Privacy Laws - University of Washington

Privacy Laws & Higher Education

Agenda
1. Five Privacy Laws
   a. FERPA
   b. HIPAA
   c. GLB
   d. FACTA Disposal Rule
   e. CAN-SPAM
2. Overview of the Laws
   a. What does the law protect?
   b. Who does the law apply to?
   c. Where are potential risk areas at UW?
   d. What does the law require?
3. Privacy Laws & Audits
4. References/Questions
FERPA
Family Educational Rights & Privacy Act

Law:
- Protects student educational records, including documents that contain information directly related to the student.
- Includes records maintained by the University or by a person/entity acting on its behalf.
- Educational institutions may not release educational records without the student's consent. This includes release to prospective employers, government agencies, credit bureaus and others.
- Exception: Student Directory Information

Applies to:
- Educational institutions

Potential Risk Areas at UW:
- Registrars' Offices
- Admissions Offices
- Financial Aid Offices
- Deans' Offices
- Hall Health
- Sports Medicine Clinic
- Others

Requires:
- Students' Consent
- Annual Publication of FERPA Policy
- Complaint Process
- School Directory Opt-out Provision
HIPAA
Health Insurance Portability & Accountability Act

Law:
- Protects privacy & security of personally identifiable health information.
- Privacy Rule: pertains to oral, paper & electronic information.
- Security Rule: pertains only to electronic information.
- Limits use & disclosure of health information to treatment, payment & healthcare operations.
- FERPA Exception: education records already protected by FERPA are excluded.

Applies to:
- Health care providers,
- Health care plans, and
- Health care clearinghouses

Potential Risk Areas at UW:
- HMC, UWMC
- UWP, CUMG
- Dental Clinics
- Hall Health Services; Sports Medicine Clinic
- UW Group Health Plans (Plan Administration)
Note: HIPAA may also impact research with human subjects, the SOM Library, and some development activities.

Requires: Administrative Safeguards
- Privacy Officer
- Privacy Notice
- Amendment of Plans
- Policies & Procedures
- Training
- Business Associate Agreements
- Complaint Process
GLBA
Gramm-Leach-Bliley Act

Law:
- Protects privacy & security of personally identifiable, non-public financial information.
- The Privacy provision has a FERPA exception, but the Safeguards Rule does not.

Applies to:
- Businesses that provide financial services or products
Examples:
- Brokering or servicing loans
- Transferring or safeguarding money
- Providing financial advice
- Collecting consumer debt

Potential Risk Areas at UW:
Central Administration:
- Financial: Student Financial Services
- Administration: Huskies Card
- Development: Planned Giving
Schools:
- Financial Aid Offices
- Deans' Emergency Loans
- Pro Bono Tax Program

Requires:
- Oversight
- Risk Assessment
- Written Safeguards Program
- Monitoring of Safeguards
- Contract Provisions with Service Providers
FACTA: Disposal Rule
Fair & Accurate Credit Transactions Act

Law:
- Ensures proper disposal of confidential, personally identifiable financial (consumer) reports.

Applies to:
- Individuals & companies that obtain consumer reports, including credit reports & other information related to employment background checks
- Includes employers, lenders, insurers, mortgage brokers and debt collectors.

Potential Risk Areas at UW:
- Office of Human Resources
- Other departments responsible for conducting background checks, such as Finance
- Possibly Student Financial Services and Student Financial Aid

Requires:
- Reasonable disposal policies & practices
- Due diligence in selecting a disposal company and reviewing its operations
CAN-SPAM
Controlling the Assault of Non-Solicited Pornography & Marketing Act

Law:
- Protects e-mail communications from spam (non-solicited pornography & marketing materials)

Applies to:
- Commercial e-mail communications
- Includes any e-mail message whose primary purpose is to promote a product or service
- Also includes any e-mail message that promotes content on a Website operated for a commercial purpose

Potential Risk Areas at UW:
- Revenue-generating centers or operations
- Commerce-related activities
- Hosted programs
- Advertisements or promotions of a product or service
Examples:
- Products offered by UW to 3rd parties
- Trips organized by a UW office
- Tickets for sporting or cultural events
- Subscriptions to journals, magazines or newsletters

Requires:
- Valid return e-mail address
- Mechanism for recipients to opt out
- Notice that the e-mail is an advertisement or solicitation
- Valid physical postal address of the sender
- No false or misleading transmission information
Privacy Laws & Audit Services

Privacy Compliance & Audit Services:
- Include Privacy Laws in Operational Self Assessment
- Consider Types of Information in Scoping Process
  - Health Information (HIPAA)
  - Financial Information (GLB)
  - Credit Information (FACTA Disposal Rule)
  - Student Information (FERPA)
  - E-Mail (CAN-SPAM)
- Develop Audit Programs
  - Refer to legal requirements for appropriate internal controls
  - Refer to University policies, which may be more stringent than the law
- Educate & Counsel Clients
References

HHS Website: HIPAA
FTC Website: GLB, FACTA Disposal Rule, CAN-SPAM
DOE Website: FERPA
UW Websites
Privacy Law.Net