Agenda

1. Five Privacy Laws
   a. FERPA
   b. HIPAA
   c. GLB
   d. FACTA Disposal Rule
   e. CAN-SPAM
2. Overview of the Laws
   a. What does the law protect?
   b. Who does the law apply to?
   c. Where are potential risk areas at UW?
   d. What does the law require?
3. Privacy Laws & Audits
4. References/Questions
FERPA: Family Educational Rights & Privacy Act

Law:
- Protects student educational records, including documents that contain information directly related to the student.
- Includes records maintained by the University or by a person/entity acting on its behalf.
- Educational institutions may not release educational records without the student's consent. This applies to requests from prospective employers, government agencies, credit bureaus and others.
- Exception: Student Directory Information

Applies to: Educational institutions
FERPA: Family Educational Rights & Privacy Act

Potential Risk Areas at UW:
- Registrars' Offices
- Admissions Offices
- Financial Aid Offices
- Deans' Offices
- Hall Health
- Sports Medicine Clinic
- Others

Requires:
- Students' consent
- Annual publication of FERPA policy
- Complaint process
- School directory opt-out provision
HIPAA: Health Insurance Portability & Accountability Act

Law:
- Protects the privacy & security of personally identifiable health information.
- Privacy Rule: pertains to oral, paper & electronic information.
- Security Rule: pertains to electronic information only.
- Limits use & disclosure of health information to treatment, payment & healthcare operations.
- FERPA exception: records covered by FERPA are excluded from HIPAA's definition of protected health information.

Applies to: Health care providers, health care plans, and health care clearinghouses
HIPAA: Health Insurance Portability & Accountability Act

Potential Risk Areas at UW:
- HMC, UWMC
- UWP, CUMG
- Dental Clinics
- Hall Health Services; Sports Medicine Clinic
- UW Group Health Plans (Plan Administration)

Note: HIPAA may also impact research with human subjects, the SOM Library, and some development activities.

Requires:
- Administrative safeguards
- Privacy Officer
- Privacy notice
- Amendment of plans
- Policies & procedures
- Training
- Business Associate Agreements
- Complaint process
GLBA: Gramm Leach Bliley Act

Law:
- Protects the privacy & security of personally identifiable, non-public, financial information.
- The privacy provision has a FERPA exception, but the Safeguards Rule does not.

Applies to: Businesses that provide financial services or products

Examples: Brokering or servicing loans; transferring or safeguarding money; providing financial advice; collecting consumer debt
GLBA: Gramm Leach Bliley Act

Potential Risk Areas at UW:
- Central Administration
  - Financial: Student Financial Services
  - Administration: Huskies Card
  - Development: Planned Giving
- Schools
  - Financial Aid Offices
  - Deans' Emergency Loans
  - Pro Bono Tax Program

Requires:
- Oversight
- Risk assessment
- Written safeguards program
- Monitoring of safeguards
- Contract provisions with service providers
FACTA Disposal Rule: Fair & Accurate Credit Transactions Act

Law: Ensures proper disposal of confidential, personally identifiable financial reports.

Applies to: Individuals & companies that obtain consumer reports, including credit reports & other information related to employment background checks. Includes employers, lenders, insurers, mortgage brokers, and debt collectors.
FACTA Disposal Rule: Fair & Accurate Credit Transactions Act

Potential Risk Areas at UW:
- Office of Human Resources
- Other departments responsible for conducting background checks, such as Finance
- Possibly Student Financial Services and Student Financial Aid

Requires:
- Reasonable disposal policies & practices
- Due diligence in selecting a disposal company, including review of its operations
CAN-SPAM: Controlling the Assault of Non-Solicited Pornography & Marketing Act

Law: Protects e-mail communications from SPAM (non-solicited pornography & marketing materials).

Applies to: Commercial e-mail communications
- Includes any e-mail message whose primary purpose is to promote a product or service.
- Also includes any e-mail message that promotes content on a website operated for a commercial purpose.
CAN-SPAM: Controlling the Assault of Non-Solicited Pornography & Marketing Act

Potential Risk Areas at UW:
- Revenue-generating centers or operations
- Commerce-related activities
- Hosted programs
- Advertisements or promotions of a product or service

Examples:
- Products offered by UW to third parties
- Trips organized by a UW office
- Tickets for sporting or cultural events
- Subscriptions to journals, magazines or newsletters

Requires:
- Valid return e-mail address
- Mechanism for recipients to opt out
- Notice that the e-mail is an advertisement or solicitation
- Valid physical postal address of the sender
- No false or misleading transmission information
Privacy Laws & Audit Services

Privacy Compliance & Audit Services:
- Include privacy laws in the Operational Self Assessment
- Consider types of information in the scoping process:
  - Health information (HIPAA)
  - Financial information (GLB)
  - Credit information (FACTA Disposal Rule)
  - Student information (FERPA)
  - E-mail (CAN-SPAM)
- Develop audit programs
  - Refer to legal requirements for appropriate internal controls
  - Refer to University policies, which may be more stringent than the law
- Educate & counsel clients