directors and technologists.
Looking for info on the HIPAA Privacy Rule?
Start with the Master Guidance Workbook
The Master Guidance Workbook collects the requirements that overlap across the other programs. For example, an Asset Inventory may be a common requirement across multiple programs. Instead of filling out the inventory multiple times, fill it out once in the Master Guidance Workbook.
HIPAA Security Requirements
The HIPAA Security Program is organized into 15 control families. Each control family has requirements that must be implemented to align with the program. Each family listed below links to additional information about its requirements and about the processes and procedures for implementing and maintaining its controls. Templates for some activities are also provided. Administrative and IT staff from UW-Madison departments that use ePHI for research, teaching and learning, and to support clinical needs should use this information to reduce the cybersecurity risks associated with ePHI.
Ensuring that the unit has a documented plan for responding to a disaster and that all critical data points exist.
The documented actions the unit takes in the event of a security incident. These are commonly recorded in a Security Incident Procedure created by the unit.
Training performed by the unit to ensure staff know what to do in specific scenarios and what to watch for during an event.
Forms & Details
(Link updated to use a new tool called OneTrust. Please authenticate with your firstname.lastname@example.org email address.) UW–Madison Principal Investigators (PIs) should request a Joint Security and Privacy Review to evaluate their proposal to process or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, and projects receiving PHI from another entity for a reason other than treatment.
For the UW–Madison Enterprise Box Service to be used in a HIPAA-compliant way, additional controls must be added. A process has been developed that lists the steps that must be completed before a folder in Box may contain PHI.