Gramm Leach Bliley (GLB) Safeguards Rule

Original Version: May 31, 2004
Revised: December 30, 2006
Purdue University
Information Security Program
As it pertains to the Gramm Leach Bliley Act and the Health Insurance Portability and
Accountability Act of 1996, Safeguarding of Electronic Customer Information and
Protected Health Information
Objectives of the Information Security Program for the Gramm Leach Bliley Act (GLBA)
and Health Insurance Portability and Accountability Act of 1996 (HIPAA):
• Ensure the security and confidentiality of customer information in compliance with
applicable GLBA rules as published by the Federal Trade Commission.
• Provide administrative, physical, and technical safeguards to ensure compliance with the
HIPAA Security Rule.[1]
• Safeguard against anticipated threats to the security or integrity of protected electronic data.
• Guard against unauthorized access to or use of protected data that could result in harm or
inconvenience to any customer.
Contents
I. Coordination of the Information Security Program
II. Risk Assessment and Safeguards[2]
III. Employee Training and Education
IV. Oversight of Service Providers and Contracts
V. Evaluation and Revision of the Information Security Plan
VI. Definitions
VII. Appendices
I. Coordination and Responsibility for the Information Security Program
The Coordinator of the Information Security Program is the Chief Information Security Officer
(CISO) for Purdue University. The Coordinator has also been designated as the HIPAA Security
Officer. The Coordinator is responsible for the development, implementation, and oversight of
Purdue University’s compliance with the policies and procedures required by the Gramm Leach
Bliley Act (GLBA) Safeguards Rule and the Security Rule of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA). Although ultimate responsibility for compliance lies
with the Coordinator, representatives from each of the operational areas are responsible for
implementation and maintenance of the specified requirements of the security program in their
specific operation.

[1] Purdue University compliance with the HIPAA Privacy Rule is not covered by this document. This Information
Security Program document pertains to the GLBA Safeguards Rule and the HIPAA Security Rule.
[2] For purposes of HIPAA, only Security Rule risk assessments are covered by this document.
See Appendix A-1 for the matrix identifying the GLBA operational areas and their
representatives. Appendix A-2 includes a list of areas considered for inclusion in this program,
but deemed to be outside the scope of the GLBA Safeguards Rule.
A list of Purdue University HIPAA covered components and their representatives may be found
at http://www.purdue.edu/hipaa/arealiaisons/arealiaisons.shtml.
These lists (GLBA operational areas and their representatives and HIPAA covered components
and their representatives) may be updated from time to time.
GLBA Committee
The GLBA Standing Committee exists to ensure that this Information Security Program is kept
current and to evaluate potential policy or procedural changes driven by GLBA. This committee
includes the following individuals: Director of Audits, Chief Information Security Officer,
Executive Director Financial Aid, Bursar, University Counsel, and representatives from the
Calumet, Fort Wayne, and North Central regional campuses. Other individuals may be added as
needed. This committee meets biannually and as needed.
Questions regarding GLBA impacts on business processes and policies should be directed to the
Coordinator of the Information Security Program.
HIPAA Steering Committee
The HIPAA Steering Committee was created to ensure that activities are sufficient for Purdue
University to maintain compliance with the three segments of the HIPAA Administrative
Simplification regulations: the Privacy Rule, Transaction and Code Set Standards, and the
Security Rule. Changes to the HIPAA Security Rule that could impact the Information
Security Plan will be discussed during the quarterly HIPAA Steering Committee meetings.
A roster of HIPAA Steering Committee members may be found at:
http://www.purdue.edu/hipaa/administration/hipaasteeringcommrosterforwebsite.pdf
Questions regarding HIPAA impacts on business processes and policies should be directed to the
Director of HIPAA Privacy Compliance.
Questions regarding technical issues, risk assessments, and information technology security
policy should be directed to the Office of Information Technology Security and Privacy.
This Information Security Program includes input from other Purdue University departments and
from the University’s General Counsel.
II. Risk Assessment and Safeguards
There is an inherent risk in handling and storing any information that must be protected.
Identifying areas of risk and maintaining appropriate safeguards can reduce risk. Safeguards are
designed to reduce the risk inherent in handling protected information and include safeguards for
information systems and the storage of paper.
The GLBA Information Sheet and HIPAA Information Sheet are located in Appendix B.
The Coordinator of the Information Security Program must work with all relevant areas of the
University to identify potential and actual risks to security and privacy of electronic information.
Each representative, or designee, will fully participate in periodic data security reviews as
specified by the Coordinator. Each representative, or designee, must also participate in a data
security review whenever there is a material system change in that area. Documentation of the
review will be retained by the Coordinator for a period of six (6) years from the date of its
creation or the date when it last was in effect, whichever is later.
III. Employee Training and Education
Employees handle and have access to protected information in order to perform their job duties.
This includes permanent and temporary employees as well as student employees, whose job
duties require them to access protected information or who work in a location where there is
access to protected information. Departments are responsible for maintaining a high level of
awareness and sensitivity to safeguarding protected information and should periodically remind
employees of its importance. Seemingly minor changes to office layout and practices could
significantly compromise protected information if a culture of awareness is not present.
The department representative is responsible for ensuring that staff are trained in the relevant
GLBA and HIPAA concepts and requirements. Training materials relative to GLBA and HIPAA
have been developed by the GLBA Committee and the HIPAA Privacy Compliance Office.
These training templates and required materials are available on the web (see Appendix C for the
websites). Upon approval by the Coordinator for GLBA and Director of HIPAA Privacy
Compliance for HIPAA, these training templates and other materials may be tailored by each
department to reflect their individual training needs. Training may be delivered in a variety of
ways that meet the department’s objectives. Departments are responsible for maintaining
records of staff that have received training and must be able to produce written copies upon
request. A sample GLBA acknowledgement statement and HIPAA Confidentiality Statement
are provided in Appendix G. These statements should be signed by all employees receiving
GLBA or HIPAA training. These records should be maintained in departmental files by the
GLBA or HIPAA representative. These records need to be maintained and available for audit for
a period of six (6) years from the date of the record’s creation or the date when it was last in
effect, whichever is later.
IV. Oversight of Service Providers and Contracts
GLBA requires the University to take reasonable steps to select and retain service providers who
maintain appropriate safeguards for covered data and information. GLBA Contracts with service
providers entered into prior to June 24, 2002 were grandfathered until May 2004. University
General Counsel prepared language to ensure that all relevant service provider contracts comply
with GLBA provisions. Contracts should be reviewed to ensure the following language is
included:
[Service Provider] agrees to implement and maintain a written comprehensive
information security program containing administrative, technical and physical
safeguards for the security and protection of customer information and further
containing each of the elements set forth in § 314.4 of the Gramm Leach Bliley
Standards for Safeguarding Customer Information (16 C.F.R. § 314). [Service Provider]
further agrees to safeguard all customer information provided to it under this Agreement
in accordance with its information security program and the Standards for Safeguarding
Customer Information.
The GLBA contract addendum and service provider due diligence questionnaire are
provided in Appendix H.
Similarly, HIPAA allows a covered component to disclose protected health information to a
business associate who is providing a particular function for the covered entity only if the
covered entity obtains satisfactory assurances that the business associate will safeguard the
information appropriately as required by HIPAA. Excluded from this requirement are
disclosures for treatment, and other exceptions. Standard contracts have been developed by
University General Counsel and such contracts are administered by the HIPAA Privacy
Compliance Office. The covered component is responsible for identifying the need for a
business associate agreement and should contact the HIPAA Privacy Compliance Office to
determine if a business associate's agreement is required and for issuance of the agreement.
Purdue Purchasing may issue a business associate agreement in conjunction with a master
agreement and will coordinate with the HIPAA Privacy Compliance Office should this occur.
These contracts should not be issued by covered components independently from the HIPAA
Privacy Compliance Office.
V. Evaluation and Revision of the Information Security Program
GLBA mandates that this Information Security Program be subject to periodic review and
adjustment. The most frequent of these reviews will occur within Information Technology
Security and Privacy where constantly changing technology and constantly evolving risks
indicate the wisdom of regular reviews. Processes in other relevant offices of the University such
as data access procedures and the training program should undergo regular review. It is the
policy of Purdue University to conduct yearly security assessment reviews for HIPAA purposes.
This Information Security Program, as well as the related Data Retention Policy, should be
reevaluated annually in order to ensure ongoing compliance with existing and future laws and
regulations.
VI. Definitions
Covered Component means any area of Purdue University that is required to be
compliant with either GLBA or HIPAA regulations.
Customer Information means any record containing nonpublic personal information as
defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper,
electronic, or other form, that is handled or maintained by or on behalf of [the financial
institution] or [its] affiliates.
Financial Product or Service means
  (i) any product or service that a financial holding company could offer by engaging
      in a financial activity; and
  (ii) Financial Service includes your evaluation or brokerage of information that you
      collect in connection with a request or an application from a consumer for a
      financial product or service.
Non-Public Personal Information means
  (i) Personally identifiable financial information and
  (ii) Any list, description, or other grouping of consumers (and publicly available
      information pertaining to them) that is derived using any personally identifiable
      financial information that is not publicly available. 16 C.F.R. § 313.3(n)(1).
Personally Identifiable Financial Information means any information:
  (i) A consumer provides to you to obtain a financial product or service from you;
  (ii) About a consumer resulting from any transaction involving a financial product or
      service between you and a consumer; or
  (iii) You otherwise obtain about a consumer in connection with providing a financial
      product or service to the consumer.
Protected Information refers to either personally identifiable financial information or
protected health information, which is covered by either the Gramm Leach Bliley Act
(GLBA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Protected Health Information (i.e., individually identifiable health information) is
information that is a subset of health information, including demographic information
collected from an individual, and:
  (i) Is created or received by a health care provider, health plan, employer, or health
      care clearinghouse; and
  (ii) Relates to the past, present, or future physical or mental health or condition of an
      individual; the provision of health care to an individual; or the past, present, or
      future payment for the provision of health care to an individual; and
      a. That identifies the individual; or
      b. With respect to which there is a reasonable basis to believe the information
         can be used to identify the individual.
Examples of Activities the FTC is Likely to Consider as a Financial Product or
Service include:
• Student (or other) loans, including receiving application information, and the making
or servicing of such loans
• Financial or investment advisory services
• Credit counseling services
• Tax planning or tax preparation
• Collection of delinquent loans and accounts
• Sale of money orders, savings bonds or traveler’s checks
• Check cashing services
• Travel agency services provided in connection with financial services
• Real estate settlement services
• Money wiring services
• Issuing credit cards or long term payment plans involving interest charges
• Personal property and real estate appraisals
• Career counseling services for those seeking employment in finance, accounting or
auditing
• Services provided by a principal, broker or agent with respect to life, health, liability
or disability insurance products
• Obtaining information from a consumer report
• Providing or issuing annuities
VII. Appendices
A.
  A-1: Business Processes Identified for Risk Assessment Under Gramm Leach
       Bliley - Matrix as of August, 2004.
  A-2: Business Processes Considered Out of Scope Under Gramm Leach
       Bliley – Matrix as of August, 2004.
B.
  B-1: GLBA Information Sheet.
  B-2: HIPAA Information Sheet. More information on Purdue University’s
       HIPAA compliance program can be found at: http://www.purdue.edu/hipaa/.
C. GLBA and HIPAA Training Templates (departments are responsible for maintaining
records of staff that have received training). Note: Either training template may be
used or departments may adapt, with permission, the training template relative to
departmental needs.
1. http://www.itap.purdue.edu/security/policies/GLB_Safeguards_Rule_Training_Business_Office.pdf
2. http://www.itap.purdue.edu/security/policies/GLB_Safeguards_Rule_Training_General.pdf
4. http://www.purdue.edu/hipaa/stafftraining/stafftraining.shtml
D. Legal References (citations)
1. 15 USC, Subchapter I, §§ 6801-6809 (Gramm-Leach-Bliley Act)
2. Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of 18, 26,
29, and 42 U.S.C.). (Health Insurance Portability and Accountability Act of
1996)
3. 16 CFR, Part 313 (Privacy Regulations, see reference to Family Educational
Rights and Privacy Act (FERPA).)
4. 20 USC, Chapter 31, 1232g (FERPA)
5. 34 CFR, part 99 (FERPA regulations)
6. 16 CFR, part 314 (Safeguard Regulations, as published in the Federal
Register, 5/23/02)
7. 45 CFR, parts 160 & 164; 68 Fed. Reg. 8334 (Feb. 20, 2003) (HIPAA
Security Regulations)
8. NACUBO Advisory Report 2003-01, issued 1/13/03
9. FTC Facts for Business: Financial Institutions and Customer Data:
Complying with the Safeguards Rule, published September 2002
E. Selected University Policies, Executive Memoranda (referenced)
• No. B-50, Terms and Conditions of Employment of Faculty Members,
  http://www.purdue.edu/oop/policies/pages/human_resources/b_50.html
• No. B-55, Terms and Conditions of Employment of Administrative and
  Professional Staff,
  http://www.purdue.edu/oop/policies/pages/human_resources/b_55.html
• No. C-2, Disclosure of University Records: Procedures for Use in Connection
  with the “Access to Public Records” Law, and in Response to Third-Party
  Subpoenas,
  http://www.purdue.edu/oop/policies/pages/human_resources/c_2.html
• No. C-8, Policy for Security Standard Practice Procedures,
  http://www.purdue.edu/oop/policies/pages/records/c_8.html
• C-10, Delegation of Administrative Authority and Responsibility to Officers
  Reporting to the President of the University,
  http://www.purdue.edu/oop/policies/pages/governance/c_10.html
• No. C-34, Data Security and Access Policy Statement,
  http://www.purdue.edu/oop/policies/pages/information_technology/c_34.html
• No. C-41, Assignment of Authority and Responsibility for the Retention and
  Disposal of University Records,
  http://www.purdue.edu/oop/policies/pages/records/c_41.html
• No. C-51, University Policy Regarding the “Family Educational Rights and
  Privacy Act of 1974” (as amended),
  http://www.purdue.edu/oop/policies/pages/records/c_51.html
• IT Resource Acceptable Use Policy (V.4.1),
  http://www.purdue.edu/policies/pages/information_technology/v_4_1.html
• Social Security Number Policy (V.5.1),
  http://www.purdue.edu/policies/pages/information_technology/v_5_1.html
• Authentication and Authorization (V.1.2),
  http://www.purdue.edu/policies/pages/information_technology/v_1_2.html
• Incident Response (V.1.4),
  http://www.purdue.edu/policies/pages/information_technology/v_1_4.html
• Privacy for Electronic Information (V.1.3),
  http://www.purdue.edu/policies/pages/information_technology/v_1_3.html
• HIPAA Covered System and Application Logging (V.1.7) Interim,
  http://www.purdue.edu/policies/pages/information_technology/v_1_7_interim.html
• Proper Disposal of Electronic Media (V.1.5) Interim,
  http://www.purdue.edu/policies/pages/information_technology/v_1_5.html
• Remote Access to IT Resources (V.1.6) Interim,
  http://www.purdue.edu/policies/pages/information_technology/v_1_6_interim.html
• Electronic Mail (V.3.1),
  http://www.purdue.edu/policies/pages/information_technology/v_3_1.html
F. Selected Purdue Information Technology Administrative Computing Guidelines or
Policies (referenced)
1. Standards http://www.purdue.edu/securepurdue/standards/
2. Best Practices http://www.purdue.edu/securepurdue/bestPractices/
G.
  G-1: Example GLBA Acknowledgement Statement
  G-2: Example HIPAA Confidentiality Statement
H. GLBA Contracts Addendum and Service Providers Questionnaire
I. GLBA Quick Reference Checklist
Appendix A-1
Business Processes Identified for Risk Assessment Under the Gramm Leach Bliley Act
Matrix as of August 2004

| Process | Area - West Lafayette Campus | WL Area Contact | Regional Campus Contact | Rationale |
|---|---|---|---|---|
| Receipt and processing of applications for financial aid | Division of Financial Aid | Financial Aid Director | Financial Aid Director | Involves collection of student and parent personal financial information in conjunction with potentially being offered student loans as part of the aid package. |
| Loans – Purdue and Perkins/Health Profession/Nursing (application) | Division of Financial Aid | Financial Aid Director | Financial Aid Director | Student loans are a financial product or service. |
| Loans – Purdue and Perkins/Health Profession/Nursing (servicing and collection) | Loan Operations | Manager, Loan Program | N/A | Student loans are a financial product or service. |
| Loans – School as Lender | Bursar | Bursar | Bursar | Student loans are a financial product or service. |
| Deferred fees | Bursar | Bursar | Bursar | Represents offering “credit” for tuition and fee payments through deferment of amounts due beyond due date. Includes fee for service. |
| Installment plan | Bursar | Bursar | Bursar | Represents offering “credit” for tuition and fee payments through deferment of amounts due beyond due date. Includes fee and truth in lending disclosures. |
| Budget plan | Bursar | Bursar | Bursar | Up front financing for tuition and fees. Includes fee for service. |
| Accounts Receivable | University Collections | Manager, UCO | Comptroller | CARS system used to bill for tuition and fee amounts past due or due to bad checks or failed ACH payments. |
| Credit bureau reporting | University Collections | Manager, UCO | Comptroller | Student loans and tuition debts are reported to credit bureaus. |
| Collection agency referrals | University Collections | Manager, UCO | Comptroller | Student loans and tuition debts are referred to third party agencies for collection. |
| Care Credit in Vet Teaching Hospital – “looks” like regular merchant card activity. We have app forms available, but don’t make credit decisions | Credit Card Operations | Credit Card Operations Manager | N/A | |
| Downloads of mainframe or client server data to Access or other query databases | Bursar Computing | Mgr of Systems and Office Automation | Comptroller | Includes student loans, accounts receivable, tuition and fee payment plan information. |
| Lockbox processing | Credit Card Operations/Bursar | Bursar & Credit Card Operations Manager | NA | Student loan payments and deferred fee payments are processed through the lockbox. Staff with access to lockbox information system (LOIS) can view statements and invoices imaged by bank. |
| Planned Giving | General Counsel, Office of Planned Giving | General Counsel, University Development Office | General Counsel, University Development Office | Planned Giving maintains tax information for certain individuals as part of recommending a particular deferred gift option. |
Appendix A-2
Business Processes Considered Out-of-Scope under the Gramm Leach Bliley Act
Matrix as of August 2004

| Process | Area - West Lafayette Campus | Reason for Exclusion | Rationale |
|---|---|---|---|
| Financial counseling by Compensation and Benefits | Compensation and Benefits | Not applicable under Act | Purdue University does not provide financial or investment advice. |
| Tax treaty analysis by University Tax Group | University Tax Group | Not applicable under Act | Purdue University does not provide tax advice or return preparation. |
| Boiler debit card | Card Office | Not applicable under Act | Purdue University is not providing credit, nor is confidential information collected.* |
| Transmission of student information to National Clearing House | Division of Financial Aid/Registrar | Not applicable under Act | Task is not in conjunction with customers obtaining financial products or services. |
| Salary and travel advance promissory notes (in foundation) | Purdue Research Foundation | Out of Scope | Process resides in foundation. |
| Affiliated organizations’ investments in CMIP and UEP | Investments/Accounting | Not applicable under Act | Investments are not for individuals and customer information is not captured. |
| Faculty editorships | Various academic areas | Out of Scope | Incidental process; not involved in University providing financial products or services. However, good business practices for safeguarding information apply if copies are kept. |
| Limited tax return (for student orgs) preparation by Tax Group | University Tax Group | Not applicable under Act | Services are not provided to individuals; should be cautious about assessing fees for this service as other regulations applicable to banks may apply. |
| Verification of employment/salary by banks for purposes of employees obtaining loans | Payroll | Not applicable under Act | Services are not being provided to individuals. |
| Direct deposit (PEFCU file transmission) | Payroll/Investments | Not applicable under Act | Transactions involving payroll appear outside of scope of Act. Rationale is that if the FTC intended to include these activities, they would not have limited GLBA to “financial institutions” only. |
| Direct Deposit of Financial Aid (PEFCU file transmission) | Bursar | Not applicable under Act | Task is not in conjunction with customers obtaining financial products or services. |
| ACH Activities: | | | |
| Remittance of withholdings | University Tax Group/Investments | Not applicable under Act | See above. |
| Remittance of child support payments to State of Indiana | Payroll/Investments | Not applicable under Act | See above. |
| Remittance of PERF/TIAA-CREF/and other SRA’s | Compensation and Benefits/Investments | Not applicable under Act | See above. |
| Dean of Students Emergency Loan Fund | Dean of Students/Loan Operations | Not applicable under Act | Loans are short term and interest free. |
| Check cashing service | Fiscal Administrator PMU | Not applicable under Act | Customer information not collected or maintained. Fee is $1.00 based on showing PUID card. FTC rules envisioned “payday” loan operations.* |
| Purdue-pay (similar function at regionals, if applicable) | Bursar & Credit Card Operations Manager | Not applicable under Act | For tuition and fee payments, no different than any other payment mechanism. Not obtaining a financial process or service.* |
| Career counseling for students interested in financial services industry | Director/Center for Career Opportunities | Not applicable under Act | Customer information is not collected or maintained.* |
| New uses of Purdue-pay for gifts, deposits, etc. (similar function at regionals, if applicable) | e-Commerce & Credit Card Operations | Not applicable under Act | Comptroller.* |

* Denotes rationale that was verified with the Federal Trade Commission.
Appendix B-1
Gramm Leach Bliley Act (GLBA) Information Sheet
Introduction
The Gramm Leach Bliley Act (GLBA) is a comprehensive law affecting institutions and
departments that deal with financial information which includes nonpublic personal information
such as addresses and phone numbers; bank and credit card account numbers; income and credit
histories; and Social Security numbers. Due to the fact that Purdue University does significantly
engage in student loan making and provides other financial services that use nonpublic personal
information, Purdue falls within the definition of “financial institution” under GLBA regulations.
For these reasons, Purdue University will be reviewing policies and systems to ensure
compliance with the requirements of the GLBA Safeguards Rule. Purdue’s current Family
Educational Rights and Privacy Act (FERPA) initiatives will ensure compliance with the Privacy
Rules required by the GLBA, limiting the scope of this assessment to the Safeguards Rule.
Requirements
The GLBA includes requirements to protect the security, integrity, and confidentiality of this
consumer information. To be GLBA compliant, organizations must develop, implement, and
enforce a comprehensive information security program including administrative, technical, and
physical safeguards as determined appropriate for the institution and data. In addition to
developing their own safeguards, organizations are responsible for taking steps to ensure that
their affiliates and service providers safeguard customer information in their care.
Due to these requirements, the IT Security and Policy group will be performing risk assessments
on all areas that must meet GLBA compliance requirements.
Actions required
The following basic actions must be taken to satisfy GLBA requirements:
• Assess risk
• Manage and control risk
• Oversee service provider arrangements
• Adjust the program to work with new technologies.
More information on risk assessments generally can be found at:
http://www.itap.purdue.edu/security/services/assessment.cfm
Appendix B-2
HIPAA Information Sheet
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a comprehensive
law affecting institutions and departments that deal with protected health information. University
policy defines this as:
Individually identifiable health information, in any form received or
created as a consequence of providing healthcare services or health plan
benefits (including demographic information).
Protected health
information may include information used for research purposes, if that
information identifies or could be used to identify a human research
subject.
Because most, if not all of this information is stored, transmitted, and/or processed by various
information systems, ITaP Security and Privacy (ITSP) assesses the compliance and risk of
various departments within not only ITaP but the rest of the University.
Requirements
HIPAA includes requirements to protect the security, integrity, and confidentiality of this
health-related information. These requirements apply to departments at Purdue that have been officially
designated by the HIPAA Privacy Compliance Office as covered by HIPAA. To be HIPAA
compliant, departments must develop, implement, and enforce a comprehensive security
program including administrative, technical, and physical safeguards as determined appropriate
for the institution and data. In addition to developing their own safeguards, departments are
responsible for taking steps to ensure that their affiliates and service providers safeguard
customer information in their care.
Actions Required
The following basic actions must be taken to satisfy HIPAA requirements:
• Assess risk to information systems, applications, and the HIPAA covered data they must
protect.
• Manage and control these risks.
• Identify business associates in your area and communicate them to the HIPAA
Privacy Compliance Office prior to sharing protected health information with them.
• Adjust new technologies and programs to satisfy HIPAA requirements.
A full risk assessment and compliance recommendation for your department will be performed
by ITSP to accomplish these goals.
Appendix G-1
GLBA Acknowledgement Statement
I acknowledge that I have participated in training concerning the Gramm Leach Bliley Standards
for Safeguarding Customer Information on the following date:
_________________________ ___________________
Signed
___________________________
Printed
___________________________
Department
Appendix G-2
HIPAA Confidentiality Statement
Certain employees of Purdue University may encounter health information protected by the
Health Insurance Portability and Accountability Act of 1996 through various sources including,
but not limited to, interoffice communications, data or software maintenance, electronic media,
verbal interactions, health plan claims or medical records. Employees with access to such
information shall not discuss, disclose, or give access to confidential health information except
as needed to perform an essential job function or to those having a legal right to such
information. They must further agree to access, use and disclose only the minimum protected
health information necessary to perform their job functions and to follow the University policies
and procedures that address the technical, physical and administrative safeguarding and security
of protected health information. Any breach of confidentiality in violation of University
policies, professional standards or state and federal laws and regulations governing protected
health information, may result in applicable sanctions and/or university disciplinary action
against the responsible employee.
By signing below, I certify that I have received and reviewed training concerning the HIPAA
Privacy Regulations and that I will abide by the Purdue policies and procedures to ensure
appropriate confidentiality and security of the health information that I encounter to do my job.
________________________________
Signed
______________
Date
________________________________
Printed
_________________________________
Department
Appendix H
ADDENDUM TO SERVICE PROVIDER AGREEMENT
This Addendum to Service Provider Agreement is entered into by Purdue University (“Purdue”)
and ________________________ (“Service Provider”) this ___ day of __________, 200__.
WHEREAS, Purdue and Service Provider executed an Agreement dated _________________________________________, ____________ for the purpose of _________________________________________ (“Original Agreement”).
WHEREAS, the Original Agreement contemplates that “Customer Information” (as the term is
defined in the Gramm Leach Bliley Safeguards Rule, 16 C.F.R. § 314) may be provided or exchanged
with Service Provider in connection with a financial product or service;
WHEREAS, the Gramm Leach Bliley Safeguards Rule requires Purdue to ensure, by contract,
that Service Provider implements and maintains appropriate safeguards for Customer Information
provided to Service Provider.
NOW THEREFORE, the parties agree to add the following requirements to their Original
Agreement:
1. Service Provider agrees to implement and maintain a written comprehensive information
security program containing administrative, technical and physical safeguards for the security
and protection of Customer Information and further containing each of the elements set forth
in § 314.4 of the Gramm Leach Bliley Standards for Safeguarding Customer Information (16
C.F.R. § 314).
2. Service Provider further agrees to safeguard all Customer Information provided to it under
the Original Agreement and this Addendum in accordance with its information security
program and the Gramm Leach Bliley Standards for Safeguarding Customer Information.
3. All other provisions of the Original Agreement between the Parties shall remain in full force
and effect.
IN WITNESS WHEREOF, the parties have executed this Addendum to Service Provider
Agreement on the date and year first written above.
Purdue University
By:___________________________
Printed:_______________________
Title:_________________________

__________________________ (“Service Provider”)
By:_________________________
Printed:______________________
Title:________________________
#341217.1
Gramm Leach Bliley (GLB) Safeguards Rule
Service Provider Due Diligence
Company name: ___________________
Company Federal ID#: _________________
Completed by (name, title): ___________________
Contact information (phone, fax, e-mail, address):
Please answer the following questions regarding your firm’s implementation of the GLB
Safeguards Rule:
1. Does your firm have a written information security program that contains administrative,
technical, and physical safeguards appropriate to the size and complexity of the firm, the
nature and scope of its activities, and the sensitivity of customer information at issue?
(circle one)
YES
NO
If no, please explain.
2. Has your firm designated an employee or employees to coordinate the information
security program? (circle one)
YES
NO
If no, please explain.
3. Has your firm undergone an assessment to identify reasonable, foreseeable internal and
external risks to the security, confidentiality, and integrity of customer information that
could result in the unauthorized disclosure, misuse, alteration, destruction, or other
compromise of such information? (circle one)
YES
NO
If no, please explain.
4. At a minimum, did the risk assessment include consideration of risks in the following
areas: employee training and management; information systems including network and
software design, as well as information processing, storage, transmission, and disposal;
and detecting, preventing, and responding to attacks, intrusions, or other systems
failures? (circle one)
YES
NO
If no, please explain.
5. Has your firm taken steps to select and retain service providers that are capable of
maintaining appropriate safeguards for customer information? (circle one)
YES
NO
If no, please explain.
6. Has your firm included appropriate language in service providers’ contracts requiring
them to implement and maintain appropriate safeguards? (circle one)
YES
NO
If no, please explain.
I certify that the information provided above is true and correct to the best of my knowledge.
Signature
Date
Appendix I
GLBA Quick Reference Chart
Each entry below gives the chart columns: Item; Comment; Date / Timeframe, if applicable; Responsible Party.

Item: Objectives of Information Security Program
Comment:
Ensure the security and confidentiality of customer information.
Protect against anticipated threats to the security or integrity of customer information.
Guard against unauthorized access to or use of customer information that could result in harm or inconvenience to any customer.
Comply with applicable Gramm Leach Bliley rules as published by the Federal Trade Commission.
Responsible Party: Coordinator

Item: Operational Areas Impacted
Comment: Includes, but is not limited to, the Division of Financial Aid, Office of the Bursar, University Collections, and the Office of Planned Giving (see Appendix A-1 for the Matrix Identifying Operational Areas).
Responsible Party: GLBA Standing Committee

Item: Coordinator responsible for specific operation
Comment: Chief Information Security Officer. The Coordinator must work with all relevant areas of the University to identify potential and actual risks to the security and privacy of information.
Responsible Party: Coordinator

Item: Offices deemed outside GLBA safeguard rules
Comment: Refer to Appendix A-2.
Responsible Party: GLBA Standing Committee

Item: Standing Committee
Comment: Director of Audits, Chief Information Security Officer, Bursar, Executive Director of Financial Aid, representatives from the regional campuses, University Counsel.
Date / Timeframe: Meetings biannually and as needed.

Item: Periodic data security review
Comment: Responsible to conduct a periodic data security review, with guidance from the Coordinator. Must retain assessment data for a period of two (2) years, including the most recent assessment.
Date / Timeframe: Retain two (2) years.

Item: Training
Comment: Directors and supervisors are responsible for ensuring compliance with information security practices. Training templates on the web at:
1. http://www.itap.purdue.edu/security/policies/GLB_Safeguards_Rule_Training_Business_Office.pdf
2. http://www.itap.purdue.edu/security/policies/GLB_Safeguards_Rule_Training_General.pdf
Maintain records that staff have received training (see Appendix G-1 for a sample training statement). Retain records for six (6) years, including the most recent training year. (Includes permanent, temporary, and student employees whose jobs require them to access customer information or who work in a location where there is access to customer information.)
Date / Timeframe: Retain proof of training six (6) years.

Responsible Parties listed in the chart for the three items above: Rep or Designee; GLBA Standing Committee; Coordinator.

Item: Questions regarding technical issues, risk assessment, and information technology policy
Comment: Contact the Office of Information Technology Security and Privacy.
Responsible Party: ITSP

Item: Questions on business policy and processes
Comment: Contact the Coordinator of the Information Security Program.
Responsible Party: Coordinator

Item: Service Providers Requirement (Contracts)
Comment: Must include specific language in third-party service provider contracts relative to compliance with GLB. Reference Item IV, page 4, of the GLB policy for the specific language, and Appendix H.
Responsible Party: Department and General Counsel

Item: Periodic review required
Comment: GLB mandates that Information Security Programs be subject to periodic review and adjustment.
Date / Timeframe: Plan to be evaluated annually.
Responsible Party: GLBA Standing Committee

Item: Customer Information
Comment: Any record containing nonpublic personal information, as defined in 16 C.F.R. 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution] or [its] affiliates.
Responsible Party: Not Applicable

Item: Financial Product or Service
Comment: Financial Product or Service means any product or service that a financial holding company could offer by engaging in a financial activity. Financial Service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

Item: Non-Public Personal Information
Comment: (i) Personally identifiable financial information, and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. 313.3(n)(1).

Item: Personally Identifiable Financial Information
Comment: Means any information: (i) A consumer provides to you to obtain a financial product or service from you; (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.

Item: Examples the FTC considers a financial product or service
Comment:
Student (or other) loans, including receiving application information, and the making or servicing of such loans
Financial or investment advisory services
Credit counseling services
Tax planning or tax preparation
Collection of delinquent loans and accounts
Sale of money orders, savings bonds or traveler's checks
Check cashing services
Travel agency services provided in connection with financial services
Real estate settlement services
Money wiring services
Issuing credit cards or long term payment plans involving interest charges
Personal property and real estate appraisals
Career counseling services for those seeking employment in finance, accounting or auditing
Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products
Obtaining information from a consumer report
Providing or issuing annuities
Responsible Party: Not Applicable