Everyone has received HIPAA training. Use it as a guide for all patient data security.

All EPHI (Electronic Protected Health Information) should be the minimum needed to complete the task.

Emailing EPHI

  • Emailing a single patient's data within the University & BJC is OK. This can be done using a standard non-encrypted message.
  • Emailing a single patient's EPHI outside the University & BJC is NOT OK, unless the data is encrypted.
  • Emailing EPHI for multiple patients, inside or outside the University & BJC, is NOT OK unless the data is encrypted. Tips on how to encrypt data are located on the HIPAA Privacy Office's website.

Storing EPHI

  • All EPHI associated with your role as an employee of the University must be stored on files.wustl.edu or RIS. This includes Epic/Billing data, research/subject data, and clinical systems output or extracts. There are no exceptions. For clarification, contact Nic Labbee or your local Division Administrator.
  • Desktop computers that access clinical systems should be encrypted, since they may retain EPHI in local storage caches. Please understand that this is a requirement of the University.

Transmitting EPHI (for presentations, for authorized transfers outside the University, etc.)

  • Please use an encrypted USB device or laptop. Contact the WUIT Helpdesk if you have a laptop (purchased with Department funds) that needs encrypting.
  • Delete the EPHI immediately upon completion of the task.

EPHI on mobile devices

  • A password on the device is required.
  • The Department's standard devices are the iPad and iPhone. They have encryption enabled automatically.
  • Android devices are made by many different vendors and are hard to assess as a group. The end user must encrypt the device to use our email system.
  • Delete the EPHI immediately upon completion of the task.

WUDA HIPAA Privacy Officer

Linda Yun can be reached via email

WUDA HIPAA Security Officer

Nic Labbee can be reached via email