The New Massachusetts Miracle:


The New Massachusetts Miracle: Reducing the Risk of FERPA Violations
Wednesday, 9:15 am - 10:15 am, Room 201B, Session ID: 073
AACRAO Annual Meeting, Philadelphia, PA - April 4, 2012
Ari Kaufman, Associate Registrar - Operations, Berklee College of Music

Outline of Presentation
- Challenges of enforcing FERPA in today's environment
- Description of 201 CMR 17.00 (the new Massachusetts regulations)
- How and why Berklee complied as it did, and how it benefits the Office of the Registrar
- How your school can move forward to better FERPA compliance (even if it's not in Massachusetts)

About Us: Berklee College of Music
- Boston, MA - founded 1945
- Approximately 4300 students, 568 faculty, 542 full-time staff
- Largest independent music college in the world; focus on contemporary music
- New campus in Valencia, Spain, with new graduate programs to begin there in Fall 2012
- Former students include: Branford Marsalis, Billy Squier, Quincy Jones, Melissa Etheridge, Paula Cole, and Esperanza Spalding

Does the expression "Massachusetts Miracle" ring a bell?

Some Massachusetts Miracles
- In the past 10 years, Massachusetts has had 7 professional sports championships! (Patriots 3, Red Sox 2, Celtics 1, Bruins 1)

Some Massachusetts Miracles
- The Boston Big Dig project only cost $22 billion to complete (almost $20 billion over budget).

Not really a miracle, but an interesting fact
- There is a Dunkin' Donuts every 10.7 miles in Massachusetts (988 stores in total... only 136 Starbucks stores)

The actual Massachusetts Miracle
- High-tech boom in Massachusetts which brought the unemployment rate from 11.2% in 1975 to 2.9% in 1988... but which subsequently collapsed
Gov. Michael Dukakis

Who at your school has FERPA near the top of their priority list?
- President
- Vice President of Student Affairs
- Vice President of Info Technology
- In-house Counsel (if you have one...)
- Office of the Registrar

Why is FERPA a consideration, but not a hot issue at many colleges?
- It is old news (a law from 1974)
- No school has ever lost Federal funding as a result of FERPA violations
- Schools have other priorities (enrollment, funding, technology, student services)

Identity theft is a hot issue
- It's a real problem! In 2003 alone:
- 9.91 million Americans were victims of identity theft
- $52.6 billion was lost as a result

In 2010, Massachusetts came up with a miraculous solution to deal with identity theft

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (OF MASSACHUSETTS)
- Regulation applies to all entities that have access to personal information, including colleges and universities
- A comprehensive information security program must be in writing

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (OF MASSACHUSETTS)
- Information Security Officer needs to be identified
- Restrictions to physical access of records required
- Facilities should be appropriately locked

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (OF MASSACHUSETTS) - March 1, 2010
- Portable devices must be encrypted if they contain personal information of customers
- Personal info includes: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number,

Penalties: 201 CMR 17.00 vs FERPA
- Penalty for EACH violation of the Massachusetts regulation is $5,000
- A restaurant chain was fined $110,000 for a violation, so the Massachusetts law has teeth. The restaurant chain in question failed to protect patrons' personal information.
- Conversely, to date no school has lost Federal funding due to FERPA violations (no teeth)

A Big Concern for Colleges: Social Insecurity Numbers
- Colleges are intricately involved with SSNs
- Transcripts - SSNs are commonly included
- Financial Aid
- Student Employees

Could FERPA ride the coattails of 201 CMR 17.00?
- Protect other FERPA-protected information as much as SSNs
- Why? Even if a student folder that didn't contain an SSN was stolen, there is still a lot of sensitive information

Implementing 201 CMR 17.00
- Risk Assessment Process:
  1. Information Asset Containers
  2. Worksheets
  3. Prioritize Risks
  4. Mitigate Risk

Risk Assessments (must be documented)
- Information Asset Containers (OCTAVE Allegro methodology developed by the Software Engineering Institute at Carnegie Mellon Univ.)
- Technical Containers (e.g., hard drives, stick drives, electronic devices, laptops)
- Physical Containers (e.g., file cabinets, offices, shredding bins, trash cans)
- People (e.g., cleaning people, student traffic, staff members, unauthorized people)

A worksheet is completed for each risk. Examples:
- Theft from student folder filing system - Probability: MEDIUM
- Theft of an unencrypted laptop - Probability: MEDIUM
- Theft or improper disposal (not shredded) of records in common area - Probability: HIGH

Assess Each Risk
- Rank the various risk assessment sheets in order of likelihood and severity of violation
- Prioritize mitigation strategies
- Begin work to mitigate risks
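The four-step process above (containers, worksheets, prioritize, mitigate) is easy to get wrong when the worksheets live in a binder: ties go unnoticed and nobody records the residual risk after a control is applied. The following is an added example of a small risk register in that style; it is not code from the presentation, from Berklee, or from the SEI's OCTAVE Allegro material. The three worksheet rows and their probabilities come from the slide; every impact rating, the fourth row (the portable hard drive), the residual likelihoods, and the score threshold are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum, IntEnum


class Rating(IntEnum):
    """Qualitative rating used on the worksheets, ordered so it can be multiplied."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Container(str, Enum):
    """OCTAVE Allegro information asset container types."""
    TECHNICAL = "technical"   # hard drives, stick drives, laptops
    PHYSICAL = "physical"     # file cabinets, offices, shredding bins, trash cans
    PEOPLE = "people"         # cleaning staff, student traffic, unauthorized visitors


@dataclass(frozen=True)
class Risk:
    asset: str            # the container holding the information
    kind: Container
    threat: str           # one worksheet row
    likelihood: Rating    # the "Probability" column of the worksheet
    impact: Rating        # severity of the resulting violation (assumed values below)
    mitigation: str = ""  # empty until a control is applied

    @property
    def score(self) -> int:
        """Likelihood x impact: 1 (LOW/LOW) up to 9 (HIGH/HIGH)."""
        return int(self.likelihood) * int(self.impact)


def rank_risks(risks):
    """Order worksheets by score, then impact, then threat text so ties are stable."""
    return sorted(risks, key=lambda r: (-r.score, -int(r.impact), r.threat))


def needs_attention(risks, threshold=6):
    """Risks at or above the (assumed) threshold are first in line for mitigation."""
    return [r for r in rank_risks(risks) if r.score >= threshold]


def worst_by_container(risks):
    """Highest score per container type, to show where exposure concentrates."""
    worst = {}
    for r in risks:
        worst[r.kind] = max(worst.get(r.kind, 0), r.score)
    return worst


def mitigate(risk, new_likelihood, control):
    """Record a control and the residual likelihood it leaves. Impact is unchanged:
    the data in the container is the same, only the chance of loss changes."""
    return replace(risk, likelihood=new_likelihood, mitigation=control)


# Constructed worksheet. The first three likelihoods are the ones given in the talk;
# all impact ratings and the fourth row's likelihood are assumed for this example.
WORKSHEET = [
    Risk("Student folder filing system", Container.PHYSICAL,
         "Theft from student folder filing system", Rating.MEDIUM, Rating.HIGH),
    Risk("Office laptops", Container.TECHNICAL,
         "Theft of an unencrypted laptop", Rating.MEDIUM, Rating.HIGH),
    Risk("Common-area trash and shredding bins", Container.PHYSICAL,
         "Theft or improper disposal (not shredded) of records in common area",
         Rating.HIGH, Rating.HIGH),
    Risk("Portable hard drive in common area", Container.TECHNICAL,
         "Theft of portable hard drive holding digitized records",
         Rating.MEDIUM, Rating.HIGH),
]

# Controls keyed by threat text. The residual likelihood each leaves is an assumption.
CONTROLS = {
    "Theft from student folder filing system":
        (Rating.LOW, "Locking cabinet, locked daily; card-reader inner door"),
    "Theft of an unencrypted laptop":
        (Rating.LOW, "Full-disk encryption on laptops that leave the office"),
    "Theft or improper disposal (not shredded) of records in common area":
        (Rating.LOW, "Shred before disposal; no records left in common areas"),
    "Theft of portable hard drive holding digitized records":
        (Rating.LOW, "Digitized records moved to a secured server"),
}


def after_mitigation(risks):
    """Apply every matching control and return the residual register."""
    return [mitigate(r, *CONTROLS[r.threat]) if r.threat in CONTROLS else r
            for r in risks]


if __name__ == "__main__":
    for r in rank_risks(WORKSHEET):
        print(f"{r.score}  {r.kind.value:<9} {r.threat}")
    print("residual scores:", [r.score for r in after_mitigation(WORKSHEET)])
```

Keeping impact separate from likelihood is the point of the multiplication: a control such as encrypting laptops lowers the likelihood of exposure but does not change what the laptop holds, so the residual register still shows which containers would hurt most if the control ever lapses.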

Where we were...
- Office of the Registrar had one locking door (not dead-bolt) with a glass window
- File cabinet containing student folders did not have any locking mechanism
- Digitized records convenient for office staff, but also convenient for potential thieves (portable hard drive in common area)
- Unencrypted laptops that left the office regularly

New Massachusetts Miracle!!!

Where we are now...
- Office of the Registrar has two locking doors; inner door requires card reader
- File cabinet containing student folders has locking mechanism; procedures in place to lock each day
- Digitized records moved from unsecured portable hard drive to secure server
- Laptops that leave the office regularly are now encrypted

How did it get implemented...
- Created Information Security Council (included 10 Vice Presidents)
- Created an Office of Information Security and a Chief Information Security Officer
- Created Information Security Oversight Committee (director-level members) to manage the risk assessment and mitigation process

Why Berklee did all this work...
- Brand new regulation
- Actual compliance could be measurable, and the state expected it to be followed
- Potential fines were significant

What next for Berklee?
- Extend focus to transactions (document lifecycle) in addition to asset containers
- Who handles sensitive documents
- Irregularities in processing paperwork
- Focus on emails on iPhones and iPads, etc.

How can FERPA be less like Rodney Dangerfield and more like Aretha Franklin (R-E-S-P-E-C-T)?

Influence the Powers That Be
- Senior college leadership would need to prioritize FERPA even more
- How do you get that to happen?

Two Possible Avenues (especially if you're not in Massachusetts)
- Federal Government Identity Theft Rules to complement FERPA
- Establish Internal FERPA Review Policy

Emphasize the identity theft issue as much as possible
- Federal Gov't passed the Identity Theft and Assumption Deterrence Act of 1998 to punish those who committed identity theft
- It charged the Federal Trade Commission to come up with rules to prevent identity theft
- What did the FTC come up with?

The Red Flags Rule
- The FTC (along with 5 other agencies) came up with these rules, effective January 1, 2011
- Red Flag = sign that potential identity theft has taken place
- 26 different types of Red Flags specified
- Written policies must be in place to identify Red Flags

Limitations of the Red Flags Rule
- Asks organizations how they prevent identity theft, but does not require any specific security enhancements (physical or technological)
- Focuses on reactive vs. proactive steps (fraud that is in progress or has already happened)

Cal State Univ System
"The policies... shall be reviewed... during the Spring Quarter, 1979, and every two years thereafter from standpoint of appropriateness, viability, fee structures, and overall effectiveness in executing the mandate of FERPA..."
- from Cal State San Bernardino's Policies and Procedures

Cal State Univ System
a. The review will be conducted by an ad hoc committee appointed by the Vice President for Student Affairs.
b. The committee will report its findings in writing to the Vice President for Student Affairs, who will forward the report and his recommendations to the University President.
c. A report on each biennial review and any University action taken will be forwarded by the University President to the Chancellor.
- from Cal State San Bernardino's Policies and Procedures

Suggestions:
- Utilize the Red Flags Rule to jump-start your school's attention to information security
- Advocate that all education record data should be treated at (or near) the same level of security as SSNs

Suggestions:
- Have a well-written annual notification policy in your bulletin about FERPA
- Have it include that an internal review of the effectiveness of the school's FERPA policy take place every two years

Suggestions:
- Establish an Information Security Council at your school with high-level VPs that includes FERPA compliance within its purview
- Stress the dangers of identity theft and ask for funding to do a risk assessment and mitigation steps (similar to what 201 CMR 17.00 requires)

Questions? Ari Kaufman - akaufman@berklee.edu

Thank you! Ari Kaufman - akaufman@berklee.edu
Please be sure to complete your session evaluation form. Session ID: 073, Title: Reducing the Risk of FERPA Violations