This page provides details about UW‑Madison’s approach to compliance with the HIPAA Security Rule. This compliance program applies to any division, department, unit or project that uses electronic protected health information for the purpose of teaching, learning, research or administration. The support and management of the program may come from executive management, researchers, departmental directors and technologists.
Looking for info on the HIPAA Privacy Rule? Go to the UW‑Madison Office of Compliance HIPAA page.
HIPAA Security Requirements
The HIPAA Security Program is organized into 15 control families. Each control family has requirements that must be implemented to align with the program. Each family listed below links to additional information about its requirements, processes and procedures for implementing and maintaining controls. Templates for some activities are also provided. Administrative and IT staff from UW-Madison departments that use ePHI for research, teaching and learning, and to support clinical needs should use this information to reduce the cybersecurity risks associated with ePHI.
Access controls in place that ensure the right people have access to the data they need to do their work.
Audits that have been completed, when they were completed, and how the results were stored.
Agreements kept between two parties, how they are drawn up and how they are tracked.
HR processes around ensuring the right people are working under the unit.
Disaster Recovery Program
Ensuring a documented plan is laid out for the unit in the event of a disaster and that all critical data points exist.
Encryption questions related to data at rest, data in transit and data in use.
HIPAA Risk Assessment records.
Tools and resources used to ensure that mistakes or unauthorized changes of data are minimized.
IT procedures used in daily operation within a unit to ensure the confidentiality, integrity and availability of IT assets.
Malicious Protection Program
Protections utilized to secure IT assets from malware.
Physical Security Program
Physical controls utilized to secure assets within a unit.
Security Incident Program
In the event of a security incident, documented action items taken by the unit. This is commonly found in a Security Incident Procedure created by the unit.
Training performed by the unit to ensure staff know what to do during specific scenarios and what to look out for during an event.
IT Sanitization Program
Sanitization procedures for IT assets that meet government regulations, and processes to ensure secure disposal of data and devices.
UW-Madison Principal Investigators (PIs) should complete the Joint Security and Privacy Checklist to evaluate their proposal to use or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, and projects receiving PHI from another entity for a reason other than treatment.