Everyone has received HIPAA training. Use it as a guide for all patient data security.

Limit all EPHI (Electronic Protected Health Information) to the minimum needed to complete the task.

Emailing EPHI

  • Emailing a single patient's data within the University & BJC is OK. This can be done using a standard non-encrypted message.
  • Emailing a single patient's EPHI outside the University & BJC is NOT OK, unless the data is encrypted.
  • Emailing multiple amounts of EPHI inside or outside the University & BJC is NOT OK, unless the data is encrypted. Tips on how to encrypt data are located on the HIPAA Privacy Office's website.

Storing EPHI

  • All data with EPHI that are associated with your role as an employee of the University must be stored on our "WUDA" file servers (typically the S: or R: drives). This data includes IDX/Billing, research/subject, and clinical systems output or extracts. There are no exceptions. For clarification, you can contact Randy Branson or your local Division Administrator.
  • Desktop computers that access clinical systems (they may retain EPHI in local storage caches) should be encrypted. This work is being done now by Information Services. It will continue for some time. Please understand that this is a requirement of the University.

Transmitting EPHI (for presentations, for authorized transfers outside the University, etc.)

  • Please use an encrypted USB device or laptop. Information Services has distributed over 100 USB thumb drives that meet the requirement – please use them. Contact the PAIS Helpdesk if you have a laptop (purchased with Department funds) that needs encrypting.
  • Delete the EPHI immediately upon completion of the task.

EPHI on mobile devices

  • A password on the device is required.
  • The Department's standard devices are the iPad and iPhone. They have encryption enabled automatically (iPhone 3GS & later and all iPads).
  • Android devices are made by many different vendors and are hard to quantify. The end user must encrypt the device to use our email system.
  • Delete the EPHI immediately upon completion of the task.

WUDA HIPAA Privacy Officer

Kelly Nessel can be reached via email or by phone at (314) 362-2340.

WUDA HIPAA Security Officer

Randy Branson is available by email or by phone at (314) 286-1053.