Medical Records Releases

If a patient would like to receive a copy of their medical records, they can do so by following the instructions on the Washington University Physicians website.

Notice of Privacy Practices

View English version »

View other languages »

Privacy Guidelines

Follow these “HIPAA Hints” when handling of the most common privacy issues.

Emailing protected health information (PHI)
  • Encourage patients to use the patient portal for secure electronic communication with their providers.
  • If email must be used to transmit PHI/PII outside of the secure WUSM/BJC/SLCH environment, the email or the attachment with PHI/PII must be encrypted.
  • To encrypt your email and attachments make sure you insert [Secure] in square brackets in the subject line of your email.
  • Prior to emailing PHI to a patient, obtain the patient’s consent. Our consent form explains the risks associated with email communication and informs the patient that email communications are considered part of the medical record.
Faxing PHI
  • Always use a cover sheet and do not include PHI on the fax cover sheet.
  • The fax cover sheet should include the Sender’s name, facility, telephone, and fax number; the number of pages being faxed, including the cover sheet; the intended recipient’s name, facility, telephone, and fax number.
  • Confidentiality statement.
  • Documents that contain sensitive PHI (mental health, substance abuse treatment, HIV/AIDS, sexually transmitted diseases) should not be faxed.
  • Confirm the fax number with the recipient prior to sending PHI.
Protecting PHI from public viewing
  • Secure paper charts and other written materials containing PHI/PII so that they are not in view or easily accessed by persons who do not have a need to know the information.
  • Place them in an overhead bin or a drawer.  When that is not possible, place the documents in a closed file folder or turn the over to minimize incidental disclosure of PHI/PII.
  • Make sure printers, copiers, and fax machines are located in a secure area.  Promptly remove documents containing PHI.
  • Do not leave documents containing PHI in public areas (conference rooms, cafeterias, restrooms) or other areas where the PHI could be accessed by a person who does not have a business need to view the information.
Preventing incidental verbal disclosures of PHI
  • Do not discuss PHI in public areas such as waiting rooms, elevators, cafeterias, or hallways/links.
  • Keep your voice down when discussing PHI in open areas such as patient registration/check-in.
  • Share only the minimum necessary to accomplish the task at hand.
Disposal of documents containing PHI
  • Dispose of all documents containing PHI in an approved Shred-It container once the document is no longer needed.
  • Do not dispose of PHI in blue recycling containers or in waste receptacles.
  • Any personal receptacles/boxes used at your desk to store discarded PHI during the day must be emptied into an approved Shred-It container at the end of business each day.
Responding to patient requests for records, amendments, and restrictions
  • Provide the patient with the appropriate paperwork for their request.
  • Send requests for copies and access to medical records to the Health Information Release Services team; send requests for amendments to the Health Information Management Department; and send requests for restrictions to the HIPAA Privacy Office.
  • Each of these requests has defined timelines in which we must respond to the patient.
  • Contact the HIPAA Privacy Office for assistance, at hipaa@wustl.edu or 314-747-4925.
Downloadable HIPAA Hints Handouts/Posters

General Do’s and Don’ts for Protecting Patient Privacy

Sending an Email with PHI

Faxing PHI

Access to PHI: HIPAA and Personal Representatives of Patients

Handling Disclosures of PHI to Law Enforcement