Stanford Medicine is committed to providing and maintaining a secure computing environment to protect the personal data we are trusted with and to enable the important work toward our missions to flourish. Public web content is bound by the same policy and requirements. See the Data Security website for more details.
HIPAA Legal Standard
Site owners and content authors are responsible and accountable for insuring that information published on Stanford Medicine websites and other services do not violate HIPAA or FERPA requirements. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains standards and rules which govern the treatment of individually identifiable health information. Under no circumstances should health information about a patient be disclosed without express written consent from the patient or his or her guardian. See the University's online HIPAA resources for more information.
Obligations of Site Owners
Reasonable measures must be taken to protect the security of page that contain protected health information. In general this means that access to these pages needs to be tightly controlled and the content must be delivered via SSL encryption.
No Protected Health Information (PHI) should be stored or served from any public Stanford Medicine website, blog, survey, or video channel. Read more about the content classification system.
Email and Form Considerations
Sites must not collect restricted content from a website email form or email link; email is not secure. If you need to collect restricted content you should use Qualtrics.
Secure written consent from individuals not affiliated with Stanford whose pictures appear on your website, wiki or blog, or video channel. In most cases, the school's general release form will suffice. However, whenever personal medical information is disclosed, the individual (or their guardian) must sign the a HIPAA release form.
- Stanford students, faculty and staff: No release required, but ask for verbal permission
- Family, friends, anyone in the community: Basic photo or video release
- Any person whose identifying health information is disclosed: HIPAA release
Note: this applies to individuals treated at the Stanford hospitals, health facilities and elsewhere