Before using external websites or cloud services to store, create or transmit WashU confidential or Protected information the following reviews are needed.
- Contact the data owner to verify data classification and inquire about intellectual property
- All of the following services have been released by public affairs unless otherwise noted
- Please request an Information Security Risk review.
- FaceTime and other similar communication tools for clinical patient care have been evaluated by Washington University School of Medicine. These “on demand” video tools are not appropriate for clinical use or patient care.
- Storage of PHI may require a signed Business Associates Agreement (BAA). Please work with the HIPAA Privacy Office and Resource Management to discuss prior to storing information, purchasing a product, or signing any contracts (Please note this is not the original record).
Collaboration
Reference the tables below to determine which collaboration service is best for storing and sharing your data. We have divided these services into four subcategories: storage, teamwork, cloud, and services that are not approved for confidential or protected data.
Storage
| PHI | PII | HR | Legal | Financial | |
| WashU Research Data Storage | ✔ | ✔ | ✔ | ✔ | ✔ |
| WUSTL Box | ✔ | ✔ | ✔ | ✔ | ✔ |
| WURN (public) | |||||
| WURN (private) | ✔ | ✔ | ✔ | ✔ | |
| OneDrive (WashU instance) | ✔ | ✔ | ✔ | ✔ | ✔ |
| Lab Archives | ✔ | ✔ | ✔ | ✔ | ✔ |
| SharePoint | ✔ | ✔ | ✔ | ✔ | ✔ |
| Files and Storage Service1 | ✔ | ✔ | ✔ | ✔ | ✔ |
Footnotes
1. Files and Storage Service also has the ITAR protection
Teamwork
| PHI | PII | HR | Legal | Financial | |
| Teams(WashU)1 | ✔ | ✔ | ✔ | ✔ | |
| Zoom (WashU HIPAA instance) | ✔ | ✔ | ✔ | ✔ | ✔ |
Footnotes
1. Teams is prohibited for patient visits. Teams can be used among our team members to collaborate internally on patient care issues, but is not meant for direct patient care
Cloud
| PHI | PII | HR | Legal | Financial | |
| WashU Cloud Computing Service | ✔ | ✔ | ✔ | ✔ | ✔ |
| Amazon Web Services (WashU) (DLT) | ✔ | ✔ | ✔ | ✔ | ✔ |
| Azure (WashU instance) | ✔ | ✔ | ✔ | ✔ | ✔ |
| ServiceNow | ✔ | ✔ | ✔ | ||
| Google Cloud Platform (WashU) | ✔ |
Services not approved for confidential or protected data
- PCI Certified Storage1
- Amazon Web Services (AWS)2
- Azure – Government (FEDRAMP)3
- Google Drive
- Drop Box
- iCloud
Footnotes
1. As the name implies, PCI Certifies Storage also has the PCI protection
2. Amazon Web Services – Government (FEDRAMP) is a separate service that has FISMA protections, but it has no other protections and is not confidential.
3. This service also has FISMA protections, but it has not been released by public affairs
Communication
Type 1
Type 1 communication services has some protection and confidentiality tools. Reference the table below to determine if the communication service you are using is appropriate.
| PHI | PII | HR | Legal | Financial | |
| EPIC – Haiku, Canto | ✔ | ✔ | |||
| Teams (WashU) Internal1 | ✔ | ✔ | ✔ | ✔ | |
| Epharmix | ✔ | ✔ | ✔ | ✔ | ✔ |
| AMS Connect – Encrypted Pager | ✔ | ✔ | ✔ | ✔ |
Footnotes
1. Teams is prohibited for patient visits. Teams can be used among our team members to collaborate internally on patient care issues, but is not meant for direct patient care
Type 2
Type 2 Communication services are not approved for protected or confidential data.
List of Services
- WashU Sites
- Commercial Email (i.e, Gmail, Yahoo)
- Slack
- SMS text
- Social Media Direct Message (i.e. Facebook, Twitter)
- iMessage (Apple)
- Android Message
- Basic Pager
- Facetime
Survey
| PHI | PII | HR | Legal | Financial | |
| RedCap | ✔ | ✔ | ✔ | ✔ | ✔ |
| RedCap Cloud | ✔ | ✔ | ✔ | ✔ | ✔ |
| JotForm | ✔ | ✔ | ✔ | ✔ | ✔ |
| Qualtrics1 | ✔ | ✔ | ✔ |
Footnotes
1. Research use only. Not for clinical care.