Policies & Procedures

Washington University expects all employees and contractors who interact with our patients and/or their protected health information to understand and comply with our policies and procedures related to the HIPAA Privacy and Security Rules.

These policies and procedures are designed to help our workforce understand the requirements for the appropriate use and disclosure of protected health information (PHI), patient rights, and breach notification.

Patient Rights

The HIPAA Patient Rights Policies include the WashU policies for:

  • HPP-0005 Right of Access to PHI-WUSM (NEW) Policy | Form
  • HPP-0005 Right of Access to PHI-WUPI (NEW) Policy | Form
  • HPP-0006 Accounting for Disclosures of PHI-WUSM (NEW) Policy | Form
  • HPP-0006 Accounting for Disclosures of PHI-WUPI (NEW) Policy | Form
  • HPP-0007 Amendment of Protected Health Information-WUSM (NEW) Policy | Form
  • HPP-0007 Amendment of Protected Health Information-WUPI (NEW) Policy |Form
  • Appropriate Methods of Communicating PHI Policy | ProcedureForm
  • HPP-0015 Notice of Privacy Practices (NEW) Policy 
  • HPP-0018 Restrictions on Use or Disclosure of PHI (NEW) Policy | Form
  • HPP-0022 Breach Notification (NEW) Policy

Use and Disclosure of PHI

The Policies for the Use and Disclosure of Protected Health Information include the WashU policies for:

  • HPP-0001 Scope of HIPAA Compliance (NEW) Policy
  • HPP-0002 Designation of HIPAA Privacy Officer (NEW) Policy
  • HPP-0003 WU HIPAA Organizational Structure (NEW) Policy
  • HPP-0004 Privacy Complaints (NEW) Policy
  • Authorization Required for Use and Disclosure of PHI-WUSM Policy | Procedure | Form
  • Authorization Required for Use and Disclosure of PHI-WUPI Policy | Procedure | Form
  • HPP-0009 Business Associates (NEW) Policy 
  • HPP-0011 Use or Disclosure of PHI in Fundraising (NEW) Policy 
  • HPP-0012 Use or Disclosure of PHI in Marketing (NEW) Policy 
  • HPP-0013 Use or Disclosure of PHI in Media Relations (NEW) Policy | Form
  • HPP-0014 Minimum Necessary Request, Use or Disclosure of PHI (NEW) Policy 
  • HPP-0016 Permitted, Required, and Prohibited Uses or Disclosures of PHI without an Authorization (NEW) Policy 
  • HPP-0017 Use or Disclosure of PHI in Research (NEW) Policy 
  • HPP-0019 Sanctions for Non-compliance with HIPAA Policies (NEW) Policy
  • HPP-0020 Photography/Videography for Clinical, Research & Teaching Purposes (NEW) PolicyForm
  • HPP-0021 Engagement of Visiting Learners or Observers (NEW) Policy
  • HPP-0023 HIPAA Privacy and Information Security Training of Workforce Members (NEW) Policy
  • HPP-0024 HIPAA Privacy Incident Reporting (NEW) Policy
  • Security Measures Required to Comply with Privacy Policy

Office of Information Security

Policies, Standards, and Guidelines can be found here.