Policies & Regulations

Why You Need to Secure Your Information

Stanford's data protection policies are here to help you: they're in place in order to comply with various federal and state regulations. In the case of an unauthorized data breach, not only the University but you personally can be held liable, and are therefore subject to the responsibilities and penalties at all levels:

Governmental Regulations

University and School of Medicine Policies

Sensitive information must be transferred securely.  If other secure options are not feasible and external USB media must be used, that media must be encrypted.  For individuals whose role will require them to handle or transmit High Risk data at some point in their time at Stanford, all computers used for Stanford work will need to have an agent installed to prevent inadvertently copying data from the computer to an unencrypted drive.

Potential Penalties

Additional Recommendations

Risk Classifications and Minimum Security Standards

Stanford's Risk Classifications for its information resources provides a framework to determine the risk of information resources.  Based on these risk categories, Minimum Security Standards have been established for:

  • Endpoints
  • Servers
  • Applications
  • Software-as-a-Service, Platform-as-a-Service
  • Infrastructure-as-a-Service & Containerized Solutions


Be aware of the 18 HIPAA Identifiers so you can be sure you can know whether your data is de-identified.

Learn more about anonymizing research data so that it meets HIPAA regulations.

University Information Privacy & Security Quick Reference Guide


If you have questions or need assistance, call 650-725-8000 (M-F 7a-6p) or submit a help ticket at tdshelp.stanford.edu.