Presentation on theme: "Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does."— Presentation transcript:
Privacy Laws & Higher Education
Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does the law protect? b.Who does the law apply to? c.Where are potential risk areas at UW? d.What does the law require? 3.Privacy Laws & Audits 4.References/Questions
FERPA Family Educational Rights & Privacy Act Law: Protects student educational records, including documents that contain information directly related to the student Includes records maintained by the University or a person/entity acting on its behalf. Educational institutions may not release educational records without the student’s consent. This includes prospective employers, government agencies, credit bureaus and others. Exception: Student Directory Information Applies to: Educational institutions
FERPA Family Educational Rights & Privacy Act Potential Risk Areas at UW: Registrars’ Offices; Admissions’ Offices; Financial Aid Offices; Deans’ Offices; Hall Health; Sports Medicine Clinic; Others Requires: Students’ Consent Annual Publication of FERPA Policy Complaint Process School Directory Opt-out Provision
HIPAA Health Insurance Portability & Accountability Act Law: Protects privacy & security of personally identifiable health information. Privacy Rule: Pertains to Oral, Paper & Electronic Information Security Rule: Pertains to Only Electronic Information Limits use & disclosure of health information to treatment, payment & healthcare operations. FERPA Exception Applies to: Health care providers, Health care plans, and Health care clearinghouses
HIPAA Health Insurance Portability & Accountability Act Potential Risk Areas at UW: HMC, UWMC UWP, CUMG Dental Clinics Hall Health Services; Sports Medicine Clinic UW Group Health Plans (Plan Administration) Note: HIPAA may also impact research with human subjects, SOM Library, some development activities Requires: Administrative Safeguards Privacy Officer Privacy Notice Amendment of Plans Policies & Procedures Training Business Associate Agreements Complaint Process
GLBA: Gramm Leach Bliley Act Law: Protects privacy & security of personally identifiable, non-public, financial information. Privacy provision has a FERPA exception, but safeguards rule does not. Applies to: Businesses that provide financial services or products Examples: Brokering or servicing loans, Transferring or safeguarding money, Providing financial advice, Collecting consumer debt
GLBA: Gramm Leach Bliley Act Potential Risk Areas at UW: Central Administration: Financial: Student Financial Services Administration: Huskies Card Development: Planned Giving Schools: Financial Aid Offices Deans Emergency Loans Pro Bono Tax Program Requires: Oversight Risk Assessment Written Safeguards Program Monitoring of Safeguards Contract Provisions with Service Providers
FACTA: Disposal Rule Fair & Accurate Credit Transactions Act Law: Ensures proper disposal of confidential, personally identifiable, financial reports. Applies to: Individuals & companies that obtain consumer reports, including credit reports & other information related to employment background checks Includes employers, lenders, insurers, mortgage brokers, debt collectors.
FACTA: Disposal Rule Fair & Accurate Credit Transactions Act Potential Risk Areas at UW: Office of Human Resources Other departments responsible for conducting background checks, such as Finance. Possibly Student Financial Services and Student Financial Aid Requires: Reasonable disposal policies & practices Due diligence in selecting of a disposal company’s operations
CAN-SPAM Controlling the Assault of Non-Solicited Pornography & Marketing Act Law: Protects communications from SPAM (non-solicited pornography & marketing materials) Applies to: Commercial communications Includes any message where the primary purpose is to promote a product or service Also includes any message that promotes content on a Website operated for a commercial purpose.
CAN-SPAM Controlling the Assault of Non-Solicited Pornography & Marketing Act Potential Risk Areas at UW: Revenue generating centers or operations Commerce related activities Hosted programs Advertisements or promotions of product or service Examples: Products offered by UW to 3 rd parties Trips organized by a UW office Tickets for sporting or cultural events Subscriptions to journals, magazines or newsletters Requires: Valid return address Mechanism for recipients to opt-out Notice that is an advertisement or solicitation Valid physical postal address of sender No false or misleading transmission information
Privacy Laws & Audit Services Privacy Compliance & Audit Services: Include Privacy Laws in Operational Self Assessment Consider Types of Information in Scoping Process Health Information (HIPAA) Financial Information (GLB) Credit Information (FACTA Disposal Rule) Student Information (FERPA) (CAN SPAM) Develop Audit Programs Refer to legal requirements for appropriate internal controls Refer to University policies, which may be more stringent than the law Educate & Counsel Clients