Physical Offsite Storage Guide

Overview

Physical offsite storage requires appropriate handling and protection of Stanford University’s physical records, including, but not limited to, paper records, audio tapes, video tapes, and photographs. The security of these items is particularly important when they contain High and Moderate Risk Data such as:

  • Protected Health Information (PHI) - Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

    Individually identifiable health information is information, including demographic data, that relates to:

    • the individual’s past, present or future physical or mental health or condition
    • the provision of health care to the individual
    • the past, present, or future payment for the provision of health care to the individual
    • the identity of the individual or for which there is a reasonable basis to believe it can be used to identify the individual

  • Personally Identifiable Information (PII) - Information that can be used alone or when combined with other PII to distinguish or trace an individual’s identity. Examples of PII include an individual’s name, social security number, address, phone number, credit card or bank account number.

Full policy below

Best Practices

  • For vendors with access to PHI, a Business Associate Agreement (BAA) must be in place before the vendor receives any PHI.

Roles & Responsibilities

SoM Originators/Initiators: Faculty and Staff

  • Before sending items to off-site storage, determine if the records can be destroyed, stored electronically, or stored on-site. If physical offsite storage is determined necessary, only use a Stanford approved off-site storage vendor.
  • Identify the record category (financial, research, personnel, PHI, etc.) to ensure appropriate retention periods and security of High and Moderate Risk information. Be sure to review and follow the appropriate retention policy before destroying any documents, audio tapes, video tapes, etc. See https://doresearch.stanford.edu/topics/record-retention
  • Choose an appropriate vendor for records to send to physical off-site storage. For assistance selecting a vendor, contact Procurement.
  • Ensure that the vendor contract includes compliance information in accordance with applicable policies and regulations.
  • For vendors with access to PHI, a Business Associate Agreement (BAA) must be in place before the vendor receives any PHI.
  • Maintain a complete inventory of all items stored off-site with vendors, including the box number, record name, description, file listing, date range, and required retention/destruction date.

SoM Approvers/Reviewers: Director of Finance and Administration and/or designee

  • Perform periodic monitoring and oversight for physical offsite storage to ensure the following:
    • SoM Originators/Initiators roles and responsibilities are performed appropriately.
    • Physical offsite storage processes are in compliance with policies & regulations.

Penalties for non-compliance:

Potential financial penalties for non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) can be significant: up to $50,000 per violation, with an annual maximum of $1.5 million.

Policies & Regulations

3.15: Stanford Medicine Policy for the Removal and Transport of PHI
https://med.stanford.edu/md/mdhandbook/section-3-md-requirements-proced…

DoResearch - Records Retention - Uniform Guidance, Administrative Guide Memos (AGM), and Other Regulations: https://doresearch.stanford.edu/topics/record-retention

Procurement - Contract Processing - http://web.stanford.edu/group/fms/fingate/staff/buypaying/contract_purchases.html

Questions? Subject Matter Expert (SME) Contacts

For Physical Offsite Storage:

  • University Privacy Office - https://privacy.stanford.edu/
  • Make a Service Request
  • DoResearch
  • Procurement - Purchasing services

For Electronic Storage:

  • Stanford Medicine - Technology & Digital Solutions

Document History

Created: November 2016

Last Updated URL Links: September 2022

Author: Office of the Chief Risk Officer, University Privacy Office - https://privacy.stanford.edu/

Reviewed by: SME Contacts