Information Privacy and Security

Cloud-Based Computing and Data Storage - IM 10-30.27
Cloud-Based Computing and Data Storage Services may not be used for creation, sharing or storage of VUMC Patient or other confidential information unless the service has been approved and confirmed via Vanderbilt contract processes.

Release of Patient Information - IM 10-30.29

Records Retention and Destruction - IM 10-10.02


These policies are intended to provide guidance about reasonable and appropriate safeguards for the confidentiality, accuracy, and integrity of patient and other individually identifiable information. 
If you have questions or need assistance in interpretation or application of any of these policies, please contact the Privacy Office at 936-3594 or email the Privacy Office.

Access to Confidential Information  IM 10-30.03

Access to Protected Patient Information by Job Role    IM 10-30.24

Audit Logs and Activity Review for Electronic Systems and Applications Containing Protected Health Information  IM 10-40.24

Authentication to Electronic Systems and Applications IM 10-30.28

Authorization and Access to Electronic System and Applications  IM 10-30.19

Authorization to Access Medical Records:  Self & Others    IM 10-20.01

Breach Notification:  Unauthorized Access, Use or Disclosure of Individually Identifiable Patient or Other Personal Information  IM 10-30.02

Business Associate Agreements  IM 10-10.01

Cloud-Based Computing and Data Storage  IM 10-30.27

Computer Workstation and Lockout and Automatic Log-off Standards  IM 10-30.16

Confidentiality of Protected Patient Information   IM 10-30.01

De-Identification of Protected Health Information  IM 10-30.07

Disposal of Confidential Information  IM 10-30.18

Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information  IM 10-30.15

Faxing Confidential Information  IM 10-10.03

Identity Theft Prevention and Response  IM 10-30.04

Internet Monitoring and Filtering for Clinical Workstations     IM 10-30.04

MHAV:  Eligibility of Levels of  Access   IM 10-30.20  (pulled due to revision)

Patient Photography and Video Imaging   IM 10-30.17
Instructions to upload an image to your computer

Patient Request for Confidential Communications  IM  10-30.09

Patient Request to Amend Protected Health Information   IM 10-40.17
Procedural Process; Amendment Request Form; Patient Acknowledgement Ltr.; Amend Accepted Ltr.; Amend Denied Ltr.; Statement of Disagreement form

Patient Request to Restrict the Use  of Information  IM 10-30.08
Patient Requests for Restriction:  Service Estimate Method

Patient Safety and Confidentiality:  No Information, Security Risk, STAT and Alias Designations  IM 10-30.08

Personal Health Information Provided through MHAV  IM 10-30.21

Privacy and Information Security Training   IM 10-30.05

Protection and Security of Protected Health Information IM  10-30.13

Protection and Security of Research Health Information  IM 10-30.14

Release of Patient Information IM 10-30.29

Records Retention and Destruction IM 10-10.02

Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Official and Investigators  IM 10-30.11
HHS:  HIPAA guide for Law Enforcement (Hand-out)

Sanctions for Privacy and Information Security Violations  IM 10-30.12

Use and Disclosure of Protected Health Information  IM 10-30.06


This page was last updated December 16, 2014 and is maintained by