This page is for everyone at Stanford University, Stanford Health Care (SHC), and Stanford Medicine Children’s Hospital (SMCH)
with access to sensitive data, including health care data and protected health information (PHI).
YOU are responsible for taking precautionary measures to protect any data you use, access, or share at Stanford.
Quick help needed? Grab the infographic:
Stanford is committed to privacy and data security.
This commitment is important for everyone in the Stanford community to adopt for the protection of our people and our information, especially related to health care data.
Consequences for mishandling data can include fines (for Stanford or you), imprisonment, and loss of your professional license.
Privacy and data security laws include serious consequences for failing to protect confidentiality and security, for both Stanford and for you as an individual.
Let's not forget the reason for our commitment—the potential impact for those who we are trying to protect, like patients and clinical trial participants.
Risks of mishandling sensitive data include:
When it comes to accessing (including querying) data, there is a significant difference between what you can access and what you should access.
For example, employees have access to operational and/or clinical systems with data based on their role within the organization and business need for access. That encompasses the data an employee can access.
However, employees should access only what is specifically required and approved.
Only use approved services for the data which you are accessing or using.
The Stanford data classification for PHI is “High Risk PHI Data.” There are approved services for handling this type of data.*
*Note that any solution(s) for High Risk PHI might also require special processes and procedures to ensure data privacy and security. Be sure to review all of the related requirements. Seek assistance or request a data risk assessment (DRA).
Keep in mind that various protections and consequences apply for specific types of data and situations.
Let's look at a few details:
Data received from a proprietary source (such as corporate data or information about sponsored research projects) can be sensitive and require protection from disclosure.
The State of California has its own legal requirements for different types of sensitive data, as do other states.
Data subject to European Union privacy regulations (GDPR) must be treated as sensitive personal information even if coded (where HIPAA allows de-identified data to retain certain types of codes).
Data that are individually identifiable (such as SSNs) but not created or maintained by a HIPAA-covered entity (such as a hospital) may not be subject to HIPAA but may be subject to other legal or contractual restrictions.
For research subject to IRB approval, data management is governed by the terms of that IRB approval, which may be more limiting or specific than Stanford's general guidelines for High Risk Data.
If you suspect or know of a data compromise or risk, immediately report the incident to keep you and others safe:
Note: For any incidents involving UK Biobank data, view the UK Biobank reporting protocols here.
University Privacy Office: Get help related to privacy questions.
University IT Information Security Office: Get help related to IT security.
Stanford Health Care Privacy Office: Get help related to patient data and PHI.
Research Compliance Office (IRB): Get help related to human subject research and the protection of participants.
University Privacy Office Training
University IT Information Security Office Resources
Stanford Medicine Training and Resources
Once you complete this form*, you will automatically receive an email with the details of your commitment. You can also choose to send your commitment to individuals you choose.
*Note this commitment does not act as a replacement for the official training. This web page is a supplemental resource.