Medical Records Releases
If a patient would like to receive a copy of their medical records, they can do so by following the instructions on the Washington University Physicians website.
Notice of Privacy Practices
Privacy Guidelines
Follow these “HIPAA Hints” when handling the most common privacy issues.
- Encourage patients to use the patient portal for secure electronic communication with their providers.
- If email must be used to transmit PHI/PII outside of the secure WUSM/BJC/SLCH environment, the email or the attachment with PHI/PII must be encrypted.
- To encrypt your email and attachments, make sure you insert [Secure] in square brackets in the subject line of your email.
- Prior to emailing PHI to a patient, obtain the patient’s consent. Our consent form explains the risks associated with email communication and informs the patient that email communications are considered part of the medical record.
- Always use a cover sheet and do not include PHI on the fax cover sheet.
- The fax cover sheet should include the Sender’s name, facility, telephone, and fax number; the number of pages being faxed, including the cover sheet; the intended recipient’s name, facility, telephone, and fax number.
- Confidentiality statement.
- Documents that contain sensitive PHI (mental health, substance abuse treatment, HIV/AIDS, sexually transmitted diseases) should not be faxed.
- Confirm the fax number with the recipient prior to sending PHI.
- Secure paper charts and other written materials containing PHI/PII so that they are not in view or easily accessed by persons who do not have a need to know the information.
- Place them in an overhead bin or a drawer. When that is not possible, place the documents in a closed file folder or turn them over to minimize incidental disclosure of PHI/PII.
- Make sure printers, copiers, and fax machines are located in a secure area. Promptly remove documents containing PHI.
- Do not leave documents containing PHI in public areas (conference rooms, cafeterias, restrooms) or other areas where the PHI could be accessed by a person who does not have a business need to view the information.
- Do not discuss PHI in public areas such as waiting rooms, elevators, cafeterias, or hallways/links.
- Keep your voice down when discussing PHI in open areas such as patient registration/check-in.
- Share only the minimum necessary to accomplish the task at hand.
- Dispose of all documents containing PHI in an approved Shred-It container once the document is no longer needed.
- Do not dispose of PHI in blue recycling containers or in waste receptacles.
- Any personal receptacles/boxes used at your desk to store discarded PHI during the day must be emptied into an approved Shred-It container at the end of business each day.
- Provide the patient with the appropriate paperwork for their request.
- Send requests for copies and access to medical records to the Health Information Release Services team; send requests for amendments to the Health Information Management Department; and send requests for restrictions to the HIPAA Privacy Office.
- Each of these requests has defined timelines in which we must respond to the patient.
- Contact the HIPAA Privacy Office for assistance, at hipaa@wustl.edu or 314-747-4925.
General Do’s and Don’ts for Protecting Patient Privacy
Access to PHI: HIPAA and Personal Representatives of Patients