Skip to content Skip to site navigation Skip to service navigation

HIPAA Security: Transmission of ePHI Policy

I. Scope & Applicability

This policy applies to electronic protected health information (ePHI) while the data is in transit over an electronic communications network and when the transmission is initiated by Stanford University HIPAA Components (SUHC). All SUHC applications that transfer ePHI over an electronic communications network (e.g., email, file transfer, web browser) are subject to this policy.

If transmitting ePHI using an email or other electronic messaging system, refer to the SUHC HIPAA Security: Email and Other Electronic Messaging of ePHI Policy for specific requirements.

Information systems, including electronic communications networks that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.

II. Policy Statement

SUHC will implement reasonable and appropriate measures to guard against unauthorized access to and protect the integrity and confidentiality of ePHI that is transmitted over an electronic communications network while the data is in transit and when the transmission is initiated by SUHC.

III. Principles

  1. Appropriate Transmission of ePHI. Transmission of ePHI must be in accordance with SUHC privacy policies governing PHI use and disclosure.
  2. Protected Versus Open Networks. A protected network is a SUHC computer network or specific segment of a SUHC network that is considered adequately secure for the transmission of unencrypted ePHI and has been so designated by the Stanford University Chief Information Security Officer or delegate. Any network or segment of a network that is not designated by the Stanford University Chief Information Security Officer or delegate as a protected network will be considered an open network and not adequately secure for the transmission of unencrypted ePHI. The Internet and most Stanford networks are considered open networks.
  3. Protected Networks Designation. In designating a protected network, the Stanford University Chief Information Security Officer or delegate must evaluate, and consider adequate, the following:
    1. Network Isolation – the physical, hardware and/or software systems (e.g., firewall, dedicated circuits) that isolate it from other segments of the network and other networks;
    2. Access Control – the controls that restrict accessibility to only authorized users and computing devices; and
    3. Centralized Management and Monitoring – the procedures and mechanisms that are in place for monitoring the network and maintaining acceptable configurations, and reporting network incidents and configuration changes to the Stanford University Chief Information Security Officer or delegate.
  4. Transmission over a Protected Network. While ePHI is in transit over a protected network, SUHC will take precautions to protect ePHI from intentional and unintentional loss or modifications by implementing data integrity measures. Data integrity measures will be implemented at all practical levels, but at a minimum at one of the following levels:
    1. Application level;
    2. Operating System level;
    3. Transport level
  5. Transmission over an Open Network. When any portion of a transmission traverses an open network ePHI will be encrypted. While in transit over an open network, ePHI will be protected from unauthorized access, and intentional and unintentional loss or modification, by implementing both encryption and data integrity measures. Encryption and data integrity measures will be implemented at all practical levels, but at a minimum at one of the following levels:
    1. Application level;
    2. Operating System level;
    3. Transport level

Procedures

Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

Exceptions

Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.

Related Documents

  1. SUHC HIPAA Security: Email and Other Electronic Messaging of ePHI Policy

VII. Document Information

  1. Legal Authority/References
    Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.312(e)
  2. Contact for Questions Related to this Policy
    Stanford University Chief Information Security Officer
    securityofficer@stanford.edu
  3. Document Review History
    Version Date Modified Comments
    1.0 01/28/2005 Yes  
    1.1 12/07/2015 Yes Reviewed and updated by Aaron Arutunian

This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.

Last modified April 14, 2023