Information Privacy and Security

Policies Recently Updated:

  • Privacy and Information Security Training, IM 10-30.05 (revisions specifically define the initial and ongoing training requirements for each group, i.e. Staff, students, house staff, etc.)
  • Use and Disclosure of Protected Health Information, IM 10-30.06 (Minor updates and inclusion of Omnibus Rule changes issued January 25, 2013)
  • Access to Confidential Information, IM 10-30.03 (Editorial Update)


These policies are intended to provide guidance about reasonable and appropriate safeguards for the confidentiality, accuracy, and integrity of patient and other individually identifiable information. 
If you have questions or need assistance in interpretation or application of any of these policies, please contact the Privacy Office at 936-3594 or email the Privacy Office.

Access to Confidential Information IM 10-30.03
Access to Protected Patient Information by Job Role  IM 10-30.24
Audit Logs and Activity Review for Electronic Systems and Applications Containing  Protected Health Information IM 10-40.24
Authentication to Electronic Systems and Applications   IM 10-30.28
Authorization and Access to Electronic System And  Applications   IM 10-30.19
Authorization to Access Medical Records:  Self & Others  IM 10-20.01
Breach Notification:  Unauthorized Access, Use or Disclosure of Individually Identifiable  Patient or Other Personal Information  IM 10-30.02
Business Associate Agreements  IM 10-10.01
Cloud-Based Computing and Data Storage    IM 10-30.27
Computer Workstation and Lockout and Automatic Log-off Standards IM 10-30.16
Definition of the Legal Medical Record and the Designated Record Set IM 10-20.05
De-Identification of Protected Health Information IM 10-30.07
Disposal of Confidential Information IM 10-30.18
Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information IM 10-30.15
Faxing Confidential Information IM 10-10.03
Identity Theft Prevention and Response IM 10-30.04
Internet Monitoring and Filtering for Clinical Workstations IM 10-30.04
MHAV:  Eligibility of Levels of  Access IM 10-30.20
Patient Photography and Video Imaging 
  Instructions to upload an image to your computer
IM 10-30.17
Patient Request for Confidential Communications IM  10-30.09
Patient Request to Amend Protected Health Information
   Procedural Process   Amendment Request Form
   Patient Acknowledgement Ltr.
   Amend Accepted Ltr.   Amend Denied Ltr.
   Statement of Disagreement form
IM 10-40.17
Patient Request to Restrict the Use  of Information
   Service Estimate Method
IM 10-40.20
Patient Safety and Confidentiality: No Information, Security Risk, STAT and Alias  Designations IM 10-20.12
Personal Health Information Provided through MHAV IM 10-30.21 
Privacy and Information Security Training IM 10-30.05
Protection and Security of Protected Health Information IM  10-30.13
Protection and Security of Research Health Information IM 10-30.14
Release of Patient Information IM 10-30.29
Records Retention and Destruction IM 10-10.02
Releasing Patient Information and Coordinating Access to Patients by External Law Enforcement Official and Investigators
 HHS:  HIPAA guide for Law Enforcement (Hand-out)
IM 10-30.11
Sanctions for Privacy and Information Security Violations IM 10-30.12
Use and Disclosure of Protected Health Information IM 10-30.06

This page was last updated July 12, 2016 and is maintained by