The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "Privacy Rule" and the "Security Rule") protect the privacy of an individual’s health information and govern the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information (“PHI”).

What is Covered by HIPAA?

As health care providers, Stanford Hospital and Clinics, and Lucile Packard Children’s Hospital (together the “Hospitals”) must follow the Privacy and Security Rules. Stanford University, although primarily an educational and research institution, also conducts activities governed by HIPAA. The parts of Stanford University that are covered by HIPAA are called HIPAA Components. To see a diagram of the HIPAA components, go to the Covered Entity page on this website. Together the Stanford University HIPAA Components and the Hospitals form an affiliated covered entity under HIPAA. Stanford University and the Hospitals’ benefit plans must also comply with HIPAA. All members of the workforce and our business associates, including trainees, researchers, volunteers, consultants, and service providers, must comply with HIPAA, the Privacy and Security Rules, and Stanford University’s and the Hospital’s HIPAA policies.

Privacy and Security Policies

To meet the requirements of the Privacy and Security Rules, Stanford University, Hospitals and benefit plans have adopted policies which govern the use and disclosure of PHI. Handling of PHI in research and fundraising activities have special restrictions under HIPAA, and additional policies apply to these activities.


It is important that each department in Stanford’s covered entity develop and maintain appropriate procedures to ensure that the Privacy and Security Rules are followed in their organization. Stanford has developed sample procedures to assist in this process.


Each person who handles PHI must be aware of the obligations imposed by HIPAA and the Privacy and Security Rules. Stanford has developed general HIPAA training which is required to be taken by every member of the workforce who comes in contact with PHI. Certain special training modules are required to be taken by those whose jobs require them to be in closer contact with PHI. Each department will determine the appropriate training modules to be taken by its workforce. Additional training on local procedures is also should be provided by each department in the covered entity.


HIPAA’s Privacy Rule requires that Stanford establish a Privacy Officer with responsibility to implement and monitor compliance with HIPAA. In addition, each group or department within the covered entity has identified an individual responsible for implementation of the HIPAA policy requirements and ongoing compliance with HIPAA. For a list of contacts, go to the Contacts tab on this website.

Last modified Tue, 2 Jul, 2013 at 17:06