HIPAA Computer Compliance

The Health Insurance Privacy and Accountability Act (HIPAA) went into effect in April 2003. This law requires health care systems and their business partners and affiliates to treat Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) as confidential, private and sensitive. HIPAA documents set strict parameters within which patients' health information may be shared, stored, transmitted and discarded. All of these parameters are described in the Washington University HIPAA security policies.

Even though we are not a clinical department, PHI or EPHI may exist in some form in a research laboratory or research database. For this reason, we are required to monitor our operations vigilantly and to take steps to comply with the law in the event that any researcher in this department begins receiving, storing and/or using protected health information. You can maintain that vigilance by reading the HIPAA security policies and raising your own level of awareness. Please be aware that the entire Washington University School of Medicine is considered a HIPAA covered entity and that HIPAA policies and regulations apply in full no matter where you are in the complex.

At least once a year, all employees and faculty will be reminded about HIPAA via this notice. You must be aware of these policies and help ensure compliance with them. Also, at least annually, each faculty member will be asked to certify whether or not any PHI exists in their operation. If your laboratory comes into possession of any such information in the meantime, please contact Philippe Breton (314-747-2968, pbreton@wustl.edu) or Lise Westfall (314-362-7057, Lise@wustl.edu) immediately so that we can take steps to ensure the information is protected as the law requires. Penalties for non-compliance are significant.

Please review the HIPAA policies and the glossary of terms to remind you what kinds of information are protected.