HIPAA O365 Controls - Controls implemented for the UW-Madison Health Care Component
In early 2019, the HIPAA Executive Board at UW-Madison approved the implementation of the following controls for the UW-Madison Health Care Component.
At UW-Madison, the HCC comprises the “covered entity” to which HIPAA regulations apply. To reduce the risk of inappropriate disclosure of sensitive and restricted data, the campus HIPAA Executive Board has approved the implementation of additional controls affecting Office 365. These controls include:
Restrictions on auto-forwarding email from wisc.edu addresses.
Prohibited use of Basic Authentication.
- Modern Authentication (also called Password Security at UW-Madison) provides additional security controls when compared to Basic Authentication, including no longer storing O365 credentials locally in email clients. It also allows the use of Multi-Factor Authentication. This significantly reduces the likelihood of credential compromise associated with O365 accounts. The control was implemented for the HCC in 2020.
Prohibited use of the POP email protocol.
- Post Office Protocol version 3 (POP3) is an older email protocol that does not support Modern Authentication. The control was implemented for the HCC in 2020.
Allow Local IT to better control email clients through the use of distributed Conditional Access.
- Conditional Access is the tool used within O365 that leverages user and device identity to make decisions, and enforce organizational policies. This could prevent a user from connecting to email and exposing sensitive data if using an unsupported email client or out of date operating system. This control is actively being investigated and will be deployed in the future.
Enforce encryption on mobile devices used to access wisc.edu email accounts.
- This control is dependent on a Mobile Device Management solution to be implemented for campus. MDM is being investigated and will be deployed in the future.
Develop and implement policy for data segregation, archiving, and use when individuals transition into new roles but continue utilizing the same wisc.edu email account (to prevent individuals from retaining access to PHI after a transition/termination of employment).
- This control is actively being investigated and will be deployed in the future.