What You Need to Know About Security and Compliance

We live in a digital world, surrounded by devices and technologies that make our lives easier and more efficient. Many of these systems are built with security as an afterthought, something to be addressed at some point down the line, and in practice it is often addressed only after the system has been compromised.

It is no surprise, then, that attackers regularly gain access to private or confidential information held in such systems.

Fortunately, there are laws in place to protect the privacy of the customers, patients, students and employees whose data these systems hold: HIPAA for health care organizations, FERPA for schools and universities, GLBA for financial institutions, the GDPR throughout the EU and more. Each of these regulations defines what data it covers and what safeguards the organizations handling that data must put in place, and each carries penalties for organizations that fail to do so.

HIPAA Rules and Security Compliance

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a U.S. federal law. Its privacy, security and breach notification rules are issued by the U.S. Department of Health and Human Services (HHS) and enforced by the HHS Office for Civil Rights. They apply to “covered entities”: health plans, health care clearinghouses and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks.

HIPAA comprises several rules. The Privacy Rule governs how protected health information (PHI) may be used and disclosed, in any form, whether paper, oral or electronic. The Security Rule sets the administrative, physical and technical safeguards required for electronic PHI. The Breach Notification Rule, added under the HITECH Act of 2009, requires covered entities to notify affected individuals, HHS and in some cases the media after a breach of unsecured PHI. Of these, the Security Rule is the one most directly concerned with keeping patient data out of attackers’ hands.

The Privacy and Security Rules also bind “business associates,” vendors such as billing services, cloud hosting providers and IT contractors that create, receive, maintain or transmit PHI on a covered entity’s behalf. Since the HITECH Act, business associates are directly liable for complying with the Security Rule, not merely bound to it by contract.

Specifically, the rules require that covered entities and their business associates:

• Designate a privacy official and a security official, and train the workforce on privacy and security policies.

• Limit uses, disclosures and requests of PHI to the “minimum necessary” for the intended purpose, which in practice means granting staff access only to the records their role requires.

• Ensure the confidentiality, integrity and availability of all electronic PHI they create, receive, maintain or transmit.

• Identify and protect against reasonably anticipated threats and hazards to that data, and against reasonably anticipated impermissible uses or disclosures.

• Protect the systems and devices that hold PHI with “reasonable and appropriate” administrative, physical and technical safeguards, scaled to the organization’s size, complexity and risk.

The Security Rule’s technical safeguards spell out the baseline: access control with a unique user ID for every person, audit controls that record activity in systems holding electronic PHI, integrity controls, authentication of people and systems, and transmission security. Encryption of data at rest and in transit is an “addressable” specification, meaning an organization must either implement it or document why an equivalent alternative is reasonable and appropriate. In practice, encrypting PHI is also what turns a lost laptop or backup tape into a non-reportable incident, because breaches of properly encrypted (“secured”) PHI do not trigger notification under the Breach Notification Rule. These are all characteristics of a sound information security program regardless of the regulation.

FERPA Rules and Security Compliance

The Family Educational Rights and Privacy Act applies to schools, school districts, colleges and universities that receive funds under any program administered by the U.S. Department of Education, which in practice means nearly all public K-12 schools and most postsecondary institutions. It protects students’ privacy by requiring written consent from the parent or eligible student before personally identifiable information from education records is disclosed to third parties, subject to specific exceptions, and it applies whether those records are kept on paper or stored digitally. FERPA does not prescribe particular security technologies, but it requires institutions to use reasonable methods to ensure that school officials obtain access only to the records in which they have a legitimate educational interest, and an improper disclosure, including one caused by a security failure, is a violation.

FERPA applies to “education records,” which include (but are not limited to):

• Grades, transcripts or reports;

• Information about activities;

• Disciplinary history; and

• Health records maintained by the school.

When a school uses technology, such as a student information system or a web portal, to store or transmit education records, FERPA applies to those systems just as it does to paper files. The school must notify parents and eligible students annually of their rights under the law, and it must restrict access to these systems so that only school officials with a legitimate educational interest can reach the records they contain; an attacker who gets in causes an unauthorized disclosure for which the school is answerable.

These obligations extend to any digital tool the school uses for educational or administrative purposes that touches education records, including online learning platforms, class management tools and automated grading programs. They also follow the data to any vendor that operates such a tool on the institution’s behalf: FERPA permits disclosure to such contractors only when they act as “school officials” under the school’s direct control and use the records solely for the purpose the school authorizes.