
Information Privacy and Security

FAQ

  1. What is HIPAA?
  2. What is the Privacy Office and what do they do?
  3. There has been a breach of patient privacy in my department. What do I do?
  4. I want to provide a flyer to a specific patient population, produced by an outside organization (e.g., American Heart Association). May I do this?
  5. How much personal information may be released to family members over the phone?
  6. What is my responsibility related to the vendors that I bring into the Medical Center?
  7. My patient does not answer the phone directly. How can I leave a HIPAA compliant message with someone else or a voice mail?
  8. My patient is now on another unit. May I access their record?
  9. May I email my patient related to his or her care?
  10. How much information may I give an Insurance company?
  11. How much information may I give to a police officer?
  12. What information may be faxed?
  13. May I mail my patient's information?
  14. Someone wants to come into a clinical area and observe. How can I make this happen?
  15. We use a sign-in sheet for our patients. Is that okay?
  16. What information may be listed on a dry erase whiteboard?
  17. I purchased a new laptop. May I use it for work purposes? And if so, how do I protect it?
  18. I have access to clinical systems and my husband asked that I look up his record to check that his physician's notes were correctly entered. Based on his explicit request, am I allowed to access his medical records?

The Privacy Office is available to answer questions you may have concerning policies, laws and regulations, and the HIPAA and HITECH Act Privacy Regulations. If you haven't found the answer to your question(s) on this page, please do not hesitate to contact our office by email at Privacy.Office@vanderbilt.edu.

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed to protect the confidential medical and billing records of our patients. A particularly important element of the HIPAA regulation pertains to patients' rights related to access and control of their medical information. We count on all members of the VUMC entity to incorporate the HIPAA rules into their daily activities. Our patients have a right to privacy. We are committed to complying with HIPAA, not only because it is the law, but also because we value our patients and their privacy. See the HIPAA at VUMC page on this website.
******************************************************************************************************************

What is the Privacy Office and what do they do?
The Privacy Office at VUMC supports the development and deployment of policies, procedures, and processes to safeguard patient privacy and the privacy and security of patient information. The Privacy Office provides training and consultative services related to VUMC policies as well as State and Federal laws and regulations. The office is also responsible for revising and updating the annual training for all faculty and staff and participates in orientation training. The Privacy Office is responsible for reviewing the EVE report (employees reviewing employees) on access to electronic medical records. The Privacy Office runs audits for patients or employees upon request, or as part of an investigation into possible unauthorized access to medical records.

******************************************************************************************************************

There has been a breach of patient privacy in my department. What do I do?
Privacy breaches and privacy incidents (any event that may need to be investigated) must be reported to the Privacy Office as soon as they are discovered, even if the person who discovered the breach was not involved.
******************************************************************************************************************

I want to provide a flyer to a specific patient population, produced by an outside organization (e.g., American Heart Association). May I do this?
A flyer may be posted in the clinic waiting room for interested patients. Questions concerning mass-mailings to a patient population should start with the Privacy Office at privacy.office@vanderbilt.edu. Once it is known what type of information is in the mailing and how the mailing list was created, a member of the Privacy Office will direct you to the appropriate department(s) for further processing.
******************************************************************************************************************

How much personal information may be released to family members over the phone?
According to the Notice of Privacy Practices, you may release personal information to anyone that the patient has identified as the recipient of such information (see Communication with Family and Others about Your Care and Permission to See Your Medical Record). Refer all others to the contact person the patient designates. In all other cases, telephone communication about patient information is challenging, since you can't physically confirm the identity of the caller. Reasonable precautions need to be taken to safeguard the privacy of the patient. Suggested precautionary steps:
  1. Check the record to see whether the patient is listed as "no information".
  2. Check Alerts.
  3. Ask the caller to identify two pieces of personal information about the patient that a typical acquaintance would not know, such as birth year, maiden name, or mother's maiden name.
Always follow the Minimum Necessary Rule and disclose only what the family member specifically needs in order to support the patient's care.
******************************************************************************************************************

What is my responsibility related to the vendors that I bring into the Medical Center?
Before allowing vendors access to the Medical Center, they must check in with VUMC's Medical Center Support Services, 3-5453. Once this is complete, they should wear a Visitor ID at all times while in the Medical Center. Do not leave vendors alone in areas containing PHI that they do not need access to (e.g., clinic work areas). It is recommended that they stay in the waiting room or in a designated conference room.

******************************************************************************************************************

My patient does not answer the phone directly. How can I leave a HIPAA compliant message with someone else or a voice mail?
Leave the minimum amount of information needed: your name, your phone number, and that you are calling from VUMC. A recommended best practice is to obtain the patient's preference for follow-up or appointment communication at the initial point of contact.

******************************************************************************************************************

My patient is now on another unit. May I access their record?
You may access the patient's record only if you have a legitimate need to do so (for treatment, payment, or health care operations). Otherwise, you should not access the record.

******************************************************************************************************************

May I email my patient related to his or her care?
Secure messaging between VUMC clinical providers and patients is provided within the MyHealthatVanderbilt (MHAV) patient portal. Communication of PHI over the internet between the patient and a VUMC staff or faculty member requires written consent from the patient prior to the transmission of the PHI. Such documentation should be saved or scanned into the patient's electronic medical record. (See Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information - IM 10-30.15.)
******************************************************************************************************************

How much information may I give an Insurance company?
According to the Notice of Privacy Practices, we may use and disclose medical information for the purpose of obtaining payment. Best practice is to provide only what is needed for this purpose. For example, lab values are not required for billing purposes and therefore should not be provided to the insurance company. However, if the patient has submitted an Authorization allowing the use and disclosure of his or her information to the insurance company, the minimum necessary standard no longer applies.
******************************************************************************************************************

How much information may I give to a police officer?
None. All release of patient information to external law enforcement agencies by VUMC workforce members is coordinated through the Vanderbilt University Police Department (VUPD), with the exception of general patient condition information released by the VUMC Office of News & Communications. VUMC staff approached by an external law enforcement official should immediately call VUPD and wait until a VUPD officer arrives before releasing any information. (See Policy: Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Officials and Investigators - IM 10-30.11.)
******************************************************************************************************************

What information may be faxed?
VUMC workforce members are expected to take reasonable and appropriate precautions when using fax machines to transmit confidential documents or when auto-faxing directly from an electronic system or application. Faxing should only be used when there is a time-sensitive need to send or receive and no alternative secure method exists (mail, courier services, secure file transfer). Always send the minimum information necessary. Best practice is to confirm the correct fax number prior to sending and to include a cover letter. (See Policy: Faxing Confidential Information - IM 10-10.03.)
******************************************************************************************************************

May I mail my patient's information?
Yes, as long as the patient has not requested otherwise and you have a patient-care need to do so. Best practice is to mail only the minimum required, to confirm the correct address with the patient prior to sending, and to seal the envelope or package well.

******************************************************************************************************************

Someone wants to come into a clinical area and observe. How can I make this happen?
The VUMC Observational Experience program allows students, working professionals and others to observe. Please contact VUMC Observational Experience at VOE@vanderbilt.edu.
******************************************************************************************************************

We use a sign-in sheet for our patients. Is that okay?
It is OK; however, reasonable safeguards and the minimum necessary standard must be met. For example, if using a patient sign-in sheet, do not request any medical information not required for sign-in. Also consider a pull-off label system, or a thick black marker to cross off names as patients are called in for their appointments, so that patient names do not accumulate throughout the day for subsequent patients to view.

******************************************************************************************************************

What information may be listed on a dry erase whiteboard?
The use of whiteboards is allowed as long as reasonable safeguards are implemented, as appropriate. Listing only the last name and first initial is adequate in the department, whereas the full first and last name is permitted for safety reasons in the operating room. The important considerations are whether the board is visible to passers-by and whether it contains PHI. If the answer to both is yes, consider whether there are other ways that the protected data (including demographic data) could be "reasonably" limited to the minimum necessary to allow the unit to safely manage patient care.

******************************************************************************************************************

I purchased a new laptop. May I use it for work purposes? And if so, how do I protect it?
You should avoid using any personal devices for work purposes. If you must use your personal laptop for work purposes, discuss it with your Manager first and consult with IT before use to ensure proper security through encryption, firewalls, passwords, anti-virus software and regular software updates (see the Information Security page on this website). Always follow best practices, including physical security of your device at all times, regular backups of data, storage of only the very minimum necessary patient information, and permanent deletion of all data and files the moment they are no longer needed. Remember, it is your responsibility to encrypt and safeguard your device, and you may be held personally liable for breaches of patient information due to an unencrypted personal device that does not comply with VUMC policy.

******************************************************************************************************************

I have access to clinical systems and my husband asked that I look up his record to check that his physician's notes were correctly entered. Based on his explicit request, am I allowed to access his medical records?
No. You are not authorized to directly access the medical records of any individual in whose care you are not involved without a written authorization that has been scanned into the record. (See: Communication and Consent to View Medical Record.) Faculty and staff members may access and view their own electronic records and the electronic records of their minor children (under the age of 18) for whom they are the legal guardians and are not otherwise prohibited from viewing the medical record.


This page was last updated March 19, 2015 and is maintained by