Q: How can I be sure what qualifies as Stanford ePHI?
A: The Stanford Risk Classification Chart defines PHI, and outlines what information Stanford classifies as High, Moderate, and Low Risk. This policy is primarily concerned with electronic PHI (ePHI) from Stanford - PHI/ePHI from other institutions should not be included.
Q: Does the policy affect people who have no Stanford ePHI on their computers?
A: All ACF will first be asked to complete an ACF Attestation. This survey will identify whether or not you are required to comply with the Stanford data security policies. Based on your answers to the ACF Attestation, you may be required to complete the additional Data and Device Attestation. If you have no access to Stanford ePHI and use no Stanford equipment, no additional actions will be required by you.
Q: Does the policy apply to ACF who could, but do not, access or receive Stanford ePHI?
A: All ACF are asked to complete the ACF Attestation and, if necessary, the additional Data and Device Attestation.
Q: I have Emeritus/Emerita status; do I need to fill out a data attestation?
A: Emeriti/Emeritae who are no longer active with Stanford School of Medicine are excluded from the requirement.
Q: What if I work with SHC or SCH but don't have a computer or device of my own?
A: If you hold any level of SHC or SCH credentialing, you will be expected to attest to having access to Stanford ePHI, which will be reflected in the records. If you don't have any computers or mobile devices that access ePHI, you will not need to register any devices.
Q: What do I need to do, if I attest to working with Stanford ePHI?
A: Individuals who work with Stanford High Risk Data (including ePHI from either SHC or SCH) will need to encrypt all Stanford-owned and personally-owned mobile devices, laptops and desktops that are used to access that information. Please note that while it is not required, it is strongly recommended that you back up your device prior to encrypting it.
Additionally, ACF who use Stanford-owned equipment need to ensure the following for any such equipment used to access Stanford ePHI:
Q: How can I confirm that I am compliant with the data security policies?
A: If you have a Stanford SUNet ID, you can view your status on the AMIE (Am I Encrypted?) page. This page presents the details of your status and your registered devices, and will either confirm your compliance or list the further steps you need to take in order to fulfill the security requirements.
Q: Do I, as an Adjunct Clinical Faculty member, need a Stanford email address to be compliant?
A: All ACF will require a functioning email address of some kind; a Stanford email address is not required. For any ACF using Stanford-owned equipment, a Stanford email address will need to be sponsored by your department.
Q: What if the device I use for Stanford business is owned by another institution or health care provider?
A: Devices owned by other institutions or health care providers should not be attested to and should not be used to access Stanford ePHI. Devices used to access another institution's ePHI should not be used for Stanford business.
Q: Are there any planned changes to remote EPIC access from home desktop computers?
A: There are no planned changes at this time.
Q: How will IDF (the ID finder associated with BigFix) determine if social security numbers and credit card numbers are personal to me or my family, and will any such data be retained by Stanford?
A: There is currently no plan to review personal data; it is the user's personal responsibility to determine what data will and will not be backed up.
Q: If a compliant computer changes its character of use (i.e., is no longer used for Stanford business), can BigFix and IDF be removed?
A: All Stanford ePHI and other High Risk Data must be securely removed first, then the security attestation should be updated. Then BigFix can be removed.
Q: Do I need a separate computer for Stanford vs. non-Stanford use?
- A: We strongly recommend that you do not use personal devices to access Stanford resources. However, if you do so, the Stanford University data security requirements described above will apply.
- Devices used to access other institutions' ePHI should not be used to access Stanford resources.
- Due to these policies, some Stanford Departments have made computers/mobile devices available to their trainees and employees. Please check with your department to see if the opportunity is available to you to use only a Stanford-dedicated computer/mobile device to access Stanford ePHI.
Q: Does this policy apply to someone who never accesses or sends Stanford ePHI, but who might inadvertently receive 1 or 2 emails a year containing Stanford ePHI? Couldn’t I just delete the email, unopened, if I have no registered computers or mobile devices?
A: If, in your role as an ACF, you would never reasonably expect to receive Stanford ePHI, and such emails are truly incidental and accidental, then the answer is yes: please delete it immediately. However, if in your role you could reasonably expect to receive Stanford ePHI, then your attestation should be updated to reflect that.
Q: Does this policy apply to ACF who send/receive “Secure:” email not containing Stanford ePHI?
A: Per your role as an ACF, you must still complete the ACF Attestation and possibly the Device and Data Attestation. If you are using no Stanford-owned computers or mobile devices, and would receive no Stanford ePHI via email - Secure: or otherwise - you should not need to take additional steps. But please first complete the ACF Attestation to identify the requirements applying to you.
Stanford's Secure: mail only ensures that a message is encrypted in transit; it is not necessarily an indication that the message includes Stanford ePHI. If you have a Stanford email account and need to send High Risk Data in email, you should use Secure: anywhere in the subject line of the message to ensure the message is encrypted. Note that the Subject line itself is not encrypted and should not include any High Risk Data.
Q: Does this policy apply to ACF who use only web-based Stanford email and never download anything from that email to their computer?
A: Stanford web mail currently downloads attachments automatically, and those attachments may contain PHI; therefore, even incidental use of any Stanford mail means the Stanford University data security policies apply. Future upgrades may resolve this issue.
Q: Does this count as Stanford ePHI? I am supervising a trainee and I might receive an email such as the following: "My patient needs to meet at a different time next week so I would like to change our supervision time.”
- A: So long as no patient-identifiable information is contained in the message, it is not considered Stanford ePHI.
- If it contains Stanford patient treatment information such as name, medical record number, initials, appointment dates, treatments, etc., then it should be considered Stanford ePHI.
- All trainees and employees should be made aware of the importance of NOT sending Stanford ePHI to ACF supervisors who are NOT equipped to access Stanford ePHI on their personal computers/devices. We recommend that this policy be adopted and are working on including it as part of routine training.
Q: Is there an automatic way to flag an email that contains Stanford ePHI? What if I get an email that I know or suspect contains Stanford ePHI?
A: Currently, there is no notification that a message may or does contain Stanford ePHI. If you suspect a document contains Stanford ePHI and if you are using a computer or mobile device that is not fully compliant with data security requirements, you should delete that email unopened — or wait to open it from your registered device. We are testing some automated technical controls to automatically block unencrypted ePHI email.
Still have questions we didn't answer?