Web Accessibility - AMP - HIPAA Web Content and the Accessibility Management Platform (AMP)

Information for faculty and staff who work in the UW-Madison HIPAA Health Care Component, or in a UW-Madison unit that is a HIPAA business associate.

IMPORTANT:

  1. There is no Business Associates Agreement (BAA) with SSB Bart Group.
  2. Do not use the Accessibility Management Platform (AMP) web interface to evaluate a page or pages that might contain PHI. Scanning pages visible to the general public is OK.
  3. Carefully inspect the page to ensure there is no PHI visible before you evaluate the page using the AMP Firefox extension. Only trained staff should attempt this on pages that might contain PHI.

Background:

  • The Accessibility Management Platform (AMP) from SSB Bart Group is “software as a service.”
  • The software runs on remote servers owned and operated by SSB Bart Group on AWS (Amazon Web Services).
  • When the AMP software is evaluating a web page, data from the web page is transmitted and temporarily stored on the remote servers.
  • A screenshot of the current page is taken.
  • SSB Bart Group is not authorized to handle UW-Madison PHI, as there is no Business Associates Agreement (BAA) with them.

The AMP Firefox extension

IMPORTANT: Carefully inspect the page to ensure there is no PHI before you evaluate the page with the Firefox extension.

  • The AMP Firefox extension can evaluate only one page at a time.
  • A page that is not visible to the general public can be evaluated.
  • Whatever the web browser can see, the Firefox extension can see.
  • In order to evaluate the page, the Firefox extension transmits data to the SSB Bart Group remote servers, including any PHI that is visible to the browser while evaluating the page.
  • SSB Bart Group is not authorized to handle UW-Madison PHI.

The AMP Web Interface

IMPORTANT: Do not use the AMP web interface to evaluate pages that could contain PHI.

Pages visible to the general public:

  • It is safe to use the AMP web interface to evaluate pages that are visible to the general public.
  • When using the AMP web interface, the AMP software can normally only see web pages that are visible to the general public.

Pages not visible to the general public:

  • There are additional tools that can allow AMP to see protected web pages by “logging in” as an authorized user. Doing this is risky.
  • It is difficult and often impossible to be certain there is no PHI visible on all the pages scanned while using the AMP web interface.
  • Do not use additional tools to allow the AMP software to scan protected web pages that might contain PHI.



Keywords: web accessibility, AMP, accessibility management platform, ssb bart group, HIPAA web content, security, sensitive data, Testing web pages using AMP that contains HIPAA web content, accessibility testing, accessibility test, baa, business associates agreement
Doc ID: 50803
Owner: Sandi A.
Group: Accessibility
Created: 2015-04-23 14:31 CDT
Updated: 2016-08-10 09:41 CDT
Sites: Accessibility, DoIT Help Desk