Statement of Policy

Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.


This policy applies to sending e-mails containing confidential and/or protected information.


All WashU E-mail users are expected to comply with:

  • State laws
  • Federal laws
  • Washington University in St. Louis policies

WashU may permit access to review, monitor or disclose e-mail as it is necessary upon approval from Human Resources or the Office of the General Counsel.  Users are responsible for providing email not retained in the WashU email system that may be relevant upon request by Human Resources or the Office of the General Counsel.


All E-mail that travels across external networks will utilize an encryption mechanism to ensure the confidentiality of the data. Workforce members are responsible to password protect and encrypt attachments (Microsoft Office, Adobe PDF, etc.) and validate the recipients E-mail address.
Encryption exceptions are as follows:

  • WashU BJC communication – secure network
  • Patient has opted out of encryption per Email Consent Form
WashU e-mail signature line

Refer to the HIPAA Privacy Office for the security measures required to comply with privacy policies for information on creating Automatic Signatures.

External mail services
  • Workforce members will not provide his / her WashU login ID or password to another person or vendor due to potential security risks
  • Autoforwarding WashU E-mail accounts containing protected information to any external mail service (Google, Yahoo, etc.) is not permitted
  • Public E-mail services will not be used for patient care

Faculty, staff and students should not use their Washington University E-mail accounts for personal matters such as financial or banking transactions.

Title: E-Mail Security Policy
Version Number: 2.1
Creation Date: April 2, 2008
Reference Number: 02.06
Status: Final
Revision Date: February 22, 2017
Policy Owner: Information Security Office