The following contains a brief introduction to FERPA and HIPAA and links to UW and government resources with further details.

This article has been moved to the COE Wiki as well




Disclaimer

This article is written by the COE Tech Office in an effort to introduce these important issues. This article is based on our best understanding of the official direction provided by the UW CISO's Office. That office's interpretations and direction remain our governing policy.

What is FERPA

The Family Educational Rights and Privacy Act is a federal law governing the handling of student information. It does not include specific administrative or technological rules. It says information custodians must be responsible for the private information entrusted to them and that they can be sued if they fail to appropriately protect that information. FERPA requirements include:

  • Protect Student Educational Record
  • Implement a process for granting access to a record
  • Inform students, parents, and patients of their information security and privacy rights
  • Provide an "Opt out" option

It also says that when a custodian accepts private information from a student and entrusts that data to a third party they retain legal liability for protection of that information. If UW collects student data, stores that data in Joe's Cloud Web Service and Joe leaks the data, UW and the UW employees involved are the legally liable party.

Examples of FERPA governed data include: Grades, courses taken, schedule, test scores, advising records, educational services received, disciplinary actions, student identification number, Social Security number, student private email (with exceptions related to UW business).

What is HIPAA

The Health Information Portability and Accountability Act is a federal law governing the handling of patient information. It does not include specific administrative or technological rules. It says information custodians must be responsible for the private information entrusted to them and that they can be sued if they fail to appropriately protect that information.

It also says that when a custodian accepts private information from a patient and entrusts that data to a third party they retain legal liability for protection of that information. If UW collects patient data, stores that data in Joe's Cloud Web Service and Joe leaks the data, UW and the UW employees involved are the legally liable party.

What is FERPA or HIPAA compliant

There is not a checklist you complete or an audit you pass once to become FERPA or HIPAA compliant. Compliance is an ongoing process of due care. You weigh your responsibilities and risks, consider costs and benefits, and make responsible decisions.

We have ways to work toward "compliance", be responsible with protected information, and limit our liability.

  • Identify sensitive protected information we hold and the laws and policies that govern it
  • Establish and follow policies that appropriately protect our information
  • Use available technology to keep information secure
  • When working with partners create contractual agreements that will allow us to meet our obligations and minimize risk

Working with 3rd Parties

There are many cases when we benefit from working with external partners. When the work involves protected information our goal is to verify that the partner is handling information appropriately and establish policy and procedure to meet our obligations and minimize risk.

The HIPAA law describes Business Associate Agreements (BAA). Unless a BAA exists, the organization that accepted the personal information (UW) is responsible for it and has liability. A BAA can transfer legal liability to a third party for what happens to information in their domain.

Data Security Agreement

The UW CISO's office has created a template Data Security Agreement to serve as the basis for this discussion. The main points of the data security agreement are:

  • Partner will take appropriate measures to keep data secure
  • Partner will not access data beyond what is required to provide contracted service
  • Partner will not share data further
  • In case of a breach, the partner will notify UW promptly so UW can meet its own notification obligations
  • In case of a breach, the partner accepts liability for a breach that occurred within their system

The following are links to the UW Data Security agreement and FAQ page.

Alternatives to Data Security Agreement

Not all partners or vendors will be willing to sign the Data Security Agreement, and that is not necessarily a dead end. Alternatives include:

  • The partner's existing contract covers the same issues as the UW Data Security Agreement
  • Partner writes their own BAA or addendum to the contract that covers the same ground
  • UW evaluates benefit and risks and decides to accept limited risk for substantial benefit

The Office of the CISO will review alternate contracts to the UW Data Security Agreement.

Evaluating Risk

  • How sensitive is the information?
  • How many individuals' information is affected?
  • How transparent is the vendor about their practices?
  • How securely is the information handled?
  • Is the partner going to share the information further?

The UW CISO provides the following questionnaire to help consider risk and guide discussion with vendors.

Alternatives to External Services

UW provides in-house services and has established agreements with several vendors that make these services appropriate for some protected information.

  • Google Gmail, Calendar, Drive - UW has a data agreement with Google for core Google apps that provide protection for student data. These protections are only in place when you use Google apps with your @uw.edu login.
  • Microsoft OneDrive Pro - UW has a data agreement with Microsoft for SkyDrive Pro that covers both student and patient data (FERPA and HIPAA). At this time the UW Microsoft OneDrive Pro only allows sharing within UW, but work is being done to allow external collaboration.
  • Canvas LMS - UW has a data agreement for student data (FERPA).
  • Catalyst - An internal UW system that has been reviewed and deemed appropriate for both student (FERPA) and patient data (HIPAA).
  • Video via MediaAMP - MediaAMP is a UW-IT managed, self-sustaining service. It provides video hosting including login protected, securely delivered video. It is appropriate for both student (FERPA) and patient data (HIPAA).

UW CISO

The UW Office of the Chief Information Security Officer is our guide in these matters. Their website contains policies and tools to help make decisions around these issues. Additionally, they have staff available to answer questions and review specific situations.