Medical Records Releases

If a patient would like to receive a copy of their medical records, they can do so by following the instructions on the Washington University Physicians website.

Notice of Privacy Practices

View English version »

View other languages »

Privacy Guidelines

Follow these “HIPAA Hints” when handling of the most common privacy issues.

Emailing protected health information (PHI)

  • Encourage patients to use the patient portal for secure electronic communication with their provider.
  • If email must be used to transmit PHI/PII outside of the secure WUSM/BJC/SLCH environment, the email or the attachment with PHI/PII must be encrypted.
  • Prior to emailing PHI to a patient, obtain the patient’s consent. Our consent form explains the risks associated with email communication and informs the patient that email communications are considered part of the medical record.

Faxing PHI

  • Always use a cover sheet and do not include PHI on the fax cover sheet.
  • The fax cover sheet should include: Sender’s name, facility, telephone and fax number; number of pages being faxed, including the cover sheet; intended recipient’s name, facility, telephone, and fax number.
  • Confidentiality statement.
  • Documents that contain sensitive PHI (mental health, substance abuse treatment, HIV/AIDS, sexually transmitted diseases) should not be faxed.
  • Confirm the fax number with the recipient prior to sending PHI.

Protecting PHI from public viewing

  • Secure paper charts and other written materials containing PHI/PII so that they are not in view or easily accessed by persons who do not have a need to know the information.
  • Place them in an overhead bin or a drawer.  When that is not possible, place the documents in a closed file folder or turn the over to minimize incidental disclosure of PHI/PII.
  • Make sure printers, copiers, and fax machines are located in a secure area.  Promptly remove documents containing PHI.
  • Do not leave documents containing PHI in public areas (conference rooms, cafeterias, restrooms) or other areas where the PHI could be accessed by a person who does not have a business need to view the information.

Preventing incidental verbal disclosures of PHI

  • Do not discuss PHI in public areas such as waiting rooms, elevators, cafeterias, or hallways/links.
  • Keep your voice down when discussing PHI in open areas such as patient registration/check-in.
  • Share only the minimum necessary to accomplish the task at hand.

Disposal of documents containing PHI

  • Dispose of all documents containing PHI in an approved Shred-It container once the document is no longer needed.
  • Do not dispose of PHI in blue recycling container or in waste receptacles.
  • Any personal receptacles/boxes used to store discarded PHI during the day must be emptied into an approved Shred-It container at the end of business each day.

Responding to patient requests for records, amendments, and restrictions

  • Provide the patient with the appropriate paperwork for their request.
  • Send requests for medical records to the Health Information Release Services team; send requests for amendments and/or restriction to the HIPAA Privacy Office.
  • Each of these requests have defined timelines in which we must respond to the patient.
  • Contact the HIPAA Privacy Office for assistance.
  • Download HIPAA Hints Handouts/Posters.