Presentation on theme: "Baron Rodriguez, PTAC Director"— Presentation transcript:
12014 Early Childhood Privacy and Confidentiality Workshop April 16th, 2014 Baron Rodriguez, PTAC DirectorMichael Hawes, Statistical Privacy Advisor (DoED)Frank Miller, FPCO Team Leader (DoED)Sharon Walsh, DaSy ConsultantAnn Agnew, DaSy HIPAA ConsultantMissy Cochenour, State Support Team
2Objectives for the DayLearn about FERPA & HIPAA implications for early childhood integrated data systemsDevelop drafts of data sharing agreements with your state teamLearn about methods to share about privacy with external data users, such as parents, policymakers, and others
3IntroductionsAs a state, discuss what you hope to learn today and how each of you fit into the state picture around early childhood integrated data systems, both now and in the future
4Early Childhood Data Overview - Missy Cochenour, SST -
5Key Data Uses in Early Childhood What is driving the work in Early Childhood?Critical policy and program questions across agencies and programsWho are the potential users?Policymakers, program administrators, teachers, parents, and othersDiscussion question: What does the use have to do with Privacy?
6Key Data Uses in Early Childhood UserInterest/NeedExample(s)Policymakers & LegislatorsInform policy development, revision, and funding decisionsResource allocation, program evaluation, legislative actions, etc.Program leadersImprove program effectiveness and efficiencyProgram evaluation, resource allocation, staffing needs, community needs, program development, program planning, etc.EducatorsInform decisions to improve local-level learning environmentsResource allocation, staffing needs, instructional approaches, student placement, curriculum development, etc.ResearchersAssess the impact of policies and programs on students and education entitiesResearch questions, program evaluation, policy evaluation, etc.FamiliesSupport learning and inform decisions about placement in available schools/programs/ coursesWhich schools/programs to send their child to, which classes to take to be ready for college, resources available, etc.Speaker: MissyWe can come back and think about the specificity needed for these various roles (better modeling)This slide will bridge from Corey’s overview and the need to identify the mission and the users to the actual EC uses.
7Key Data Uses in Early Childhood UserExamples from Other StatesPolicymakers & LegislatorsAre children birth to age 5 on track to succeed when they enter school?What are the education and economic returns on early childhood investments? What are the definable characteristics of the state’s Birth-8 workforce?Which children and families are and are not being served by which programs and services?Program leadersWhat characteristics of programs are associated with positive outcomes for which children?What characteristics of programs improve quality of services for families?Is my program effective?Are my teachers prepared to meet the needs of the families we serve?EducatorsIs my class/child development on track to succeed when they enter school?Is “this” instructional strategy working for this child?ResearchersDoes the self-regulation of a child predict their school success in K?How effective is this program? (General program evaluation)What would the impact of increased quality standards have on the workforce?FamiliesWhat is the best program for my child? Where are programs located?Is my child on track to be ready for school?Speaker: MissyThis slide will bridge from Corey’s overview and the need to identify the mission and the users to the actual EC uses. [Per meeting: Some examples may focus specifically on children with special needs, in foster care, or other cases, relevant to the audience—Missy will engage Robin and/other speakers for those, as needed.]
8Early Childhood Education Program Definition According to 20 USCS § 1003(8), the term “early childhood education program” means –“(A) a Head Start program or an Early Head Start program carried out under the Head Start Act (42 U.S.C et seq.), including a migrant or seasonal Head Start program, an Indian Head Start program, or a Head Start program or an Early Head Start program that also receives State funding;(B) a State licensed or regulated child care program; or
9Early Childhood Education Program Definition C) a program that—(i) serves children from birth through age six that addresses the children's cognitive (including language, early literacy, and early mathematics), social, emotional, and physical development; and(ii) is –(I) a State pre-kindergarten program;(II) a program authorized under section 619 or part C of the Individuals with Disabilities Education Act [20 USCS § 1419 or §§ 1431 et seq.]; or(III) a program operated by a local educational agency.”
10Privacy Considerations in Using Early Childhood Data What legal obligation do EC educational agencies and institutions have to protect PII from students records?Privacy of individual student records is protected under FERPAOther Federal, State, and local laws, such as HIPAA and IDEA, may also applyDetermine how/which information is going to flow between agencies to help assess which laws may applyDevelop data sharing agreements which ensure data is only shared for authorized purposes and adequately protected at all timesTony (5-7 minutes)Starts conversations with P20W CouncilEarly Childhood Essential QuestionsResearch or Evaluation QuestionsImportance of working collaboratively across DepartmentsStarts conversations with our own technical departmentWhat data systems are in place and what are their plans for future system?Is Early Childhood part of data system or part of plans for future system?What is the timeline to incorporate EC data into data system?Starts conversations with other departments and agenciesHelps to think about various stakeholders, particularly data stewardsProvides support to P20 CouncilCommunication PlanAgreement FormWhat needs to be done with the EC data in order for it to roll into data system?Carol and Mike (1-2 minutes each)
11- Baron Rodriguez, PTAC Director & Frank Miller, FPCO Team Leader - FERPA / IDEA Overview- Baron Rodriguez, PTAC Director &Frank Miller, FPCO Team Leader -
12Family Educational Rights and Privacy Act (FERPA) FERPA provides parents the right toinspect and review education records;seek to amend education records; andconsent to the disclosure of personally identifiable information from education records, except as provided by law.When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”).
13To Which Educational Agencies and Institutions Does FERPA Apply? US DEPT OF EDElementarySecondary.Postsecondary
14What Are Education Records? “Education records” are records that are –directly related to a student; andmaintained by an educational agency or institution, or, by a party acting for the agency or institution.
15What Is Personally Identifiable Information (PII)? AddressMother’s maiden nameNameSocial Security NumberDate of birthParent’s name
16What Is Directory Information? PII that is not generally considered harmful or an invasion of privacy if disclosedNot a student’s Social Security Number and generally not a student ID numberMay include a student ID number displayed on a student ID badge
17Part B of the Individuals with Disabilities Act (IDEA) § Confidentiality of Information “The Secretary takes appropriate action, in accordance with section 444 of GEPA [FERPA], to ensure the protection of the confidentiality of any personally identifiable data, information, and records collected or maintained by the Secretary and by SEAs and LEAs pursuant to Part of the Act, and consistent with §§ through ”Deb
18Part C of the Individuals with Disabilities Act (IDEA) § Confidentiality “The Secretary takes appropriate action, in accordance with section 444 of GEPA [FERPA], to ensure the protection of the confidentiality of any personally identifiable data, information, and records collected or maintained by the Secretary and by lead agencies and EIS providers pursuant to part C of the Act, and consistent with §§ through The regulations in §§ through ensure the protection of the confidentiality of any personally identifiable data, information, and records collected or maintained pursuant to this part by the Secretary and by participating agencies, including the State lead agency and EIS providers, in accordance with [FERPA].”Deb
19Consent for Disclosures § of the IDEA Part B requires –Parental consent before PII is disclosed to parties, other than to officials of participating agencies in order to meet IDEA requirements, unless the information is contained in education records and the disclosure is authorized by FERPAEllen then Deb
20Consent for Disclosures § of Part C requires a lead agency or other participating agency may not disclose PII to any party except participating agencies (including lead agency and EIS providers) that are part of the State’s Part C system without parental consent, unless –Authorized to do so under §§ (d), (b)(1)(i) and (b)(1)(ii), and (b)(6)(ii)(A); orOne of the exceptions in FERPA (§ 99.31), where applicable to Part C.Ellen then Deb
21FERPA and IDEA Early Childhood Programs FERPA applies the same requirements to both IDEA B & C programsIDEA Part B, Section 619 and IDEA Part C have similar, but slightly different, confidentiality provisions
22FPCO Letter to Edmunds (2012) “Early intervention records” is the same as “education records” for purposes of the confidentiality protections under IDEA Part C and FERPAIf early intervention records are covered under FERPA and IDEA Part C, those records are exempt as PHI under the HIPAA Privacy Rule
23How FERPA Terms Apply to IDEA Part C IDEA Part C, in § (b)(2), includes the following translation provisions for FERPA terms:Education record = Early intervention recordEducation = Early interventionEducational agency or institution = Participating agencySchool official = Qualified EIS personnel/Service CoordinatorState educational authority = Lead agencyStudent = Child under IDEA Part C
24Primary Rights of Parents under FERPA Right to inspect and review education records (§ 99.10);Right to seek to amend education records (§§ 99.20, 99.21, and 99.22); andRight to consent to the disclosure of personally identifiable information from education records, except as provided by law (§§ and 99.31).
25Annually Notified of Rights § 99.7Schools must annually notify parents of students and eligible students in attendance of their rights under FERPA.FERPARIGHTS
26Right to Consent to Disclosures Except for specific exceptions, a parent or eligible student shall provide a signed and dated written consent before a school may disclose education records.The consent must:specify records that maybe disclosed;state purpose of disclosure; andidentify party or class of partiesto whom disclosure may be made.§ 99.30
27So, when is prior consent NOT required before disclosing PII in education records?
28What Are the Exceptions to General Consent? § 99.31To school officials with legitimate educational interests (defined in annual notification);To schools in which a student seeks or intends to enroll;To State and local officials pursuant to a State statute in connection with serving the student under the juvenile justice system;To comply with a judicial order or subpoena (reasonable effort to notify parent or student at last known address);To accrediting organizations;
29What Are the Exceptions to General Consent? To parents of a dependent student;To authorized representatives of Federal, State, and local educational authorities conducting an audit, evaluation, or enforcement of education programs;To organizations conducting studies for specific purposes on behalf of schools;In a health or safety emergency;To State and county social service agencies or child welfare agencies (new); andDirectory information.
30Uninterrupted Scholars Act (USA) New exception to the general consent rule under FERPA enacted on January 14, 2013:Permits disclosure of PII from education records of children in foster care to: “agency caseworker or other representative” of a State or local child welfare agency (CWA) who has the right to access a student’s case plan under State or tribal lawDisclosure permitted when: the CWA is “legally responsible… for the care and protection of the student”Provisions for tribal organizations as well
31Additional Exception to Consent Uninterrupted Scholars Act amended the notification requirement in FERPA’s subpoena or judicial order exception (§ 99.31(a)(9)) when the parent is a party to a court proceeding involving child abuse, neglect, or dependency and the court order is issued in the context of that court proceeding
32The exceptions to consent are permissible, NOT required
33What Limitations Apply to the Redisclosure of PII? Receiving party should be informed that the information may not be further disclosed, except when the disclosure is:to the parent or eligible student;on behalf of the school under § 99.31;pursuant to a court order, subpoena, or in connection with litigation between the school and parent/student;to the parents of a dependent student; ordirectory information.
34What are the Recordkeeping Requirements? An educational agency or institution must maintain a record of each request for access to and each disclosure from an education record, as well as the names of State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) that may make further disclosures of personally identifiable information from the student’s education records without consent under §
35What are the Enforcement Provisions? The Family Policy Compliance Office (FPCO) investigates complaints and violations under FERPAParents and eligible students may file timely complaints (180 days) with FPCOIf an SEA or another entity that receives Department funds violates FERPA, FPCO may bring an enforcement action against that entityEnforcement actions include the 5-year rule as well as withholding payment, cease and desist orders, and compliance agreements
36Key Points to RememberProperly de-identified data can be shared without any FERPA considerations and should be your FIRST option as it limits the risk of unauthorized PII disclosureIn most cases, consent is the best approach for sharing PII with non-profit organizationsDirectory Information is often misunderstood. Opt-out provisions do not prevent data from being shared under the Audit/Evaluation or School Official exceptions
37- Ann Agnew, HIPAA Consultant, DaSy - HIPAA Overview- Ann Agnew,HIPAA Consultant, DaSy -
38What is HIPAA?Health Insurance Portability and Accountability Act of 1996Established Certain Insurance ProtectionsCoverage PortabilityLimited exclusions for health conditionsProhibited discrimination based on health statusGuaranteed renewability
39What is HIPAA?Required Standards for the Exchange of Electronic InformationDirected the Department of Health and Human Services to:Set standards for the content of electronic transactions and for the format of transmissionEstablish “Code Sets” for use as descriptors of diagnosis and treatmentEstablish “Unique Identifiers” for employers and providersThe Centers for Medicare and Medicaid Services (CMS) sets electronic standards through formal notice and comment rule-making
40What about HIPAA Privacy and Security? Statute sets out a process for establishing privacy protections (SEC. 264)HHS directed to make recommendations covering “at least”what rights an individual has regarding his/her health informationprocedures to exercise those rightsappropriate uses and disclosures for individually identifiable information
41HIPAA Privacy and Security Protections and Requirements HIPAA Administrative Simplification RegulationsSuite of regulations covering HIPAA provisions45 CFR Parts 160, 162, and 164Privacy Rule and Security Rule implemented and enforced by the Office of Civil Rights in the Department of Health and Human Services
42HIPAA Privacy and Security Protections and Requirements Privacy Rule - 45 CFR Part 160 and Subparts A and E of Part 164Establishes national standards to protect individuals’ medical records/personal health informationFinal Rule - August 14, 2002Accounting for Disclosure - provision within Privacy RuleCovered entities must provide, on request, account of disclosures of protected informationModifications proposed - May 31, to implement HITECH Act provisions/other updatesFinal Rule still pending
43HIPAA Privacy and Security Protections and Requirements Security Rule - 45 CFR Part 160 and Subparts A and C of Part 164Established national standards for the protection of electronic personal health informationSets requirements for administrative, physical and technical safeguardsFinal Rule - February 20, 2003
44HIPAA Privacy and Security Protections and Requirements Enforcement - 45 CFR Parts 160 and 164Provides standards for the enforcement of all HIPAA rulesFinal Rule - February 16, 2006Breach Notification - 45 CFRRequires HIPAA covered entities to provide notifications of any breach of “protected heath information”Interim Final Rule - August 24, 2009
45HIPAA Privacy and Security Protections and Requirements HIPAA Omnibus Rule - 45 CFR Parts 160 and 164Implements provisions of the Health Information Technology for Economical and Clinical Health Act (HITECH) - part of the American Recovery and Reinvestment Act of 2009Modifies Privacy, Security and Enforcement RulesFinal Rule - January 17, 2013
46Privacy - What Rights Are Conferred? Notice of privacy practices Access to records Amend/correct records Disclosure accounting Restriction request Confidential communications requirements
47Privacy - Who Does It Apply to? “Covered Entities”Health Plans - in general, all group and individual plans that provide or pay for health servicesHealth Care Providers - any health care provider who engages in any electronic transactions covered by HIPAA standardsHealthcare Clearinghouses - generally entities that convert nonstandard information into standard format required for electronic transmission
48Privacy - Who Does It Apply to? “Business Associates”Individual or organizationPerforms services on behalf of a covered entityORProvides services to a covered entityANDServices involve the use and/or disclosure of protected health information
49Privacy - What’s Included? “Protected Health Information” (PHI)Any individually identifiable health information held or transmitted by a covered entityInformation is protected regardless of form - electronic, paper, oral
50Privacy - What’s NOT Included? De-identified informationEducation and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232gJOINT GUIDANCE ON THE APPLICABILITY OF FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) and the HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TO STUDENT RECORDS
51When Can PHI Be Used or Disclosed? Any purpose authorized in writing by the individualAny use “permitted” or “required” under regulationGoverning principle - “minimum necessary”
52“Required” UsesDisclosure to the individual or their personal representativeDisclosure to HHS for compliance investigation or enforcement action
53“Permitted” Uses “Use with opportunity to object” Informal process Does not require written permissionIndividual may opt out of participationExample: inclusion of information in a directoryIncidental Use/DisclosureInadvertent disclosure associated with otherwise permissible use
54“Permitted” Uses Public Interest and Benefit Activities Balance between public and private benefit issuesList of 12 categories, including:Public Health ActivitiesJudicial & Administrative ProceedingsVictims of Abuse, Neglect or Domestic ViolenceLaw Enforcement PurposesResearchSerious Threat to Health or Safety
55“Permitted” Uses Limited Data Set Aggregated information Some identifiers removedRequires a data use agreementAgreement must specify purposes and limitations on use
56“Authorized” Uses Required for any other use of PHI Authorization must be in writingMust be specific in terms of what data and purpose of useMay authorize use by covered entity or by third partyTreatment or payment MAY NOT be conditioned on authorizationAuthorization specifically required for:Psychotherapy notesMarketing
57Penalties for Non-Compliance CivilHITECH established 4 Tiers based on level of culpabilityAmount per violation - $100 to $50,000 or moreCalendar year cap - $1.5 millionCriminalPenalties range from 1 to 10 years in prisonEnforced by Department of Justice522 referrals for investigation to dateHITECH extended direct liability to Business Associates
58Penalties - Examples Penalties are not insubstantial 2011 First civil money penalty4.3 million to Cignet Health Care2013Penalties ranged from $150,000 to $1.7 million2014First fine against a local governmentSkagit County in Washington State$215,000
59Penalties - Examples Penalty is only part of the cost 2012 BCBS Tennessee1.5 million fine17 million on investigation, notification and mitigation
60Breach Notification “Wall of Shame” Violations involving disclosure of information on 500 or more individuals834 reported cases reported under Breach Notification (as of April 14)
61Items of Interest Personal Representative Parents generally recognized as “personal representative of an un-emancipated minor”Personal representative exercises privacy rights on behalf of minorState law governsLimited exceptions (where state or other law requires disclosure of information to the minor)
62Items of InterestDisclosure of Student Immunizations to Schools - Section (b)Omnibus Rule of 2013Covered entity may share proof of immunization with schoolwhen such proof is required for admittance of studentWritten consent is required, butCovered entity must document some form of agreementForm of documentation not specifiedDocumentation need not be HIPAA compliant “authorization”
63Security RuleApplies to information contained in electronic records (“e-PHI”)Includes information created, received, maintained or transmitted in electronic formRequires administrative, technical, organizational and physical safeguards of e-PHIDoes not specify standards or measuresRequires “Risk Analysis” - on an ongoing basis - to determine what is “reasonable and appropriate”
64Summary IS THE INFORMATION NEEDED CONTAINED IN AN “EDUCATION RECORD”? IS THE INFORMATION HELD BY A HIPAA “COVERED ENTITY”?IS THE INFORMATION IN THE FORM OF “PROTECTED HEALTH INFORMATION”?
65- Baron Rodriguez, PTAC Director - FERPA Exceptions- Baron Rodriguez, PTAC Director -
66Data Sharing = Disclosure Remember: There is no “data sharing” or “research” clause in FERPA, rather, sharing of student PII is considered “disclosure” under FERPA and is only allowable under specific circumstances.
67FERPA’s Audit or Evaluation Exception A state or local educational authority may designate a third party as their “authorized representative” and then disclose PII from education records to them for the purposes of conducting an audit or evaluation of a federal or state-supported education program.
68FERPA’s Audit or Evaluation Exception - Requirements Disclosing entity must be a state or local educational authorityMust be for the evaluation of a federal or state- supported education programMust use a written agreement to designate the recipient as the authorized representativeThe written agreement must include a number of required elements(see “Guidance on Reasonable Methods and Written Agreements”)
69FERPA’s Audit or Evaluation Exception - Requirements The recipient must:Comply with the terms of the written agreement;Use the PII only for the authorized purpose;Protect the PII from further disclosure or other uses; andDestroy the PII when no longer needed for the evaluation.
70School Official Exception Schools or LEAs can use the School Official exception under FERPA to disclose education records to a third party only if the outside party:Performs a service/function for the school/district for which the educational organization would otherwise use its own employeesIs under the direct control of the organization with regard to the use/maintenance of the education records
71School Official Exception Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPADoes not re-disclose or use education data for unauthorized purposes
72Studies Exception“For or on behalf of” schools, school districts, or postsecondary institutionsStudies must be for the purpose ofDeveloping, validating, or administering predictive tests; orAdministering student aid programs; orImproving instruction.Written Agreements
73Written Agreements: Studies Exception Written agreements mustSpecify the purpose, scope, and duration of the study and the information to be disclosed, andRequire the organization touse PII only to meet the purpose(s) of the studylimit access to PII to those with legitimate interestsdestroy PII upon completion of the study and specify the time period in which the information must be destroyed
74Remember: Use the Appropriate FERPA Exception Schools/LEAs: IT contractors must meet criteria under the School Official exception discussed earlier. SEAs: Cannot use the School Official exception; therefore, must designate IT service providers as “authorized representatives” under the Audit/Evaluation exception.
75Audit or Evaluation§ 99.35Federal, State, and local officials listed under § 99.31(a)(3), or their authorized representative, may have access to education records only –in connection with an audit or evaluation of Federal or State supported education programs, orfor the enforcement of or compliance with Federal legal requirements which relate to those programs.The information must be:protected in a manner that does not permit disclosure of PII to anyone; anddestroyed when no longer needed for the purposes listed above.
76Who Is an Authorized Representative? § 99.3Any entity or individual designated by a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to conduct—with respect to Federal- or State-supported education programs—any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs
77Studies Exception§ 99.31Studies conducted “for or on behalf of” schools, school districts, or postsecondary institutionsStudies must be for the purpose ofDeveloping, validating, oradministering predictive tests;orAdministering student aidprograms;Improving instruction.
78What Are Written Agreements? Mandatory for LEA or SEA disclosing PII without consent under audit/evaluationMandatory for school or LEA for disclosing to outside organization under the studies exception, or for SEA redisclosing for, or on behalf of, school or LEA
79Reasonable Methods§ 99.35In disclosing to a designated authorized representative under audit/evaluation exception, LEA must ensure to the greatest extent practicable that an authorized representativeUses PII only to carry out an audit or evaluation of education programs, or for the enforcement of or compliance with, Federal legal requirements related to these programsProtects the PII from further disclosures or any unauthorized useDestroys the PII records when no longer needed for the audit, evaluation, or enforcement or compliance activity
82Guidance Documents & FERPA Regulations Addressing Emergencies on CampusJoint FERPA-HIPAA GuidanceFERPA & Disclosures Related to Emergencies & Disastersguidance.pdfBalancing Student Privacy & School SafetyCurrent FERPA RegulationsNew Amendments to FERPA Regulations (Effective 1/3/12)New Model NotificationsLEAs:
83FPCO Contact InformationFor technical assistance and advice to school officials:Family Policy Compliance OfficeU.S. Department of Education400 Maryland Avenue, SWWashington, DC(202) Telephone(202) FaxFor informal requests for technical assistance, us at:FPCO Web site:Ellen
85Panelists Ann Agnew (HIPAA Consultant, DaSy) Baron Rodriguez (Director, PTAC)Michael Hawes (Statistical Privacy Advisor, ED)Frank Miller (Team Leader, Family Policy Compliance Office, ED)
86MOU / Data Sharing Agreement Overview - Baron Rodriguez, PTAC Director -
87What Is a Data Sharing Agreement? Can be called many different names: MOU, MOA, Contract, Written Agreement, etc.The mandatory elements of the agreement vary slightly between the two exceptionsThe data sharing checklist delineates the minimum requirements under the Studies and the Audit or Evaluation exceptions
88Approaches to Data Sharing Agreements Master data sharing agreement across all early childhood partners with addendums for each request based on the type of exceptionNo master data sharing agreement across all early childhood partners, only individual agreements for each request
89Why Are Data Sharing Agreements Needed? They are now required when sharing under either the Audit/Evaluation exception or Studies exceptionEven under the School Official exception, it is a best practice to have an agreement in place
90Remember…“It is important to keep in mind that individual State privacy or procurement laws may contain more stringent requirements for data sharing written agreements and that other Federal privacy laws, such as the Individuals with Disabilities Education Act and the Health Insurance Portability and Accountability Act, may be applicable depending on the type of data being shared and the entities with whom the data are shared. Therefore, parties entering into an agreement are advised to always consult with their procurement staff and/or legal staff to ensure compliance with all applicable Federal, State, and local laws and regulations.” (See Data Sharing Agreement Checklist)
91When Does FERPA Apply to EC Organizations? Student DataFederally fundedStudent record with PII and health data: FERPA applies.Health-record only. HIPPA may apply.NOT federally funded?Not FERPA protected. HIPAA may apply.
92Frequently Asked Questions to HHS #1 On your school’s enrollment card, there is a question asking whether the student has health insurance. If the parent answers “no,” a school staff member sends a letter home informing the parent about Medicaid and CHIP and providing a toll-free number to call to get help with an application. DOES THIS VIOLATE FERPA? A: This is perfectly acceptable. It raises no FERPA concerns because the school has not disclosed personally identifiable information (PII) from a student’s education records to an outside entity.
93Frequently Asked Questions to HHS #2 On the school enrollment card, there is a question asking whether the student has health insurance. If the parent answers “no,” the nurse calls to inform the parent about Medicaid and CHIP. She asks if it is OK to share the parent’s phone number with the school social worker, who can provide application assistance. Is a consent form needed to allow the nurse to pass the parent’s phone number to the social worker – both school employees – or is oral consent necessary?
94Frequently Asked Questions to HHS #2 A: In this scenario, no consent is required for the school nurse to disclose PII from education records to another school official with a legitimate educational interest (i.e., the school social worker). A “legitimate educational interest” typically means that the school official needs to see the education records in order to perform their professional duties.Remember:Annual notification requirement – Defining WHO, WHAT, and “legitimate educational interest”
95Frequently Asked Questions to HHS #3 On the school’s enrollment card, there is a question asking whether the student has health insurance. If the parent answers “no,” staff from a community-based organization that works with the school calls the parent to talk about the availability of Medicaid and CHIP and to offer application assistance. (FYI, the community-based organization might be a local community health center, a children’s health advocacy organization, or Boys and Girls Club.) Can the school provide this information to the community-based organization?
96Frequently Asked Questions to HHS #3 A: FERPA does not generally permit schools to disclose PII from students’ education records to a community-based organization without the consent of the parent or eligible student, or unless the disclosure meets one of the exceptions to the general consent requirement. Exceptions: Directory Information (as defined) But… Because this type of information (eligibility) is considered PII, it cannot be considered directory information and requires parental consent.
97State MOU Development Activity - Missy Cochenour, SST -
98ObjectivesTo have your state work to establish a draft data sharing agreement needed to continue the work in your state
99Activity 1: Relationship to Structure & Privacy The structure of your agencies and where the data currently resides impacts the way in which agreements are created and for what purposeHow the data moves is important consideration in the way the agreement is createdInstructions:Look at your structure across agencies and how the data flowsDraw it out (like CT’s that Baron showed)
100Privacy Considerations with Critical Questions Complying with FERPA:Under what exception does it apply?List the exceptionsIs there an MOU in place to share these data?Does it include the critical question and the related elements?Aggregate and de-identified data*Spend more time as a group
101Activity 2: Decide the Approach Considering your structure, decide on the approach for sharing dataMaster data sharing agreement with addendumNo master data sharing agreement, only individual agreementDecide on which exception is needed based on the agreement type:Studies exceptionAudit or Evaluation exception
102How to Make the Decision Share DataTechnical sharingMaster Data Sharing AgreementSpecific Use for SharingStudies ExceptionAudit and Eval. ExceptionLet’s look at the checklist
103CommonalitiesAll agreements should have a specified purpose for the agreementAll agreements should have the identified data that will be sharedAll agreements should discuss destruction of dataAll agreements should discus the consequences of not following the agreementWhen using exceptions the agreement should always have information about how the data will be used (not applicable for a master data sharing agreement as this will be captured in the addendum)
104DifferencesThere are more differences than commonalities as is the nature of these agreements:Master AgreementsStudies ExceptionAudit or Evaluation ExceptionFocuses on the linkage and storage of data across entitiesDiscusses where the data will reside and who owns itVery specific purposeSpecific purposeMuch more detail about the identification, use and destruction of PII
105Instructions Please work in your state team and your TA support to: For states with a draft MOU: Review your current sections and modify as neededFor states drafting an MOU today: Create a draft that is appropriate for your state
106Wrap-up Activity Discussion What needs to be done with your draft when you return home?
107Summarize Lessons learned Next steps for the state Resources requested that might be helpful as you continue this conversation in your state
108- Michael Hawes, Statistical Privacy Advisor - Engaging and Informing Parents and the Public: Privacy and Transparency Best Practices- Michael Hawes,Statistical Privacy Advisor -
109Why Transparency? Rise in public discourse on data and student privacy Rise in misinformation and confusion about the issuesState-level legislative action to restrict data collection, use, and sharingPrivacy vs. Utility TradeoffWhat’s in it for the parent’s and students?
110Fair Information Practice Principles (FIPPs) Collection LimitationData QualityPurpose SpecificationUse LimitationSecurity SafeguardsOpennessIndividual ParticipationAccountability
111Transparency Best Practices Let parents know what information you’re collecting, and why you’re collecting itKeep (and publish) a data inventoryInform parents about your data governance and information security practicesBe open about who you share data with, and why. (Post your data sharing contracts and MOUs)Value! Value! Value! (Explain what’s in it for the parents/children)
112Remember:In the absence of information, people tend to assume the worstJust because something is legal, doesn’t mean it’s a good idea!Be open about what you’re doingHighlight your successes
113- Baron Rodriguez, PTAC Director - State Team Discussion- Baron Rodriguez, PTAC Director -
114What steps can you take to engage and inform parents and the public? State Team DiscussionWhat steps can you take to engage and inform parents and the public?
115- Baron Rodriguez, PTAC Director - Wrap Up- Baron Rodriguez, PTAC Director -
116Resources More PTAC resources at http://ptac.ed.gov/ Checklist: Data Sharing Agreement (Apr 2012)Guidance for Reasonable Methods and Written AgreementsProtecting Student Privacy While Using Online Educational ServicesWebinar: The Intersection of FERPA and IDEA Confidentiality Provisions (Mar 2012)Case Study #2: Head Start Program (Jan 2012)More PTAC resources atData security, privacy, disclosure avoidance, data governance, data sharing, legal references, FAQ, video trainings, webinars, and other events!
117Questions & Answers Thank you!! SST will facilitate questions and hope that each panelist will help answer as appropriate. (10-15 minutes)