Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices

Transcription

1 Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices (Session ID: 152) Maureen Carver, Assistant Dean and Registrar, Law School, Villanova University Rita Garner, Registrar, Medical College of Georgia Joann Wilson-Singleton, Registrar, Harvard University-School of Public Health

2 Gramm-Leach Bliley Act Joann Wilson-Singleton

3 Agenda What is the Gramm-Leach Bliley Act (GLB)? How does the GLB impact Student Services (SS)? What assessments have been made? What actions are needed on the part of SS staff? Resources, Discussion, Questions

4 What is the Gramm-Leach Bliley Act (GLB)? GLB is a federal law enacted to protect the security of personally identifiable, non-public, financial information particularly in the banking industry. However, this applies to all institutions that provide financial services (It was ruled in 2003 that GLB applies to Higher Education). Financial activities include servicing loans, safeguarding money, providing financial advice, and collecting consumer debt. Protect customer s non-public personal information (information collected that can be paralleled with bank-like activities). Emergency loan Tax Information Check Processing Loan Processing Promissory Notes

5 Why is GLB Important? For starters: We must ask, how would we want our personal information handled? With the rapid growth of technology, identity theft has become the fastest growing crime. Every 79 seconds a thief steals someone's identify, opens an account and goes on a buying spree. CBSnews.com

6 What does GLB require? Identify and assess the risk to customer information. Design and implement a safeguard program. Monitor the implementations and make adjustments as needed. Have a written plan that illustrates actions that will be taken should data be compromised. Ensure that outside venders understand and comply with GLB.

7 Key Concepts in SS Assessments and Risks Although confidentiality is assumed under FERPA, GLB is broader and requires more scrutiny. Paper flow personal financial information is locked in room/suites, but not in filing cabinets Computer vulnerabilities- (unmonitored) passwords security locking workstation when unattended data stored in the c: drive or on the network personal data that is transmitted via Accessibility who should have access are people that should not have access able to view confidential data who do we determine that we can discuss this information with and where SS should have formal training, and written policy that incorporates security regarding technology, confidentiality and access

8 Improvement Plans Papers containing personal information should be kept in a locked filing cabinet overnight. Not locking this data, allows data to be accessible to nonaffiliated staff that should not have access (ie: maintenance/security). Keys should be kept in a safe place-not in the open. Lock computer workstations when left unattended. Password protected screen-saver should default after 15 min.

9 Improvement Plan Cont. SS offices should assess paper-flow and determine document expiration dates. An annual clean-up date should be designated s with SSN should be sent as attached excel (password protected documents). All papers containing personal information that are no longer needed should be SHREDDED. Checks should be kept in a locked area overnight. Card Swipes Security Keys for Secured Areas.

10 Improvement Plan Cont. Formal Training on FERPA and GLB will be provided by departments: New employees should be notified in their 1 st week of confidentiality and SS policy. (this includes temps) Current staff should notified of new policy implementation. A Security Agreement should be signed by staff with access to SS data via systems or files. Revisit progress at all-staff meetings (assess best practices).

11 Best Practices Storing records in a secure place Providing secure data transmission Disposing of customer information in secure manner Monitoring to ensure that improper disclosure or theft is not occurring

12 Resources Gramm-Leach Bliley Act FERPA

13 FERPA The Family Educational Rights and Privacy Act of 1974 Presenter: Maureen O Mara Carver Assistant Dean for Student Records and Registrar Villanova University School of Law

14 What Are Education Records Under FERPA? Education records are defined as records that are: Directly assigned to a student and Maintained by an educational agency or institution or by a party acting for the agency or institution

15 What Are NOT Education Records Under FERPA? Education records are NOT : Sole possession records Law enforcement unit records Employment records Medical records or Post-attendance records

16 What Happens If a College Does Not Comply With FERPA? The Department of Education may issue a notice to cease the practice complained of and could ultimately withhold funds administered by the Secretary of Education.

17 DIRECTORY INFORMATION Information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. It includes but is not limited to, the student s name, address, telephone listing, electronic address, photograph, date and place of birth, major field of study, dates of attendance, grade level, enrollment status (e.g., undergraduate or graduate; full-time or part-time), participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors and awards received, and the most recent educational agency or institution attended.

18 NON-DIRECTORY INFORMATION Items that can never be designated and disclosed as directory information are a student s: social security number, gender, religious preference, grades, and GPA.

19 TRUE OR FALSE? Faculty have the right to inspect and review the education records of any student.

20 TRUE OR FALSE? A faculty member has posted grades of all the students in his class outside his office. This is a violation of FERPA.

21 TRUE OR FALSE? A state institution in Pennsylvania must respond to a subpoena received from the Supreme Court of California.

22 TRUE OR FALSE? Health records, maintained at the Student Health Center, are education records, subject to FERPA.

23 TRUE OR FALSE? Student representatives on committees (e.g. honors, curriculum, etc.) have the right to see other students education records during the deliberations of that committee if they have been designated as school officials.

24 FOOD FOR THOUGHT I offer another unrelated suggestion to bar admissions authorities. That is a modification of the release form signed by applicants to address the requirements of the Family Educational Rights and Privacy Act (FERPA), often referred to as the Buckley Amendment. Bar admissions authorities routinely have applicants sign a release of information held by a laundry list of agencies, including the applicant s law school. When bar admissions authorities request a copy of an applicant s law school application or other information from a law school, they accompany the request with a copy of the applicant s signed release. I have yet to see a bar admissions release that, in my opinion, satisfies FERPA s release requirements. This puts the law school in the position of choosing between its obligation to assist the bar admissions authority and its obligations under FERPA; a violation of the latter can conceivably result in loss of federal funds for the school s parent institution. I have mentioned this problem at national meetings on bar admission, but as yet to no avail. In order to protect my law school, I now have matriculants sign a form during orientation that releases the school from any liability under FERPA for providing information to bar admissions authorities. Because professional licensing of various types is extremely important to the protection of society, an amendment to FERPA to protect institutions that provide information to professional licensing entities is advisable. Absent that, bar admissions authorities should be able to develop a release form that would protect law schools from FERPA claims. The bar admissions process is vitally important to the legal profession. As deans, we should take seriously our role in this gatekeeping process, and I believe we do. Better cooperation between law schools and bar admissions authorities and more attention to specific details of our interrelationship would benefit both and, in turn, the legal profession and the public we serve. * Dean and Professor of Law, University of South Dakota School of Law.

25 Where Can I Get More Information Regarding FERPA? Family Policy Compliance Office U.S. Department of Education 400 Maryland Avenue, SW Washington, DC Phone: (202) FAX: (202) ferpa@ed.gov Web:

26 HIPAA Security (Health Insurance Portability and Accountability Act) Rita B. Garner, Registrar Medical College of Georgia

27 What is HIPAA? Health Insurance Portability and Accountability Act of 1996 August 21, 1996 Improve the portability and continuity of Health Insurance Make Health Care industry more efficient

28 What is HIPAA? (cont.) Simplify the administration of health insurance. Give patients more control over Protected Health Information (PHI)

29 What is PHI? Names Geographic Data Dates Phone numbers Fax numbers addresses SSN Medical Record # Driver s License # Finger & Voice images Full face photographic images and comparable images

30 Health Insurance Portability and Accountability Act (HIPAA) Portability [Insurance Reform] Accountability [Administrative Simplification] Transactions, Code Sets & Identifiers Privacy Security

31 Privacy VS Security WHAT is protected - Health information about an individual Who is permitted access, use or disclosure of the information HOW information is protected Insuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

32 Security Administrative Procedures Physical Safeguards Technical Safeguards

33 Administrative Procedures Ensure the following exist: Security Plans Policies and Procedures Contractual Agreements Training

34 Physical Safeguards Workstation Location Physical Device Security Laptop computer vs. Desk Top computer

35 Technical Safeguards Strong password policy Reset Password Lock out Auto Logoff Firewall Location of data storage (server or PC) File encryption (VPN)

36 Password Protection Standards Change passwords at least once every 90 days. Do not write down passwords. Do not store passwords on-line without encryption.

37 Password Protection Standards Do not use the same password for all accounts (e.g., personal ISP account, on-line banking, , etc.). Do not share passwords with anyone, including administrative assistants, your boss, co-workers or family members. Don't reveal a password over the phone or in .

38 Password Protection Standards Don't hint at the format of a password (e.g., "my family name"). Don't reveal a password on questionnaires or security forms. Don't use the "Remember Password" feature of applications (e.g., GroupWise, Instant Messenger, Internet Explorer, Firefox).

39 Security Highlights All workforce members must receive security awareness training Establish policies and procedures that allow access to electronic PHI on a need-to-know basis Workstations must contain proper security mechanisms to ensure the data is protected. Limit physical access to facilities that contain electronic PHI Implement audit controls that record and examine who has logged into information systems that contain PHI Establish and enforce sanctions to all workforce members who don t follow security P&P s

40 References paa/index.asp

41 QUESTIONS? Rita B. Garner, Registrar Medical College of Georgia Joann Wilson-Singleton, Registrar Harvard School of Public Health Maureen O Mara Carver Assistant Dean for Student Records and Registrar Villanova University School of Law Carver@law.villanova.edu