Privacy In Academia
Susan Blair, MSJ, MBA, CIPP
UF Chief Privacy Officer
Goals of this Training
• To describe the role of the Chief Privacy Officer
• To define restricted information and identify the scope of UF’s Privacy Office
• To make you aware of the most relevant privacy laws and their impact on UF
• To outline UF’s greatest privacy risks
• To make you aware of your obligations to preserve the privacy and confidentiality of restricted information
• To provide some basic tools for responding to a privacy breach
Structure & Organization (organization chart)
• Vice President for Human Resources
• Shands Privacy Initiatives
• UF Information Security Initiatives
• Chief Privacy Officer
• UF Healthcare Components
• IRBs and Privacy Board (Research)
• UF Healthcare Affiliated Entities
• All Other UF Colleges, Departments, and Affiliates
• UF Jacksonville
Role of UF’s Chief Privacy Officer
• Required by federal regulation, effective April 2003
• Analyze relevant privacy regulations; assess institutional privacy-related risks; provide oversight for regulatory compliance; track results
• Develop and implement strategies, policies, and procedures
• Act as central contact and investigation authority for privacy complaints, alleged breaches, and notifications
• Recommend disciplinary actions, up to and including dismissal
What is Restricted Information?
• Any and all personal identification information, protected health information, financial information, and other information protected by law, in any format (paper, electronic, or other)
• Examples include:
  • Medical records and medical record numbers
  • Student UFID numbers, grades, schedules, records, and reports
  • Human resource data, including disciplinary actions
  • Florida driver’s license numbers
  • Social security numbers
  • Any financial account information, including credit and debit card numbers
Privacy & Confidentiality Defined
• Privacy
  • Freedom from intrusion or observation
  • Maintaining control over personal information
  • Not a US Constitutional right, but it is in the Florida Constitution (Article One, Section 23): “Every natural person has the right to be let alone and free from governmental intrusion into the person's private life”; exception: not to limit the public's right of access to public records and meetings as provided by law
• Confidentiality
  • Only permitting certain authorized persons to have information, with the understanding that they will not share the information except with other authorized persons
Scope of Privacy Regulations at UF - Federal
• Federal Statutes
  • Family Educational Rights and Privacy Act (FERPA)
  • Privacy Act of 1974
  • Patriot Act
  • Gramm-Leach-Bliley Act
  • Fair Credit Reporting Act
  • Right to Financial Privacy Act
  • Children’s Online Privacy Protection Act (COPPA)
  • Electronic Communications Privacy Act
  • Stored Wire and Electronic Communications Act
  • Cable Communications Policy Act
Federal Privacy Regulations (continued)
• Federal Health Laws
  • HIPAA (Health Insurance Portability & Accountability Act) for healthcare components: faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation
  • HIPAA II – the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009
  • Americans with Disabilities Act
  • Federal Substance Abuse Record Confidentiality Rule
Scope of Privacy Regulations at UF - State
Florida Statutes with privacy requirements – All Others
• Chapter 90: Evidence
• Chapter 119: Public Records
• Chapter 501: Consumer Protection
• Chapter 817: Breach Notification
• Chapters 1002-1006: Education Records
Florida Statutes with privacy requirements – Healthcare
• Chapter 381.004: HIV Testing
• Chapter 384: STDs
• Chapter 385: Chronic Diseases
• Chapter 392: TB Control
• Chapter 393: Developmental Disabilities
• Chapter 394: Mental Health
• Chapter 395: Hospitals
• Chapter 397: Substance Abuse
• Chapter 400: Nursing Homes, Hospices
• Chapter 405: Medical Research
• Chapter 440: Workers’ Compensation
• Chapters 456-468: Health Professions
Scope – National & International
• National Industry Standards
  • Payment Credit Industry Data Security Standards
• International Privacy Laws
  • US: Department of Commerce’s Safe Harbor Privacy Principles
  • Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms; EU Data Protection Directive, Art. 1-33
  • Canada: Personal Information Protection & Electronic Documents Act
  • Additional regulations: Argentina, Australia, Hungary, Iceland, Ireland, Japan, the Netherlands, Korea, India, and elsewhere
• Regulatory Changes
  • American Recovery and Reinvestment Act / HITECH
  • State Attorney General prosecutions under HIPAA / HITECH
  • State Attorney General prosecutions or penalties, e.g. California, Massachusetts, and Texas
Five Privacy Protection Principles
• Controls: Limited, Role-based Access to Data
  • Define individuals and roles permitted to access Restricted Data
  • Appoint Data Custodians to manage systems used with Restricted Data
• Boundaries: Authorization Required to Use or Disclose Data
  • Authorized by the person who is the subject of the data
  • Authorized by law
  • Authorized by a policy based on law
• Safeguards: Measures to Protect Restricted Data
  • Administrative: staffing, policies & procedures, training
  • Physical: locks, barriers, screens, etc.
  • Technical: computer accounts, passwords, audits
• Accountability: Uniformly Enforce UF Policies to Protect Restricted Data
  • Immediately report exposures of Restricted Data to the UF Privacy Office
  • Consistently apply sanctions and penalties
• Balance: Individual Privacy and University Interests
Top Three Danger Zones
• Family Educational Rights and Privacy Act (FERPA): Student Records
  • Authorizes the Secretary of Education to end all federal funding if a university fails to comply with the federal statute
• Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information
  • Civil penalties and DOJ criminal prosecutions, which may result in significant fines, penalties, and up to ten years of jail time
• Payment Credit Industry Data Security Standard (PCIDSS): Credit Card Information
  • Noncompliant entities may be fined $500,000 per incident if cardholder information is compromised, and processing privileges may be revoked
Taking a Closer Look: FERPA
• Pub. L. No. 93-380, the Buckley Amendment
• Applies to institutions receiving US Department of Education funds
• Prohibits release of student records without authorization by the student or parent
• Education records relate directly to the student:
  • Grades, transcripts, recommendations, financing
  • Excludes law enforcement, health, and psychological records
• Provide notice of student rights
  • Access and ability to correct errors
  • Limits on disclosure, with violent crime exception
• Enforcement
  • No private right of action
FERPA: Gonzaga University
• Student at GU, attempting to become an elementary school teacher after graduation, applies for a teaching position
• Candidacy reference check runs concurrently with GU’s ongoing investigation for sexual misconduct
• GU notifies the state agency for teacher certification about the misconduct allegations
• Victim of misconduct recants, stating GU exaggerated the issues
• Student sues GU for unauthorized disclosures under FERPA
• Jury awards student $1.155 M in compensatory and punitive damages
• What happened next?
FERPA: University of Florida
• Undergraduate advisor researched over 300 student records to assess the likelihood of cheating in a class. The advisor did not have permission from his chair or an IRB allowance.
• Same advisor reviewed a coworker’s graduate student record without authorization.
• Result: no longer researching; no longer advising; no longer here.
Taking a Closer Look: HIPAA
• 45 CFR, Parts 160 – 164; aka the Healthcare Privacy & Security Rules, which protect individually identifiable health information
• Privacy: freedom from intrusion, maintaining control over PHI, expecting providers to respect the individual’s rights
• Security: controlling access and protecting data so that it is complete and accurate
• Applies to covered entities that provide healthcare services and bill electronically
• Universities with health care centers are usually “hybrid entities”, meaning only certain functions of the school are subject to HIPAA
  • e.g. HSC Colleges, Student Health Center, Faculty Group Practices
Taking a Closer Look: HIPAA
• Establishes Patients’ Rights
  • Notice of Privacy Practices
  • View or obtain copies of the medical record (MR)
  • Request MR corrections or amendments
  • Request confidential communications
  • Request restrictions on PHI
• Governs PHI uses and disclosures
• Enforced by civil and criminal sanctions, including penalties and possible jail time
• Requires administrative activities such as policies and procedures, training, tracking and reporting, and auditing
• No private right of action
• Florida ranks first in number of HIPAA prosecutions
HIPAA: University of Florida
• Two HSC students who were Gator football fans visited a hospitalized Gator player; neither student was assigned direct care responsibilities for the player.
• To justify their visit, the students provided unnecessary medical counseling and also shared the player’s medical information with their church congregation to pray for his rapid recovery.
• Despite multiple HIPAA trainings, the students did not believe they had violated the privacy regulations because they did not ask the player for his autograph!
• Each student was suspended for a semester and given additional assignments about the importance of medical privacy and patient trust.
HIPAA: University of Florida
• HSC student took unauthorized patient photographs during a surgery rotation, after being denied that privilege
• The student posted the photos on MySpace.com along with derogatory comments about the patient and the patient’s disability
• Privacy Office and Dean recommended expulsion, but Student Affairs disagreed with the recommendation
• The student was suspended from the University for a year and was assigned community service, special research projects, and mandatory counseling sessions before being permitted to reapply to UF to resume studies
Taking a Closer Look: PCIDSS
• Payment Credit Industry Data Security Standards, initiated by American Express, Discover, MasterCard, and Visa
• Requires merchants and payment processors to secure networks, protect cardholder data, and audit security systems regularly
• 12 standards, with 179 specific security requirements
• Merchants at UF: Bookstore, Phillips Center, UAA, Student Health Center, etc.
• Uses penalties to enforce compliance
  • Based on transaction volumes
  • $500K per incident
  • Restitution to cardholder
  • Revocation of transaction privilege
  • Escalating sanctions with no appeal
PCIDSS: Georgia Institute of Technology
• GT Performing Arts Center sold tickets to events, accepting credit card payments
• Performing Arts Center created an unencrypted database with credit card information to return funds when events were cancelled
• Hacker accessed the Performing Arts Center database, obtaining over 61,000 names and credit card numbers
• Assessed a $2.2 M penalty, with enhanced data security safeguards and audits required
Another Looming Regulatory Risk
• FTC Red Flag Rules, effective December 31, 2010
• Requires a written ID Theft Prevention Program for any ‘covered account’ for individuals or households:
  • Regularly extending, renewing, or continuing credit
  • Regularly arranging (acting as go-between) for credit
  • Acting as an assignee of an original creditor
• The BOT approved UF’s Identity Theft Prevention Policy in early 2009
• Requires each Business Unit or Affiliate to implement procedures and train employees:
  • Protecting Social Security Numbers*
  • The Red Flag Rules*
  • Business Unit Procedures
* Available on the privacy website at http://privacy.ufl.edu
Number One Privacy Crisis
• Privacy breach, which may result in identity theft*
• Experience at US colleges and universities
  • 2010: 72 incidents; 1,849,241 records exposed
  • 2011: 50 incidents; 510,907 records exposed
  • 2012: 223 incidents; 932,544 records exposed
* Florida ranks first nationally; average loss from identity theft = $75,000.
Why Do Privacy Breaches Occur?
• Data-rich information systems
• Outdated or inadequate data security safeguards
• Lack of administrative engagement
• Poor and inconsistent physical barriers
• Technology failures – authentication / authorization
• Sophisticated intruders, with potential criminal intent
• Unsophisticated intruders with easily accessible tools
• Careless or inattentive data systems management
• Negligent hiring and training practices
• Demonstrated opportunities for repeat access
• Business partners fail to protect information
Effects of Privacy Breaches on UF
• Public relations damage: loss of the institution’s reputation
  • Reduced enrollment
  • Reduced grant funding
  • Reduced donations or contributions
• Financial expenses:
  • Legal, administrative, and investigative costs
  • Notification costs, including letters and multimedia notices, and consumer response support
  • Restitution payments
  • Subsequent law enforcement investigations
• Sanctions: civil and/or criminal prosecutions, penalties, industry reactions; research may be curtailed
• Fallout: increased or enhanced regulations and regulatory surveillance
• Lawsuits: civil or consumer class actions
How We Manage a Privacy Breach
• Investigate and confirm the intrusion
• Implement the business recovery process
• Evaluate legal requirements (e.g. Florida Chapter 817)
• Oversee the notification process (affected individuals / federal agencies)
• Customer support
• Facilitate development of enhanced safeguards and publicize improved processes
• Risk mitigation, including audits of data systems
• Revise business contracts
How You Manage a Privacy Breach
• Discover, report, and contain – immediately
  • Complete an incident report with whatever information you have and send it to the Privacy Office
  • If theft is involved, call the University Police Department
  • If computers are involved, call IT Security / CNS
• Assist with the investigation process only as requested – do not try to investigate on your own
• Notification process – overseen by the Privacy Office, paid for by you
  • Letter to affected individuals
  • Website postings
  • Media response
• Improve – change processes, enhance safeguards, and educate staff affected by the changes
• Assist with post-improvement audits of data systems
It’s Not Alphabet Soup …
COPPA, FACTA, GLBA, CFAA, DPPA, HIPAA, ADA, ITADA, The Privacy Act, FERPA, TCFAPA, ECPA, CPNI, PCIDSS, Red Flags
When in Doubt … Call First
• Susan Blair, CPO, Room G24, Tigert Hall, (352) 273-1212
• Hotline: 866-876-4472
• Website: http://privacy.ufl.edu
• Emails: sablair@ufl.edu or privacy@ufl.edu