A federal law, the intent of which is to protect the privacy and security of patient health information that is created and maintained by healthcare providers.
Any type of individually identifiable health information, whether electronically maintained, electronically transmitted, or in any other format (i.e., discussed orally, on paper, or other media, photographed, or otherwise duplicated).
HIPAA Privacy Officer: Christine Schorb
If you have a HIPAA Privacy question or concern, please either contact the HIPAA Privacy Office at firstname.lastname@example.org (314-747-4975) or contact your designated HIPAA Privacy Liaison. (See Privacy Liaison.) To report a HIPAA Incident, use the HIPAA Incident Report spreadsheet found at https://hipaa.wustl.edu/report-an-incident/ and email your report to email@example.com.
All WU Workforce members. This includes faculty, staff, volunteers, trainees, and students.
Only those Workforce members who need access for a work-related business purpose.
No, you are not permitted to look at your father’s record or any other family member’s record without a work-related business purpose. To be involved and assist in the health care of your parents, other family members, or friends, consider becoming a proxy of their MyChart account. (See MyChart FAQs for more information.)
**Physicians who are involved in the care of their immediate family members are permitted access to the patient’s medical record with the appropriate valid authorization or attestation document on file in the patient’s record.** (See Physician Access Guidelines.)
No, in this case, viewing your spouse’s lab results is not a work-related business purpose and is therefore prohibited. This is true even if the family member or other person gives you permission.
However, if you have been granted proxy access by the patient (e.g., your spouse, or parent) to their MyChart patient portal, you may use this to view the laboratory results. Additionally, patients can request a copy of their information via written authorization from the Health Information Releases Services department. (See Medical Records Request.)
Essentially any information that is patient-identifiable, even the patient’s address, is confidential and considered “PHI”. Also, the removal of the patient’s name does not mean the patient’s identity is protected; other information such as a medical record number, a zip code, or a date of birth could still be used for identification. (See HIPAA Identifiers.)
No, you must use your work access for work-related business purposes only. However, you may use the MyChart patient portal to access your own health information. You can also obtain a copy of your medical record by submitting a request to our Health Information Release Services Department. (See Medical Records Request.)
No, you may not access or view anyone’s health record unless you have a work-related business purpose to do so. Accessing an employee’s health record to get their address, telephone number, birthday, or any other information is not appropriate unless doing so is required for your job. Searching in the Patient Lookup feature in Epic accesses and shows PHI. This is considered access to PHI and requires a work-related business purpose. (See HPP-0011 Minimum Necessary Request, Use, and Disclosure of PHI Policy.)
No. Never share your login or password with anyone. Never allow someone else to use your Epic login credentials. Your login credentials are unique to you and are used to identify your activity within Epic.
Snooping means intentionally accessing patient information without a legitimate work-related business purpose. Snooping is prohibited by law and “WU” HIPAA Privacy policies and procedures, regardless of whether it is malicious, well intended, or out of curiosity. Employees/Workforce members who snoop or otherwise violate “WU” HIPAA Privacy policies are subject to disciplinary action, up to and including termination. (See WU HPP-0020 Sanctions for Non-Compliance with HIPAA Policies.)
FairWarning is a patient privacy intelligence technology that actively monitors and analyzes access to our patient information systems to detect potentially inappropriate access to patient information and other HIPAA privacy violations. Any potentially inappropriate activity that is detected is reviewed and investigated, as necessary. “WU” uses FairWarning to monitor for inappropriate access, such as snooping in a patient’s chart.
No. The HIPAA Privacy Regulations prohibit the use of “PHI” on social media without patient Authorization. This includes posts about specific patients, in addition to images or videos that may result in a patient being identified. Some examples of potential HIPAA violations using social media include:
- Sharing workplace frustrations online without the patient’s name, but with enough details that the patient can easily be identified.
- Disclosing “PHI” in response to negative comments posted online.
- Posting photographs or images that are taken from inside a healthcare facility where a patient or “PHI” is visible.
- DO NOT respond to negative comments from patients on social media.
- Keep your personal life separate from your professional life!
The HIPAA Privacy Rule and “WU” HIPAA Privacy Policies generally require that we access, use and disclose only the minimum amount of “PHI” necessary to complete a work-related duty and that we do so only when the “PHI” is needed for that specific task.
For example, if your job requires access to a patient’s demographic information, it would not be appropriate and would violate the “minimum necessary” standard to also access detailed clinical information in the patient’s record. (See HPP-0011 Minimum Necessary Request, Use, and Disclosure of PHI Policy.)
All forms of patient information whether handwritten, spoken, or electronic/digital are confidential and must be protected.
The HIPAA Rules require we enter into a Business Associate Agreement (BAA) with the vendor (organization/person/entity) to ensure that our PHI will be protected and safeguarded appropriately. First, check the “WU” Purchasing Services list of all current BAAs to see if your vendor already has a BAA with “WU” or if there is another vendor with a BAA who can perform the same services. If your vendor requires a BAA, it is your responsibility to forward a copy of the “WU” BAA template to your contact with the vendor for review and consideration. Any proposed changes should be forwarded to the HIPAA Privacy Office for approval and signature.
Dispose of confidential papers in the locked shred containers in your area. DO NOT dispose of PHI in recycling bins or regular trash containers. Make sure you always leave your workspace free of paper “PHI” before you leave at the end of the day.
Safeguard “PHI” at home just as you would if working on campus in your office.
- Make sure “PHI” is not visible to others.
- Make sure that family members and others are not able to read or access your computer.
- Conduct phone calls in an area where “PHI” cannot be overheard.
- Be mindful on video calls: Is “PHI” visible to people on the call? To people in your home?
- Use a headset for phone calls or video calls if you cannot prevent others in your home from overhearing the conversation.
- Make sure that all documents containing “PHI” are shredded using a crosscut shredder.
- As always, do not discuss “PHI” with others in your home.
Misdirected faxes received by “WU” health clinics and/or other “WU” business units/departments from non-“WU” health care facilities may expose “PHI” and other confidential information to individuals who are not authorized to see that information. In the event of this occurrence please proceed as follows:
- Notify the sender and return the fax if requested;
- Shred the original fax if not asked to return it to the sender.
- Contact the “WU” HIPAA Privacy Office at firstname.lastname@example.org with questions.