The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), was enacted in part to protect health information by establishing privacy and security standards for the use and disclosure of Protected Health Information (PHI). Privacy standards address how PHI can be used, while security standards address how PHI must be protected.
UW-Madison is a “hybrid covered entity” for HIPAA compliance purposes, meaning only certain campus units are subject to HIPAA. These units are known collectively as the UW-Madison Health Care Component (UW HCC). The units of the UW HCC are listed in HIPAA Policy UW-100. Most HCC units are also part of the University of Wisconsin Affiliated Covered Entity (UW ACE) with UW Health entities to facilitate freer exchange of PHI (defined in HIPAA Policy UW-101).
UW-Madison’s HIPAA program is composed of privacy and security representatives from across the UW HCC units and is structured hierarchically to ensure compliance and cross-communication. The HIPAA Privacy & Security Operations Committee is responsible for the daily work of protecting UW-Madison patient and research participant PHI. The committee is co-chaired by the HIPAA Privacy Officer within the Office of Compliance and the HIPAA Security Officer within the Office of Cybersecurity. The entire HIPAA program is overseen by the HIPAA Privacy and Security Executive Board.
Where to Find More Information on HIPAA Privacy and Security
For HIPAA security (including information on risk assessments), visit the Office of Cybersecurity’s HIPAA Security Program webpage.
For HIPAA privacy, navigate using the menu on the right-hand side of this page.