University of Wisconsin–Madison

HIPAA Security Program

This page provides details about UW‑Madison’s approach to compliance with the HIPAA Security Rule. This compliance program applies to any division, department, unit or project that uses electronic protected health information (ePHI) for the purpose of teaching, learning, research or administration. The support and management of the program may come from executive management, researchers, departmental directors and technologists.

Looking for info on the HIPAA Privacy Rule? Go to the UW‑Madison Office of Compliance HIPAA page.

HIPAA Security Requirements

The HIPAA Security Program is organized into 15 control families. Each control family has requirements that must be implemented to align with the program. Each family listed below links to additional information about its requirements, along with processes and procedures for implementing and maintaining the controls. Templates for some activities are also provided. Administrative and IT staff from UW-Madison departments that use ePHI for research, teaching and learning, and to support clinical needs should use this information to reduce the cybersecurity risks associated with ePHI.

Access Program

Access controls that ensure the right people have access to the data they need to do their work, and no more.

Audit Program

Audits that have been completed, when they were performed, and how the results are stored.

Business Associates

Agreements between two parties, how they are drawn up, and how they are tracked.

Business Organization

HR processes that ensure the right people are working in the unit.

Disaster Recovery Program

Ensuring the unit has a documented plan for responding to a disaster and that all critical data is identified and accounted for.

Encryption Program

Encryption questions related to data at rest, data in transit and data in use.

HIPAA Program

HIPAA Risk Assessment records.

Integrity Program

Tools and resources used to minimize mistakes and unauthorized changes to data.

IT Operations

IT procedures used in daily operation within a unit to ensure the confidentiality, integrity and availability of IT assets.

Malicious Protection Program

Protections utilized to secure IT assets from malware.

Physical Security Program

Physical controls utilized to secure assets within a unit.

Risk Assessment Program

Any risk assessments performed by the unit and their results.

Security Incident Program

The documented actions the unit takes in the event of a security incident. These are commonly found in a Security Incident Procedure created by the unit.

Training Program

Training performed by the unit to ensure staff know what to do in specific scenarios and what to look out for during an event.

IT Sanitization Program

Sanitization procedures for IT assets that meet government regulations, and processes that ensure the secure disposal of data and devices.

HIPAA forms

Report a HIPAA incident

UW-Madison faculty researchers, IT staff, and other staff are to report any suspected unauthorized acquisition, access, use, or disclosure of PHI. The UW‑Madison HIPAA Privacy Office and Security Officer will review and investigate reports.

Read the complete HIPAA reporting policy

Complete the Joint Security & Privacy Checklist

UW-Madison Principal Investigators (PIs) should complete the Joint Security and Privacy Checklist to evaluate their proposal to use or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects in which another entity receives UW PHI, and projects that receive PHI from another entity for a reason other than treatment.