
HIPAA Security: Security Management Policy

I. Scope & Applicability

This policy applies to Stanford University HIPAA Components (SUHC) information systems that maintain electronic protected health information (ePHI) and the persons responsible for managing and auditing those information systems.

Information systems that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.

II. Policy Statement

SUHC will take reasonable and appropriate precautions to prevent, detect, contain, and correct security violations.

III. Principles

  1. System Identification and Tracking. The person responsible for HIPAA compliance in each component of the SUHC is responsible for identifying and maintaining an inventory of the information system(s) managed within that component. When a new information system is implemented, that responsible person will request a Security, Privacy, and Legal Review per the University’s Minimum Security Standards.
  2. Risk Management Program. The Stanford University Chief Information Security Officer, in coordination with the University Privacy Officer, will establish a program to identify and mitigate risks to ePHI.
    1. Risk Analysis. The Joint Security, Privacy, and Legal Review Committee will conduct assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Risk analyses will be conducted or updated:
      1. When a new information system is implemented;
      2. Periodically as part of an ongoing risk management program; and
      3. In response to a significant newly-recognized risk identified as a result of activity reviews, security incidents, or environmental or operational changes.
    2. Risk Mitigation and Monitoring. The Stanford University Chief Information Security Officer or delegate will recommend and monitor the effectiveness of security measures designed to reduce risks and vulnerabilities to a reasonable and appropriate level. More specifically, these measures are designed to reasonably and appropriately:
      1. Protect the confidentiality, integrity, and availability of all ePHI that SUHC creates, receives, maintains or transmits.
      2. Protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of such information.
      3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule.
      4. Facilitate workforce compliance.
  3. Information System Activity Reviews. The System Owner or delegate for an information system will:
    1. Regularly perform reviews of information system activity (e.g., audit logs and trails, information system activity records, facility access records) for the purpose of detecting:
      1. Unauthorized access to ePHI;
      2. Unusual patterns of use or activity; and
      3. Other potential security violations.
    2. Document System Activity Review findings. Documentation will be retained for a minimum of six years from the date of review; and
    3. Report suspicious findings in accordance with the security incident reporting mechanisms established by the Stanford University Chief Information Security Officer or appropriate delegate.
  4. Security Incident Detection, Response and Reporting. The Stanford University Chief Information Security Officer and delegates will develop, document, and implement procedures to:
    1. Identify possible security incidents;
    2. Respond to suspected or known security incidents;
    3. Mitigate, to the extent practical, harmful effects of known security incidents; and
    4. Document and report security incidents and their outcomes. All documentation relating to potential and verified security incidents will be retained for at least six years from the date of documentation.

IV. Procedures

Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

V. Exceptions

Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.

VI. Related Documents

  1. SUHC HIPAA Security: Information Access Controls Policy
  2. SUHC HIPAA Security: Audit Controls Policy
  3. SUHC HIPAA Security: Contingency Planning Policy

VII. Document Information

  1. Legal Authority/References
    Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.306(a); §164.308(a)(1)(i); §164.308(a)(1)(ii)(A); §164.308(a)(1)(ii)(B); §164.308(a)(1)(ii)(D); §164.308(a)(6)
  2. Contact for Questions Related to this Policy
    Stanford University Chief Information Security Officer
    securityofficer@stanford.edu
  3. Document Review History
    Version | Date       | Modified | Comments
    1.0     | 07/14/2005 | Yes      |
    1.1     | 12/07/2015 | Yes      | Reviewed and updated by Aaron Arutunian

This document is intended for use by Stanford University. No representations or warranties are made for outside use. Not for outside reproduction or publication without permission.

Last modified April 14, 2023