
Physical Offsite Storage Guide

Overview

Physical offsite storage requires appropriate handling and protection of Stanford University’s physical records, including, but not limited to, paper records, audio tapes, video tapes, and photographs. The security of these items is particularly important when they contain High and Moderate Risk Data such as:

- Protected Health Information (PHI) - Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

  Individually identifiable health information is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition
  • the provision of health care to the individual
  • the past, present, or future payment for the provision of health care to the individual
  • the identity of the individual or for which there is a reasonable basis to believe it can be used to identify the individual

- Personally Identifiable Information (PII) - Information that can be used alone or when combined with other PII to distinguish or trace an individual’s identity. Examples of PII include an individual’s name, social security number, address, phone number, credit card or bank account number.

Full policy below

Please review the full reference guide below.

Best Practices


  • For vendors with access to PHI, a Business Associate Agreement (BAA) must be in place before the vendor receives any PHI. Stanford’s preferred vendor for physical offsite storage is DataSafe, Inc. as there is a Master Service Agreement (MSA) and BAA in place with this vendor.

Roles & Responsibilities


SoM Originators/Initiators: Faculty and Staff

  • Before sending items to off-site storage, determine if the records can be destroyed, stored electronically, or stored on-site. If physical offsite storage is determined necessary, only use a Stanford approved off-site storage vendor.

  • Identify the record category (financial, research, personnel, PHI, etc.) to ensure appropriate retention periods and security of High and Moderate Risk information. Be sure to review and follow the appropriate retention policy before destroying any documents, audio tapes, video tapes, etc. See https://doresearch.stanford.edu/research-administration/major-topics/record-retention

  • Choose an appropriate vendor for records to send to physical off-site storage (preferred Stanford vendor is DataSafe, Inc.). For assistance selecting a vendor, contact Procurement.

  • Ensure that the vendor contract includes compliance information in accordance with applicable policies and regulations.

  • For vendors with access to PHI, a Business Associate Agreement (BAA) must be in place before the vendor receives any PHI.

  • Maintain a complete inventory of all items stored off-site with vendors, including the box number, record name, description, file listing, date range, and required retention/destruction date.

SoM Approvers/Reviewers: Director of Finance and Administration and/or designee

  • Perform periodic monitoring and oversight for physical offsite storage to ensure the following:

    • SoM Originators/Initiators roles and responsibilities are performed appropriately.

    • Physical offsite storage processes are in compliance with policies & regulations.

Penalties for non‐compliance:

Potential financial penalties for non‐compliance with the Health Insurance Portability and Accountability Act (HIPAA) can be significant; up to $50,000 per violation, with an annual maximum of $1.5 million.

Policies & Regulations


University Privacy Office - Physical Offsite Storage - Removal and Transport of PHI/PII: https://med.stanford.edu/md/mdhandbook/section-3-15-stanford-medicine-policy-for-the-removal-and-transport-of-phi.html


DoResearch - Records Retention - Uniform Guidance, Administrative Guide Memos (AGM), and Other Regulations: https://doresearch.stanford.edu/research-administration/major-topics/record-retention


Procurement - Contract Processing: http://web.stanford.edu/group/fms/fingate/staff/buypaying/contract_purchases.html

Questions? Subject Matter Expert (SME) Contacts


For Physical Offsite Storage:

University Privacy Office - https://privacy.stanford.edu/

DoResearch - https://doresearch.stanford.edu/

Director of Research Administration and Compliance, Ken Merritt - kmerritt@stanford.edu

Procurement (for SoM) - https://web.stanford.edu/group/fms/fingate/contact/index

Contracts Advisor II, Dan Kim - hdankim@stanford.edu

For Electronic Storage:

SoM Information Resources & Technology (IRT) - http://med.stanford.edu/irt.html

IRT Help Desk - Submit an IRT Help Form, or call (650) 725-8000

Document History


Created: November 2016

Author: Office of the Chief Risk Officer, Internal Audit Services - https://ocro.stanford.edu/audit/internal

Reviewed by: SME Contacts