SecureState Blog
To start off, I just wanted to say ‘Happy Data Privacy Day!’ Since it is Data Privacy Day, we here at SecureState thought it would be appropriate to talk about some privacy-related topics. If you are unfamiliar with the holiday, Data Privacy Day is an international holiday celebrated in the United States, Canada, and several European countries to promote data privacy awareness. It is meant to bring together the public, industry, and privacy professionals on topics such as social media; privacy concerns; and local, state, and international privacy laws and regulations. Today I thought it would be interesting to perform a comparison of FERPA and HIPAA.

Aside from the Payment Card Industry Data Security Standard (PCI DSS), another big regulatory requirement on many security, compliance, and privacy professionals’ minds is the Health Insurance Portability and Accountability Act (HIPAA). Even though HIPAA has been around since 1995, it did not really gain momentum in the community until the past few years, when fines started being issued; better guidance started being distributed by HHS, CMS, OCR, and NIST; and OCR started performing more audits. However, one privacy law has been on the books much longer than HIPAA: the Family Educational Rights and Privacy Act (FERPA).


What Is FERPA?

FERPA is a privacy law meant to protect student records from being disclosed to individuals or organizations without proper consent from the eligible student or parent, and it gives an eligible student or parent the right to review records and formally amend any errors. Eligible students are students who are at least 18 years of age or who are attending postsecondary education. This law has been in existence since 1974 and governs elementary, secondary, and postsecondary schools (i.e., colleges and universities) that receive federal funding. If a school is found to have had student records breached or shared with individuals or organizations without proper consent, the Department of Education could potentially cut all federal funding, including federally funded education programs, grants, and the ability to accept student loans.


Who Is In Charge of FERPA?

Currently, under the Department of Education, the Family Policy Compliance Office (FPCO) is responsible for investigating complaints and providing technical guidance. It is then the responsibility of the State Education Agencies and Local Education Agencies to enforce state and local laws for elementary, secondary, and postsecondary schools.


How Were HIPAA and FERPA Similar, And How Are They Now Different?

HIPAA and FERPA were very similar at one time, because both regulations were enforced only when a formal complaint was sent to their respective offices. After a formal complaint was made, an investigation was performed; however, in almost all cases it resulted only in a nasty-gram from OCR or the FPCO and a slap on the wrist. It was not until recent years that HIPAA started requiring organizations to report known or suspected breaches of electronic protected health information (ePHI), and fines have since been issued against organizations that handle ePHI. As HIPAA matured over time, FERPA remained the same, requiring only the investigation of formal complaints. FERPA currently does not require a school to have a security or risk management program to protect student records, nor to report any breaches of student records. The Family Educational Rights and Privacy Act Final Rule from 2008 does “suggest” that schools implement these protections, but it does not require them.


How Can We Make FERPA Better?

I think there are a couple of different paths that FERPA could take. The most obvious would be to revise the current regulations to require schools to have an information security and risk management program in place, and to require schools to report any suspected or known breaches. Another way is to control it at the state level. A good example of this is the Massachusetts Breach Notification Law, which not only requires proper breach notification but also ensures that the organization has a proper security program in place. Such state laws could give schools a bit of a push to better protect student records and report suspected or known breaches. Currently, many states have in place only a breach notification law that requires organizations such as schools to report the loss of PII to the people affected. Even this, however, is more than what FERPA requires.


What Will The Future Bring?

I believe that, one way or another, schools will need to have a functional, formal, and documented security program to protect student records. The program will be required to include proper risk management, operating and effective security controls, and security policies and procedures. Whether it comes from the federal Department of Education and the FPCO or is required through state laws, it is coming. Is your school ready?