HIPAA Identifiers

HIPAA identifiers are 18 points of information that can be used to identify an individual or combined with other information to identify an individual.

HIPAA Hints: Privacy Guidelines

The Washington University HIPAA Privacy Office has created HIPAA Hints to provide guidance for some of the most common privacy issues.


Patient Communication Form; Email Authorization Form; Media Authorization Form; Medical Records Release Form; Request for Alternative Methods of Communication; Request for Restriction to Health Plan (Self-Pay); Request for Amendment of Protected Health Information Form; Request for Restrictions on Use or Disclosure of Protected Health Information Form; Washington University Business Associate Agreement; Request for Accounting of […]

HIPAA Privacy Information

Centered on your privacy. Washington University health care providers respect the confidentiality of our patients’ health information by observing the highest standards of ethics and integrity. Our Notice of Privacy Practices describes your rights under HIPAA and how Washington University may use and disclose your protected health information. If you have not reviewed our Notice of Privacy Practices. […]

HIPAA Privacy Training

Workforce members at the Medical School are also required to complete HIPAA 101, a set of online training modules that cover the HIPAA Privacy, Security and Breach Notification Rule. Classroom and online refresher training is also available. Refresher courses include topics such as: HIPAA 101: Privacy Matters – Protecting Patient Privacy through Data Security Encryption […]

HIPAA Patient Forms and Rights

HIPAA provides patients with several rights, all described in our Notice of Privacy Practices.  The HIPAA Privacy Office works with our clinical departments, physicians, and Health Information Release Services to facilitate requests related to your rights under HIPAA.  These rights include: The right to request a copy of your medical records from Washington University Physicians for yourself or […]

HIPAA Health and Patient Information Policies

Health and Patient Information Policies: Washington University expects all employees and contractors who interact with our patients and/or their protected health information to understand and comply with our policies and procedures related to the HIPAA Privacy and Security Rule. These policies and procedures are designed to help our workforce understand the requirements for the appropriate […]

Control Zone

A control zone is a categorical designation applied to infrastructure . . .

Policy 100 Information Security Program

The policy is the foundation of the policy library. It establishes the charge and mission of the Office of Information Security (OIS) to protect the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).

Keeping Information Security Simple – “Using Code Words to Defeat the AI Menace”

Letter from the CISO, Vol 3 Issue 9. Washington University Community: Artificial Intelligence is a tool. Artificial Intelligence, or AI, has received a lot of attention and interest over the past year, primarily due to the great advances in productivity and quality it seems to promise. WashU IT is excited to be helping the university […]

Security Guidance for Automatic Transcription Services

Many WashU community members create audio and video recordings in research, during meetings, while attending lectures, and in other circumstances. These recordings can be indispensable to a project because they document what was said with perfect fidelity for future reference and analysis. A transcript of the recording is even more helpful, making it easy to […]


Compliance in cyber security means meeting certain standards and obeying regulations…

Business Associate Agreement (BAA) Explained

If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI. Who is a Business Associate? It is a person or entity outside of WashU who creates, receives, maintains, or […]

Personal Device Security Policy

The policy and associated guidance provide requirements for using personal devices to access, create, host, and transmit confidential and/or protected information.

Media Reuse and Disposal Policy

The policy and associated guidance provide requirements for reuse or disposal of WashU systems containing protected or confidential information.

Information Security Risk Management Policy

The policy and associated guidance provide a common methodology and organized approach to Information Security risk management whether based on regulatory compliance requirement or a threat to the university.

Electronic Messaging Security Policy

The policy and associated guidance provide direction for electronic messages (i.e. email, chat, and other electronic messages) containing WashU confidential and/or protected information.

Computer Use Policy

This policy and associated guidance provide direction for appropriate use of computer systems, networks, and information at WashU.

WEBINAR: Exciting Days in the Office of Information Security with CISO, Chris Shull

Curious about attempted cybercrime at WashU? Join our webinar to learn about how WashU protects its users and systems from online threats.   Chris Shull, Chief Information Security Officer, will talk about the comprehensive preventive, detective, and responsive defenses we are building in response to the wide range of Information Security challenges we face. One […]

WEBINAR: Careers in Cybersecurity with Brian Allen

Did you know that there are more than three million open positions in cybersecurity today? There is a huge demand for cybersecurity professionals today, and the Bureau of Labor Statistics predicts that this trend will continue for the next decade and beyond. This high demand means opportunity, competitive salaries, and job security.  Effective cybersecurity requires […]

WEBINAR: Phishing Incidents and their Impact to the University with Jason Murray

Curious about attempted cybercrime at WashU? Join our webinar to learn about how WashU protects its users and systems from online threats.   Information Security Assistant Director and Architect for Digital Forensics and Incident Response, Jason Murray, will discuss incidents and vulnerabilities detected on the WashU network during the last year and the new tools […]

WEBINAR: Security in Research with Michael Mayer

Do you want to know how security plays into research at WashU?  Please join Michael Mayer, Information Security Analyst III, with the Office of Information Security, and bring your questions about how to secure your research. Mark your calendars and join us via Zoom on October 11 at 12 pm CST. This webinar is exclusively […]

Wonderful OneTrust

The Information Security Governance, Risk, and Compliance (GRC) team, led by Assistant Director, Denise Woodward, handles many types of security-related requests from the WashU community. When researchers need a security review of the tools they’re using for a study, when a department wants to adopt new technology, or when someone requires a specialized solution for […]

Protected Health Information (PHI)

Protected health information (PHI) refers to health data created, kept, or shared by HIPAA-covered entities and their commercial partners in the provision of healthcare, healthcare operations, and payment for such services.

IRB Security Review

In the IRB Security Review process, our team works with research coordinators to evaluate security risks involved in the research process.

Keeping Information Security Simple – Privacy – Free isn’t free: If you aren’t paying for it, you and your data are the product being sold!

Letter from the CISO, Vol 1 Issue 8. Washington University Community: This is the National Cybersecurity Alliance’s Data Privacy Week (https://staysafeonline.org/data-privacy-week/), and because security is closely related to privacy, I thought I’d say a few things about it. The “right to privacy” was defined by Justice Louis Brandeis in an 1890 article as the right […]

Threats to Your Research Data and Intellectual Property

Your research data and intellectual property are valuable, not only in the pursuit of knowledge for the betterment of society but also to cybercriminals who seek to steal it or hold it for ransom. According to the Federal Bureau of Investigation, intellectual property theft is a growing threat in the digital era, and much […]

Meet Your InfoSec Team: James Gagliarducci, Information Security Director

James Gagliarducci, Director of Information Security, an electrical engineer by training and a security whiz by experience and certification, started out designing radar systems for the Department of Defense. He joined WashU IT as a network engineer in the 90s. Remembering those days, James says, “I loved it.” When the Health Insurance Portability and Accountability […]

Protected Data

Protected data refers to data regulated by federal, state, and local legislation.

Phishing 101

Email phishing has long been the method of choice for many cybercriminals who seek to exploit vulnerabilities for personal gain. These attacks are continually revised and refreshed to take advantage of current trends and new strategies used to socially engineer their victims.  Phishing works so well because it takes advantage of human emotion, convincing unsuspecting […]

Thank You for Participating in Cybersecurity Awareness Month 2020

The Office of Information Security extends its gratitude to the faculty, staff, and students who participated in the events and activities of Cybersecurity Awareness Month 2020! During the month of October, we hosted a slate of webinars and presentations to help our community stay informed and empowered in the digital era. This year, our program […]

WEBINAR: Securely Managing Protected Information

The HIPAA Privacy Office, WashU IT, and the Office of Information Security invite you to attend a one-hour discussion and Q&A about safely handling protected data and using WUSTLBox to develop a secure workflow. Hosts will include Christine Schorb, HIPAA Privacy Officer, Eric Suiter, Systems Engineer with expertise in WUSTLBox, and Kevin Hardcastle, Chief Information […]

Protect Yourself from Social Engineering

The Office of Information Security continuously works to protect our community from a wide variety of phishing activity and other security threats. Currently, the majority of the phishing threats we see involve some form of social engineering. What is social engineering? Social engineering attempts to manipulate people by exploiting psychology and emotions such as fear, […]

Tax Deadline Extension and Phishing Scams

As a result of the COVID-19 pandemic, the deadline for filing state and federal tax returns is postponed until July 15, 2020. As the deadline approaches, we want to make you aware of the more common tax fraud scams that our office sees each year. We have also compiled some helpful resources to assist you […]

Tax Time is Open Season for Phishing Scams

Tax season is here again, and with it comes an uptick in scammers using phishing emails designed to steal personal information from their victims in order to commit tax fraud. We encourage you to use extreme caution with any email correspondences requesting personal information. Please refrain from opening any attachments or following any links in […]

NCSAM Retrospective

The Office of Information Security recently wrapped up a month of exciting activities and events across Washington University campuses for National Cybersecurity Awareness Month. We are grateful to everyone who took the time to participate in this year’s events, and we are already looking forward to next year’s program. During October 2019, the Office of […]

Security Controls

The Office of Information Security (OIS) will review and identify the applicable security frameworks – International Organization for Standardization, National Institute of Standards and Technology (NIST) Security Controls (SP800-53) and other identified industry standards to be applied and tailored within Washington University (WashU) departments and schools. Controls will be assigned to create protection levels. Control […]

Secure Storage and Communication Services

Before using external websites or cloud services to store, create or transmit WashU confidential or Protected information please review the tables below for approved services. If what you are looking for is not listed, the following reviews are needed. Collaboration Reference the tables below to determine which collaboration service is best for storing and sharing your data. […]

Vulnerability Assessment

The scanner is capable of meeting all the requirements outlined for RA-5 priorities low, medium, high. The appliance performs assessments against system security policies and identifies vulnerabilities with CVE scoring. It has customizable templates that measure compliance with SOX, PCI DSS, HIPAA, ISO 27002, FISMA, and FDCC (Federal Desktop Core Configuration) baseline. It supports content […]


Document /ˈdä-kyə-mənt/ (noun): a computer file containing information input by a computer user and usually created with an application (such as a spreadsheet or word processor). In the course of a year, WashU students, faculty and staff create millions of electronic documents related to the academic, research, clinical and/or administrative work done at the university. Not all of […]


phish∙ing /’fiSHiNG/ (noun): the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing is an illegal way that criminals gather private information for the purposes of sending spam, sending phishing e-mails, logging onto university systems and […]