Different Types of Regulated Data at HCC

The college is required by federal, state and/or local law, or by college policy, to enforce privacy and security safeguards for regulated data. This area of the knowledgebase gives a general overview of the regulated data types at HCC. Please speak to your immediate supervisor for more information about your role and responsibilities in meeting regulatory compliance requirements when generating, storing, using, sharing, and managing regulated data.

Family Educational Rights & Privacy Act (FERPA)

The Family Educational Rights & Privacy Act, or FERPA (the Buckley Amendment), is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA defines students' rights broadly, giving the student the right to control to whom their education record is released. In summary, FERPA:

  • Establishes the right of students to inspect and review their education records;
  • Gives students the right to control the release of their education records to third parties, so the college may not disclose those records without the student's permission except in the cases the Act specifically permits;
  • Provides guidelines for correcting inaccurate or misleading data through formal and informal hearings;
  • Provides students the right to file complaints with the Family Policy Compliance Office, U.S. Department of Education, concerning alleged failures by the institution to comply with the Act.
  • For complete FERPA information, visit: https://studentprivacy.ed.gov/node/548/

Health Insurance Portability & Accountability Act (HIPAA)

Summary of the HIPAA Privacy Rule:

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

The HCC HIPAA Privacy Officer is the HCC employee designated as responsible for knowing the HIPAA regulations, training Clinic staff, student clinicians, and supervisors ("Clinic Personnel") in HIPAA compliance, and ensuring that HIPAA-related policies and procedures are in place and followed. Under HIPAA, a breach is the acquisition, access, use, or disclosure of Protected Health Information ("PHI") in a manner not permitted by the HIPAA Privacy Rule. Examples of a breach include stolen or improperly accessed PHI; PHI inadvertently sent to the wrong provider; and viewing of PHI by someone who is not authorized to see it.

Payment Card Industry - Data Security Standard (PCI-DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard whose requirements are defined by the Payment Card Industry Security Standards Council (PCI SSC), founded by the five major payment card brands (American Express, Discover, JCB, Mastercard, and Visa). It is not a law: it applies to any entity that accepts payment cards and is enforced contractually through the terms of the merchant agreement.

  • The standard is a set of technical and procedural requirements for securely accepting, transmitting, and storing cardholder data (CHD).
  • Payment cards include credit, debit, gift, prepaid, and similar cards.
  • PCI DSS is issued and maintained by the PCI SSC and applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as any other entity that stores, processes, or transmits CHD. Complete PCI DSS information can be found on the PCI SSC website: https://www.pcisecuritystandards.org/
  • If you have any questions or concerns about how you are handling payment card information at HCC, please contact your area HCC IS consultant.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to protect the security and confidentiality of customer information. Although HCC is not a bank, institutions of higher education that administer federal student financial aid are treated as financial institutions under the FTC's rules and must comply with this regulation. GLBA has two parts, one relating to privacy and one mandating security. For colleges, compliance with FERPA satisfies the privacy component, so HCC is not required to address the GLBA privacy provisions separately. The second part, the Standards for Safeguarding Customer Information (the Safeguards Rule), requires HCC to adopt security controls that protect the confidentiality, integrity, and availability of personally identifiable information collected for financial aid and student loan servicing.
