Why You Need to Secure Your Information
Stanford University's information privacy rules are put in place to guard sensitive information according to State and Federal regulations as well as University policies. By complying with these policies, you're not only protecting the integrity of your own information, but also the university at large—and yourself as a liable individual.
At the most practical level, securing the information on your computer means:
- Ensuring that your information remains confidential, so that only those who are authorized to access it can do so.
- Knowing that no one has been able to change your information, so you can depend on its accuracy (information integrity).
- Making sure that your information is available when you need it (by making back-up copies and, if appropriate, storing the back-up copies off-site).
In addition to the practical reasons noted above for keeping your information secure, there are State and Federal regulations in place that require you to secure Stanford information, holding you personally liable for a breach, especially of patient data:
- HIPAA (Health Information Portability and Accountability Act, http://hipaa.stanford.edu) was enacted in order to protect the privacy of an individual's health information and govern the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information (PHI).
- Learn how to anonymize research data so that it meets HIPAA regulations.
- HITECH (Health Information Technology for Economic and Clinical Health) Act is an addendum to HIPAA and has additional requirements and penalties: Business Associates (BA), those organizations that receive and use ePHI as partners, are now held accountable for the disclosure of patient information.
- California Privacy Act (SB1386) requires the proper protection of private information, such as social security numbers and credit card numbers.
- Senate Bill 541 (SB541) authorizes the California Department of Public Health (CDPH) to investigate unlawful or unauthorized access to, or viewing, use or disclosure of, patient information.
- Assembly Bill 211 (AB211) authorizes a new California state office, the Office of Health Information Integrity (OHII), to investigate and enforce existing medical privacy laws and to investigate individuals and assess penalties against individuals for unauthorized access to or viewing, use or disclosure of patient information.
To comply with the federal and state regulations above, and to additionally protect Stanford information, there are a variety of Stanford and IRT policies that outline how best to protect yourself and the University.
What Should I Do?
- These laws and policies encourage, and often require, the use of encryption. Therefore, Stanford now requires all computers and devices with access to the University's network to be encrypted. Stanford recommends using the encryption that is native to your operating system (BitLocker for Windows, FileVault 2 for macOS). For more information about encryption at Stanford, you can visit our encryption page, or go to med.stanford.edu/datasecurity.
- If you are running a server, make sure that you properly secure your server.
- Be aware of the 18 HIPAA identifiers, so that you can be sure that you're publishing truly anonymous data.
- See How To Secure Your Information for a whole list of tips on securing your computer and your information.
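The encryption requirement above is only met if every volume on the device is actually encrypted with protection turned on, not merely if BitLocker was enabled at some point. The following script is an added example, not code from the Stanford page or from IRT: it uses the BitLocker PowerShell module that ships with Windows 10/11 Pro, Enterprise and Education to report each volume's state and flag any that would not satisfy a "device must be encrypted" rule. The function name `Test-DiskEncryptionCompliance` is an assumption chosen for this example; run it from an elevated prompt.

```powershell
# Added example (not part of the original page): report BitLocker state for
# every volume on this Windows machine and flag volumes that are not fully
# encrypted with protection on. Requires the BitLocker module (Windows 10/11
# Pro, Enterprise, Education) and an elevated PowerShell session.

function Test-DiskEncryptionCompliance {
    # Get-BitLockerVolume returns one object per volume, including the OS volume.
    $volumes = Get-BitLockerVolume
    foreach ($v in $volumes) {
        # "Compliant" here means the whole volume is encrypted AND protectors are
        # active (a suspended volume reports FullyEncrypted but ProtectionStatus Off).
        $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            MountPoint    = $v.MountPoint
            VolumeType    = $v.VolumeType
            VolumeStatus  = $v.VolumeStatus
            Protection    = $v.ProtectionStatus
            Percent       = $v.EncryptionPercentage
            KeyProtectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant     = $compliant
        }
    }
}

$report = Test-DiskEncryptionCompliance
$report | Format-Table -AutoSize

$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) volume(s) are not fully encrypted with protection on:"
    $nonCompliant | ForEach-Object { Write-Warning "  $($_.MountPoint) ($($_.VolumeStatus), protection $($_.Protection))" }
    exit 1
}
Write-Output "All volumes are fully encrypted with BitLocker protection on."
```

The KeyProtectors column is worth reading as well as the Compliant flag: a volume protected only by a recovery password, with no TPM or TPM+PIN protector, still prompts for the recovery key at every boot and is usually a sign that setup was never finished. On macOS the equivalent check is `fdesetup status`, which reports whether FileVault is On or Off.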
If you suspect that there has been a possible breach of information (lost/stolen device, for example), see Reporting an Incident for the steps you should take. The legal limit for reporting an incident is five days, so do not wait even for the next business day to report a problem.
The effects of SB541 and AB211
Regardless of whether the disclosure was malicious or accidental, anyone who uses patient information is personally responsible for its disclosure.
A patient whose information was breached has the right to sue the individual, and the suit does not have to be for actual damages.
Although Stanford University and the School of Medicine will try to assist the employee with the potential legal battle, the individual is personally responsible for all financial penalties and lawsuits.
If you are unsure about what you need to do, contact the IRT Service Desk at 5-8000 and the folks there will walk you through these and other steps for securing your computer.