1 Privacy Laws & Higher Education

2 Agenda
1. Five Privacy Laws
   a. FERPA
   b. HIPAA
   c. GLB
   d. FACTA Disposal Rule
   e. CAN-SPAM
2. Overview of the Laws
   a. What does the law protect?
   b. Who does the law apply to?
   c. Where are potential risk areas at UW?
   d. What does the law require?
3. Privacy Laws & Audits
4. References/Questions

3 FERPA Family Educational Rights & Privacy Act
• Law:
  • Protects student educational records, including documents that contain information directly related to the student
  • Includes records maintained by the University or a person/entity acting on its behalf.
  • Educational institutions may not release educational records without the student’s consent. This includes prospective employers, government agencies, credit bureaus and others.
  • Exception: Student Directory Information
• Applies to: Educational institutions

4 FERPA Family Educational Rights & Privacy Act
• Potential Risk Areas at UW:
  • Registrars’ Offices
  • Admissions’ Offices
  • Financial Aid Offices
  • Deans’ Offices
  • Hall Health
  • Sports Medicine Clinic
  • Others
• Requires:
  • Students’ Consent
  • Annual Publication of FERPA Policy
  • Complaint Process
  • School Directory Opt-out Provision

5 HIPAA Health Insurance Portability & Accountability Act
• Law:
  • Protects privacy & security of personally identifiable health information.
  • Privacy Rule: Pertains to Oral, Paper & Electronic Information
  • Security Rule: Pertains to Only Electronic Information
  • Limits use & disclosure of health information to treatment, payment & healthcare operations.
  • FERPA Exception
• Applies to:
  • Health care providers,
  • Health care plans, and
  • Health care clearinghouses

6 HIPAA Health Insurance Portability & Accountability Act
• Potential Risk Areas at UW:
  • HMC, UWMC
  • UWP, CUMG
  • Dental Clinics
  • Hall Health Services; Sports Medicine Clinic
  • UW Group Health Plans (Plan Administration)
  Note: HIPAA may also impact research with human subjects, SOM Library, some development activities
• Requires:
  • Administrative Safeguards
  • Privacy Officer
  • Privacy Notice
  • Amendment of Plans
  • Policies & Procedures
  • Training
  • Business Associate Agreements
  • Complaint Process

7 GLBA: Gramm Leach Bliley Act
• Law:
  • Protects privacy & security of personally identifiable, non-public, financial information.
  • Privacy provision has a FERPA exception, but safeguards rule does not.
• Applies to:
  • Businesses that provide financial services or products
  • Examples: Brokering or servicing loans, Transferring or safeguarding money, Providing financial advice, Collecting consumer debt

8 GLBA: Gramm Leach Bliley Act
• Potential Risk Areas at UW:
  • Central Administration:
    • Financial: Student Financial Services
    • Administration: Huskies Card
    • Development: Planned Giving
  • Schools:
    • Financial Aid Offices
    • Deans Emergency Loans
    • Pro Bono Tax Program
• Requires:
  • Oversight
  • Risk Assessment
  • Written Safeguards Program
  • Monitoring of Safeguards
  • Contract Provisions with Service Providers

9 FACTA: Disposal Rule Fair & Accurate Credit Transactions Act
• Law:
  • Ensures proper disposal of confidential, personally identifiable, financial reports.
• Applies to:
  • Individuals & companies that obtain consumer reports, including credit reports & other information related to employment background checks
  • Includes employers, lenders, insurers, mortgage brokers, debt collectors.

10 FACTA: Disposal Rule Fair & Accurate Credit Transactions Act
• Potential Risk Areas at UW:
  • Office of Human Resources
  • Other departments responsible for conducting background checks, such as Finance.
  • Possibly Student Financial Services and Student Financial Aid
• Requires:
  • Reasonable disposal policies & practices
  • Due diligence in selecting of a disposal company’s operations

11 CAN-SPAM Controlling the Assault of Non-Solicited Pornography & Marketing Act
• Law:
  • Protects e-mail communications from SPAM (non-solicited pornography & marketing materials)
• Applies to:
  • Commercial e-mail communications
  • Includes any e-mail message where the primary purpose is to promote a product or service
  • Also includes any e-mail message that promotes content on a Website operated for a commercial purpose.

12 CAN-SPAM Controlling the Assault of Non-Solicited Pornography & Marketing Act
• Potential Risk Areas at UW:
  • Revenue generating centers or operations
  • Commerce related activities
  • Hosted programs
  • Advertisements or promotions of product or service
  • Examples:
    • Products offered by UW to 3rd parties
    • Trips organized by a UW office
    • Tickets for sporting or cultural events
    • Subscriptions to journals, magazines or newsletters
• Requires:
  • Valid return e-mail address
  • Mechanism for recipients to opt-out
  • Notice that e-mail is an advertisement or solicitation
  • Valid physical postal address of sender
  • No false or misleading transmission information

13 Privacy Laws & Audit Services
Privacy Compliance & Audit Services:
• Include Privacy Laws in Operational Self Assessment
• Consider Types of Information in Scoping Process
  • Health Information (HIPAA)
  • Financial Information (GLB)
  • Credit Information (FACTA Disposal Rule)
  • Student Information (FERPA)
  • E-Mail (CAN SPAM)
• Develop Audit Programs
  • Refer to legal requirements for appropriate internal controls
  • Refer to University policies, which may be more stringent than the law
• Educate & Counsel Clients

14 References
• HHS Website:
  • HIPAA
• FTC Website:
  • GLB
  • FACTA Disposal Rule
  • CAN-SPAM
• DOE Website:
  • FERPA
• UW Websites
• Privacy Law.Net
