
Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was put in place to safeguard and protect the privacy of patient health information, allow the portability of healthcare coverage when employment changes or ends, reduce the risk of healthcare fraud and abuse, and regulate industry standards on healthcare processes and electronic billing information.

HIPAA Privacy and Security rules apply to the following Vanderbilt plans offered to employees and their families:

  • Medical
  • Dental
  • Vision
  • Prescription Drugs
  • Employee Assistance Programs (EAP)
  • Healthcare Flexible Spending Accounts


Protected Health Information (PHI)

PHI is health information that:

  • Identifies an individual directly or includes detailed information that could be used to identify an individual;
  • Relates to past, present or future mental or physical health care, conditions, treatments, and billing/payment;
  • Is created, received, or maintained by a Vanderbilt University covered entity


HIPAA Covered Entities

Covered Entities as defined by the Privacy Rule may include:

  • Health plan (insurance companies, government programs such as Medicare, etc.)
  • Health care provider (doctors, clinics, dentists, pharmacies, etc.)
  • Business associate (involved in the administration of plans or patient care)


HIPAA Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI). It provides standards for businesses to follow that protect sensitive patient health information from being disclosed in any manner without the patient’s knowledge or consent.

The HIPAA Privacy Rule was issued by the US Department of Health and Human Services (HHS) to implement the requirements of HIPAA.


HIPAA Security Rule

The HIPAA Security Rule ensures the confidentiality, integrity, and availability of electronic PHI (ePHI) as covered by the Privacy Rule.


HIPAA Enforcement

The Vanderbilt University HIPAA Privacy & Security Official should be your first point of contact if you have any questions or concerns, or if you suspect a HIPAA disclosure breach has occurred:

Julie Hanna
(615) 373-6624 (phone) (email)


HIPAA Training

Employees with direct access to Protected Health Information (PHI) are automatically scheduled for HIPAA training through Oracle Learning. If you have an employee who should be scheduled for training, please email and include the employee’s name, ID and the reason training is needed.


Helpful Links

US Department of Health and Human Services Office for Civil Rights

Your Rights Under HIPAA

VU HIPAA Privacy Manual

VU HIPAA Privacy Notice