HIPAA Security Overview and Control Families
The Security Rule standards are divided into the following categories:
- Administrative safeguards, which cover the policies, procedures and processes needed to protect ePHI, and the assignment or delegation of responsibility in meeting the standards.
- Physical safeguards, which cover mechanisms to protect electronic systems, equipment, and data from environmental hazards and unauthorized intrusion.
- Technical safeguards, which are processes used to protect data and control access to data such as authentication controls or encryption.
The HIPAA Security Program organizes these safeguards into and overview and 12 control families. Clicking on the tiles below will take you to a box folder containing information on the requirements, standards checklists, and a procedure template.
HIPAA Security Program overview
Processes and procedures of the HIPAA Security Program including the phase 1 and phase 2 risk assessments, Joint Security and Privacy Review, SecureBox, ResearchDrive for ePHI and other program information.
Auditing and logging
Processes and procedures for recording, monitoring, and examining activities within information systems to ensure the confidentiality, integrity, and availability of IT assets.
Business environment
Processes and procedures for identifying and managing organizational missions, objectives, stakeholders, and Human Resources.
Identity and access management
Processes and procedures necessary to authenticate and authorize users.
Risk Management and Compliance
Processes and procedures for identifying, assessing, and controlling threats while maintaining compliance.
Asset management
Processes and procedures for ensuring organizational assets are inventoried, documented, maintained, and disposed of properly.
Encryption and key management
Processes and procedures for secretly encoding data and managing encryption keys.
Incident response
Processes and procedures for ensuring timely response to detected cybersecurity events.
Security awareness training
Processes and procedures for providing and validating security education, training, and awareness.
Business continuity and disaster recovery
Processes and procedures for ensuring timely restoration of systems or assets affected by cybersecurity events.
External service providers and business associates
Processes and procedures for identifying, assessing, and managing supplier and third-party contracts and risks.
Physical security
Processes and procedures for safeguarding the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Vulnerability management and malicious protection
Processes and procedures for performing vulnerability analysis, detecting malicious software, and documenting resolution activities.
Report a HIPAA incident
UW–Madison faculty researchers, IT staff, and other staff are to report the acquisition, access, use, or disclosure of PHI. The UW‑Madison HIPAA Privacy Office and Security Officer will review and investigate reports.
Request a Joint Security & Privacy Review (JSPR)
UW–Madison Principle Investigators (PI) should request a Joint Security and Privacy Review to evaluate their proposal to process or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, or projects receiving PHI from another entity for a reason other than treatment.
Document Storage for ePHI in SecureBox Folders
In order for the UW–Madison Enterprise Box Service to be used in a way that is HIPAA compliant, additional controls must be added. A process has been developed that includes the steps that need to be taken before a folder in Box may contain PHI.