HIPAA M365 Controls - Controls implemented for the UW-Madison Health Care Component
In early 2019, the HIPAA Executive Board at UW-Madison approved the implementation of the following controls for the UW-Madison Health Care Component.
At UW-Madison, the Health Care Component (HCC) comprises the covered entity to which HIPAA regulations apply. To reduce the risk of inappropriate disclosure of sensitive and restricted data, the campus HIPAA Executive Board has approved the implementation of additional controls affecting Microsoft 365. These controls include:
Restrictions on auto-forwarding email from wisc.edu addresses.
- Auto-forwarding to domains outside of the UW-Madison Health Care Component and/or the UW-Madison Affiliated Covered Entity is not permitted. Auto-forwarding between our wisc.edu addresses and these domains creates a potential for HIPAA Privacy Rule violations. The control was implemented for the HCC in 2020.
- See also: HIPAA M365 Controls - Domains approved for M365 auto-forwarding within Health Care Component
Prohibited use of Basic Authentication.
- Modern Authentication (also called Password Security at UW-Madison) provides additional security controls when compared to Basic Authentication, including no longer storing M365 credentials locally in email clients. It also allows the use of Multi-Factor Authentication. This significantly reduces the likelihood of credential compromise associated with M365 accounts. The control was implemented for the HCC in 2020.
Prohibited use of the POP email protocol.
- Post Office Protocol version 3 (POP3) is an older email protocol that does not support Modern Authentication. The control was implemented for the HCC in 2020.
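The three controls above that are already in place for the HCC (no auto-forwarding to unapproved domains, no Basic Authentication, no POP) can be verified from Exchange Online PowerShell. The script below is an added example written for this page; it is not UW-Madison's or Microsoft's code. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can read mailbox and organization configuration, and it uses a placeholder $ApprovedDomains list where the real list from the linked "Domains approved for M365 auto-forwarding" article would go.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added audit example (not UW-Madison's code). Finds mailboxes, inbox rules and
# tenant settings that still allow external auto-forwarding, Basic Auth or POP.

# Placeholder: replace with the HCC/ACE domain list from the approved-domains article.
$ApprovedDomains = @('wisc.edu', 'approved-affiliate.example')

function Get-DomainFromAddress {
    param([string]$Value)
    # Accepts "smtp:user@domain", "user@domain" or "Name [SMTP:user@domain]".
    if ($Value -match '[\w.+-]+@([\w.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-ApprovedDomain {
    param([string]$Domain)
    if (-not $Domain) { return $true }   # no external target, nothing to flag
    foreach ($d in $ApprovedDomains) {
        if ($Domain -eq $d -or $Domain.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-ExternalForwardingFindings {
    $findings = @()
    # Tenant level: remote domains that still permit auto-forwarding.
    Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
        $findings += [pscustomobject]@{ Scope = 'RemoteDomain'; Object = $_.DomainName; Detail = 'AutoForwardEnabled is true' }
    }
    # Mailbox level: admin/user forwarding address plus forwarding inbox rules.
    # Get-InboxRule runs once per mailbox, so this takes a while on a large tenant.
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $dom = Get-DomainFromAddress $mbx.ForwardingSmtpAddress
        if (-not (Test-ApprovedDomain $dom)) {
            $findings += [pscustomobject]@{ Scope = 'Mailbox'; Object = $mbx.UserPrincipalName; Detail = "ForwardingSmtpAddress -> $dom" }
        }
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                $dom = Get-DomainFromAddress "$t"
                if (-not (Test-ApprovedDomain $dom)) {
                    $findings += [pscustomobject]@{ Scope = 'InboxRule'; Object = $mbx.UserPrincipalName; Detail = "Rule '$($rule.Name)' -> $dom" }
                }
            }
        }
    }
    return $findings
}

function Get-BasicAuthFindings {
    $findings = @()
    $org = Get-OrganizationConfig
    if (-not $org.DefaultAuthenticationPolicy) {
        $findings += [pscustomobject]@{ Scope = 'Org'; Object = 'DefaultAuthenticationPolicy'; Detail = 'not set; no tenant-wide Basic Auth block' }
    }
    # Any authentication policy that still allows a Basic Auth protocol (AllowBasicAuthPop, AllowBasicAuthSmtp, ...).
    foreach ($p in Get-AuthenticationPolicy) {
        $allowed = $p.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            Select-Object -ExpandProperty Name
        if ($allowed) {
            $findings += [pscustomobject]@{ Scope = 'AuthPolicy'; Object = $p.Name; Detail = ($allowed -join ', ') }
        }
    }
    return $findings
}

function Get-PopEnabledMailboxes {
    # POP3 cannot use Modern Authentication, so any mailbox with it on is a finding.
    Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled } |
        Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
}

Connect-ExchangeOnline   # interactive sign-in
$report = @(Get-ExternalForwardingFindings) + @(Get-BasicAuthFindings)
$report | Format-Table -AutoSize
Get-PopEnabledMailboxes | Format-Table -AutoSize
```

Each row in the output names the object to remediate. The matching fixes use the same cmdlet families: Set-RemoteDomain -AutoForwardEnabled $false for the tenant, Set-Mailbox or Remove-InboxRule for individual forwarding, an authentication policy with every AllowBasicAuth* setting false assigned as the default, and Set-CASMailbox -PopEnabled $false per mailbox.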
Allow Local IT to better control email clients through the use of distributed Conditional Access.
- Conditional Access is the tool within M365 that uses user and device identity to make access decisions and enforce organizational policies. It could prevent a user from connecting to email, and exposing sensitive data, from an unsupported email client or an out-of-date operating system. This control is actively being investigated and will be deployed in the future.
Enforce encryption on mobile devices used to access wisc.edu email accounts.
- This control depends on a Mobile Device Management (MDM) solution being implemented for campus. MDM is being investigated and will be deployed in the future.
Develop and implement policy for data segregation, archiving, and use when individuals transition into new roles but continue using the same wisc.edu email account (to prevent individuals from retaining access to PHI after a transition/termination of employment).
- This control is actively being investigated and will be deployed in the future.