Information Privacy and Security


 Access to Confidential Information  IM 10-30.03   Internet Monitoring and Filtering for Clinical Workstations     IM 10-30.04

 Access to Protected Patient Information by Job Role 
  IM 10-30.24

 MHAV:  Eligibility of Levels of  Access
 IM 10-30.20  (pulled due to revision)
 Audit Logs and Activity Review for Electronic Systems and Applications Containing Protected Health Information
  IM 10-40.24
 Patient Photography and Video Imaging
 IM 10-30.17
     Instructions to upload an image to your  computer
Authorization and Access to Electronic System And  Applications  IM 10-30.19

 Patient Request to Amend Protected Health Information   IM 10-40.17
Procedural Process;  Amendment Request Form;  Patient Acknowledgement Ltr.; Amend Accepted Ltr.; Amend Denied Ltr; Statement of Disagreement form

 Authorization to Access Medical Records:  Self & Others 
  IM 10-20.01
 Patient Request to Restrict the Use  of Information  IM 10-30.08
     Patient Requests for Restriction:  Service Estimate Method
 Breach Notification:  Unauthorized Access, Use or Disclosure of Individually Identifiable Patient or Other Personal Information  IM 10-30.02  Patient Request for Confidential Communications  IM  10-30.09
 Business Associate Agreements  IM 10-10.01  Patient Safety and Confidentiality:  No Information, Security Ris, STAT and Alias Designations  IM 10-30.08
 Cloud-Based Computing and Data Storage  IM 10-30.27 Personal Health Information Provided through MHAV  IM 10-30.21
 Computer Workstation and Lockout and Automatic Log-off Standards  IM 10-30.16  Privacy and Information Security Training
 IM 10-30.05

 Confidentiality of Protected Patient Information
  IM 10-30.01

 Protection and Security of Protected Health Information IM  10-30.13
 De-Identification of Protected Health Information
 IM 10-30.07
 Protection and Security  of Research Health Information  IM 10 -30.14
Disposal of Confidential Information  IM 10-30.18  Releasing Patient Informatin and Coordinating Access to Patients by External Law Enforcement Official and Investigators  IM 10-30.11
  HHS:  HIPAA guide for Law Enforcement (Hand-out)
 Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information  IM 10-30.15  Sanctions for Privacy and Information Security Violations  IM 10-30.12
 Faxing Confidential Information  IM 10-10.03  Use and Disclosure of Protected Health Information  IM 10-30.06
 Identity Theft Prevention and Response  IM 10-30.04  



Cloud-Based Computing and Data Storage - IM 10-30.27
Cloud-Based Computing and Data Storage Services may not be used for creation, sharing or storage of VUMC Patient or other confidential information unless the service has been approved and confirmed via Vanderbilt contract processes.

These policies are intended to provide guidance about reasonable and appropriate safeguards for the confidentiality, accuracy, and integrity of patient and other individually identifiable information. 
If you have questions or need assistance in interpretation or application of any of these policies, please contact the Privacy Office at 936-3594 or email the Privacy Office.

Thank you for taking the time to visit our website.  In order to serve our customers better, we ask that you take a moment to complete a short survey.  Your opinion and comments are informative and helpful to maintaining the VUMC Privacy and Security Website.   


This page was last updated June 18, 2014 and is maintained by