AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


Data Encryption: School (K-12) Medical Records Are Protected By HIPAA? (Updated)

I came across an article that left me scratching my head.  According to lahontanvalleynews.com, Tom Considine opined in his show "Who Complies" that a school was in breach of HIPAA because it was disposing of student health files by dumping them at a landfill.  Sure, it's an issue quite removed from laptop encryption software stories, but I couldn't help looking into it.

(My second update to this post contains a link to "Joint Guidance on the Application of FERPA and HIPAA to Student Records," which should clear up a lot of issues regarding whether a student record comes under the auspices of FERPA or HIPAA.)

I Think Tom's Wrong; FERPA Applies, Not HIPAA

I've read Considine's words here, and I've got to wonder whether he actually looked into the issue.

I did a quick check on-line, and found that, for the most part, school records don't fall under HIPAA.  Rather, FERPA comes into play, as detailed at privacyrights.org ("Health records kept by schools are classified as 'education records' covered by the Family Educational Rights and Privacy Act (FERPA)") and worldprivacyforum.org, which notes the same (unless we're talking about private schools; apparently, they work under a different set of rules).

FERPA, if you're not aware, stands for Family Educational Rights and Privacy Act and is overseen by the Department of Education.  (If you've ever had to go to the school medical center during your college years, you've probably come across FERPA literature one way or another).

FERPA Doesn't Require Encryption

As far as I can tell, FERPA doesn't require the use of encryption for sensitive information, including health information.  This probably accounts for the rash of university-related data breaches that I encountered in the news.  The Georgetown U. alumni database theft from a couple of years back comes to mind, for example.

Hm.  Perhaps FERPA should look into data protection.  Based on what I've learned above, I'm going to admit that I don't know whether I should take this at face value, but Considine claims that "schools are targeted five times more for identity theft because students may not learn about it until years later." (my emphasis; five times more than who? or what? is a valid question, I think).

If this is true, considering how many schools and students we have in the US--and how few of them have adequate security for protecting assets like computers--there might be a potential minefield there that hasn't attracted much notice.

(Update: I was about to publish this post when I noticed that databreaches.net had actually come to the same conclusion regarding HIPAA vs. FERPA.  Serves me right for not reading until the end; it could have saved me a lot of time.)

(Update 25 May 2011): Found an excellent resource on FERPA v. HIPAA: Joint Guidance on the Application of FERPA and HIPAA to Student Records has nuggets like these:

At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district.

Some schools may receive a grant from a foundation or government agency to hire a nurse.   Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA.


Related Articles and Sites:
http://www.databreaches.net/?p=11952

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.