Student Health Services adheres strictly to the federal Health Information Portability and Accountability Act (HIPAA). This federal law mandates the confidentiality of medical information and records for students over 18 years of age.
Patient medical information is private and will only be shared with others if given permission by the patient. Student Health Services and Mental Health Services will not share medical information with parents, faculty, or deans without consent. Student Health Services providers are restricted from taking part in academic evaluations and/or performance reviews of students. The Student Health Service has contracted with numerous mental health providers on-campus and off to ensure confidentiality.
Students have a right to expect that the staff, physicians, and mental health providers will follow a strict code of practice on confidentiality and are mindful of standards of professional conduct designed to keep sensitive personal information confidential. This includes keeping confidential information under secure conditions, limiting access, shredding rather than throwing away sensitive documents, not leaving sensitive documents exposed on desktops, and not discussing sensitive information on the telephone when unauthorized persons are present.
On the issue of confidentiality in matters relating to student health and welfare, while emphasizing the responsibility to respect privacy, the policy also advises on those extremely rare circumstances when it would be appropriate to share information with third parties who have a clear need to know that there are specific concerns about a student, e.g. where there is a significant danger of a student harming themselves or others.
These guidelines have been drawn up by Washington University School of Medicine (WUSM) Student Health Services in order to clarify the issue of confidentiality. They are intended for all staff and providers contracted at WUSM Student Health Services who come into contact with students. The WUSM Student Health Service is committed to delivering quality health care services, including protecting the confidentiality of patient health and financial information from unauthorized use or disclosure. WUSM Student Health is required by both federal and state law to protect the privacy of its patients.
WUSM Student Health Service employees, including all physicians and contracted providers, conduct their activities in such a way as to:
- Meet applicable federal, state, and local rules and regulations
- Reflect creditably on and be in accordance with administrative university policies for personal and professional conduct
- Comply with university policies and procedures relating to ethical business practices and legal compliance
Confidentiality of medical records
Medical records are considered privileged communication and will not be released without your written consent, with the exception of communicable diseases. The state statute requires notification to the official Public Health Agency for epidemiological purposes. All psychotherapy notes are defined by federal law as those notes of a mental health provider documenting or analyzing conversations during a private counseling session or a group counseling session and that are kept separated from the rest of the medical record. The patient files from these interactions are confidential.
The Occupational Safety and Health Act requires that records relating to students/employees exposed to toxic substances or harmful physical agents must be retained for at least 30 years after exposure. This requirement includes any and all other health records of the exposed student/employee. The definition of exposure is: human blood or body fluids, animal, TB conversion. Student records containing invasive procedures and/or pathology reports are required to be maintained for ten years. Student Health will maintain all designated medical records set for graduated/withdrawn student for a minimum of 10 years, 30 years for students defined as exposed. All account payable records will be maintained for five years.
WUSM Student Health Services acknowledges the interplay between FERPA and HIPAA:
When a student turns 18 years old or enters a postsecondary institution at any age, all rights afforded to parents under FERPA transfer to the student. Postsecondary institutions that provide health or medical services to students may share student medical treatment records with parents under the circumstances described by FERPA. While these records may otherwise be governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy rule excludes student medical treatment records and other records protected by FERPA.
Commitment to confidentiality
Privacy is important to WUSM Student Health Services. We believe that patient confidentiality is an essential aspect of excellent medical and mental health care, and each patient can be assured that all health information is treated confidentially and protected to the fullest expect permissible by law. Our staff members adhere to the following laws, policies, and practices:
- Notice of Privacy Practices
- Family Educational Rights and Privacy Act (FERPA)
- Patient Rights and Responsibilities
- Limitations on email: Student Health cannot guarantee the privacy of email communications – email should not be used for urgent or time-sensitive issues.
- Secure messaging: Students and Student Health staff have access to the school email system and can communicate directly with our staff via [secure] messages.
- When scheduling an appointment the patient is informed the physician name and professional status. The student has the right to refuse to be examined, observed, or treated by any staff without jeopardizing access to care. Upon request, Student Health Services may provide appointment with another health care provider or facility as it relates to care or treatment.
All psychotherapy notes are defined by federal law as those notes of a mental health provider documenting or analyzing conversations during a private counseling session or a group counseling session and that are kept separated from the rest of the medical record. The patient files from these interactions are confidential.
Release of Protected Health Information (PHI)
Students at Washington University School of Medicine have the right to access his or her own medical records. These records are available in the Student Health Services office. Student health records can be obtained by calling (314) 362-3523. A written consent is necessary for release. Student Health Services may charge a fee for the copying of requested protected health information (PHI). This fee will be based on the cost of the labor and supplies involved in copying the requested PHI, the postage for mailing the copies, and a retrieval fee to obtain the requested PHI. In addition, if the student requests a summary of the requested PHI in lieu of or in addition to the copies, the Health Service may charge a reasonable cost for the preparation of a summary. The Health Service will, however, inform the student of the cost of preparing a summary in advance of its preparation. The Health Service will respond to the individual or the individual’s representative request for PHI within 30 days of our receipt of your request. If, however, your health information is not readily accessible by Washington University or is maintained in an off-site storage location, the health service has 60 days to respond to the request.
An individual has the right to request access to his or her own PHI. Washington University has adopted a policy to respond to such a request for access in a consistent fashion. The policy to which this procedure relates introduces a “Designated Record Set” (as defined herein) which contains PHI to which an individual has the right of access. or to obtain a copy. The university is required to provide this access.
Anything not included in the Designated Record Set is not considered part of the right of access. Examples include correspondence and psychotherapy notes that are intentionally excluded by federal law from the Designated Record Set.
The Designated Record Set is the collection of medical records and billing records that are used to make decisions about individuals and are maintained by or for a Health Care Provider. It also means the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan. The term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity such as Washington University.
Washington University must provide access to PHI in accordance with the Individual’s rights as defined by federal regulations and the university’s Notice of Privacy Practices.
Individuals may NOT access PHI maintained outside the Designated Record Set and the following types of PHI:
- Psychotherapy notes
- Information compiled in reasonable anticipation of civil, criminal, or administrative action or other proceeding
- PHI maintained for compliance with Clinical Laboratory Improvement Amendments (CLIA) and which is prohibited from access or is exempt from disclosure under CLIA
- PHI created or obtained by a health care provider in the course of research that includes treatment where the individual consented to the denial of access when he or she consented to participate in the research and WU informed the Individual that access would be restored upon completion of the research
Washington University and its member organizations are committed to conducting business in compliance with all applicable laws, regulations, and policies. As part of this commitment, the university has adopted a policy to ensure that it requests, uses internally, or discloses externally only the minimum necessary protected health information to accomplish an intended purpose. It must obtain a specific, written authorization from an individual before using or disclosing the individual’s PHI for all purposes other than treatment, payment or health care operations or uses and disclosures required by law.
The minimum necessary rule applies:
1) To all Requests by WU for PHI unless WU is requesting PHI for Treatment purposes;
2) To all Uses of PHI by WU except in the following situations:
- Uses pursuant to an Authorization unless the Authorization is requested by WU for its own use or is for PHI that was created for research that includes Treatment of the Individual (see WU HIPAA Policy on Authorization Required for Uses or disclosures of Protected Health Information);
- Uses required by law as long as the Use is limited to the relevant requirements of such law; and
3) To all Disclosures of PHI by WU except in the following situations: (see WU HIPAA Policy on Verbal/Inferred Agreement to Use or Disclosure Protected Health Information);
- Disclosures to a health care provider for purposes of treatment of the Individual;
- Disclosures that are permitted or required by the privacy regulations, such as disclosures made under the regulations governing the Individual’s right to access or right to an accounting of PHI;
- Disclosures to the Secretary of Health and Human Services for purposes of enforcing or ensuring compliance with the privacy regulations;
- Disclosures required by law; or
- Disclosures required by WU to ensure its compliance with applicable requirements of the privacy regulations.
Appropriate methods of communicating PHI
1) Face-to-face communications between Washington University health care providers.
As a general rule, conversations concerning an individual’s PHI should only occur in the context of treatment, payment, or health care operations, or when the Individual has signed an Authorization. See WU HIPAA Policy on Authorization Required to Use or Disclose Protected Health Information.
If it is necessary to discuss an Individual’s PHI in other contexts, under no circumstances should an Individual’s PHI be discussed in any public place or area where it might be inappropriately overheard, such as cafes, elevators, hallways or public transportation.
2) Face-to-face communications with family members, friends or other non-WU persons.
Conversations with persons involved in an Individual’s care, such as family members, close personal friends, or other persons identified by the Individual, generally should occur only after the individual has given, at a minimum, his or her verbal authorization. For further information, see WU HIPAA Policy on Verbal/Inferred Agreement to Use or Disclose Protected Health Information.
The appropriateness of a conversation involving PHI will ordinarily depend upon the surrounding facts and circumstances. This policy cannot address all potential situations that may arise and it is not intended to be all-inclusive. Common sense and good judgment must be applied in each case. Each member of the university workforce who communicates PHI in a face-to-face conversation with another person is responsible for ensuring that the communication is reasonably designed to protect the PHI to the greatest extent possible without interfering with the intended purpose of the communication. At a minimum, one should:
- request the identity of the person requesting the PHI;
- determine the relationship between this person and the individual (i.e., a health care provider, a family member providing care, a payor, etc.);
- determine the reason for requesting the PHI (i.e., for treatment, payment, health care operations, law enforcement, etc.); and
- unless the PHI is being provided for treatment purposes, decide what is the “minimum necessary” amount of PHI that may be provided. See WU HIPAA Policy on minimum necessary Request, use or disclosure of Protected Health Information.
How the university satisfies this policy depends upon the surrounding facts and circumstances. For example, if the individual is unable to provide his or her verbal authorization because he or she is unconscious or unavailable, then it may use professional judgment and experience to make reasonable inferences if it is appropriate and in the best interests of the individual to disclose the PHI to another person. If so, only PHI directly relevant to the person’s involvement with the Individual’s health care should be disclosed. For example, if an individual brings a spouse into the doctor’s office or a colleague or friend brings the individual to the emergency room for treatment, it is reasonable to assume, absent extenuating circumstances, that the person is involved in the Individual’s care and may appropriately be given general information concerning the individual’s condition without first obtaining the individual’s written or verbal authorization.
3) Telephone communications.