Documents and Resources

All HCCG workforce members are personally responsible for ensuring the privacy and security of all patient, confidential, restricted, research data, student information or proprietary information to which they are given access. Please click here to download the agreement.

Access is provided only to individuals whose access has been approved by a UW HCCG Administrator, Director or under a Business Associate Agreement. Please click here to download the agreement.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

The HIPAA Security Rule requires healthcare providers to protect patients’ electronically stored, protected health information (known as “ePHI”) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.

Read frequently asked questions about HIPAA for individuals and professionals.

Please click here to register for HIPAA training in the UW Medicine Compliance Learning Portal (CLP) or send an email to UW Medicine Compliance at

The University provides individuals with disabilities equal access to programs, services and/or activities. Please click here to learn more.

Please click here for: Grievance and Dispute Resolution Resources.

Healthcare organizations are required to perform a periodic evaluation of their compliance with the HIPAA Security Rule. Compliance with this requirement is frequently reviewed during a HIPAA audit or in conjunction with a breach inquiry from the Office for Civil Rights (OCR).

The Compliance and Risk Services Privacy office recommends that Healthcare Components Group (HCCG) units conduct a risk assessment to ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards.

HCCG units can download the HIPAA Security Risk Assessment Tool (SRA Tool), which is designed to help providers conduct a security risk assessment, to guide them through the risk assessment process. A risk assessment also helps reveal areas where each HCCG unit’s protected health information (PHI) could be at risk.

A business associate (BA) is an outside entity (or individual) that is not part of the University of Washington (or its workforce) and that performs a service or activity for or on behalf of the University of Washington that involves the use or disclosure of PHI. Please click here to download the BAA template.

Please click here to review and download the University of Washington Non-UW Medicine Healthcare Components and University of Washington UW Medicine Healthcare Components.

UW Medicine has established a comprehensive Patient Information Privacy Compliance Program related to the HIPAA Privacy Rule, the Washington State Uniform Health Care Act, and various other federal and state privacy laws. Please click here to review the policies.

A combination of state and federal laws protects the privacy of a patient’s medical records, including the Health Insurance Portability and Accountability Act (HIPAA). Washington medical records laws state that only the patient may authorize disclosure of medical records to anyone other than health care providers, penal institution officials, or public health authorities.