.
VANDERBILT UNIVERSITY MEDICAL CENTER

Information Privacy and Security

Disclosure Tracking

HIPAA regulations permit certain disclosures of patient information without special permission from the patient.  However, the regulations require that these disclosures be tracked in order to produce a list of such disclosures to the patient upon their request.  Patients are informed of this right to an 'accounting of disclosures' in our Notice of Privacy Practices.  This obligation is reflected in Operations Policy 10-40.15:   Use and Disclosure of Protected Patient Information.  The following types of disclosures must be tracked:

  • Any disclosure required by law including but not limited to birth, deaths, work-related injuries;
  • Reports of child abuse, neglect or domestic violence;
  • Health oversight activities;
  • Disclosures in accordance with a judicial subpoena;
  • Disclosure for certain law enforcement purposes (identification of a suspect or missing person, identification of a crime victim, suspected crime, etc.)
  • Disclosures to funeral directors, coroners, and medical examiners:  In the event of a patient death, unit staff do not need to log initial calls to TDS, nor does the physician need to log the subsequent return of the completed death certificate - these entries will be generated by Bereavement Liaisons.  All calls to the medical examiner or coroner should be logged. 
  • Disclosures to organ procurement and banking organizations
  • Disclosures to a third party when the safety of an individual is at risk (threat of violent crime, etc.)
  • Specialized government functions (law enforcement custodial situations)
  • Workers' compensation disclosures:  Reviews of current inpatient charts  by workers' compensation case managers should be handled in accordance with policy 10-4.07.  Unit staff does not need to track these disclosures - it will be logged by Utilization Management.
  • Disclosure for research with a waiver of informed consent from the IRB

To facilitate this accounting, we have developed a centralized electronic system to log them in this system. This simple system captures the information required, is linked to the patient’s MRN and will allow us to respond completely and accurately to patient requests. The disclosure tracking system can be accessed through StarChart. There is also a way to directly access the system for anyone with a RACF_ID (used for StarPanel, WIZ, Medipac or Epic access). Click on the links for instructions on how to use the different versions of the system.  The following information pertaining to these disclosures must be entered into the electronic disclosure tracking system"

Disclosure Date:     The date the disclosure was made.

Description:     A brief  description of the protected patient information disclosed.  (Examples include but are not limited to: (1) patient chart; (2) type of injury, identity of perpetrator and histroy of events leading up to admission; or (3) to report work-related injuries as required by law; or (4) to identify a suspect or missing person, etc.)

Reason:     A brief statment that describes the reason for the disclosure or why it was required.  (Examples include but are not limited to: (1) to report child abuse as required by law; (2) to report the death of an individual as required by law: (3) to report work-related injuries as required by law; or (4) to identify a suspect or missing person, etc.)

Recipient Name:     The specific name of the entity or organization who received the protected patient information.  (Examples include but are not limited to: (1) nashville, Metr Public Health Department; (2) to report the death of an individual to identigy a suspect or missing person, etc.)

Address:     The address of the entity or organization (If Known)

This page was last updated February 11, 2011 and is maintained by Linda Campbell