Privacy concerns are an important issue at OHSU. Being a covered entity of a medical institution, we have to follow the dictates of HIPAA. And being part of an institution of higher learning, we also need to follow the constraints of FERPA. Beyond the ethical reasons to abide by these privacy dictates, legal breaches can result in very stiff financial penalties. Issues related to each are listed below.
"The Health Insurance Portability and Accountability Act [of 1996] (HIPAA) Privacy Rule is a set of standards that address how certain organizations (called covered entities) may use and disclose individually identifiable health information (called protected health information or PHI)."1 As HC&A is a covered entity under OHSU, we must abide by the rules of HIPAA.
This affects our work as processors through the descriptions we craft and the access we provide. With physical processing, note any material containing PHI by writing "[RESTRICTED]" in the folder title. If entire series or collections are restricted, this should also be noted in the finding aid and physical boxes should be labeled as "RESTRICTED." If a date is known when restrictions will be lifted for the materials (for example, 50 years after the death of the individual in question), that date should be noted in the description information as well.
Access to physical materials may be granted for research purposes. Contact Meg Langford for more information regarding that process. Materials being made available online should have all PHI redacted from the access copy. For redaction, OHSU follows the Safe Harbor Methodology for de-identifying records placed online and for certain access copies provided in person. See this guide for fuller information about what should be redacted or review the list below and the related files.
The following identifiers of the individual or of relatives, employers, or household members of the individual, are to be redacted:
"The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education."2 FERPA was created to protect the privacy of student records.
A student is defined as anyone who is or has been attending an educational institution. FERPA defines education records as those that are directly related to a student and maintained by an educational agency or institution, or by a party acting for that agency or institution. "Directly related" means the record expressly identifies the student by name, number, or some other direct identifier; or the student’s identity could be deduced from the information in the record, either alone or in combination with other publicly available information. FERPA restrictions do not apply to deceased individuals.
Exceptions to FERPA include:
Education records include the following:
Records that are NOT considered educational include:
LSTA - Student Worker Training Materials
HIPAA Resource Page (Society of American Archivists' Science, Technology & Health Care Roundtable and Archivists and Librarians in the History of the Health Sciences)
HIPAA Policy Brief (U.S. Department of Health & Human Services)
Family Educational Rights and Privacy Act (FERPA) (U.S. Department of Education)