
Privacy Incidents FAQs

What is a Privacy Incident?

A privacy incident is any successful or unsuccessful loss of control, compromise, or unauthorized disclosure, acquisition, or access of protected health information (PHI) or electronic protected health information (ePHI). Some common examples of privacy incidents may include:

  1. Misdirected email—i.e., sending an email containing Sensitive Data (including High Risk and Moderate Risk data) to an incorrect party.

  2. Unsecure email—i.e., sending an email containing Sensitive Data to a correct or incorrect party without sending that email securely in accordance with the University's Secure: email policy.

  3. Misdirected fax or print job—i.e., misdialing a fax number or sending a print job to an incorrect printer. 

  4. Unauthorized disclosure—i.e., sending research samples, patient lists or other documents to the incorrect recipient or to a recipient where a business associate agreement (BAA) or data use agreement (DUA) has not been properly put in place.

  5. Lost/Stolen Devices—i.e., loss or theft of any mobile or computing device (including USB thumb-drives, mobile phones, tablets, laptops, desktops), whether it is encrypted or not.  

What is a Breach?

A privacy breach is any successful compromise of protective controls, or unauthorized acquisition, disclosure, access or use of PHI or ePHI which triggers reporting obligations under federal and/or state law to those individuals whose information was compromised.

What should I do if I think a Privacy Incident may have occurred?

If you believe that a privacy incident has occurred—even a seemingly innocuous incident—immediately report it to the University Privacy Office by one of the following three methods:

  1. Report.  Fill out the online incident form available here.

  2. Email.  Send an email to privacy@stanford.edu  

  3. Telephone.  Call (650) 725-1828

  4. In person at our physical office location during normal business hours at 127 Crothers Way, Stanford CA 94305.

*Please do not include any PHI or other sensitive data other than what is necessary for you to complete the initial report to our office.

A member of the University Privacy Office will follow up with you about your initial report, at which point you will be able to provide additional details regarding the incident. We appreciate your timely response and continued cooperation in helping us to complete our investigation.