UF Privacy Office PowerPoint PPT Presentation

UF Privacy Office

Susan Blair, MSJ, MBA, CIPP - CIA

Chief Privacy Officer


Road to the UF Privacy Office

  • 20-year Health Professional

  • BA, Health Administration

  • MBA, Finance & Mgmt

  • 18-year Corporate Mgr.

    • Manager, Finance & Budgeting

    • Internal Auditor

    • Director, Occupational Health

  • MSJ, Health & Privacy Law

  • UF Privacy Manager

  • Privacy Professional Certification


Role of UF Privacy Officer

  • Required by federal health regulation, effective April 2003

  • Analyze relevant privacy regulations; assess institution privacy-related risks; provide oversight for regulatory compliance; track results

  • Develop and implement strategies, policies, and procedures

  • Act as central contact and investigation authority for privacy complaints, alleged breaches and notifications

  • Recommend disciplinary actions, up to and including dismissal


Privacy & Confidentiality Defined…

  • Privacy

    • Freedom from intrusion or observation

    • Maintaining control over personal information

    • Not US Constitutional right

    • Florida Constitution (Article One, Section 23) “Every natural person has the right to be let alone and free from governmental intrusion into the person's private life”; exception: Not to limit the public's right of access to public records and meetings as provided by law.

  • Confidentiality

    • Only permitting certain authorized persons to have information, with the understanding that they will not share the information except to other authorized persons


Scope of Privacy Regulations at UF

  • Federal Statutes

    • Federal Education Records Protection Act (FERPA)

    • Privacy Act of 1974

    • Patriot Act

    • Gramm-Leach-Bliley Act

    • Fair Credit Reporting Act

    • Right to Financial Privacy Act

    • Children’s Online Privacy Protection Act (COPPA)

    • Electronic Communications Privacy Act

    • Stored Wire and Electronic Communications Act

    • Cable Communications Policy Act


Scope of Privacy Regulations at UF

  • Federal statutes cont’d

    • Health laws

      • Health Insurance Portability & Accountability Act (HIPAA) for medical components: Faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation

      • Americans with Disabilities Act

      • Federal Substance Abuse Record Confidentiality Rules

  • National Industry Standards

    • Payment Credit Industry Data Security Standards


Scope of Privacy Regulations at UF

  • Florida Statutes

    • Chapter 90: Evidence

    • Chapter 119: Public Records

    • Chapter 390: Mental Health

    • Chapter 395: Health Care Organizations

    • Chapter 397: Substance Abuse

    • Chapter 440: Workers’ Compensation

    • Chapter 456: Medical Records

    • Chapter 458: Board of Medicine

    • Chapter 501: Consumer Protection

    • Chapter 817: Privacy Breach Notification


Scope of Privacy Regulations at UF

  • International Privacy Laws

    • US: Department of Commerce’s Safe Harbor Privacy Principles

    • Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, EU Data Protection Directive, Articles 1-33

    • Canada: Personal Information Protection & Electronic Documents Act

    • Additional Regulations: Argentina, Hungary, Iceland, Ireland, Japan, the Netherlands, and elsewhere


Top Three Danger Zones

  • Family Educational Rights and Privacy Act (FERPA): Student Records

    • Authorizes Secretary of Education to end all federal funding if a university fails to comply with statute

  • Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information

    • Civil penalties and DOJ criminal prosecutions, which may result in penalties and up to ten years of jail time

  • Payment Credit Industry Data Security Standard (PCIDSS): Credit Card Information

    • Noncompliant entities may be fined $500,00 per incident if cardholder information is compromised, and processing privileges may be revoked


Number One Privacy Crisis

  • Privacy Breach, which may result in Identity Theft

  • UF Breach Experience

    • PHI: 10,670

    • PII: 43,924

    • Notifications: 10,672

    • $182 Average Cost (est.) per Compromised Record

    • ID Theft: One suspect report


Why Do Privacy Breaches Occur?

  • Inadequate Training and Careless or Inattentive Data Systems Management

  • Data Rich Information Systems

  • Outdated Data Security Safeguards

    • Inadequate Administrative Policies

    • Technology Failures

    • Sophisticated Intruders, with Potential Criminal Intent

  • Negligent Hiring

  • Demonstrated Opportunities for Repeat Access

  • Business Partners Fail to Protect Information


Effect of Privacy Breach

  • Public Relations: Loss of Institution’s Reputation

  • Financial Expenses: Legal, administrative, investigative costs

  • Notification, including multimedia notice, and Consumer Support

  • Restitution Payments

  • Law Enforcement Investigation

  • Lawsuits: Civil or Consumer Class Actions

  • Sanctions: Civil and/or Criminal Prosecutions, Penalties, Industry Actions, Research May Be Curtailed

  • Reduced Donations or Contributions

  • Promote Increased or Enhanced Regulations and Regulatory Surveillance


So, what does this mean to me?

  • FERPA 2007 Unauthorized Disclosures: 849 in 7 incidents; 2 incidents reported to federal authorities

    • How does UF conduct FERPA training?

  • Colleges: Business, Dentistry, Engineering, IFAS, Latin America Center, Medicine; each college must pay their breach expenses

  • At risk: UF Research funding, financial aid programs, recovery and restitution expenses


Individual College Mitigation Initiatives

  • Complete training and awareness programs

    • Complete online or classroom training

    • Follow Privacy Statement practices; see http://privacy.ufl.edu/informationprivacy.html

    • Rapid reporting of suspected breach

  • Meet or exceed UF data standards; remove SSNs from databases including legacy systems; encrypt portable devices, especially laptops

  • Background check employees in ‘trust’ positions, at minimum


Pop Quiz …

  • Which of the following disclosures require the student’s written permission?

    • A letter of reference for graduate school

    • Transcript and GPA for school where student intends to enroll

    • Grades to the custodial parent paying tuition

    • GPD inquiring whether the student was in class on a specific day

    • To the student for personal reasons


Pop Quiz …

  • A student assigned to an advisor requests to review her educational record, including everything the advisor has written about her. She believes the advisor recorded personal information about her in his private notes, recorded during their meetings.

  • Does the law allow the student access to all of her records?


Check Your Answers …

  • 100% correct? Congratulations. (Are your faculty and staff as knowledgeable?) For FERPA training, see http://www.privacy.ufl.edu/studentfaculty.html

  • Uncertain? Complete and direct your faculty and staff to complete the online FERPA training too.

  • Remember … Compliance is more than guesswork.


Questions ???

  • Contact Information

    Susan Blair, Privacy Officer

    Room N1-001, HSC

    (352) 273-5094

    Hotline 866-876-4472

    Websites: http://privacy.ufl.edu

    Emails: [email protected] or

    [email protected]

