Archival Processing: HIPAA & FERPA

Overview

Privacy concerns are an important issue at OHSU. Being a covered entity of a medical institution, we have to follow the dictates of HIPAA. And being part of an institution of higher learning, we also need to follow the constraints of FERPA. Beyond the ethical reasons to abide by these privacy dictates, legal breaches can result in very stiff financial penalties. Issues related to each are listed below.

HIPAA

"The Health Insurance Portability and Accountability Act [of 1996] (HIPAA) Privacy Rule is a set of standards that address how certain organizations (called covered entities) may use and disclose individually identifiable health information (called protected health information or PHI)."1 As HC&A is a covered entity under OHSU, we must abide by the rules of HIPAA.

This affects our work as processors through the descriptions we craft and the access we provide. With physical processing, note any material containing PHI by writing "[RESTRICTED]" in the folder title. If entire series or collections are restricted, this should also be noted in the finding aid and physical boxes should be labeled as "RESTRICTED." If a date is known when restrictions will be lifted for the materials (for example, 50 years after the death of the individual in question), that date should be noted in the description information as well. 

Access to physical materials may be granted for research purposes. Contact Meg Langford for more information regarding that process. Materials being made available online should have all PHI redacted from the access copy. For redaction, OHSU follows the Safe Harbor Methodology for de-identifying records placed online and for certain access copies provided in person. See this guide for fuller information about what should be redacted or review the list below and the related files.

Safe Harbor Methodology

The following identifiers of the individual or of relatives, employers, or household members of the individual, are to be redacted:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code (some exceptions)
  3. All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age
  4. Telephone numbers, fax numbers, email addresses
  5. Vehicle identifiers and serial numbers, including license plate numbers
  6. Device identifiers and serial numbers
  7. Web Universal Resource Locators (URLs)
  8. Social security numbers
  9. Internet Protocol (IP) addresses
  10. Biometric identifiers, including finger and voice prints
  11. Full-face photographs and any comparable images
  12. Any unique identifying number, characteristic, or code, including (but not limited to) medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers

FERPA

"The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education."2 FERPA was created to protect the privacy of student records. 

A student is any defined as anyone who is or has been attending an educational institution. FERPA defines education records as those that are directly related to a student and maintained by an educational agency or institution, or by a party acting for that agency or institution. And "directly related" means the record expressly identifies the student by name, number, or some other direct identifier; or the student’s identity could be deduced from the information in the record, either alone or in combination with other publicly available information. FERPA restrictions do not apply to deceased individuals.

Exceptions to FERPA include:

  • Directory Information – Publicly available information about a student that is not considered harmful or an invasion of privacy if disclosed (unless student has opted to restrict this information).
    • Student’s name
    • Class, college, and major
    • Local and permanent addresses and email address
    • Listed telephone number
    • Enrollment status
    • Most recent previous educational institution attended
    • Dates of attendance at the university
    • Degree earned
    • Nature and place of employment at the university
    • Honors and awards received
    • Publication titles
    • Participation in officially recognized or registered activities and sports
    • University IDs and photographs
  • The student has given written consent for the disclosure.
  • The law provides an exception for disclosure without the student’s consent.

What is a record?

Education records include the following:

  • Biographical Information: Date and place of birth, gender, nationality, race and ethnicity, identification photographs, and disability information
  • Academic Information: Grades, evaluations, courses taken, academic specialization and activities, official communications regarding status, internship program records
  • Coursework Information: Papers and exams after they are graded and recorded, class schedules, recorded communications that are part of the academic process
  • Disciplinary Records: Actions or proceedings, including investigation, adjudication, or imposition of sanctions by an educational agency or institution with respect to an infraction or violation of the internal rules of conduct
  • Financial Records: Including financial aid forms, records, and correspondence
  • Any other records or logs containing identifiable student information, maintained by the University for any reason

Records that are NOT considered educational include:

  • University law enforcement records
  • Employment records, unless the employment is dependent on status as a student (such as evaluations of graduate assistants)
  • Records created or received after an individual is no longer a student
  • Grades on peer-graded papers, before they are collected and recorded by a teacher
  • “Sole-possession records” – a limited category of records used only as memory aids for the personal use of the maker and not shared with others

Additional Resources

LSTA - Student Worker Training Materials

HIPAA Resource Page (Society of American Archivists' Science, Technology & Health Care Roundtable and Archivists and Librarians in the History of the Health Sciences)

HIPAA Policy Brief (U.S. Department of Health & Human Service)

HIPAA regulations at OHSU

Family Educational Rights and Privacy Act (FERPA) (U.S. Department of Education)