FERPA 101. December 4, Michael Hawes Director of Student Privacy Policy U.S. Department of Education

Transcription:

FERPA 101
December 4, 2017
Michael Hawes, Director of Student Privacy Policy, U.S. Department of Education
United States Department of Education, Privacy Technical Assistance Center

The U.S. Department of Education's Role in Protecting Student Privacy
- Administering and enforcing federal laws governing the privacy of student information:
  - Family Educational Rights and Privacy Act (FERPA)
  - Protection of Pupil Rights Amendment (PPRA)
- Raising awareness of privacy challenges
- Providing technical assistance to schools, districts, and states
- Promoting privacy & security best practices

Family Educational Rights and Privacy Act (FERPA)
- Gives parents (and eligible students) the right to access and seek to amend their children's education records
- Protects personally identifiable information (PII) from education records from unauthorized disclosure
- Requires written consent before sharing PII unless an exception applies

To which educational agencies and institutions does FERPA apply?
- Elementary
- Secondary
- Postsecondary

Just what is an Education Record?
Education records are records that are 1) directly related to a student; and 2) maintained by an educational agency or institution or by a party acting for the agency or institution.

Personally Identifiable Information (PII)
- Direct Identifiers, e.g., Name, SSN, Student ID Number, etc. (1:1 relationship to student)
- Indirect Identifiers, e.g., Birthdate, Demographic Information (1:Many relationship to student)
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. (§ 99.3)

Exceptions to FERPA's Written Consent Requirement

Directory Information Exception
May include:
- name, address, phone number, and e-mail address
- photograph
- date and place of birth
- most recent school attended; grade level and major field of study
- dates of attendance (e.g., year or semester)
- participation in officially recognized sports and activities; height and weight of athletes
- degrees, honors, and awards received
Can never include social security number.
Can't disclose non-directory information with directory information.

Directory Information Exception
- Annual notice must be given to parents.
- Students may choose to opt out of the disclosure of directory information.
- Schools may adopt a limited directory information policy that allows for the disclosure of directory information to specific parties, for specific purposes, or for both.

FERPA: School Official Exception
PII may only be disclosed from education records without consent to other school officials within the institution or to third parties acting as school officials, if they:
- Perform an institutional service or function for which the agency or institution would otherwise use employees;
- Are under the direct control of the agency or institution with respect to the use and maintenance of education records;
- Only use PII from education records for the purposes for which the disclosure was made;
- Meet the criteria specified in the school's annual notification of FERPA rights.

Health or Safety Emergencies Exception
- Disclosure is necessary to protect the health or safety of the student or others.
- There is an articulable and significant threat to the health or safety of a student or other individuals.
- "Appropriate parties" typically means local, State, or federal law enforcement, trained medical personnel, public health officials, and parents.
- Must be related to an actual, impending, or imminent emergency.
- School makes determination on a case-by-case basis.

Research & Evaluation under FERPA
FERPA does not have a research exception to the parental consent requirement. Instead, research and evaluation using PII from education records is typically performed using either FERPA's:
- Studies Exception, or
- the Audit and Evaluation Exception
to the requirement for parental consent.

Audit/Evaluation Exception
Allows PII from education records to be shared without consent, for certain audits or evaluations, with:
- Authorized representatives of certain "FERPA-permitted entities": Comptroller General of U.S., U.S. Attorney General, U.S. Secretary of Education, and State or Local Educational Authorities;
- Must be to audit or evaluate a federal- or state-supported education program, and if there is a written agreement that meets certain requirements.
34 CFR Section 99.31(a)(3)

FERPA: Studies Exception
PII from education records may be disclosed in connection with certain studies conducted for or on behalf of schools, school districts, or postsecondary institutions if:
- Studies must be for the purpose of:
  - Developing, validating, or administering predictive tests;
  - Administering student aid programs; or
  - Improving instruction
- There is a written agreement with the individual/organization performing the study that meets certain requirements.

How should you obtain the student data you need for your grants?

Will you be publishing data?
Remember: FERPA's definition of PII includes anything linked or linkable to the student.
Aggregate data may still contain PII!

Integrated Data Systems
PTAC Guidance on Integrated Data Systems and Student Privacy (January 2017)

PTAC Resources
https://studentprivacy.ed.gov/
- Help Desk (privacyta@ed.gov)
- Guidance and Best Practice Documents
  - Data Sharing under FERPA
  - Data Security
  - Data Governance
  - and much, much more.
- Videos
  - FERPA for Parents and Students
  - Designing a Privacy Program
  - and many others.

CONTACT INFORMATION
United States Department of Education, Privacy Technical Assistance Center
(855) 49-307 (0) 60-3887 privacyta@ed.gov student.privacy.ed.gov (855) 49-3073

Lara Cartwright-Smith, JD, MPH www.healthinfolaw.org

HIPAA Privacy Rule Basics

Applies to records held by:
- Covered Entities (CEs) (mainly health care providers and insurers/plans)
- Business Associates (BAs) who work on behalf of CEs and use or maintain PHI

Information covered:
- Protected Health Information (PHI): individually identifiable health information held or transmitted by CE or BA
- Includes a limited data set (LDS): partially de-identified by excluding 18 identifiers, such as name, address, SSN.

Not covered:
- Health information in records that are governed by FERPA;
- De-identified information.

Consent for disclosures:
- In general, CEs may not disclose PHI without written authorization by the person who is the subject of the information.
- For minors, state law re: parental consent applies.

Permissive disclosures:
- Treatment, Payment, Healthcare Operations (TPO);
- Required by state law (inc. health and safety);
- For research, public health practice, and quality improvement, but only LDS (partially de-identified).
- Minimum necessary standard applies in most cases (except treatment).

Required disclosures:
- To individual or their designated recipient.

Where FERPA applies, HIPAA doesn't
Under HIPAA, protected health information (PHI) does not include:
- Employment or education records held by a CE;
- Information in records subject to FERPA; or
- De-identified information.
Health records maintained by a school that are education records or treatment records of eligible students under FERPA are excluded from the definition of PHI. Therefore, neither the HIPAA Privacy Rule nor the HIPAA Security Rule applies to schools where the only records kept meet the definition of education or treatment records under FERPA.

Schools typically will only have to comply with FERPA, not HIPAA
- Student health records maintained by a person or entity acting on behalf of a school subject to FERPA are education records, not PHI.
- If FERPA applies, its stricter standards govern, even if HIPAA would allow disclosure.
- Schools may receive information from HIPAA-covered entities, such as a provider or health plan.
- Once the information is added to a student's school record, it's covered by FERPA, not HIPAA.
- Receiving such information does not make the school a business associate under HIPAA.