Patient Information Privacy FAQs

Below are answers to commonly asked questions about Business Associate Agreements and emailing patient information.

Business Associate Agreements

May I delete the reference to Washington law in Section 1?

No. The HIPAA privacy regulations create a minimum standard for the protection of health information nation-wide. The regulations allow for the possibility that state law is more protective of a patient’s privacy or provides a patient greater access to protected health information. In these instances, state law may actually govern the use or disclosure of health information, not the HIPAA regulations. Thus, it is important for business associates to understand that use or disclosure of protected health information on behalf of UW Medicine must conform to both state and federal requirements.

May I expand the requirement in Section 3 for reporting of unauthorized use or disclosure beyond five working days?

Maybe. This is ultimately a business decision and your leadership should make this determination. Expanding the reporting period may impact UW Medicine’s ability to respond quickly in the case of a breach. The maximum time UW Medicine generally accepts is twenty days.

May I expand the requirement in Section 5 for amending the designated record set beyond five days?

Maybe. UW Medicine must consider state law requirements and you should consult with UW Medicine Compliance to discuss the operational implications. Upon request for amendment of a medical record, state law provides that a health care provider must correct or amend the records within ten calendar days of receiving the request (RCW 70.02.100). If unusual circumstances exist, state law provides for a maximum of twenty-one days to respond. The HIPAA privacy regulations, in contrast, allow a health care provider sixty days to respond. This provision tends to be an area in which considerable energy in negotiation is expended. The most important question to address is whether the business associate holds medical records that would be the subject of the amendment request and whether they will be impacted by a short deadline.

Can the Business Associate Agreement be multi-entity for vendors providing services to more than one entity?

Yes, the Business Associate Agreement may include any/all UW Medicine entities. The Business Associate Agreement must have signature lines for each entity included, be signed by an authorized person from each entity, and be maintained in accordance with entity-specific records retention rules.

May I remove the requirement that the Business Associate provide individuals with access to their PHI?

No, the Business Associate must make PHI available in accordance with HIPAA and state laws governing access of individuals to PHI.


May the Business Associate provide PHI to a subcontractor?

Yes, but the Business Associate must enter into a contract that meets the requirements of a business associate agreement or other arrangement with the subcontractor(s) to ensure that the same restrictions and conditions that apply to the Business Associate, including the implementation of reasonable and appropriate safeguards to protect the information, also apply to the subcontractor.

Is a Business Associate Agreement required for a data storage contract?

Yes, if an entity maintains PHI on behalf of the University of Washington or UW Medicine, it is a business associate even if the entity does not actually view the PHI.

What if the Business Associate is a governmental entity?

When the Business Associate is a governmental entity, UW Medicine may enter a Memorandum of Understanding to document the Business Associate’s privacy, security, and electronic exchanges assurances. The Memorandum of Understanding must contain the required elements of a Business Associate Agreement.

What if there is a suspected or discovered violation of a Business Associate Agreement?

If a violation of the Business Associate Agreement is suspected or discovered, the department manager or other individual initiating a contract is required to report the violation to UW Medicine Compliance and request investigation.

Emailing Patient Information

Do You Text or Email Patients?

Yes. UW Medicine Compliance policies allow workforce members to communicate electronically with their patients provided they apply reasonable safeguards such as:

  1. Double checking the recipient email address to avoid unintentional disclosure; and
  2. Limiting the amount or type of protected health information.

Patients have a right to request communication preferences such as text message or email and, when reasonable, workforce members should accommodate such requests. Workforce members may consider using Microsoft Outlook’s Encryption feature in the email’s Options tab when emailing protected health information. If this is not possible, then the patient should be warned about the risks of unencrypted email or text messages, which are described here:

Can you send Protected Health Information (PHI) to authorized third party recipients via email?

Yes, so long as the following requirements are met:

  1. The email is encrypted:
    • The email is sent within UW Medicine (to other or email addresses)
    • The email is sent to one of our affiliates included on the UW Medicine Information Security Approved Domain List (for example,,,,, or,); or
    • The email is manually encrypted using email options; and
  2. The email contains the minimum amount of patient information necessary to meet the recipient’s needs.

Is there a person available to assist with email program configuration in the event problems arise?

Yes, the IT personnel that support your department or clinical entity can assist you.

Is there specific language that should be used in email sent directly to a patient?

Yes, the following language should be included under your signature on any email sent to a patient:

“The above email may contain patient identifiable or confidential information. Because email is not secure, please be aware of associated risks of email transmission. If you are a patient, emailing a UW Medicine provider implies your agreement to email communication. For more information, see

The information is intended for the individual named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender by reply email, and then destroy all copies of the message and any attachments. See our Notice of Privacy Practices at”

Can you automatically forward email received by your University account to other email accounts such as Gmail or Yahoo?

No, UW Medicine staff and students may not automatically forward email received by their University account to a personal email account. This action is prohibited by the policies of the University since the transmission and storage of email data is not necessarily secure.

What steps should be taken when an email containing patient information is sent to the wrong recipient?

If you are the sender, notify UW Medicine Compliance. If you are the recipient, immediately reply to the sender notifying them of the error, delete the email permanently from your email account’s Deleted Items folder, and notify UW Medicine Compliance.

Appointment Reminders and Other Types of Messages

Can I include patient information when I leave a voicemail message?

Patient Privacy laws allow health care entities to communicate with patients regarding their health care at their homes or other preferred locations. This includes leaving verbal messages for patients electronically (e.g. voice mail) or with individuals who may answer the phone (e.g. the patient’s family member). However, to reasonably safeguard the patient’s privacy, workforce members must take care to minimize the amount of PHI disclosed when leaving appointment reminders or other types of messages for patients. Outlined below are the best practices to use in these situations:

  • When directed to voice messaging, provide your name, number, the UW Medicine entity from which you are calling and other information which is minimally necessary to confirm an appointment or request a return phone call.
  • When you reach someone other than the patient at the patient’s contact number, use professional judgment to determine the minimum necessary information to disclose and ensure that the disclosure is in the best interest of the patient.

If you have any questions, contact us.