Safeguarding Private Information Family Educational Rights and Privacy Act of 1974 FERPA Health Insu - PowerPoint PPT Presentation

Provided by: EIAU
Slides: 53

Transcript and Presenter's Notes

1
Safeguarding Private Information
Family Educational Rights and Privacy Act of 1974 (FERPA)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Gramm-Leach-Bliley Act of 1999 (GLBA)
  • Presented by
  • General Counsel
  • HIPAA Privacy and Security Officers
  • Internal Auditing and the Records Office

2
Presenter Team
  • Joe Barron, General Counsel
  • Sue Harvey, Director, Academic Records and
    Registration
  • Bryan Callaway, Privacy Officer
  • Cathy Ashmore, Security Officer
  • Kathleen Moreno, Director, Internal Auditing
  • Julie Benedict, Training and Development

3
Laws Governing Privacy and Security
  • Family Educational Rights and Privacy Act of 1974
    (FERPA), also known as the Buckley Amendment
      • covers the privacy of all education records and
        some medical records
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA)
      • covers the privacy of personal health
        information
  • Gramm-Leach-Bliley Act of 1999 (GLBA)
      • covers the security of all non-public
        personally identifiable financial information

4
What is Privacy?
Privacy refers to the right of an individual to
control his/her private personal information and
to not have it divulged or used by others against
his/her wishes.
5
What is Security?
  • Security refers to the mechanisms put in place to
    safeguard University records, whether such
    mechanisms are physical, technological, or
    administrative. Some examples of security would
    be:
      • Using a firewall on the network to prevent
        unauthorized network access by outside sources
        (technological)
      • Adjusting your monitor so other people cannot
        read the information displayed (physical)
      • Limiting access to data by not randomly assigning
        access to sensitive information for employees
        (administrative)

6
What is Confidentiality?
Confidentiality protects an individual's right to
not have any information contained in his/her
records maintained by the University accessed by
anyone who does not have a legitimate
institutional or business need to know.
7
Definitions
8
Definitions (contd)
9
Definitions (contd)
10
Definitions (contd)
11
Corresponding IGPs
12
Information Covered
13
Acts Impact on University
14
Who to Contact
15
Affected Departments
16
Key Features
17
Enforcement
18
Penalties
19
Definitions
20
Definitions (contd)
21
Definitions (contd)
22
Definitions (contd)
23
Corresponding IGPs
24
Information Covered
25
Acts Impact on University
26
Who to Contact
27
Affected Departments
28
Key Features
29
Enforcement
30
Penalties
31
Definitions
32
Definitions (contd)
33
Definitions (contd)
34
Definitions (contd)
35
Corresponding IGPs
36
Information Covered
37
Acts Impact on University
38
Who to Contact
39
Affected Departments
40
Key Features
41
Enforcement
42
Penalties
43
Who Will Verify Compliance with these Federal
Acts?
Office of Internal Auditing (581-5018)
44
Five Simple Steps for Employees to Safeguard
Information
  • Be aware that personally identifiable information
    should only be used for LEGITIMATE EDUCATIONAL OR
    BUSINESS NEED TO KNOW PURPOSES.
  • Protect computer passwords, choose strong
    passwords (see
    http://www.eiu.edu/itshelp/password/password.html
    for tips), and change them regularly. DO NOT SHARE
    YOUR PASSWORD WITH OTHER EMPLOYEES.
  • When unauthorized users are (or may be) present,
    cover or secure papers that have identifiable
    information.
  • Understand the difference between legitimate
    business need to know and gossip. Just because
    you and your co-worker have the capability to
    access information does not mean it's OK to
    discuss the information between yourselves.
  • Keep security patches and anti-virus software
    up to date; use the automatic update feature, if
    available. Call the ITS Help Desk (581-HELP) if
    you have questions regarding security patches and
    anti-virus software.

45
How do we, as employees, protect this information?
  • Restrict access to all unauthorized internal and
    external users
  • Secure your information by turning your monitors
    away from public viewing
  • Log off systems in public areas
  • Ask for identifiable information to be written
    down rather than stated aloud
  • Understand what access you are requesting ITS to
    give to employees
  • Be cognizant of access given to student employees

46
How do we, as employees, protect this information?
  • Restrict physical access to data
      • Locking file cabinets
      • Restricted access to office keys
  • Remove vendor-supplied default passwords and
    change security parameters as necessary
  • Question the need to use social security numbers
  • Leave social security numbers off forms unless
    legally required (use the last four digits if
    necessary)
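The last two bullets describe data minimization: a social security number that has to appear at all is reduced to its last four digits. The script below is an added example (it is not code from the presentation or from Eastern Illinois University) of how a records office could apply that rule mechanically to exported text such as a form dump or a log line. The sample input is constructed for the example; the redaction keeps only the last four digits, leaves phone numbers and structurally impossible numbers alone, and, as a deliberate assumption of this example, only matches numbers written with dashes or spaces, because a bare nine-digit run collides with too many other identifiers to redact safely in free text.

```python
import re

# Matches an SSN written with dashes or spaces (123-45-6789 or 123 45 6789).
# The lookarounds stop a match from starting or ending inside a longer
# digit run. Unseparated nine-digit numbers are intentionally not matched
# (assumption of this example): redact those only from a known SSN field.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999,
    and neither the group nor the serial is all zeros. Filters placeholder
    values such as 000-00-0000 so they are not reported as redactions."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def redact_ssns(text: str) -> tuple[str, int]:
    """Return (redacted_text, number_of_ssns_masked).

    Every plausible SSN is replaced with ***-**-NNNN, keeping only the last
    four digits, which is the most that the slide allows on a form.
    """
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        area, group, serial = match.groups()
        if not is_plausible_ssn(area, group, serial):
            return match.group(0)  # leave implausible numbers untouched
        count += 1
        return f"***-**-{serial}"

    return _SSN_RE.sub(repl, text), count


# Constructed sample: one form line as it might be exported from a records
# system. The phone number has a 3-3-4 layout and must survive untouched.
SAMPLE_LINE = (
    "Student: Jane Doe SSN: 123-45-6789 alt 123 45 6789 "
    "placeholder 000-00-0000 phone 217-581-5018"
)

if __name__ == "__main__":
    cleaned, n = redact_ssns(SAMPLE_LINE)
    print(n, "SSN(s) masked")
    print(cleaned)
```

Keeping the last four digits is what the slide permits, not a safe harbor: those four digits are still widely used as an authenticator, so a form that retains them should still pass the "legally required" test above and be stored under the same access controls as the full number.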

47
Confidentiality Notice
Eastern Illinois University maintains strict
confidentiality and security of records in
compliance with the Family Educational Rights and
Privacy Act of 1974 (FERPA), the Health Insurance
Portability and Accountability Act (HIPAA) and
the Gramm-Leach-Bliley Act (GLBA), in addition to
other federal and state laws. These laws pertain
to the security and privacy of all records that
contain information that identifies or could lead
to the identification of a student or that could
reveal private information concerning an employee
or customer.
48
Confidentiality Notice
Employees are authorized access to such private
information as a condition of employment to the
extent necessary to perform their duties. As an
employee/volunteer/student/third party
administrator of the university, you are required
to protect against unauthorized access to such
information, ensure the security and privacy of
such information, and disclose any anticipated
threats or hazards to such information. You must
be very careful not to release this information
to the public or to other individuals, including
but not limited to University employees who have
not been authorized or who do not have a
legitimate institutional or business need to
know. Any questions regarding release of such
information to another person should be directed
to your supervisor or their designee.
49
Confidentiality Notice
  • Eastern Illinois University defines unauthorized
    access as:
      • Access to student, employee or University
        information not necessary to carry out your job
        responsibilities.
      • Non-business or non-institutional access to the
        records of a student or employee. This includes
        your children (as protected under FERPA), spouse,
        parents and other relatives, as well as friends
        and acquaintances.
      • Release of student or employee information to
        unauthorized internal or external users.
      • Release of more student or employee information
        to an authorized individual or agency than is
        essential to meeting the stated purpose of an
        approved request.

50
Confidentiality Notice
Information may not be divulged, copied,
released, sold, loaned, reviewed, altered or
destroyed except as properly authorized by the
appropriate university official within the scope
of applicable federal or state laws, including
record retention schedules and corresponding
Internal Governing Policies.
51
Confidentiality Notice
As an employee of Eastern Illinois University,
you must abide by the rules, regulations,
policies and procedures of EIU as well as federal
and state laws applicable to your position at the
university. EIU may, at any time, revoke
employee/volunteer/student/third party access,
other authorization, or other access to
confidential information. Additionally, failure
to comply with any of the acts, rules,
regulations, EIU policies and corresponding
procedures may result in disciplinary actions,
including termination of employment. Criminal or
civil penalties may also be imposed, depending
upon the nature and severity of the breach of
confidentiality.
52
Remember
  • "When in doubt, don't give it out. Check it out."
    - Sue Harvey
53
Remember
Keeping confidential information private and
secure not only protects the University.
It protects you.
54
Recycling
Locking shred bins may be obtained from the
Recycling Department. Please contact Allan
Rathe, Recycling Coordinator, at 591-7022 or
csalr@eiu.edu. Recycling information is available
at http://www.eiu.edu/physplnt/recyclin.shtml.
55
Thank you for your time.
Questions? Comments? Concerns?