The HIPAA Privacy and Security Rules require entities, including WashU, to implement certain safeguards when communicating electronic Protected Health Information (ePHI). Consequently, WashU workforce members must ensure the confidentiality and integrity of ePHI by following the university-approved best practices and safeguards for electronic communications.
For Patient Communications:
- Utilize the Epic MyChart patient portal as your primary tool for all communications with patients. MyChart helps ensure that conversations with patients are secure and properly documented in their electronic health records.
For Provider-to-Provider Communications:
- Utilize Epic Secure Chat for communications between providers. Secure Chat facilitates efficient and secure conversations among healthcare providers.
For Email Communications Containing PHI:
- When sending emails containing PHI to addresses outside the WU or BJC email domains, encryption is essential to maintaining security.
- To encrypt an email, place “[secure]” in the subject line.
- This encryption practice applies to various recipients, including referring or consulting physicians, therapy providers, pharmacies, vendors, and research sponsors/monitors/collaborators.
- Do not include PHI in the subject line of the email.
As a reminder, SMS text messages are not secure and cannot contain PHI. Text messaging can be used for clinical communication as long as no HIPAA identifiers (e.g., name, medical record number, room number) are included. For example, texting ‘Your post-op patient has arrived at the clinic’ is compliant as it contains no HIPAA identifiers. However, ‘Abraham Lincoln has arrived at the clinic’ would not be compliant because it contains a HIPAA identifier.
By implementing these safeguards, we can protect ePHI from unauthorized access and maintain the privacy and security of patient information. For guidance on clinical communications associated with services provided outside the Epic environment, please contact the HIPAA Privacy Office at hipaa@wustl.edu.