Other Federal and State Laws involving Sensitive Information
Assummarized below, a number of federal and state laws may apply to information collected and maintained by University employees. Please direct questions regarding the applicability of these laws and other potential legal issues to the Information Security Analyst or the Office of General Counsel.
The Family Educational Rights and Privacy Act (FERPA)
Enacted in 1974, FERPA (also known as the Buckley Amendment) affords students (or parents if the student is a minor) certain rights with respect to the student’s “education records.” As defined under FERPA, the term “education records” encompasses a broad range of materials and information such as disciplinary, financial and academic records established during a given student’s enrollment and maintained in a variety of University databases and other filing arrangements. In particular, FERPA provides that “education records” and personally identifiable information contained therein may not be released or disclosed (including disclosure by word of mouth) without the written consent of the student (or parents, as the case may be). Violations of FERPA may result not only from the unauthorized disclosure of education records but also from the failure to exercise due care in protecting such records against unauthorized access from outsiders. However, even in the absence of express student (or parental) consent, FERPA permits disclosure of education records to University employees who have a legitimate interest in the student and to outside parties in a variety of circumstances, such as those where public health or safety are at issue. For FERPA training and additional information please visit the Registrar's Office.
Health Insurance Portability and Accountability Act (HIPAA)
Enacted in 1996, HIPAA sets national privacy standards for the protection of certain types of health information to the extent such information is electronically transmitted by health plans, health care clearinghouses, and health care providers. The University is subject to HIPAA as a provider of employee group health plans. Accordingly, with respect to such health plans, the University has
(a) adopted written privacy procedures describing who has access to protected health information, how such information will be used, and when it may be disclosed
(b) required business associates to protect the privacy of such health information
(c) trained employees in the applicable privacy policies and procedures
(d) designated a Privacy Officer to be responsible for ensuring that such policies and procedures are followed. HIPAA may also apply to certain research activities such as the collection and use of personally identifying health information from patient populations in clinical settings. Further information regarding compliance with HIPAA is available through the University’s Privacy Officer in Risk Management. For HIPAA training and additional information please visit the HIPAA website.
The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999, the GLBA requires financial institutions to carefully protect customers’ financial information. Universities are “financial institutions” by virtue of their loan servicing and therefore must comply with GLBA provisions. The GLBA has two relevant components
(1) “safeguarding” rules
(2) privacy rules.
Computer Fraud and Abuse Act (CFAA)
Enacted in 1984 (and revised in 1994), the CFAA criminalizes unauthorized access to a “protected computer” with the intent to defraud, obtain any information of value or cause damage to the computer. Under the CFAA, a “protected computer” is defined as a computer that is used in interstate or foreign commerce or communication or that is used by or for a financial institution or the government of the United States. For example, the act of “hacking” into a secure web site from an out-of-state computer may violate the CFAA
Electronic Communications Privacy Act (ECPA)
Enacted in 1986, the ECPA broadly prohibits (and makes criminal) the unauthorized use or interception of the contents or substance of wire, oral or electronic communications. In addition, the ECPA prohibits unauthorized access to or disclosure of electronically stored communications or information. Such prohibitions may apply to University employees who willfully exceed the scope of their duties or authorizations by accessing certain databases housed within the University system. The ECPA does not, however, prohibit the University from monitoring network usage levels and patterns in order to ensure the proper functioning of its information systems.
State and Federal Laws
In addition to the federal laws summarized above, there may be particular state laws that apply to the handling of confidential information. For example, state laws may govern the collection or use of information regarding children, consumers and other groups. Before establishing new practices with regard to the handling of confidential information, University employees are encouraged to consult the General Counsel on campus. Additional state laws and information can be found on the following websites:
Ohio Office of Information Technology: http://www.oit.ohio.gov/IGD/policy/OhioITPolicies.aspx
United States Department of Health and Human Services: http://www.hhs.gov/ocr/hipaa/
US Department of Education: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Ohio - House Bill 104: http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_104_
When negotiating contracts with third party vendors, UT employees should consider whether such vendors require access to UT databases or to other filing systems containing confidential information. Agreements providing third party vendors with access to such information must ensure that the vendor is subject to obligations of confidentiality that will enable the UT to comply with its own obligations under the applicable privacy laws. In addition, such vendors should be contractually obligated to implement data protection and security measures that are commensurate with the UT. By the same token, UT employees must be careful not to disclose confidential information entrusted to their care by an outside party, especially when such information is governed by the terms of a confidentiality agreement or clause with that party.