Information Privacy and Security

HIPAA at Vanderbilt University Medical Center

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are federal law that establishes national standards for protecting the privacy and security of health information and defines specific rights for individuals with respect to their health information.  Individually identifiable health information that is created or received by a covered entity qualifies as protected health information (PHI) and is subject to the rules and regulations of HIPAA.

Vanderbilt University is a single legal entity that performs both covered and non-covered functions and has, therefore, elected to be a hybrid entity under HIPAA.  Several separate legal entities are affiliated through common ownership interest with Vanderbilt University Medical Center (VUMC) and meet certain criteria that qualify them to participate in the Vanderbilt Affiliated Covered Entity (VACE) for functions covered under HIPAA. 

VUMC uses the services of a variety of businesses or independent contractors to carry out some of its activities, services and functions.  HIPAA allows a covered entity to disclose PHI to these external parties if they enter into a Business Associate Agreement that obligates the business associate to take appropriate steps to safeguard the information consistent with the HIPAA guidelines. 

The HIPAA Privacy Rule regulates how health care providers and health plans may use and disclose protected health information, in whatever form - on paper, electronic, or oral.  The Privacy Rule mandates that health care providers distribute a Notice of Privacy Practices to all patients.  This document outlines how their information may be used and disclosed with and without their specific written authorization and defines certain patient rights.  For additional information on VUMC privacy policies and practices, visit the Privacy Page.

The HIPAA Security Rule requires that workforce members adhere to controls and safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI).  These administrative, technical and physical safeguards are intended to detect and prevent reasonably anticipated errors and threats arising from malicious or criminal actions, system failure, natural disasters and employee or user error.  Such events could result in damage to or loss of personal information, corruption or loss of data integrity, or compromise of the privacy of patient or employee records.  For additional information on VUMC information security policies and practices, visit the Info Security Page.

The HIPAA regulations also define standards for the content and format of electronic health care billing transactions.  The National Provider Identifier standard requires a unique identification number for every health care provider who bills for services.  The Transactions and Code Sets standards regulate the transfer of health information for certain electronic financial transactions.  These transactions include facility technical claims, professional and dental claims, remittance advices and eligibility requests.  For information regarding VUMC processes and practices related to these standards, visit the HIPAA Transactions and Code Sets web page.

This page was last updated March 9, 2016 and is maintained by