Health Information

The information below describes different categories of “health information” that may be in the possession of the University and the way in which it is managed by the University. Health information is governed in similar ways to Institutional Data and has overlap with Research Data.

Health Information at UW Madison 

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. PHI can be HIPAA regulated if the data originate from covered entities.

    • HIPAA regulated information is any PHI created by designated health care providers.

      • UW Madison is a “hybrid entity” for HIPAA compliance purposes. This means only some areas of campus produce protected health information regulated by HIPAA. The portions of campus subject to HIPAA comprise the UW Madison Health Care Component (UW HCC) are listed in HIPAA Policy UW 100.
      • UW Madison is also part of an Affiliated Covered Entity (ACE) with UW Health and its subsidiaries as designated in HIPAA Policy UW 101.
    • Non HIPAA regulated is health information generated outside of the UW HCC/ACE.
      • UW Speech and Hearing Clinic, Counseling Psychology Training Clinic, MEDiC Clinic
      • Youth program participant information

Other health information

Health information found in other domains, including health information for employees (e.g., disability status, workers comp) and health information in the student record is not PHI but still must be securely managed and controlled.

UW Madison HIPAA Compliance Program

The UW Madison Office of Compliance manages the HIPAA Compliance program and governance structures for PHI data.

Questions: Reach out to the campus HIPAA Privacy Officer or your unit’s designated Privacy and/or Security Coordinators. See list of HIPAA – Privacy & Security Coordinators.