Health Information Data Domain

Health Information in this domain is institutional data covered by HIPAA and other medical data privacy laws, as well as data relating to the health or health care of a person that is not covered by a particular law. Research data may also be covered by HIPAA and other privacy laws. Researchers can find HIPAA guidance on the Office of Compliance webpage.

Data Domain Scope

There are two main categories of health information at UW-Madison: HIPAA-covered PHI and non-HIPAA-covered health information. Both are personal data that must be handled with care, privacy, and security.

HIPAA PHI

PHI (Protected Health Information) is a particular type of health information that is regulated by HIPAA, a federal law that protects the privacy of certain health information. PHI is identifiable information about a person’s health or health care that is handled by a HIPAA-covered organization or a vendor working on its behalf.

  • The UW Madison Office of Compliance manages the HIPAA Compliance program and governance structures for PHI data, including the HIPAA Privacy and Security Executive Committee and Operations Committee.
  • The portion of UW Madison subject to HIPAA is called the UW Madison Health Care Component (UW HCC). UW HCC units are listed in HIPAA Policy UW-100.
  • UW Madison is also part of an Affiliated Covered Entity (ACE) with UW Health and its subsidiaries as designated in HIPAA Policy UW-101.
  • Questions about HIPAA? Reach out to the campus HIPAA Privacy Officer or your unit’s designated Privacy and/or Security Coordinators.

Other health information

Some health information is generated, used, and/or stored outside of the UW HCC/ACE. While it may still be data related to people and their health, it is not PHI because it is not regulated by HIPAA (please contact the HIPAA Privacy Officer to confirm). It must still be securely managed and controlled and may be subject to other laws. The categories below are examples of health information that is non-PHI. Governance of this data may be shared across more than one domain.

  • Health information of employees (e.g., disability status, workers comp, FMLA)
  • Health information in student records (e.g., University Health Services records, medical withdrawal documentation and related notes)
  • Health-related program participant data (e.g., accommodation requests or dietary limitations that reveal or imply a medical condition) collected for:
    • Youth programs
    • Adult outreach programs
  • Data generated by human health clinics including the UW Speech and Hearing Clinic, Counseling Psychology Training Clinic, MEDiC Clinic, and others.
  • Incidental, self-disclosed employee and student health data (e.g., health condition shared with supervisor via Outlook, medical appointment information shared with instructor via Canvas)

Data Trustee

Data Trustees are university officials with authority over institutional data, as designated by the Data Governance Council. Data Trustees are accountable for managing, protecting, and ensuring the integrity and usefulness of institutional data and for upholding UW-Madison policies, UW System policies, state laws, and federal laws applicable to the institutional data.

The Data Trustee for the Health Information data domain is the Director of the Office of Compliance, who oversees the HIPAA Privacy Program.

Institutional Data Stewards

Institutional data stewards, who are assigned by and accountable to Data Trustees, help define, implement, and enforce data management policies and procedures within their specific data domain. Institutional data stewards have delegated responsibility for all aspects of how data is acquired, used, stored, and protected throughout its entire lifecycle from acquisition through disposition.

The Institutional Data Steward(s) for the Health Information data domain, as assigned by the Data Trustee, is Jack Talaska, HIPAA Privacy Officer.

Data Systems

Institutional Data Stewards identify and classify the data systems where data from their data domain resides. Within the Health Information domain these are:

System                          Classification
Health Link (SMPH/UW Health)    Restricted/High Risk
Point and Click (UHS)           Restricted/High Risk
Medicat (Athletics)             Restricted/High Risk
Platform X (SMPH)               Restricted/High Risk
REDCap                          Restricted/High Risk
Workday                         Restricted/High Risk
Secure Box                      Restricted/High Risk

Data Classification Rationale

UW System Administrative Policy 1031 and UW-Madison policy UW-504 require that data be classified according to its risk. Within the Health Information data domain, the classification rationales are:

Classification: Restricted / High Risk
  Rationale: Health information is classified as Restricted when it is governed by a medical records privacy law at the Federal (HIPAA) or State (Wis. Stats. 146.82 and 51.30) level.
  Examples: UHS records from the patient medical record. Athletics records from the patient medical record. MEDiC Clinic records.

Classification: Sensitive / Moderate Risk
  Rationale: Health information is classified as Sensitive when it is information about a person’s health or healthcare, but is not strictly governed by a medical records privacy law at the State or Federal level.
  Examples: Identifiable employee or program participant health information in the person’s file. Notes or other information about student health in the student’s file with the administration or instructors/advisors.

Classification: Internal / Low Risk
  Rationale: Health information is classified as Internal when it is de-identified.
  Examples: Case specific

Classification: Public / Low Risk
  Rationale: Health information is classified as Public when it is aggregate or statistical health data.
  Examples: Healthy Minds survey results, Color of Drinking survey results


Links to Domain Content