What is Health Insurance Portability Accountability Act (HIPAA)?

A federal law, the intent of which is to protect the privacy and security of patient health information that is created and maintained by healthcare providers.

What is Protected Health Information (“PHI”)?

Any type of individually identifiable health information, whether electronically maintained, electronically transmitted, or in any other format (i.e., discussed orally, on paper, or other media, photographed, or otherwise duplicated).

Who is the Washington University (“WU”) HIPAA Privacy Officer?

HIPAA Privacy Officer: Christine Schorb

Who do I contact with a HIPAA question, and how do I report a HIPAA Incident?

If you have a HIPAA Privacy question or concern, please either contact the HIPAA Privacy Office at hipaa@wustl.edu (314-747-4975) or contact your designated HIPAA Privacy Liaison. (See Privacy Liaison.) To report a HIPAA Incident, use the HIPAA Incident Report spreadsheet found at https://hipaa.wustl.edu/report-an-incident/ and email your report to hipaa@wustl.edu.

Who is responsible for maintaining a secure environment and patient privacy?

All WU Workforce members. This includes faculty, staff, volunteers, trainees, and students.

Who may access “WU” confidential health information?

Only those Workforce members who need access for a work-related business purpose.

Am I permitted to look up my sick father’s medical record?

No, you are not permitted to look at your father’s record or any other family member’s record without a work-related business purpose. To be involved and assist in the health care of your parents, other family members, or friends, consider becoming a proxy of their MyChart account. (See MyChart FAQs for more information.)

**Physicians who are involved in the care of their immediate family members are permitted access to the patient’s medical record with the appropriate valid authorization or attestation document on file in the patient’s record.** (See Physician Access Guidelines.)

My spouse asked me to look up their lab results. Am I allowed to do so in Epic?

No, in this case, viewing your spouse’s lab results is not a work-related business purpose and is therefore prohibited. This is true even if the family member or other person gives you permission.

However, if you have been granted proxy access by the patient (e.g., your spouse or parent) to their MyChart patient portal, you may use this to view the laboratory results. Additionally, patients can request a copy of their information via written authorization from the Health Information Release Services department. (See Medical Records Request.)

What other information about a patient is confidential? What about billing records?

Essentially any information that is patient-identifiable, even the patient’s address, is confidential and considered “PHI”. Also, the removal of the patient’s name does not mean the patient’s identity is protected; other information such as a medical record number, a zip code, or a date of birth could still be used for identification. (See HIPAA Identifiers.)

May I use my Epic work access to view my own health record?

No, you must use your work access for work-related business purposes only. However, you may use the MyChart patient portal to access your own health information. You can also obtain a copy of your medical record by submitting a request to our Health Information Release Services Department. (See Medical Records Request.)

My coworker is on medical leave. Can I look up their address in Epic to send them a card?

No, you may not access or view anyone’s health record unless you have a work-related business purpose to do so. Accessing an employee’s health record to get their address, telephone number, birthday, or any other information is not appropriate unless doing so is required for your job. Searching in the Patient Lookup feature in Epic accesses and shows PHI. This is considered access to PHI and requires a work-related business purpose. (See HPP-0011 Minimum Necessary Request, Use, and Disclosure of PHI Policy.)

A new coworker is waiting for their access to Epic. Can I share my login access to Epic with my coworker?

No. Never share your login or password with anyone. Never allow someone else to use your Epic login credentials. Your login credentials are unique to you and are used to identify your activity within Epic.

What is snooping?

Snooping means intentionally accessing patient information without a legitimate work-related business purpose. Snooping is prohibited by law and “WU” HIPAA Privacy policies and procedures, regardless of whether it is malicious, well intended, or out of curiosity. Employees/Workforce members who snoop or otherwise violate “WU” HIPAA Privacy policies are subject to disciplinary action, up to and including termination. (See WU HPP-0020 Sanctions for Non-Compliance with HIPAA Policies.)

What is FairWarning?

FairWarning is a patient privacy intelligence technology that actively monitors and analyzes access to our patient information systems to detect potentially inappropriate access to patient information and other HIPAA privacy violations. Any potentially inappropriate activity that is detected is reviewed and investigated, as necessary. “WU” uses FairWarning to monitor for inappropriate access, such as snooping in a patient’s chart.

May I post about patients on social media?

No. The HIPAA Privacy Regulations prohibit the use of “PHI” on social media without patient Authorization. This includes posts about specific patients, in addition to images or videos that may result in a patient being identified. Some examples of potential HIPAA violations using social media include:

  • Sharing workplace frustrations online without the patient’s name, but with enough details that the patient can easily be identified.
  • Disclosing “PHI” in response to negative comments posted online.
  • Posting photographs or images that are taken from inside a healthcare facility where a patient or “PHI” is visible.
  • DO NOT respond to negative comments from patients on social media.
  • Keep your personal life separate from your professional life!

What does “minimum necessary” mean?

The HIPAA Privacy Rule and “WU” HIPAA Privacy Policies generally require that we access, use and disclose only the minimum amount of “PHI” necessary to complete a work-related duty and that we do so only when the “PHI” is needed for that specific task.

For example, if your job requires access to a patient’s demographic information, it would not be appropriate and would violate the “minimum necessary” standard to also access detailed clinical information in the patient’s record. (See HPP-0011 Minimum Necessary Request, Use, and Disclosure of PHI Policy.)

Are handwritten notes and phone calls about patients considered confidential?

All forms of patient information whether handwritten, spoken, or electronic/digital are confidential and must be protected.

What should you do if a vendor/person/entity requires access to “PHI” to perform their services on behalf of Washington University?

The HIPAA Rules require that we enter into a Business Associate Agreement (BAA) with the vendor (organization/person/entity) to ensure that our PHI will be protected and safeguarded appropriately. First, check the “WU” Purchasing Services list of all current BAAs to see if your vendor already has a BAA with “WU” or if there is another vendor with a BAA who can perform the same services. If your vendor requires a BAA, it is your responsibility to forward a copy of the “WU” BAA template to your contact with the vendor for review and consideration. Any proposed changes should be forwarded to the HIPAA Privacy Office for approval and signature.

How should you dispose of confidential information?

Dispose of confidential papers in the locked shred containers in your area. DO NOT dispose of PHI in recycling bins or regular trash containers. Make sure you always leave your workspace free of paper “PHI” before you leave at the end of the day.

What can I do to protect patient privacy while working from home?

Safeguard “PHI” at home just as you would if working on campus in your office.

  • Make sure “PHI” is not visible to others.
  • Make sure that family members and others are not able to read or access your computer.
  • Conduct phone calls in an area where “PHI” cannot be overheard.
  • Be mindful on video calls: Is “PHI” visible to people on the call? To people in your home?
  • Use a headset for phone calls or video calls if you cannot prevent others in your home from overhearing the conversation.
  • Make sure that all documents containing “PHI” are shredded using a crosscut shredder.
  • As always, do not discuss “PHI” with others in your home.

What should I do if I receive a fax containing “PHI” that was received in error?

Misdirected faxes received by “WU” health clinics and/or other “WU” business units/departments from non-“WU” health care facilities may expose “PHI” and other confidential information to individuals who are not authorized to see that information. If this occurs, proceed as follows:

  • Notify the sender and return the fax if requested.
  • Shred the original fax if not asked to return it to the sender.
  • Contact the “WU” HIPAA Privacy Office at hipaa@wustl.edu with questions.