I. Scope & Applicability
This policy applies to Stanford University HIPAA Components (SUHC) electronic protected health information (ePHI).
Information systems that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.
II. Policy Statement
SUHC will protect ePHI from unauthorized alteration, destruction or disclosure by implementing reasonable and appropriate measures to facilitate the maintenance of reliable system components, workflows, and data.
III. Principles
- Mechanisms to Authenticate ePHI. SUHC will implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. SUHC System Owners will determine the type of mechanism(s) to employ as follows:
- Electronic Authentication. SUHC will implement electronic mechanisms (e.g., error-correcting memory and magnetic disc storage, digital signatures, checksum technology) when such mechanisms are available, employable and commensurate with the criticality and risks associated with the ePHI.
- Procedural Authentication. If electronic authentication mechanisms are not available or employable, or in order to augment electronic mechanisms, SUHC will implement procedural mechanisms (e.g., double data entry, manual data validation) when such mechanisms are appropriate based on the criticality and risks associated with the ePHI.
- Data and System Integrity Checks. SUHC System Owners will establish mechanisms and procedures (e.g., backup verification, hardware and software reviews) to perform periodic checks of data and system functionality to identify integrity issues (e.g., corrupted data, failing hardware, software errors). The frequency of data and system integrity checks will be commensurate with the criticality and risks associated with the ePHI, but no less than on an annual basis.
- User Reporting. SUHC users will report suspected vulnerabilities or unauthorized ePHI data modification or destruction to the responsible System Administrator. The System Administrator will report suspicious findings that may indicate a security incident or other violation in accordance with the security incident reporting procedures developed by the Stanford University Chief Information Security Officer.
- Change Management. When developing or making changes to their information systems, SUHC System Owners will implement change control procedures (e.g., documentation, rollback plans, system testing) to reduce the risk of operator or system errors that could result in incidents such as unauthorized disclosures of or access to ePHI, unexpected system downtime, or data errors.
- Integration with Other HIPAA Policies. Data and system integrity are integral to compliance with the HIPAA Security Rule and impact many areas of implementation. Consequently, additional principles promoting data and systems integrity can be found in other SUHC HIPAA Security policies listed in the Related Documents Section VI, below.
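The principles above name checksums and digital signatures as electronic authentication mechanisms and backup verification as a periodic integrity check, but do not say what distinguishes them. The following Python example is added here for illustration; it is not part of the SUHC policy nor code from any Stanford system. The patient record, backup files, the key handling and all function names are constructed assumptions. It shows that an unkeyed checksum detects accidental corruption but is simply recomputed by anyone able to rewrite the data, whereas a keyed tag (HMAC, standing in for a digital signature) also detects deliberate alteration by anyone who lacks the key, and it shows a manifest-based backup verification that reports corrupted, missing and unexpected files.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record used for illustration only; not real patient data.
SAMPLE_RECORD = {"mrn": "000000", "name": "Test Patient", "allergy": "penicillin"}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so equal content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_checksum(record: dict) -> str:
    """Plain SHA-256 over the record: catches accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def keyed_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA-256 over the record: catches changes by anyone without the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_unkeyed(record: dict, stored_checksum: str) -> bool:
    return hmac.compare_digest(unkeyed_checksum(record), stored_checksum)


def verify_keyed(record: dict, stored_tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(record, key), stored_tag)


def simulated_attacker(record: dict, stored_value: str, keyed: bool):
    """Hypothetical attacker who can rewrite the record and its stored
    checksum or tag but holds no key. With an unkeyed checksum they just
    recompute it; with an HMAC the best they can do is leave the old tag."""
    altered = dict(record)
    altered["allergy"] = "none"  # a clinically dangerous alteration
    if keyed:
        return altered, stored_value
    return altered, unkeyed_checksum(altered)


def verify_backup_manifest(files: dict, manifest: dict) -> list:
    """Periodic backup verification: compare each restored file's SHA-256
    with the digest recorded when the backup was taken and report files
    that are corrupted, missing, or not in the manifest at all."""
    problems = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"corrupted: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


def demo() -> dict:
    # In a real deployment the key lives in a key vault or HSM, never beside the data.
    key = secrets.token_bytes(32)
    checksum = unkeyed_checksum(SAMPLE_RECORD)
    tag = keyed_tag(SAMPLE_RECORD, key)

    # Accidental corruption (a dropped character) is caught by both mechanisms.
    corrupted = dict(SAMPLE_RECORD, allergy="penicilin")
    results = {
        "unkeyed_catches_corruption": not verify_unkeyed(corrupted, checksum),
        "keyed_catches_corruption": not verify_keyed(corrupted, tag, key),
    }

    # Deliberate alteration: the unkeyed check is defeated, the keyed check is not.
    altered, new_checksum = simulated_attacker(SAMPLE_RECORD, checksum, keyed=False)
    results["unkeyed_catches_tamper"] = not verify_unkeyed(altered, new_checksum)
    altered, old_tag = simulated_attacker(SAMPLE_RECORD, tag, keyed=True)
    results["keyed_catches_tamper"] = not verify_keyed(altered, old_tag, key)

    # Backup verification against a manifest written at backup time (constructed files).
    backup = {
        "labs.csv": b"mrn,test,result\n000000,HbA1c,6.1\n",
        "notes.txt": b"routine visit\n",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in backup.items()}
    restored = dict(backup)
    restored["labs.csv"] = restored["labs.csv"][:-1]  # truncated during restore
    del restored["notes.txt"]                         # lost entirely
    results["backup_problems"] = verify_backup_manifest(restored, manifest)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed checksum is the right tool for the failing-hardware and software-error cases in the periodic checks; only the keyed tag or a signature corroborates that ePHI "has not been altered in an unauthorized manner", and it does so only if the key is stored somewhere the people and processes able to write the data cannot reach.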
IV. Procedures
Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.
V. Exceptions
Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.
VI. Related Documents
- SUHC HIPAA Security: Information Access Controls Policy
- SUHC HIPAA Security: Computing Devices and Electronic Storage Media Policy
- SUHC HIPAA Security: Audit Controls Policy
- SUHC HIPAA Security: Facilities Security Policy
- SUHC HIPAA Security: Contingency Planning Policy
- SUHC HIPAA Security: Security Management Policy
- SUHC HIPAA Security: Transmission of ePHI Policy
VII. Document Information
- Legal Authority/References
  Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.312(c)
- Contact for Questions Related to this Policy
  Stanford University Chief Information Security Officer
  securityofficer@stanford.edu
- Document Review History
  Version 1.0, Date 01/28/2005, Modified: Yes
  Version 1.1, Date 11/23/2015, Modified: Yes, Comments: Reviewed and updated by Aaron Arutunian
This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.