Privacy Laws & Higher Education

Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does the law protect? b.Who does the law apply to? c.Where are potential risk areas at UW? d.What does the law require? 3.Privacy Laws & Audits 4.References/Questions

FERPA Family Educational Rights & Privacy Act  Law:  Protects student educational records, including documents that contain information directly related to the student  Includes records maintained by the University or a person/entity acting on its behalf.  Educational institutions may not release educational records without the student’s consent. This includes prospective employers, government agencies, credit bureaus and others.  Exception: Student Directory Information  Applies to: Educational institutions

FERPA Family Educational Rights & Privacy Act  Potential Risk Areas at UW:  Registrars’ Offices;  Admissions’ Offices;  Financial Aid Offices;  Deans’ Offices;  Hall Health;  Sports Medicine Clinic;  Others  Requires: Students’ Consent Annual Publication of FERPA Policy Complaint Process School Directory Opt-out Provision

HIPAA Health Insurance Portability & Accountability Act  Law:  Protects privacy & security of personally identifiable health information.  Privacy Rule: Pertains to Oral, Paper & Electronic Information  Security Rule: Pertains to Only Electronic Information  Limits use & disclosure of health information to treatment, payment & healthcare operations.  FERPA Exception  Applies to:  Health care providers,  Health care plans, and  Health care clearinghouses

HIPAA Health Insurance Portability & Accountability Act  Potential Risk Areas at UW:  HMC, UWMC  UWP, CUMG  Dental Clinics  Hall Health Services; Sports Medicine Clinic  UW Group Health Plans (Plan Administration) Note: HIPAA may also impact research with human subjects, SOM Library, some development activities  Requires: Administrative Safeguards Privacy Officer Privacy Notice Amendment of Plans Policies & Procedures Training Business Associate Agreements Complaint Process

GLBA: Gramm Leach Bliley Act  Law:  Protects privacy & security of personally identifiable, non-public, financial information.  Privacy provision has a FERPA exception, but safeguards rule does not.  Applies to:  Businesses that provide financial services or products  Examples: Brokering or servicing loans, Transferring or safeguarding money, Providing financial advice, Collecting consumer debt

GLBA: Gramm Leach Bliley Act  Potential Risk Areas at UW:  Central Administration:  Financial: Student Financial Services  Administration: Huskies Card  Development: Planned Giving  Schools:  Financial Aid Offices  Deans Emergency Loans  Pro Bono Tax Program  Requires: Oversight Risk Assessment Written Safeguards Program Monitoring of Safeguards Contract Provisions with Service Providers

FACTA: Disposal Rule Fair & Accurate Credit Transactions Act  Law:  Ensures proper disposal of confidential, personally identifiable, financial reports.  Applies to:  Individuals & companies that obtain consumer reports, including credit reports & other information related to employment background checks  Includes employers, lenders, insurers, mortgage brokers, debt collectors.

FACTA: Disposal Rule Fair & Accurate Credit Transactions Act  Potential Risk Areas at UW:  Office of Human Resources  Other departments responsible for conducting background checks, such as Finance.  Possibly Student Financial Services and Student Financial Aid  Requires: Reasonable disposal policies & practices Due diligence in selecting of a disposal company’s operations

CAN-SPAM Controlling the Assault of Non-Solicited Pornography & Marketing Act  Law:  Protects communications from SPAM (non-solicited pornography & marketing materials)  Applies to:  Commercial communications  Includes any message where the primary purpose is to promote a product or service  Also includes any message that promotes content on a Website operated for a commercial purpose.

CAN-SPAM Controlling the Assault of Non-Solicited Pornography & Marketing Act  Potential Risk Areas at UW: Revenue generating centers or operations Commerce related activities Hosted programs Advertisements or promotions of product or service Examples:  Products offered by UW to 3 rd parties  Trips organized by a UW office  Tickets for sporting or cultural events  Subscriptions to journals, magazines or newsletters  Requires: Valid return address Mechanism for recipients to opt-out Notice that is an advertisement or solicitation Valid physical postal address of sender No false or misleading transmission information

Privacy Laws & Audit Services Privacy Compliance & Audit Services: Include Privacy Laws in Operational Self Assessment Consider Types of Information in Scoping Process Health Information (HIPAA) Financial Information (GLB) Credit Information (FACTA Disposal Rule) Student Information (FERPA) (CAN SPAM) Develop Audit Programs Refer to legal requirements for appropriate internal controls Refer to University policies, which may be more stringent than the law Educate & Counsel Clients

References  HHS Website:  HIPAA  FTC Website:  GLB  FACTA Disposal Rule  CAN-SPAM  DOE Website:  FERPA  UW Websites  Privacy Law.Net