NMSU is required to comply with the following data-privacy federal & industry regulations, which pertain to the privacy and protection of selected University information:
- FERPA is the Family Educational Rights and Privacy Act of 1974, which requires control over the disclosure of student information. For more information please visit NMSU’s FERPA website.
- HIPAA is the Health Insurance Portability and Accountability Act of 1996, which requires control over the disclosure of medical information. For more information please visit NMSU’s HIPAA website.
- GLBA is the Gramm-Leach-Bliley Act of 1999, which requires control over the disclosure of nonpublic information. For more information please visit NMSU’s GLBA website.
- RFR is the (Identity Theft) Red Flags Rule provision of the Fair and Accurate Credit Transactions Act of 2003, which requires control over the disclosure of personally identifiable information. Refer to the Federal Trade Commission for Identity Theft consumer information. For more information please visit NMSU’s Red Flags Rule website.
- FISMA is the Federal Information Security Management Act of 2002, which sets forth information security requirements that federal agencies and any other parties collaborating with such agencies (grantees) must follow in an effort to effectively safeguard IT systems and the data they contain. For more information please visit NMSU’s FISMA website.
- PCI DSS is the Payment Card Industry Data Security Standard, which requires the proper protection and safe handling of credit cardholder information. For more information please visit NMSU’s PCI DSS website.
- GDPR is the EU General Data Protection Regulation, a legislative framework valid across all European Union member states. It is designed to strengthen privacy and protect the data of individuals across the EU by requiring institutions, including NMSU, to adopt new data protection processes and controls. For more information please visit NMSU’s GDPR website.
FERPA and HIPAA Guidance:
- HIPAA & FERPA – joint guidance from the Departments of Education and Health & Human Services – Which one applies? FERPA.
- Does FERPA or HIPAA apply to records on students at health clinics run by postsecondary institutions? FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity.
The National Institute of Standards and Technology (NIST) – NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, that help ensure compliance with federal and industry privacy regulations such as FISMA, FERPA, HIPAA, PCI DSS and others. NIST publishes standards, guidelines, recommendations and research on computer, cyber and information security and privacy.
- NMSU will use the NIST standards as its guiding compliance and security framework and meet relevant standards to assure regulatory compliance using a risk-based methodology.
Other privacy and regulatory requirements that may affect NMSU’s Information Technology:
- Privacy Act of 1974 (2015 Edition) – can generally be characterized as an omnibus “code of fair information practices” that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies.
- Electronic Communications Privacy Act (ECPA) – ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
- Children’s Online Privacy Protection Act (COPPA) – COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
- Freedom of Information Act (FOIA) – FOIA is a law that gives you the right to access information from the federal government. It is often described as the law that keeps citizens in the know about their government.
- E-Government – develops and provides direction in the use of Internet-based technologies to make it easier for citizens and businesses to interact with the Federal Government, save taxpayer dollars, and streamline citizen participation.
For more information click on the respective link or contact the IT Compliance Function at firstname.lastname@example.org.