Policies
HIPAA Privacy and Security Policies
UW-Madison’s policies are under review and continue to be updated as to Security Rule provisions. Please check back periodically for updates.
- 1.1 (UW-100) Designation of the UW-Madison Health Care Component (UW HCC)
- 1.2 (UW-101) Designation of the University of Wisconsin Affiliated Covered Entity (UW ACE)
- 2.1 (UW-102) Notice of Privacy Practices (NPP) Distribution and Acknowledgement
Related Form: Acknowledgement of Receipt of Notice of Privacy Practices
- 3.2 (UW-103) Uses and Disclosures of Protected Health Information That Require Patient Authorization
Related Form: Authorization for Disclosure of Medical Information (General Purpose)
- 3.3 (UW-104) Uses and Disclosures of PHI Not Requiring Patient Authorization
- 3.4 (UW-105) Uses and Disclosures of PHI That Require Providing Patient with an Opportunity to Agree or Object
- 3.5 (UW-106) Uses and Disclosures of Protected Health Information for Education and Training
Related Form: Authorization for Disclosure of Medical Information for Publication
- 3.6 (UW-107) Uses and Disclosures of Protected Health Information for Marketing
- 3.7 (UW-108) Uses and Disclosures of Protected Health Information for Fundraising
Related Form: Authorization for Use/Disclosure of Medical Info for Marketing or Fundraising
- 3.8 (UW-109) The Minimum Necessary Standard
- 3.9 (UW-110) Verifying Identity and Authority of Persons Seeking Disclosure of a Patient’s PHI
- 3.10 (UW-111) Designated Record Set
- 3.11 (UW-112) Sale of Protected Health Information Generally Prohibited
- 4.1 (UW-113) Designation of IRBs as Privacy Boards
- 5.1 (UW-114) De-identification of Protected Health Information Under the HIPAA Privacy Rule
- 5.2 (UW-115) Creation of a Limited Data Set Under the HIPAA Privacy Rule
- 6.1 (UW-116) Managing Arrangements with Business Associates of the University of Wisconsin-Madison
- 6.2 (UW-117) Managing Business Associate Arrangements When the University of Wisconsin-Madison is the BA
Related Form: Business Associate Agreement
Related Form: Certification that PHI Destroyed or Destruction Infeasible
Related Form: Checklist for UW-Madison Business Associates
- 6.3 (UW-118) Use of and Safeguards for PHI by UW-Madison Internal Business Support Personnel
- 7.1 (UW-119) Requests by Patients for an Accounting of Certain Disclosures
- 7.2 (UW-120) Requests by Patients to Amend Protected Health Information
- 7.3 (UW-121) Requests by Patients for Alternative Confidential Communications
Related Form: Alternative Confidential Communication Request Form
Related Form: Letter Accepting Individual’s Request for Alt. Confidential Communications
Related Form: Letter Denying Individual’s Request for Alt. Confidential Communications
- 7.4 (UW-122) Requests by Patients for Access to Inspect and Obtain a Copy of Protected Health Information
- 7.5 (UW-123) Requests by Patients for Restrictions on Uses and Disclosures of Protected Health Information
- 8.1 (UW-124) HIPAA Security Risk Management
- 8.2 (UW-125) HIPAA Security Oversight
- 8.3 (UW-126) HIPAA Security Auditing
- 8.4 (UW-127) HIPAA Security Contingency Planning
- 8.5 (UW-128) Security of Faxed, Printed, and Copied Documents Containing Protected Health Information
- 8.6 (UW-129) Email Communications Involving Protected Health Information
- 8.7 (UW-130) Destruction/Disposal of Protected Health Information
- 8.8 (UW-131) Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured PHI
- 8.9 (UW-132) HIPAA Security System Access
- 8.10 (UW-133) HIPAA Security – Remote Access to Protected Health Information
- 8.11 (UW-134) HIPAA Security Data Management and Backup
- 8.12 (UW-135) HIPAA Security Facilities Management
- 8.13 (UW-136) HIPAA Security – Workstation and Mobile Device Use and Security Configuration
- 9.1 (UW-137) HIPAA Privacy and Security Training
- 9.2 (UW-138) Responding to Employee Noncompliance with Policies and Procedures Relating to HIPAA Privacy and Security Rules
- 9.3 (UW-139) Responding to Student Noncompliance with Policies and Procedures Relating to HIPAA Privacy and Security Rules
- 10.1 (UW-140) Complaints Under the HIPAA Privacy Rule
Related Form: Patient Privacy Complaint
- 10.2 (UW-141) Designation of Unit Privacy and Security Coordinators
UW-Madison Disciplinary Policies
UW-Madison faculty and staff may be subject to discipline, up to and including termination, for violations of HIPAA regulations and/or applicable rules and policies relating to HIPAA. Disciplinary procedures differ among the various classes of employees at UW-Madison. Please see below:
- Faculty Policies and Procedures (See FPP Chapter 9)
- Academic Staff Policies and Procedures (See ASPP Chapter 6)
- Classified Staff Policies and Procedures (See Chapter 18)
Forms
Authorizations and Related Instructions
- Authorization for Disclosure of Medical Information (General Purpose)
- Authorization for Disclosure of Medical Information (General Purpose; Spanish)
- Authorization for Disclosure of Medical Information in Conference Presentation or Publication
- Authorization for Use or Disclosure of Medical Information for Marketing or Fundraising
Contracts and Related Forms
- Business Associate Agreement (July 2020)
- Business Associate Agreement – UW as Bus Assoc (June 2018)
- Data Use Agreement (DUA) for Disclosure of a Limited Data Set (LDS)
- Data Use Agreement (DUA) for Receipt of a Limited Data Set (LDS)
- Certification that PHI Destroyed or Destruction Infeasible
- Checklist for UW-Madison Business Associates
Access to Protected Health Information
Acknowledgement for Receipt of Notice of Privacy Practices
Fax Cover Sheet Example
Sample Tracking and Disclosure Reports
ACCOUNTING OF DISCLOSURES
- Sample Disclosure Tracking Log
- Sample Request for Accounting of Disclosures
- Sample Reports of Disclosures to Third Parties
ALTERNATIVE CONFIDENTIAL COMMUNICATIONS
- Alternative Confidential Communication Request Form
- Letter Accepting Individual’s Request for Alt. Confidential Communications
- Letter Denying Individual’s Request for Alt. Confidential Communications
AMENDMENT OF PROTECTED HEALTH INFORMATION
- Sample Request for Amendment of Health Information
- Sample Request for Notification of Amendment
- Sample Letter Notifying of Need for 30 Day Extension
- Sample Letter Accepting Amendment
- Sample Letter Denying Amendment
- Sample Letter Responding to Statement of Disagreement
INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION
- Sample Letter Notifying of Need for 30 Day Extension
- Sample Letter Denying Request to Obtain a Copy of PHI