UF Protection Office - PowerPoint PPT Presentation

uf privacy office l.
Skip this Video
Loading SlideShow in 5 Seconds..
UF Protection Office PowerPoint Presentation
UF Protection Office

play fullscreen
1 / 18
Download Presentation

UF Protection Office

Presentation Transcript

  1. UF Privacy Office Susan Blair, MSJ, MBA, CIPP - CIA Chief Privacy Officer

  2. Road to the UF Privacy Office • 20-year Health Professional • BA, Health Administration • MBA, Finance & Mgmt • 18-year Corporate Mgr. • Manager, Finance & Budgeting • Internal Auditor • Director, Occupational Health • MSJ, Health & Privacy Law • UF Privacy Manager • Privacy Professional Certification

  3. Role of UF Privacy Officer • Required by federal health regulation, effective April 2003 • Analyze relevant privacy regulations; assess institution privacy-related risks; provide oversight for regulatory compliance; track results • Develop and implement strategies, policies, and procedures • Act as central contact and investigation authority for privacy complaints, alleged breaches and notifications • Recommend disciplinary actions, up to and including dismissal

  4. Privacy & Confidentiality Defined… • Privacy • Freedom from intrusion or observation • Maintaining control over personal information • Not US Constitutional right • Florida Constitution (Article One, Section 23) “Every natural person has the right to be let alone and free from governmental intrusion into the person's private life”; exception: Not to limit the public's right of access to public records and meetings as provided by law. • Confidentiality • Only permitting certain authorized persons to have information, with the understanding that they will not share the information except to other authorized persons

  5. Scope of Privacy Regulations at UF • Federal Statutes • Federal Education Records Protection Act (FERPA) • Privacy Act of 1974 • Patriot Act • Graham-Leach-Bliley Act • Fair Credit Reporting Act • Right to Financial Privacy Act • Children’s Online Privacy Protection Act (COPPA) • Electronic Communications Privacy Act • Stored Wire and Electronic Communications Act • Cable Communications Policy Act

  6. Scope of Privacy Regulations at UF • Federal statutes cont’d • Health laws • Health Insurance Portability & Accountability Act (HIPAA) for medical components: Faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation • Americans with Disabilities Act • Federal Substance Abuse Record Confidentiality Rules • National Industry Standards • Payment Credit Industry Data Security Standards

  7. Scope of Privacy Regulations at UF • Florida Statutes • Chapter 90: Evidence • Chapter 119: Public Records • Chapter 390: Mental Health • Chapter 395: Health Care Organizations • Chapter 397: Substance Abuse • Chapter 440: Workers’ Compensation • Chapter 456: Medical Records • Chapter 458: Board of Medicine • Chapter 501: Consumer Protection • Chapter 817: Privacy Breach Notification

  8. Scope of Privacy Regulations at UF • International Privacy Laws • US: Department of Commerce’s Safe Harbor Privacy Principles • Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedom, EU Data Protection Directive, Articles 1-33 • Canada: Personal Information Protection & Electronic Documents Act • Additional Regulations: Argentina, Hungary, Iceland, Ireland, Japan, the Netherlands, and elsewhere

  9. Top Three Danger Zones • Family Educational rights and Privacy Act (FERPA): Student Records • Authorizes Secretary of Education to end all federal funding if a university fails to comply with statute • Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information • Civil penalties and DOJ criminal prosecutions, which may result in penalties and up to ten years of jail time • Payment Credit Industry Data Security Standard (PCIDSS): Credit Card Information • Noncompliant entities may be fined $500,00 per incident if cardholder information is compromised, and processing privileges may be revoked

  10. Number One Privacy Crisis • Privacy Breach, which may result in Identity Theft • UF Breach Experience • PHI: 10,670 • PII: 43, 924 • Notifications: 10,672 • $182 Average Cost (est.) per Compromised Record • ID Theft: One suspect report

  11. Why Do Privacy Breaches Occur? • Inadequate Training and Careless or Inattentive Data Systems Management • Data Rich Information Systems • Outdated Data Security Safeguards • Inadequate Administrative Policies • Technology Failures • Sophisticated Intruders, with Potential Criminal Intent • Negligent Hiring • Demonstrated Opportunities for Repeat Access • Business Partners Fail to Protect Information

  12. Effect of Privacy Breach • Public Relations: Loss of Institution’s Reputation • Financial Expenses: Legal, administrative, investigative costs • Notification, including multimedia notice, and Consumer Support • Restitution Payments • Law Enforcement Investigation • Lawsuits: Civil or Consumer Class Actions • Sanctions: Civil and/or Criminal Prosecutions, Penalties, Industry Actions, Research May Be Curtailed • Reduced Donations or Contributions • Promote Increased or Enhanced Regulations and Regulatory Surveillance

  13. So, what does this mean to me? • FERPA 2007 Unauthorized Disclosures: 849 in 7 incidents; 2 incidents reported to federal authorities • How does UF conduct FERPA training ? • Colleges: Business, Dentistry, Engineering, IFAS, Latin America Center, Medicine; each college must pay their breach expenses • At risk: UF Research funding, financial aid programs, recovery and restitution expenses

  14. Individual College Mitigation Initiatives • Complete training and awareness programs • Complete online or classroom training • Follow Privacy Statement practices; see http://privacy.ufl.edu/informationprivacy.html • Rapid reporting of suspected breach • Meet or exceed UF data standards; remove SSNs from databases including legacy systems; encrypt portable devices, especially laptops • Background check employees in ‘trust’ positions, at minimum

  15. Pop Quiz … • Which of the following disclosures require the student’s written permission? • A letter of reference for graduate school • Transcript and GPA for school where student intends to enroll • Grades to the custodial parent paying tuition • GPD inquiring whether the student was in class on a specific day • To the student for personal reasons

  16. Pop Quiz … • A student assigned to an advisor requests to review her educational record, including everything the advisor has written about her. She believes the advisor recorded personal information about her in his private notes, recorded during their meetings. • Does the law allow the student access to all of her records?

  17. Check Your Answers … • 100% correct? Congratulations. (Are your faculty and staff as knowledgable?) For FERPA training, see http://www.privacy.ufl.edu/studentfaculty.html • Uncertain? Complete and direct your faculty and staff to complete the online FERPA training too. • Remember … Compliance is more than guesswork.

  18. Questions ??? • Contact Information Susan Blair, Privacy Officer Room N1-001, HSC (352) 273-5094 Hotline 866-876-4472 Websites: http://privacy.ufl.edu Emails: sablair@vpha.ufl.edu or Privacy@ufl.edu