For Adjunct Clinical Faculty
As part of Stanford University School of Medicine’s ongoing data security efforts, we are asking individuals likely to work with Stanford's electronic Protected Health Information (ePHI) to participate in the Stanford University Data Security Program. This program requires that all computers or mobile devices that access Stanford data be encrypted and managed.
All computers used to access Stanford ePHI are subject to these requirements: both Stanford-supplied computers or mobile devices, and personal computers or mobile devices. It is the personal responsibility of each individual who works with (or could reasonably be exposed to) ePHI or other Moderate or High Risk (previously Restricted or Prohibited) information to ensure that their devices comply with this program.
Participating in the program is easy: see below for how to get started. If you need help, check the Frequently Asked Questions.
Three steps:
- 1. You will be emailed a personalized link to the School of Medicine ACF Attestation tool which will identify which requirements affect you directly based on your use of Stanford ePHI. Depending on your answers to this survey, you will either:
- a) Need to use your existing Stanford ID (SUNet ID) to complete a School of Medicine Data & Device Attestation to confirm your electronic access to Stanford ePHI, and to identify the types of devices you use for this access.
- b) Have a Stanford ID (SUNet ID) sponsored for you so you can complete the Data & Device Attestation described in (a) above.
- c) Have no need to go through additional forms, but need to ensure any of your personally-owned devices that access Stanford ePHI meet the School of Medicine data security requirements.
What devices should you report?
- Please only report the devices that you will use for Stanford Medicine business—both Stanford School of Medicine-owned and personally-owned devices.
- Please do not report devices owned by Stanford Health Care (SHC), Stanford Children's Health (SCH) or any other healthcare institution.
- We strongly recommend you don't use personal devices to access Stanford. However, if you do so, the Stanford University data security requirement #2 described below will apply.
The following two steps are only required if you plan to use Stanford-owned or personally-owned devices to access Stanford ePHI:
- 2. Encrypt all computers and mobile devices that access Stanford ePHI or other Moderate or High Risk (previously Restricted or Prohibited) data.
- Only if you are using a Stanford-owned device, you must additionally:
- 3. Install management software:
- BigFix for laptops and desktops (https://med.stanford.edu/datasecurity/bigfix.html)
- MDM for mobile devices (http://mdm.stanford.edu)
More Resources:
- Frequently Asked Questions about ACF and computer security
- Am I Encrypted? (AMIE) (this page is only required for and available to individuals with SUNet IDs)
- Stanford Risk Classifications (definitions of Moderate and High Risk data; minimum security standards for Stanford computers and servers)
If you need assistance with your data security attestation or any of the details included in this process, you can contact the IRT Service Desk at 650-725-8000.