Who should use this document: This document is for individuals who are appointed or enrolled outside the Health Care Component (HCC), are not brought into the HCC by another policy or regulation, and would like to receive access to protected health information (PHI) under a contractual agreement.
When it should be used: This document should be used prior to making any arrangements/plans to receive or use PHI (e.g. submitting an IRB protocol, entering into a contract/agreement to receive PHI, agreeing to participate in a quality assurance project).
Introduction to UW-Madison’s Health Care Component (HCC)
UW-Madison is a hybrid covered entity under the HIPAA regulations; this means that only some parts of the organization are subject to HIPAA. These parts of the organization are known as the Health Care Component (HCC) and are defined in policy.
Protected health information (PHI) subject to HIPAA is most commonly used by individuals appointed and/or enrolled in an HCC unit. PHI includes health information containing one or more identifiers that is maintained by, or originated from, a covered entity subject to the HIPAA regulations. A limited data set of PHI is data in which the only identifiers are dates and geographic information no more specific than a five-digit ZIP code.
In some circumstances, individuals employed/appointed outside the HCC may be able to work with PHI pursuant to a contractual agreement, but additional steps must be taken in these cases. This document outlines the HIPAA privacy and security steps that must be taken before individuals who are neither employed/appointed by nor collaborating with the HCC can work with PHI. These steps differ somewhat depending on the source of the data and are needed to ensure that PHI is handled appropriately and in compliance with the law and regulations.
Step 1: HIPAA Training
All staff using PHI must complete the most recent version of UW-Madison’s HIPAA Privacy and Security Training before they can access PHI. Individuals outside of the UW HCC must self-enroll in the training.
Training completion can be verified using the VCR Training Information Lookup Tool. Compliance checks are performed by compliance staff to ensure training has been completed.
Step 2: Cybersecurity
The HIPAA Security Rule requires the use of certain safeguards to ensure that PHI remains secure at all times. This means that staff need to ensure that all software/tools and devices used with PHI have been vetted by campus cybersecurity staff and confirmed to meet the Security Rule’s requirements.
Software/Tools and Data Storage:
For individuals appointed or enrolled outside of the HCC, the most efficient way forward from a cybersecurity perspective is to use only tools from the Approved Tools list for storing and transferring PHI. All tools on the Approved Tools list have gone through a cybersecurity risk assessment and do not require further review. For items on this list that appear under the “Use with Caution” section, please reach out to the HIPAA Security Officer for guidance.
Any additional technology or tools that are needed and are not on the Approved Tools list must undergo a cybersecurity risk assessment for use with PHI, as required by UW-503 Cybersecurity Risk Management. It may also be necessary to enter into a Business Associate Agreement with the tool’s vendor; this agreement provides the basis for the vendor to access PHI. Please note that choosing technology or tools not on the Approved Tools list will make this a longer process.
To request a cybersecurity risk assessment, complete and submit the questionnaire in OneTrust. Please contact the HIPAA Security Officer with any questions. Approval from the appropriate Risk Executive is required before any technology or tools not on the Approved Tools list may be used; this approval is part of the standard cybersecurity risk assessment process.
The Approved Tools list only includes tools used widely across campus, so it is possible Cybersecurity has assessed other tools for use with PHI that are not listed. If you would like to use a tool that you think may have been previously assessed, please reach out to Cybersecurity to confirm assessment status and steps needed to use the tool.
Devices:
All computers/endpoints need to be in compliance with UW-526 Endpoint Management and Security and Endpoint Management and Security Policy Standards. This means that individuals outside the UW HCC need to obtain validation of the device that was issued to them by their UW-Madison department. Personal devices should not be used to work with PHI.
Individuals should inform their local IT that they need to validate their UW-Madison issued device. Local IT staff may then need to update the device to ensure compliance with HIPAA’s security requirements. Validation of this work by the HIPAA Security Officer is then needed.
Step 3: Ensuring there is a contractual basis to receive PHI
There always needs to be a legal basis in the HIPAA regulations for receiving or using PHI. Sometimes this legal basis can be one of two types of contracts specified in the HIPAA regulations. These contracts are known as data use agreements (DUAs) and Business Associate Agreements (BAAs). Each agreement is only applicable in certain circumstances and needs to be fully signed by appropriate individuals from both organizations before any PHI can be used.
At UW-Madison, contracts cannot be signed by the PI or other staff members. Contracts must be signed by UW-Madison individuals with signatory authority. In the research setting this will often be a representative from Research and Sponsored Programs. Outside the research context, or within the research context when funds are being exchanged, this will often be a representative from Purchasing.
These contractual agreements are the primary means through which individuals outside the HCC can obtain PHI. Please consult the HIPAA Privacy Officer to determine the appropriateness of obtaining PHI through any other means you may be considering.
Data Use Agreements
Individuals at UW-Madison may receive a limited data set (LDS) of PHI from the UW HCC or another organization (including UW Health) when an appropriate data use agreement (DUA) is signed. The DUA ensures that the individuals working with the PHI will only use or disclose it for the purposes specified in the agreement.
If the PHI is coming from an external entity, the entity providing the PHI will typically provide the agreement template. If the external entity does not provide a template, UW-Madison encourages staff to use Federal Demonstration Project DUA templates to reduce review and execution timelines.
If the PHI is coming from the UW HCC, the Internal DUA should be used. This form is needed because UW-Madison cannot sign a contract with itself. As a result, this form is unique in that it is signed by the PI/project leader and does not require an individual with signatory authority.
Business Associate Agreements
Less frequently, individuals appointed or enrolled outside of the UW HCC may use PHI from an external entity (including UW Health) in order to provide services to that entity.
An example would be performing data analysis for an insurance company. In these circumstances, UW-Madison is acting as a business associate under the HIPAA regulations. Before receiving PHI from an external entity, HIPAA and UW-Madison policy require business associates to provide contractual assurances that they will only use a covered entity’s PHI for the purposes specified in the contract. These assurances must be documented in a Business Associate Agreement (BAA).
UW-Madison policy also requires individuals affiliated with UW-Madison and acting as business associates to complete the Checklist for UW-Madison Business Associates prior to receiving an external entity’s PHI. More information, including the checklist, can be found on the Office of Compliance’s “For Business Associates” page. This includes the required Cybersecurity review as described in Step 2 above.
Step 4: Further Sharing
PHI acquired under a DUA or BAA can only be used for the purposes specified in the relevant agreement. Aside from using service providers that have a BAA with UW-Madison (e.g. using Secure Box to store PHI), it is unlikely that these agreements will allow for further sharing of PHI.
It may be possible to further share de-identified data. However, the HIPAA Privacy Officer should be consulted before further sharing any data. The Privacy Officer will help to validate the classification of the data involved (i.e. de-identified, an LDS of PHI, or PHI with identifiers not allowed in an LDS) and confirm the appropriateness of the sharing.