Before using external websites or cloud services to store, create or transmit WashU confidential or Protected information the following reviews are needed.

  • Contact the data owner to verify data classification and inquire about intellectual property
  • All of the following services have been released by public affairs unless otherwise noted
  • Please request an Information Security Risk review.
  • FaceTime and other similar communication tools for clinical patient care have been evaluated by Washington University School of Medicine.  These “on demand” video tools are not appropriate for clinical use or patient care.
  • Storage of PHI may require a signed Business Associates Agreement (BAA). Please work with the HIPAA Privacy Office and Resource Management to discuss prior to storing information, purchasing a product, or signing any contracts (Please note this is not the original record).

Collaboration

Reference the tables below to determine which collaboration service is best for storing and sharing your data. We have divided these services into four subcategories: storage, teamwork, cloud, and services that are not approved for confidential or protected data.

Storage

PHIPIIHRLegalFinancial
WashU Research Data Storage
WUSTL Box
WURN (public)
WURN (private)
OneDrive (WashU instance)
Lab Archives
SharePoint
Files and Storage Service1
Footnotes

1. Files and Storage Service also has the ITAR protection

Teamwork

PHIPIIHRLegalFinancial
Teams(WashU)1
Zoom (WashU HIPAA instance)
Footnotes

1. Teams is prohibited for patient visits. Teams can be used among our team members to collaborate internally on patient care issues, but is not meant for direct patient care

Cloud

PHIPIIHRLegalFinancial
WashU Cloud Computing Service
Amazon Web Services (WashU) (DLT)
Azure (WashU instance)
ServiceNow
Google Cloud Platform (WashU)

Services not approved for confidential or protected data

  • PCI Certified Storage1
  • Amazon Web Services (AWS)2
  • Azure – Government (FEDRAMP)3
  • Google Drive
  • Drop Box
  • iCloud
Footnotes

1. As the name implies, PCI Certifies Storage also has the PCI protection

2. Amazon Web Services – Government (FEDRAMP) is a separate service that has FISMA protections, but it has no other protections and is not confidential.

3. This service also has FISMA protections, but it has not been released by public affairs

Communication

Type 1

Type 1 communication services has some protection and confidentiality tools. Reference the table below to determine if the communication service you are using is appropriate.

PHIPIIHRLegalFinancial
EPIC – Haiku, Canto
Teams (WashU) Internal1
Epharmix
AMS Connect – Encrypted Pager
Footnotes

1. Teams is prohibited for patient visits. Teams can be used among our team members to collaborate internally on patient care issues, but is not meant for direct patient care

Type 2

Type 2 Communication services are not approved for protected or confidential data.

List of Services

  • WashU Sites
  • Commercial Email (i.e, Gmail, Yahoo)
  • Slack
  • SMS text
  • Social Media Direct Message (i.e. Facebook, Twitter)
  • iMessage (Apple)
  • Android Message
  • Basic Pager
  • Facetime

Survey

PHIPIIHRLegalFinancial
RedCap
RedCap Cloud
Qualtrics1
Footnotes

1. Research use only. Not for clinical care.