Safeguarding Private Information
Family Educational Rights and Privacy Act of 1974 (FERPA)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Gramm-Leach-Bliley Act of 1999 (GLBA)

Presented by
- General Counsel
- HIPAA Privacy and Security Officers
- Internal Auditing and the Records Office
Presenter Team
- Joe Barron, General Counsel
- Sue Harvey, Director, Academic Records and Registration
- Bryan Callaway, Privacy Officer
- Cathy Ashmore, Security Officer
- Kathleen Moreno, Director, Internal Auditing
- Julie Benedict, Training and Development
Laws Governing Privacy and Security
- Family Educational Rights and Privacy Act of 1974 (FERPA), the Buckley Amendment: covers the privacy of all education and some medical records
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): covers the privacy of personal health information
- Gramm-Leach-Bliley Act of 1999 (GLBA): covers the security of all non-public personally-identifiable financial information
What is Privacy?
Privacy refers to the right of an individual to
control his/her private personal information and
to not have it divulged or used by others against
his/her wishes.
What is Security?
Security refers to the mechanisms put in place to safeguard University records, whether such mechanisms are physical, technological, or administrative. Some examples of security would be:
- Using a firewall on the network to prevent unauthorized network access by outside sources (technological)
- Adjusting your monitor so other people cannot read the information displayed (physical)
- Limiting access to data by not randomly assigning access to sensitive information for employees (administrative)
What is Confidentiality?
Confidentiality protects an individual's right to
not have any information contained in his/her
records maintained by the University accessed by
anyone who does not have a legitimate
institutional or business need to know.
[Slides 7 through 42 are title-only slides whose body content was not captured. The following sequence of slide titles appears three times: Definitions (four slides), Corresponding IGPs, Information Covered, Act's Impact on University, Who to Contact, Affected Departments, Key Features, Enforcement, Penalties.]
Who Will Verify Compliance with these Federal Acts?
Office of Internal Auditing (581-5018)
Five Simple Steps for Employees to Safeguard Information
- Be aware that personally identifiable information should only be used for LEGITIMATE EDUCATIONAL OR BUSINESS NEED TO KNOW PURPOSES.
- Protect computer passwords, choose strong passwords (see http://www.eiu.edu/itshelp/password/password.html for tips), and change them regularly. DO NOT SHARE YOUR PASSWORD WITH OTHER EMPLOYEES.
- When unauthorized users are (or may be) present, cover or secure papers that have identifiable information.
- Understand the difference between legitimate business need to know and gossip. Just because you and your co-worker have the capability to access information does not mean it's OK to discuss the information between yourselves.
- Keep security patches and anti-virus software up-to-date; use the automatic update feature, if available. Call the ITS Help Desk (581-HELP) if you have questions regarding security patches and anti-virus software.
How do we, as employees, protect this information?
- Restrict access to all unauthorized internal and external users
- Secure your information by turning your monitors away from public viewing
- Log off systems in public areas
- Ask for identifiable information to be written down rather than stated aloud
- Understand what access you are requesting ITS to give to employees
- Be cognizant of access given to student employees
How do we, as employees, protect this information?
- Restrict physical access to data
  - Locking file cabinets
  - Restricted access to office keys
- Remove vendor-supplied default passwords and change security parameters as necessary
- Question the need to use social security numbers
- Leave social security numbers off forms unless legally required (use last four digits if necessary)
Confidentiality Notice
Eastern Illinois University maintains strict
confidentiality and security of records in
compliance with the Family Educational Rights and
Privacy Act of 1974 (FERPA), the Health Insurance
Portability and Accountability Act (HIPAA) and
the Gramm-Leach-Bliley Act (GLBA), in addition to
other federal and state laws. These laws pertain
to the security and privacy of all records that
contain information that identifies or could lead
to the identification of a student or that could
reveal private information concerning an employee
or customer.
Confidentiality Notice
Employees are authorized access to such private
information as a condition of employment to the
extent necessary to perform their duties. As an
employee/volunteer/student/third party
administrator of the university, you are required
to protect against unauthorized access to such
information, ensure the security and privacy of
such information, and disclose any anticipated
threats or hazards to such information. You must
be very careful not to release this information
to the public or to other individuals, including
but not limited to University employees who have
not been authorized or who do not have a
legitimate institutional or business need to
know. Any questions regarding release of such
information to another person should be directed
to your supervisor or their designee.
Confidentiality Notice
Eastern Illinois University defines unauthorized access to be:
- Access to student, employee or University information not necessary to carry out your job responsibilities.
- Non-business or non-institutional access to the records of a student or employee. This includes your children as protected under FERPA, spouse, parents and other relatives as well as friends and acquaintances.
- Release of student or employee information to unauthorized internal or external users.
- Release of additional or excessive student or employee information to an authorized individual/agency beyond what is essential to meeting the stated purpose of an approved request.
Confidentiality Notice
Information may not be divulged, copied,
released, sold, loaned, reviewed, altered or
destroyed except as properly authorized by the
appropriate university official within the scope
of applicable federal or state laws, including
record retention schedules and corresponding
Internal Governing Policies.
Confidentiality Notice
As an employee of Eastern Illinois University,
you must abide by the rules, regulations,
policies and procedures of EIU as well as federal
and state laws applicable to your position at the
university. EIU may, at any time, revoke
employee/volunteer/student/third party access,
other authorization, or other access to
confidential information. Additionally, failure
to comply with any of the acts, rules,
regulations, EIU policies and corresponding
procedures may result in disciplinary actions,
including termination of employment. Criminal or
civil penalties may also be imposed, depending
upon the nature and severity of the breach of
confidentiality.
Remember
"Don't give it out. Check it out." - Sue Harvey
Remember
Keeping confidential information private and
secure not only protects the University
It protects you.
Recycling
Locking shred bins may be obtained from the Recycling Department. Please contact Allan Rathe, Recycling Coordinator, at 591-7022 or csalr_at_eiu.edu. Recycling information is available at http://www.eiu.edu/physplnt/recyclin.shtml.
Thank you for your time.
Questions? Comments? Concerns?