January 16, 2024. Carol McMahon, Director, Privacy; Brandon Sykes, Privacy Specialist; UF Privacy Office. Privacy in Higher Education. Risk and Compliance Learn-Over-Lunch Series
AGENDA: HERE’S WHAT’S ON THE AGENDA. UF Privacy Office, 3; Privacy, 5; FERPA, 7; HIPAA, 14; Florida Privacy Laws, 26; AI, 30; Global Privacy Laws, 31; Reporting. 2
The Privacy Office is one of several components of the UF Compliance and Ethics Program. The University’s enterprise-wide institutional program is responsible for promoting a culture of ethical conduct and making sure the University is compliant with regulations, laws, rules, standards, and policies. 3
Organizational Structure. Terra DuBois, Chief Compliance, Ethics & Privacy Officer; Jacob Perrone, Admin Assistant II. Compliance & Ethics: Katherine Moore, Director, Compliance and Ethics, Deputy Chief Compliance Officer; Loren Israel, Assistant Director, Compliance and Ethics; Sonya Burtner, Assistant Director, Compliance and Ethics. Conflicts of Interest: David Altman, Analyst; John Ciminillo, Analyst. Youth Compliance Services: Sophia Andrews, Assistant Director, Youth Compliance. Clery Act Compliance: Rebecca DeCesare, Assistant Director, Clery Act Compliance. Privacy Compliance / UF Health Compliance: Carol McMahon, Director, UF Privacy; Robert Michalski, Vice President & Chief Compliance & Privacy Officer; Brandon Sykes, Privacy Specialist; Christian Justiniano, Privacy Specialist; Destiny Evans, Sr. Director, UF Health Privacy; Carol DeBose, Privacy Specialist; Jessica Smith, Privacy Specialist. 4
Key Functions: Promote a culture of privacy, confidentiality, and compliance with regulations; Provide guidance and education on privacy-related matters; Assist with University hotline inquiries and investigations that pertain to privacy; Assess and address privacy compliance risks; Develop and maintain UF’s Privacy Policies; Support and promote compliance with UF’s Information Security Program and Information Technology Policies and Standards. 5
Key Functions (cont.) The UF Privacy team serves as a resource to help the University community understand requirements and individual rights regarding the University’s use and disclosure of certain types of data. Here are some key data types and the laws addressing each: Personal data (e.g., Social Security numbers, credit card numbers, etc.): Florida Information Protection Act (FIPA) and other state laws, Gramm-Leach-Bliley Act, General Data Protection Regulation; Health data (Protected Health Information): Health Insurance Portability and Accountability Act (HIPAA); Student records data: Family Educational Rights and Privacy Act (FERPA); Research data. 6
7
What is FERPA? The Family Educational Rights and Privacy Act (FERPA) is a federal law that regulates access and disclosure of student education records. After a student turns 18 or enters a postsecondary institution, FERPA affords the student the right to have access to their education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. Prior to either of those two events, FERPA affords parents those rights to their children’s education records. FERPA requires UF to provide annual notification of the institutional policy regarding the privacy of educational records, which gives students the right to: Inspect and review their education records; Request an amendment to their education records; Consent to disclosure of personally identifiable information contained in their student records (unless an exception outlined in the law applies); File a complaint with the Department of Education Family Policy Compliance Office if they feel their FERPA rights have been violated. 8
Education Records (34 CFR 99.3) What is considered an Education Record? “Record” - Any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche. “Education Record” - Those records that are directly related to a student; and - Maintained by an educational agency or institution or by a party acting for the agency or institution. “Student” - Any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records. 9
What are not Education Records? Personal Notes - Records that are in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person except a temporary substitute for the maker of the record. Law Enforcement Unit - Records of the law enforcement unit of an educational agency or institution that are created by the law enforcement unit, created for a law enforcement purpose, and maintained by a law enforcement unit. Employee Records - To qualify as an employee record, the record must be made and maintained in the regular course of business, relate exclusively to that individual in the individual’s capacity as an employee, and not be available for any other purpose. Treatment Records - Records that are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional acting in their professional capacity. They’re made, maintained, or used only in connection with the treatment of the student and disclosed only to individuals providing treatment. Alumni Records - Records created or received by an educational institution after the student is no longer in attendance and that do not relate to the individual’s attendance as a student. 10
What Information is Protected? What is considered Personally Identifiable Information? It includes data or information that contains the name of a student, the student’s parent or other family member’s name, the address of the student, parent, or family member, a personal identifier, such as Social Security number or student ID number (UFID), or other information that would make the student's identity easily traceable. What is Directory Information? (Annual Notice) Student name; Class and college; Local and permanent address; Listed telephone number; Email address; Enrollment status; Most recent previous educational institution attended; Dates of attendance at the University of Florida. 11
What Information is Protected? (cont.) What is Directory Information? (Annual Notice) Majors; Minors; Certificates; Specializations; Degree earned; Nature and place of employment at the university; Honors and awards received; Publication titles; Participation in officially recognized or registered activities and sports; Weight and height of university athletes. 12
Confidentiality of Student Records Student educational records may be released without the student’s consent to school officials who have a legitimate educational interest in accessing the records. School Official - An employee, agent or officer of the university or State University System of Florida in an administrative, supervisory, academic, research or support staff position; - Persons serving on university committees, boards, and/or councils; and - Persons employed by or under contract to the university to perform a special task, such as an attorney or auditor. Legitimate educational interest - Any authorized interest or activity undertaken in the name of the university for which access to an educational record is necessary or appropriate to the operation of the university or to the proper performance of the educational mission of the university. 13
HIPAA: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 14
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996, as amended, in conjunction with its implementing regulations, governs the privacy and security of “Protected Health Information” (PHI). It applies to PHI that is collected, maintained, used or transmitted by “Covered Entities” and their “Business Associates”, in any medium. 15
HIPAA applies to Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained by electronic media or any other form or medium. Note: Health information that is covered by FERPA is specifically excluded from the definition of PHI. Health information held by a Covered Entity in its role as an employer is also specifically excluded. Covered Entity: A health plan, health care provider, or health care clearinghouse that transmits health information in an electronic format in connection with a transaction covered by HIPAA. The University of Florida has been designated a “Hybrid Covered Entity”, as only its healthcare components (“Covered Components”) are governed by HIPAA. This includes UF’s healthcare facilities and healthcare-related schools. A complete list can be found at https://privacy.ufl.edu/wp-content/uploads/2018/08/1.1-Relationship-of-UF-Components-and-Entities-Explained.pdf Business Associate: An external entity or person that creates, receives, maintains or transmits PHI while performing activities on behalf of a Covered Entity, such as administrative, legal, or financial services. When a Covered Component contracts with such an entity to provide services, a Business 16
The 3 Parts of the HIPAA Regulations (45 CFR Parts 160, 162, 164): PRIVACY RULE; SECURITY RULE; BREACH NOTIFICATION RULE. 17
The HIPAA Privacy Rule The Privacy Rule establishes the rules for how Covered Entities can use and disclose PHI: For treatment, payment, or healthcare operations without obtaining patient authorization. Any other use will usually require a patient authorization. Exceptions to the authorization requirement are described more fully in the HIPAA regulations. These include disclosures in connection with public health, child abuse, elder abuse, domestic violence, averting a serious threat to health or safety, law enforcement, and judicial and administrative proceedings. Disclose only the minimum necessary to accomplish the purpose of the disclosure. 18
Rights of Patients under the Privacy Rule The Privacy Rule establishes the rights of patients concerning their PHI, including the right to: Access and obtain a copy of PHI; Request amendments to inaccurate or incomplete PHI; Obtain an accounting of disclosures; Request restrictions on access to PHI; Prevent uses and disclosures of PHI, such as for fundraising; Request an alternative location or method for receiving communications relating to PHI; Receive a copy of the Notice of Privacy Practices of a Covered Entity. 19
The HIPAA Security Rule The Security Rule establishes the standards for the protection of electronic PHI (ePHI). The purpose of these regulations is to: Ensure the Confidentiality, Integrity, and Availability of ePHI (Confidentiality means that ePHI is not disclosed to any unauthorized person; Integrity means that ePHI has not been altered or destroyed; Availability means the ePHI is accessible and useable upon demand); Protect against any reasonably anticipated hazards to the security or integrity of ePHI; Ensure compliance by the workforce of the Covered Entity. 20
Safeguards for Protecting ePHI The Security Rule also establishes 3 sets of “safeguards” for protecting ePHI: Administrative Safeguards (e.g., Password Management); Physical Safeguards (e.g., Workstation Use requirements); Technical Safeguards (e.g., Encryption). HIPAA Security Rule policies and procedures (and much, much more) are located on the UF IT website at https://it.ufl.edu/it-policies/. 21
Safeguards for Protecting PHI in any medium The Security Rule also requires that PHI in any medium be protected by “reasonable safeguards”, although it does not specify what constitutes “reasonable safeguards”. A practical approach is useful, for example: Speak quietly in public areas; Lock records in file cabinets and/or offices or records rooms; Use the automatic logoff function on your computer; Encrypt data sent by email; Verify fax numbers; Verify the identity of anybody you call; Do not leave anything containing PHI in your car! 22
The HIPAA Breach Notification Rule The Breach Notification Rule requires Covered Entities and their Business Associates to provide notice following a breach of PHI and sets out the standards for notification, typically of the Department of Health and Human Services Office of Civil Rights and the individuals whose data was breached. A breach occurs when PHI, in any form, is lost, stolen, or otherwise inappropriately accessed or disclosed. An impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI was compromised - based on a risk assessment of at least the following factors: 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. The unauthorized person who used the protected health information or to whom the disclosure was made; 3. Whether the protected health information was actually acquired or viewed; and 4. The extent to which the risk to the protected health information has been mitigated. 23
When is a breach not a breach? There are three exceptions to the definition of “breach” - disclosures that are not considered to be breaches: The unintentional acquisition, access, or use of PHI by a person acting under the authority of a Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further disclosure or use. The inadvertent disclosure of PHI by a person authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same Covered Entity or Business Associate. The Covered Entity or Business Associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information. 24
Note on data breaches Sometimes a “data breach” is actually the type of nefarious situation you see in the news – someone downloaded data and gave it to an external person or entity. More often, a “data breach” is carelessness, an accidental disclosure of data, or even the act of a disgruntled former employee. For example: Leaving a laptop in a car; Losing flash drives, especially unencrypted flash drives; Accidentally posting a spreadsheet on a website; Sending an email to the wrong person; Losing paper file folders; Not terminating the access of a former employee, who then downloads data; Not collecting the equipment of a former employee. 25
FLORIDA PRIVACY LAWS 26
Florida Information Protection Act of 2014 The Florida Information Protection Act (FIPA) is a state law that provides procedures for the protection and security of the sensitive personal information of Floridians. It includes a comprehensive set of breach notification requirements. Under FIPA, a “breach of security” or “breach” means unauthorized access of data in electronic form containing personal information. Personal Information is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security Number; Driver’s license or other similar number issued on a government document used to verify identity; Financial account number, in combination with a password; Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; Health insurance policy number or any unique identifier used by a health insurer to identify the individual; A username or e-mail address, in combination with a password. FIPA requires that covered entities (like UF) give notice to every individual from Florida whose personal information was accessed, or is reasonably believed to have been accessed, as a result of the breach. The notification requirements are based on the number of individuals affected by the breach. 27
Florida Statute 119.071(5)(a)(2) Each UF unit with access to personal identification or personally identifiable financial information is responsible for developing and implementing procedures to comply with the Identity Theft Prevention Program. As allowed and/or required by law, UF collects, maintains, uses, and discloses Social Security Numbers (SSNs) and credit card or other financial information of employees, students, clients, patients, vendors, and others in the ordinary course of its business. Workforce members must promptly report known or suspected loss or theft of SSNs from University records or record systems to the Privacy Office for immediate investigation. The unit manager/designee will determine whether the activity is fraudulent and will enlist the assistance of the Privacy Office. 28
SB 662 – Student Online Personal Information Act Effective on July 1, 2023, the Student Online Personal Information Protection Act (Florida Statute 1006.1494) substantially restricts the operator of a website, online service, or online application that is used for K-12 school purposes from collecting, disclosing, or selling student data, or from using student data to engage in targeted advertising. The bill prohibits operators from knowingly: Engaging in targeted advertising based on any information, including persistent unique identifiers, acquired using their educational technology; Using any information, including persistent unique identifiers, gathered through their educational technology to create profiles of students, except for K-12 school purposes; Sharing, selling, or renting student information to third parties; Disclosing certain covered information, except under specified circumstances. 29
What are the impacts of AI? Be on the lookout: EU AI Act; Executive Order on Safe, Secure, and Trustworthy AI; Congress? General Thoughts 30
Global Privacy Laws It started in 2018. European Union Data Protection Regulation (EU GDPR); UK Data Protection Regulation (UK GDPR, went into effect at the same time as Brexit); Chinese Personal Information Protection Law (PIPL). Most countries in the world now have data protection/data privacy legislation. Many are supposedly modeled on the EU GDPR but have their own national character. Feel free to contact us any time with questions or concerns. 31
Reporting a Breach Known or potential breaches of personally identifiable information, education records, or PHI (accidental or intentional) should be reported immediately using any of the following ways: Email: [email protected] Phone: (352) 294-8720 Toll-Free: (866) 876-4472 If you want to remain anonymous, you can submit a report to the UF Compliance Hotline at: Toll-Free: (877) 556-5356 URL: https://compliance.ufl.edu/compliancehotline/ 32
Contact Information Questions or concerns about Privacy should be directed to any of the following: Carol McMahon Director, UF Privacy Email: [email protected] Phone: (352) 294-1912 Christian Justiniano UF Privacy Specialist Email: [email protected] Phone: (352) 294-8726 Brandon Sykes UF Privacy Specialist Email: [email protected] Phone: (352) 294-8718 33
Questions?