And The Family Educational Rights and Privacy Act-Buckley Amendment (FERPA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires standards to be adopted in two areas.
Electronic health-care transactions: Since the Central New York Regional Information Center (CNYRIC) submits all Medicaid claim data to the electronic Medicaid system in New York State (eMedNY) for processing, it is a covered entity under this act. The electronic transmission of Medicaid data is now HIPAA compliant.
Privacy: The Family Educational Rights and Privacy Act-Buckley Amendment (FERPA, a.k.a. the Buckley Amendment) is more restrictive than HIPAA with respect to the protection of privacy and security of all health-related services. Since all school districts/§4201 schools/counties (and any other educational entities that have access to student data) are obligated to be in compliance with FERPA, they are also HIPAA compliant.
In order to assure compliance with FERPA (and thus with HIPAA), the following minimum procedures must be in place:
✓ All student data files and information must be protected (i.e. student files are locked or only accessible by appropriate personnel).
✓ Any student information/files transmitted to other appropriate recipients must also be protected. Information files must be encrypted and password protected.
✓ Student information/files may be faxed to appropriate personnel, but only to secure sites.
✓ Parental consent is required for the release of any personally identifiable information other than those specifically excluded in the attached FERPA Fact Sheet (see Page 8).
✓ See Procedures for Transmission of Student Specific Information (Page 9) for all communications between school districts/§4201 schools/counties and SED/DOH pertaining to student specific information.
The Family
Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a
Federal law that protects the privacy of student education records. The law applies to all schools that receive
funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to
their children's education records.
These rights transfer to the student when he or she reaches the age of
18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible
students."
Parents or eligible students have the right to inspect
and review the student's education records maintained by the school. Schools are not required to provide copies
of records unless, for reasons such as great distance, it is impossible for
parents or eligible students to review the records. Schools may charge a fee for copies.
Parents or eligible students have the right to request
that a school correct records which they believe to be inaccurate or
misleading. If the school decides not
to amend the record, the parent or eligible student then has the right to a
formal hearing. After the hearing, if
the school still decides not to amend the record, the parent or eligible
student has the right to place a statement with the record setting forth his or
her view about the contested information.
Generally, schools must have written permission from
the parent or eligible student in order to release any information from a
student's education record.
However, FERPA allows schools to disclose those
records, without consent, to the following parties or under the following
conditions (34 CFR § 99.31):
• School officials with legitimate educational interest;
• Other schools to which a student is transferring;
• Specified officials for audit or evaluation purposes;
• Appropriate parties in connection with financial aid to a student;
• Organizations conducting certain studies for or on behalf of the school;
• Accrediting organizations;
• To comply with a judicial order or lawfully issued subpoena;
• Appropriate officials in cases of health and safety emergencies; and
• State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent,
"directory" information such as a student's name, address, telephone
number, date and place of birth, honors and awards, and dates of
attendance. However, schools must tell
parents and eligible students about directory information and allow parents and
eligible students a reasonable amount of time to request that the school not
disclose directory information about them.
Schools must notify parents and eligible students annually of their
rights under FERPA. The actual means of
notification (special letter, inclusion in a PTA bulletin, student handbook, or
newspaper article) is left to the discretion of each school.
For additional information or technical assistance, you may call (202) 260-3887 (voice). Individuals who use TDD may call the Federal Information Relay Service at 1-800-877-8339. Or you may contact the Compliance Office at the following address:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-4605
To maintain security all
staff (including school district/§4201 school/county, State
agency, RIC, and other third party vendor staff) who handle data with student
identifying information, especially while seeking clarification on the
processing of claims, must abide by the following rules:
The sender should place the student last name, first name, date of birth and gender on a numbered line. This will allow the receiving staff to provide a response using only the number, without having to repeat the identifying information.
Call the receiver ahead of time to be immediately available to retrieve the document. The intended receiver needs to provide the sender with a phone number for a fax machine that is located in a secure environment and not open to the general public.
E-mail transmissions are permissible only if the data is encrypted and password protected. Information on encryption software is available from SED.
The telephone is preferable for small numbers of requests. Leave messages containing identifying data only on voice mail systems that are password protected.
Diskettes and printed documents may be mailed but be sure to mail only to a specific individual with the right to know. General addresses, where anyone can open the mail, would be inappropriate.
HAND DELIVERED FILES:
Diskettes (files such as your Medicaid Demographic File [MD], Medicaid Services File [MS], Medicaid Eligibility File [ME] or Medicaid Remittance File [MR]) and printed documents with personally identifiable information may be hand delivered without encrypting the files. However, the information must be hand delivered to an appropriate individual with the right to know.
FILES, LOGS, DOCUMENTATION OR ANY MEDIUM CONTAINING STUDENT PERSONALLY IDENTIFIABLE INFORMATION:
All files must be maintained in a secure environment with access limited to appropriate staff who require access to such information to carry out their work responsibilities. Information left unattended should be locked or maintained where access would be denied.
ENCRYPTION INFORMATION:
School Districts, §4201 schools and counties may continue to use their
current encryption software as long as it meets industry standards for security
and privacy and is password protected.
However, if you do not currently have any encryption software you will
need to purchase a package in order to meet FERPA requirements for security and
privacy regarding the sending or transmitting of personally identifiable
student information. The New York State
Education Department (SED) does not recommend that school districts or counties
use any particular software package or vendor.
School districts, §4201 schools, or counties may pursue appropriate options, based on their existing infrastructure and support, and should involve their information technology support staff in deciding which option or software is in their best interest. However, SED requires that any software selected must be compatible with the PGP software used by SED, the Department of Health (DOH) and the Central New York Regional Information Center (CNYRIC). The website to inquire about the PGP Encryption Software is http://www.pgp.com/products/workgroup/index.html. The PGP version that is most compatible for this purpose is the PGP Desktop 8.0 version. Whatever option you choose or software you use, the recipient of your data must be able to open the file with the password you choose.
LOCAL REGIONAL INFORMATION CENTER (RIC) FILE TRANSFER PROTOCOL (FTP):
If your local RIC offers an electronic file transfer process to submit or retrieve files, the RIC takes responsibility for securing the information and for authorizing its use. The site automatically protects all personally identifiable information using the Secure Socket Layer (SSL) software. If interested in submitting or retrieving information using this process, contact your RIC for details and authorization. You will be able to submit your MS file directly to CNYRIC through the new MEDWEB site in late fall of 2005. You can now receive all your reports, ME files, and MR files through the new CNY WEB REPORT Site.
NOTE: The Health Information Portability and Accountability Act (HIPAA) expressly excludes from HIPAA coverage any information maintained in school district educational records which are subject to the Family Educational Rights and Privacy Act (FERPA).
Any questions regarding the above should be addressed to:
The New York State Education Department
The Medicaid Services Unit
Robert J. Scalise, Coordinator
Room 304 Education Building (EB)
89 Washington Avenue
Albany, New York 12234
Email: rscalise@mail.nysed.gov
Phone: 518 474-3227