WVU Medicine employees reminded to not disclose PHI or business asset data on internet message applications

WVU Medicine employees are reminded not to disclose or post Protected Health Information (PHI) or business asset data on any publicly accessible internet message application or system, such as ChatGPT, Signal, WhatsApp and conversational AI.

To seek approval to post these materials, contact Tina Williams, system enterprise information management privacy director; Tony Condia, vice president of marketing and communications; or Hunter Barbour, chief information security officer.

Conversational AI, or Logic Learning Machine (LLM) artificial intelligence

ChatGPT and other AI applications cannot be used for any business purposes, such as emails, PowerPoints, patient questions, translations or any other business function (this is not an exhaustive list). Unless the application is approved through the correct legal, security and compliance channels, it must not be used for any business purposes.

Why?

ChatGPT and other AI applications store data from all interactions in a database that is not secure and does not comply with WVU Medicine policy or the requirements of regulatory bodies. This information is then used for whatever purpose that company desires with no oversight. The information is often inaccurate and should only be used as a novelty in personal, non-work situations.

As with all PHI, this information must not be entered into a computer unless the individuals who have access to that computer have a legitimate need to know the information.

Any application that has not been approved for business use through the WVU Medicine Information Technology Security Risk Assessment process cannot be used for business or clinical activities. The Security Risk Assessment is performed to protect the WVU Medicine Network, our patients, our providers and our WVU Medicine employees. The Security Risk Assessment process should be followed when creating IT capital requests or IT operating budget requests, Requests for Proposals and purchasing any hardware, software, device or application that will be used for business purposes for all WVU Health System-associated companies. This includes purchasing credit cards. IT, Legal and Procurement teams have created standard contract terms that MUST be in all IT and HTM/BioMedical contracts to ensure that the vendors comply with IT security requirements.

Examples of hardware and software requiring a Security Risk Assessment (this is not an exhaustive list):

  • IT hardware: telephones, smartphones, desktop and laptop computers, tablets, headphones, keyboards, mice, credit card processing devices, etc.
  • IT software: clinical applications, such as electronic medical records (EMRs), radiology databases and PACS, laboratory, pathology, pharmacy and any ancillary applications.
  • IT software: financial applications, such as payroll, human resources, purchasing, inventory, enterprise resource planning (ERP), etc.
  • BioMedical hardware and software: MRIs, x-ray devices, lab instruments, pharmacy devices, robots, etc.
  • Facilities equipment and software: tube systems, HVAC systems, camera systems, door locking systems, signage, elevators, etc.
  • Any cloud-based application or system in which WVU Medicine data is stored or that WVU Medicine workers access.

When purchasing these items, please be sure to mark the item in Workday for “IT Review.” Failure to follow this will result in corrective actions.

Contact Hunter Barbour at Hunter.Barbour@wvumedicine.org with any questions or concerns.