For additional FAQs about HIPAA in research, see the FAQs section of the “For Researchers” page.
HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the health care and insurance industries. As the name suggests, the legislation has several goals.
One of the objectives of the regulations (referred to as Administrative Simplification) is to improve the efficiency of the health care system through the increased use of electronic information systems. The law allows the Department of Health and Human Services (DHHS) to develop regulations that set universal standards for electronic transactions between health care providers and insurance companies.
Another key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards around the use of such information. DHHS requirements are incorporated into UW-Madison’s policies concerning the privacy, confidentiality, and security of protected health information.
What is HITECH?
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, went into effect as an Interim Final Rule on August 24, 2009, and was issued as a Final Rule on January 25, 2013, to promote the adoption and meaningful use of health information technology. The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
“Covered entity” is the term that the HIPAA regulations use to describe each of the businesses in the health care industry that are subject to HIPAA regulations. Specifically, covered entities are health plans, health care clearinghouses and health care providers (both institutions and individual providers) who transmit any health information in electronic form to carry out certain financial or administrative activities related to health care — such as submitting health care claims or encounter information, making health care payments, and coordinating benefits.
A “hybrid entity” means an institution with both HIPAA-covered and non-covered functions or “components”. UW-Madison is a hybrid entity. The HIPAA-covered functions of the institution are referred to as the “health care component.” For example, the clinical departments within the School of Medicine and Public Health are part of the UW-Madison Health Care Component (UW HCC) while the School of Education and the School of Human Ecology are not.
When two or more separate legal entities with common ownership or control designate themselves as a single entity for purposes of HIPAA, this is called an “affiliated covered entity” or an “ACE”. UW-Madison’s Health Care Component (except the Wisconsin State Laboratory of Hygiene and University Health Services), the University of Wisconsin Medical Foundation and the University of Wisconsin Hospital and Clinics Authority are an affiliated covered entity (UW ACE). This means that sharing of PHI among the parties of the UW ACE is a “use” and not a “disclosure.”
How do I know if I am subject to HIPAA?
Entities covered by HIPAA are health care providers, health plans (including employer-sponsored plans), and health care clearinghouses (e.g., billing agents). Only parts of UW-Madison are covered by HIPAA; this is called being a “hybrid entity.” If you are an employee within one of the covered parts, e.g., one of the health care provider units within UW-Madison’s Health Care Component (UW HCC), then you are covered by HIPAA. You may also be covered as part of the UW HCC if you work outside its designated units but, as part of your job duties at UW-Madison, perform business support services on behalf of one or more of those units. You may also be covered by HIPAA if you are a researcher outside the UW HCC collaborating on a study whose principal investigator is within the UW HCC. Finally, you may be covered as a business associate if you perform certain services on behalf of another covered entity.
Protected health information or “PHI” is the term that HIPAA uses to describe the specific patient information that HIPAA is intended to protect. PHI is “individually identifiable health information” that is maintained or transmitted by a health care provider. PHI does not include individually identifiable health information in personnel records or in education records covered by the Family Educational Rights and Privacy Act (“FERPA”).
Individually identifiable health information is information that is a subset of health information, including demographic information, collected from an individual and: (1) is created or received by a health care provider; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) either identifies the individual or can reasonably be used to identify the individual.
I suspect there has been a breach of patient or research subject privacy. What do I do?
If you suspect there has been a breach of patient or research subject privacy, report the incident as soon as possible using the online HIPAA Incident Report Form.
HIPAA incidents need to be reported as soon as they are discovered, even if the person who discovered the incident was not involved in causing the incident. After you complete the HIPAA Incident Report Form, UW-Madison’s HIPAA Privacy Officer and HIPAA Security Officer will begin investigating the incident and develop an appropriate plan for follow-up in accordance with UW-Madison’s policy about the Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured PHI.
In short, unless an exception is met under the HIPAA regulations, a health care provider may not use or disclose PHI without the authorization of the patient or the patient’s legally authorized representative. No authorization is required for health care providers to use or disclose PHI for treatment, payment or health care operations (e.g. quality review, reviewing qualifications of health care providers, training students, conducting legal review, and managing and operating the health care entity). Except for treatment, health care providers must use the minimum necessary amount of PHI.
While it is prudent to be cautious about sharing and releasing PHI, it is also important to remember that HIPAA allows for the exchange of PHI for purposes of treatment, payment, and health care operations. The HIPAA Privacy Rule is intended to protect patients’ health information, but not to impede or interfere with patient care or safety.
Treatment is the “provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party.” This includes:
- Consulting with the patient’s other healthcare providers;
- Providing PHI when referring or transferring a patient to a laboratory, nursing home, or outside provider or hospital;
- Sharing patient information with other workforce members involved in the patient’s care with a need to know the PHI;
- Discussing the patient’s condition or treatment regimen in the patient’s room with other health care providers or trainees (e.g. other faculty physicians, residents, medical students, or nurses).
Payment encompasses all activities to obtain payment or be reimbursed for services provided or the provision of health care. This includes:
- Determining eligibility, reviewing services, and adjudicating claims;
- All billing and collection activities, including those of another provider or covered entity for its treatment of the patient;
- Utilization review
Health Care Operations are “certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.” This includes:
- Case management, care coordination
- Quality assessments
- Accreditation, certification, licensing, and credentialing
- Legal, audit, privacy, compliance
- Business planning and development
- Administrative activities, including customer service, employee relations activities, transfer of assets, fundraising
- Education and training programs
- Abuse and neglect investigations
If the sharing is not for the purposes of treatment, payment or health care operations, then you may not share PHI unless you have authorization from the patient or there is another legal basis which permits the sharing. If you are unsure whether another legal basis applies, do not share the PHI without contacting the UW-Madison Privacy Officer (contact information on the right side of this page) or the UW-Madison Office of Legal Affairs Health Law Team (608-263-7400).
Even if use or disclosure of PHI is permitted under the Privacy Rule, care must be taken to:
- Eliminate all of the personal identifiers which are not essential to the purpose for which the PHI is being used or disclosed.
- Use or disclose only the minimum amount of PHI necessary to satisfy the purpose of the use or disclosure.
When using or disclosing PHI, or requesting PHI from another covered entity, a health care provider must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. The minimum necessary standard does not apply to uses and disclosures for treatment, to disclosures to the patient, to uses and disclosures made under an authorization, to disclosures required by law, or to uses and disclosures needed to comply with the provisions of HIPAA.
“Use” means, with respect to individually identifiable health information, the sharing, utilization, examination, or analysis of such information within the covered entity that maintains such information. “Disclosure” means the release, transfer, access to, or divulging in any manner of information outside of the covered entity holding the information. In some cases, a covered entity must keep a log which accounts for disclosures of an individual’s PHI and must provide that log to the individual upon request. Uses of PHI within the covered entity do not require such accounting.
What are the limitations on how I can use PHI internally or disclose PHI externally?
When PHI is shared within the UW Affiliated Covered Entity (ACE), it is being “used.” When PHI is shared outside of the ACE (e.g. with someone outside of the UW-Madison Health Care Component, the UW Hospital and Clinics or the UW Medical Foundation) it is being “disclosed.”
The Privacy Rule allows the use or disclosure of PHI:
- For treatment (including treatment in the course of research)
- For payment
- For health care operations (including education programs)
- With authorization by the individual
- When compelled by law
In addition, all research is subject to special requirements under the Privacy Rule which govern the handling of PHI. Please see the For Researchers page for more information.
What does it mean to “account for disclosures” and what must be accounted for?
Individuals have certain rights with respect to their PHI, including the right to receive an accounting of all disclosures made to people or groups outside of the covered entity for purposes other than for treatment, payment, health care operations or with authorization by the individual. This means that individuals within the UW HCC must maintain records of disclosures they make outside the UW HCC (or outside of the UW ACE) for all other purposes (including for disclosures required by law) and make these records available to individuals when requested.
A business associate is an individual, not a member of the covered entity’s workforce, that creates, receives, maintains, or transmits PHI for a function or activity on behalf of the covered entity. Such activities may include claims processing or administration, data analysis, utilization review, quality assurance, and review of patient safety. A business associate may only use or disclose PHI as permitted by the contract between the business associate and the covered entity (commonly called a “Business Associate Agreement”) or as required by law. Under the HITECH Act, a business associate is now directly subject to the provisions of HIPAA, including its civil and criminal penalties, just as if the business associate were a covered entity.
What does it mean for health information to be “de-identified”?
“De-identified” means that the health information or data set does not identify an individual and that there is no reasonable basis to believe that the information in the data set can be used to identify an individual. Under HIPAA, health information is considered “de-identified” if 18 criteria are removed from the data set. These criteria include direct identifiers, such as name and address, but also include other indirect identifiers, such as dates directly related to the individual (e.g. date of birth, admission date, discharge date) and zip code. For UW-Madison’s policy on de-identification, click here.
No. If health information or a data set is “de-identified” as that term is defined in HIPAA, then it can be used or disclosed without patient authorization and without meeting an exception to the requirement for authorization under HIPAA.
In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, state and 5-digit zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Postal address information (other than town or city, state, and 5-digit zip code);
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
A covered entity may use or disclose a limited data set from its records containing PHI for research, public health, or health care operations, without patient authorization or (in the case of research) a waiver of authorization. To do so, the covered entity must execute a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.
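As an added example (not UW-Madison’s code or tooling), the Python below applies the limited data set rule from the list above to a constructed flat patient record: it drops the excluded direct identifier fields, keeps the dates and the town/city, state and 5-digit zip that a limited data set may retain, and then scans the remaining free-text fields for identifiers that field-level removal misses. The field names, the regular-expression heuristics and the sample record are assumptions for illustration only.

```python
import re
from copy import deepcopy

# Direct identifiers a limited data set must exclude (the list on this page).
# Keys are constructed field names for a hypothetical flat patient record.
EXCLUDED_FIELDS = {
    "street_address", "telephone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Patterns for identifiers that leak through in narrative fields such as
# clinical notes. These are screening heuristics, not a complete detector.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def to_limited_data_set(record: dict) -> dict:
    """Return a copy of the record with the excluded direct identifiers removed.
    Dates and city/state/zip are retained, which is what distinguishes a
    limited data set from fully de-identified data. A ZIP+4 value is cut to
    five digits because only the 5-digit zip is permitted."""
    out = {k: deepcopy(v) for k, v in record.items() if k not in EXCLUDED_FIELDS}
    if out.get("zip") is not None:
        out["zip"] = str(out["zip"])[:5]
    return out


def scan_free_text(record: dict) -> list:
    """Return (field, identifier_type) pairs for text fields that still
    contain something that looks like an excluded identifier."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in TEXT_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, kind))
    return findings


def is_limited_data_set(record: dict) -> tuple:
    """True only if no excluded field is present and no text field leaks one.
    The second element lists every problem found, so a reviewer can see
    why a record does not qualify."""
    problems = [(f, "field") for f in record if f in EXCLUDED_FIELDS]
    problems += scan_free_text(record)
    return (not problems, problems)


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "mrn": "MRN-0001234",
    "birth_date": "1972-04-09",
    "admission_date": "2023-11-02",
    "city": "Madison", "state": "WI", "zip": "53706-1234",
    "street_address": "123 Example St",
    "telephone": "608-555-0100",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt asked us to call 608-555-0100 re follow-up.",
}

if __name__ == "__main__":
    print("raw record qualifies:", is_limited_data_set(SAMPLE))
    lds = to_limited_data_set(SAMPLE)
    # Field-level stripping is not enough: the note still leaks a phone number.
    print("after stripping fields:", is_limited_data_set(lds))
```

The second check still fails, which is the point: a data use agreement covers the recipient’s conduct, but the covered entity must confirm that narrative fields do not carry the identifiers the structured fields were stripped of.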
How do I know what HIPAA training should be provided to the people in my department?
Refer to the Training page. All employees within the UW-Madison Health Care Component (UW HCC) must take training on an annual basis.
I was contacted by an attorney who represents my patient. Can I talk to him/her?
You may not speak with an attorney, even one that represents the patient, without a signed authorization from the patient. Please review the information available here about subpoenas and requests from attorneys, and contact the UW-Madison Office of Legal Affairs Health Law Team with any questions.
If the police officer is in the course of investigating child abuse and identifies the child by name, the officer is entitled to records or other information from a health care facility upon request. Health care providers may confirm with police who ask for a patient by name the presence of a patient in the health care facility, except when the patient is there for substance abuse treatment. In most other cases, police must have patient authorization or a court order to access records or other information about patients. Contact the UW-Madison Office of Legal Affairs Health Law Team for more information (608-263-7400).
Both HIPAA and Wisconsin law authorize, in response to a written request, the disclosure of any information (may be oral) or written material “reasonably related” to the injury which your patient claims was the result of a work-related accident. Such disclosure may be made to the employee, employer, worker’s compensation insurer, or the Wisconsin Department of Workforce Development or its representative. Please review the information available here about worker’s compensation matters, and contact the UW-Madison Office of Legal Affairs Health Law Team with any questions.
At present, only “Secured” Box folders may be used to store data or other information containing PHI; these folders are configured by HIPAA Security Coordinators to have more security than standard Box folders otherwise available through UW-Madison. Contact your HIPAA Privacy or Security Coordinator with questions about storing PHI in a Secured Box Folder.
Take care to protect PHI from accidental disclosure:
- Use a fax cover sheet when faxing PHI, double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when delivered.
- Keep all paper files containing PHI locked in file cabinets.
- If you print copies of documents with PHI, remove them immediately from any shared printer.
- Password-protect all portable devices that contain PHI, and password-protect all documents on such portable devices. DO NOT share passwords.
- Eliminate all names and other identifiers when creating presentations which include health information.
- Don’t refer to patient or research subject names and other identifiers in conversations with colleagues in public areas.
- Place computer screens so they are not readily visible by people passing by.
- Remember to erase the hard drives on all machines that scan and copy documents (e.g. fax machines, copiers, and scanners) before returning them to a vendor or sending them to SWAP.
What are the possible consequences to UW-Madison for violations of HIPAA?
UW-Madison, as a HIPAA covered entity, can be subject to significant civil monetary penalties, mandated corrective action plans, and monitoring by the federal government as a result of noncompliance with HIPAA. Breaches of PHI must be reported to the affected individual and to the federal government, and large breaches must also be reported to the local press.
What are the possible consequences to me as an employee for my violations of HIPAA?
Disciplinary action up to and including termination, depending on the nature of the violation, may be imposed for violations of HIPAA and for violations of the policies and procedures of UW-Madison regarding HIPAA and the privacy and security of PHI. Additionally, employees of covered entities may also be criminally liable for knowingly obtaining or disclosing PHI in violation of HIPAA. Fines can range up to $250,000 and imprisonment can be up to ten years for the most serious offenses (those which involve intent to personally gain from the violation or to maliciously harm the individual who is the subject of the PHI).
What are common ways that unintended HIPAA breaches occur?
Unintended HIPAA breaches frequently occur through the loss or theft of portable electronic devices (smartphones, laptops, portable hard drives) with unencrypted PHI, through phishing and other cybersecurity attacks, and through human errors involving misdirected PHI.
What is Phishing?
Phishing is the attempt to acquire login credentials such as usernames and passwords by masquerading as a trustworthy entity in an electronic communication, usually email. Phishing relies upon social engineering to complete its goal. Phishing attempts regularly occur at UW-Madison and can result in a breach of PHI. If you receive an email that you suspect is a phishing attempt, do not open it. If you open an email that you suspect is a phishing attempt, do not click on any links. The UW Office of Cybersecurity encourages you to learn how to recognize and report phishing attempts!
When necessary, emails containing PHI should only be sent inside of UW Health or inside UW-Madison’s Health Care Component (i.e., among email addresses ending in uwhealth.org or wisc.edu only). Any other emails sent containing PHI must be encrypted absent patient/subject consent.
- Never send PHI using external email accounts (e.g. Gmail, Yahoo, Hotmail).
- You are prohibited from auto-forwarding your wisc.edu or uwhealth.org emails to any other accounts.
- Verify email addresses of intended recipients and pay close attention to any frequent contacts’ email addresses (to be sure an email doesn’t pre-populate with the wrong recipient’s address).
- Be sure research-related use of email complies with the IRB’s email guidance.
- See HIPAA Policy 8.6 for more information.
Where can I obtain assistance in de-identifying PHI, including images?
Please consult with the UW-Madison HIPAA Privacy or Security Officer for assistance.
What constitutes a strong password?
Strong passwords are long (at least 8 characters) and contain a mixture of upper and lower case characters, numbers and special characters. The UW-Madison password standard policy can be found here.
Am I ever allowed to share my password?
No, you are never allowed to share passwords. Please note that even your local IT staff should never request your password. If anyone asks you for your password, please report this to your supervisor and to UW IT security staff. If you feel that your password has been compromised in any way, please contact UW IT security staff.
How should I dispose of PHI or equipment on which PHI is contained?
PHI that is no longer needed for its intended use should be confidentially destroyed. PHI in hard copy should be placed in locked, confidential disposal bins or shredded. For assistance in the destruction of electronic PHI, please contact the UW-Madison HIPAA Privacy or Security Officer. Just “deleting” electronic data does not destroy the data. Please note that PHI may be contained in copier memory and must be destroyed before disposing of a copier. Examine all equipment being sent to SWAP (or otherwise being disposed of) to make sure it does not contain any CDs or other mobile devices that may contain PHI. Please carefully examine all file cabinets being sent to SWAP (or otherwise disposed of) to make sure that no documents remain in the drawers (or are stuck behind drawers). See Policy #8.7 “Destruction/Disposal of Protected Health Information” for more detail.
May I take PHI with me when I leave UW-Madison?
In most cases, you will not be allowed to take the PHI that you obtained as an employee of UW-Madison with you when you leave UW-Madison. Please consult with the UW-Madison HIPAA Privacy Officer for advice regarding the possibility of taking de-identified data or limited data sets when you leave UW-Madison.
Where can I get technical support for complying with the HIPAA security rule at UW-Madison?
Contact the HIPAA Security Officer or your unit’s HIPAA Security Coordinator with cybersecurity questions or for guidance on compliance with the Security Rule.
I need to store some PHI on a portable device, how should I encrypt it?
Only use USB drives that provide built-in encryption – many are available at the DoIT Tech Store. Standard mechanisms, such as BitLocker (PCs) and FileVault (Macs), can be used to encrypt laptops. Cell phones used to access or store PHI must be password protected and configured to allow a remote memory wipe. Any portable device that is to contain PHI must be registered with your IT department.
What is the difference between the HIPAA Security Officer and a HIPAA Security Coordinator?
Each unit in the UW-Madison Health Care Component has an assigned HIPAA Security Coordinator who acts as a liaison to the campus HIPAA Security Officer. In many cases, questions or situations related to HIPAA security can be addressed by the unit’s security coordinator. Similarly, each unit of the UW-Madison Health Care Component has an assigned HIPAA Privacy Coordinator who acts as a liaison to the campus HIPAA Privacy Officer — and questions related to HIPAA privacy can often be addressed by the unit’s privacy coordinator.