HIPAA O365 Controls - Controls implemented for the UW-Madison Health Care Component

In early 2019, the HIPAA Executive Board at UW-Madison approved the implementation of the following controls for the UW-Madison Health Care Component.

At UW-Madison, the HCC comprises the “covered entity” to which HIPAA regulations apply. To reduce the risk of inappropriate disclosure of sensitive and restricted data, the campus HIPAA Executive Board has approved the implementation of additional controls affecting Office 365. These controls include:


Restrictions on auto-forwarding email from wisc.edu addresses.

Prohibited use of Basic Authentication.

Prohibited use of the POP email protocol.

Allow Local IT to better control email clients through the use of distributed Conditional Access.

Enforce encryption on mobile devices used to access wisc.edu email accounts.

Develop and implement policy for data segregation, archiving, and use when individuals transition into new roles but continue utilizing the same wisc.edu email account (to prevent individuals from retaining access to PHI after a transition/termination of employment).