UF Privacy Office - PowerPoint PPT Presentation

Slides: 19
Provided by: sabl2

1
UF Privacy Office
  • Susan Blair, MSJ, MBA, CIPP - CIA
  • Chief Privacy Officer

2
Road to the UF Privacy Office
  • 20-year Health Professional
  • BA, Health Administration
  • MBA, Finance Mgmt
  • 18-year Corporate Mgr.
  • Manager, Finance Budgeting
  • Internal Auditor
  • Director, Occupational Health
  • MSJ, Health Privacy Law
  • UF Privacy Manager
  • Privacy Professional Certification

3
Role of UF Privacy Officer
  • Required by federal health regulation, effective
    April 2003
  • Analyze relevant privacy regulations; assess
    institution privacy-related risks; provide
    oversight for regulatory compliance; track
    results
  • Develop and implement strategies, policies, and
    procedures
  • Act as central contact and investigation
    authority for privacy complaints, alleged
    breaches and notifications
  • Recommend disciplinary actions, up to and
    including dismissal

4
Privacy & Confidentiality Defined
  • Privacy
  • Freedom from intrusion or observation
  • Maintaining control over personal information
  • Not US Constitutional right
  • Florida Constitution (Article One, Section 23):
    Every natural person has the right to be let
    alone and free from governmental intrusion into
    the person's private life; exception: not to
    limit the public's right of access to public
    records and meetings as provided by law.
  • Confidentiality
  • Only permitting certain authorized persons to
    have information, with the understanding that
    they will not share the information except to
    other authorized persons

5
Scope of Privacy Regulations at UF
  • Federal Statutes
  • Federal Education Records Protection Act (FERPA)
  • Privacy Act of 1974
  • Patriot Act
  • Gramm-Leach-Bliley Act
  • Fair Credit Reporting Act
  • Right to Financial Privacy Act
  • Children's Online Privacy Protection Act (COPPA)
  • Electronic Communications Privacy Act
  • Stored Wire and Electronic Communications Act
  • Cable Communications Policy Act

6
Scope of Privacy Regulations at UF
  • Federal statutes (cont'd)
  • Health laws
  • Health Insurance Portability & Accountability Act
    (HIPAA) for medical components: Faculty practice
    plans, HSC Colleges, CLAS, IFAS, Student Health
    Care Center, Institutional Review Boards, Benefit
    and Disability Plans, and UF Foundation
  • Americans with Disabilities Act
  • Federal Substance Abuse Record Confidentiality
    Rules
  • National Industry Standards
  • Payment Credit Industry Data Security Standards

7
Scope of Privacy Regulations at UF
  • Florida Statutes
  • Chapter 90: Evidence
  • Chapter 119: Public Records
  • Chapter 390: Mental Health
  • Chapter 395: Health Care Organizations
  • Chapter 397: Substance Abuse
  • Chapter 440: Workers' Compensation
  • Chapter 456: Medical Records
  • Chapter 458: Board of Medicine
  • Chapter 501: Consumer Protection
  • Chapter 817: Privacy Breach Notification

8
Scope of Privacy Regulations at UF
  • International Privacy Laws
  • US Department of Commerce's Safe Harbor Privacy
    Principles
  • Europe: Council of Europe Convention for the
    Protection of Human Rights and Fundamental
    Freedom, EU Data Protection Directive, Articles
    1-33
  • Canada: Personal Information Protection &
    Electronic Documents Act
  • Additional Regulations: Argentina, Hungary,
    Iceland, Ireland, Japan, the Netherlands, and
    elsewhere

9
Top Three Danger Zones
  • Family Educational Rights and Privacy Act
    (FERPA): Student Records
  • Authorizes Secretary of Education to end all
    federal funding if a university fails to comply
    with statute
  • Health Insurance Portability & Accountability Act
    (HIPAA): Protected Health Information
  • Civil penalties and DOJ criminal prosecutions,
    which may result in penalties and up to ten
    years of jail time
  • Payment Credit Industry Data Security Standard
    (PCIDSS): Credit Card Information
  • Noncompliant entities may be fined 500,00 per
    incident if cardholder information is
    compromised, and processing privileges may be
    revoked

10
Number One Privacy Crisis
  • Privacy Breach, which may result in Identity
    Theft
  • UF Breach Experience
  • PHI: 10,670
  • PII: 43,924
  • Notifications: 10,672
  • 182 Average Cost (est.) per Compromised Record
  • ID Theft: One suspect report

11
Why Do Privacy Breaches Occur?
  • Inadequate Training and Careless or Inattentive
    Data Systems Management
  • Data Rich Information Systems
  • Outdated Data Security Safeguards
  • Inadequate Administrative Policies
  • Technology Failures
  • Sophisticated Intruders, with Potential Criminal
    Intent
  • Negligent Hiring
  • Demonstrated Opportunities for Repeat Access
  • Business Partners Fail to Protect Information

12
Effect of Privacy Breach
  • Public Relations: Loss of Institution's
    Reputation
  • Financial Expenses: Legal, administrative,
    investigative costs
  • Notification, including multimedia notice, and
    Consumer Support
  • Restitution Payments
  • Law Enforcement Investigation
  • Lawsuits: Civil or Consumer Class Actions
  • Sanctions: Civil and/or Criminal Prosecutions,
    Penalties, Industry Actions, Research May Be
    Curtailed
  • Reduced Donations or Contributions
  • Promote Increased or Enhanced Regulations and
    Regulatory Surveillance

13
So, what does this mean to me?
  • FERPA 2007 Unauthorized Disclosures: 849 in 7
    incidents; 2 incidents reported to federal
    authorities
  • How does UF conduct FERPA training?
  • Colleges: Business, Dentistry, Engineering, IFAS,
    Latin America Center, Medicine; each college must
    pay their breach expenses
  • At risk: UF Research funding, financial aid
    programs, recovery and restitution expenses

14
Individual College Mitigation Initiatives
  • Complete training and awareness programs
  • Complete online or classroom training
  • Follow Privacy Statement practices; see
    http://privacy.ufl.edu/informationprivacy.html
  • Rapid reporting of suspected breach
  • Meet or exceed UF data standards: remove SSNs
    from databases, including legacy systems; encrypt
    portable devices, especially laptops
  • Background check employees in trust positions,
    at minimum

15
Pop Quiz
  • Which of the following disclosures require the
    student's written permission?
  • A letter of reference for graduate school
  • Transcript and GPA for school where student
    intends to enroll
  • Grades to the custodial parent paying tuition
  • GPD inquiring whether the student was in class on
    a specific day
  • To the student for personal reasons

16
Pop Quiz
  • A student assigned to an advisor requests to
    review her educational record, including
    everything the advisor has written about her.
    She believes the advisor recorded personal
    information about her in his private notes,
    recorded during their meetings.
  • Does the law allow the student access to all of
    her records?

17
Check Your Answers
  • 100% correct? Congratulations. (Are your
    faculty and staff as knowledgeable?) For FERPA
    training, see
    http://www.privacy.ufl.edu/studentfaculty.html
  • Uncertain? Complete and direct your faculty and
    staff to complete the online FERPA training too.
  • Remember: Compliance is more than guesswork.

18
Questions ???
  • Contact Information
  • Susan Blair, Privacy Officer
  • Room N1-001, HSC
  • (352) 273-5094
  • Hotline: 866-876-4472
  • Websites: http://privacy.ufl.edu
  • Emails: sablair_at_vpha.ufl.edu or
    Privacy_at_ufl.edu