Why You Need to Secure Your Information

Stanford University's information privacy rules are put in place to guard sensitive information according to State and Federal regulations as well as University policies. By complying with these policies, you're not only protecting the integrity of your own information, but also the university at large—and yourself as a liable individual.

At the most practical level, securing the information on your computer means:

  • Ensuring that your information remains confidential and only those who should access that information, can.
  • Knowing that no one has been able to change your information, so you can depend on its accuracy (information integrity).
  • Making sure that your information is available when you need it (by making back-up copies and, if appropriate, storing the back-up copies off-site).


In addition to the practical reasons noted above for keeping your information secure, there are State and Federal regulations in place that require you to secure Stanford information, holding you personally liable for a breach, especially of patient data:

Stanford Policies

To comply with federal and state regulations above, and to additionally protect Stanford information, there are a variety of Stanford and IRT policies that outline how best to protect yourself and the University. Click here to find out more.

What Should I Do?

  • These laws and policies encourage, and often require, the use of encryption. Therefore, Stanford now requires all computers and devices with access the University's network to be encrypted. Stanford recommends using the encryption that is native to your operating system (BitLocker for Windows, FileVault2 for MacOS). For more information about encryption at Stanford, you can visit our encryption page, or go to med.stanford.edu/datasecurity.
  • If you are running a server, make sure that you properly secure your server.
  • Be aware of the 18 HIPAA identifiers, so that you can be sure that you're publishing truly anonymous data.
  • See How To Secure Your Information for a whole list of tips on securing your computer and your information.

If you suspect that there has been a possible breach of information (lost/stolen device, for example), see Reporting an Incident for the steps you should take. The legal limit for reporting an incident is five days, so do not wait even for the next business day to report a problem.

The effects of SB541 and AB211

Regardless of whether it was mal-intended or not, anyone who uses patient information is personally responsible for its disclosure.

A patient whose information was breached has the right to sue the individual and it does not have to be for actual damages.

Although Stanford University and the School of Medicine will try to assist the employee with the potential legal battle, the individual is personally responsible for all financial penalties and lawsuits.


If you are unsure about what you need to do, contact the IRT Service Desk at 5-8000 and the folks there will walk you through these and other steps for securing your computer.