Compliance Certification Report

3.9.2
The institution protects the security, confidentiality, and integrity of its student records and maintains special security measures to protect and back up data. (Student Records)

Status: √ Compliant   [ ] Partially Compliant   [ ] Non-Compliant
Narrative:
The University of Texas Medical Branch at Galveston (UTMB) protects the security, confidentiality and integrity of its student records because it has developed, implemented and adheres to policies and procedures designed to achieve these purposes in compliance with the Family Educational Rights and Privacy Act (FERPA). UTMB policies regarding security of student records are also in compliance with state statutes, including the Texas Open Records Act, and all other federal, state, system and university policies (1) (2) (3) (4). UTMB publishes the fact that students have access to their own academic records, as well as a list of data elements that are considered Directory Information, on the Enrollment Services website (5). In addition, at the same site students can access forms to withhold Directory Information (6). In keeping with FERPA, students have the right to challenge the accuracy of their records.

Students' permanent records are stored in a secured room that has both physical security and fire suppression installed. Only members of the Enrollment Services staff have access to these records, and they are fully trained in the confidentiality, access, release, and security of the records. All faculty, staff and administrators who have access to the records and electronic data are required to complete compliance training, as set by the institution, to ensure the security, confidentiality and integrity of student data.

UTMB has developed an internal institutional information security program for electronic student academic records that promotes risk management practices and ensures the availability, integrity, and confidentiality of information resources critical to its missions. UTMB's backup and data recovery system assures long-term integrity of this information (7). Student health and counseling records are maintained by the Office of Student Wellness in accordance with UTMB policy regarding the use and disclosure of protected health information (PHI) (8), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and FERPA regulations. The database for the electronic medical record is on a secure UTMB server, and all paper charts are secured in locked file cabinets inside a secured area.

As a state institution of higher education, UTMB complies with requirements stipulated in the Texas Administrative Code (9). These standards comprise the basic tenets for the institutional information security program. As a component of The University of Texas System, UTMB must also comply with the UT System policies regarding information resource use and security (10). These policies require each UT institution to establish prudent and acceptable practices regarding the use and safeguarding of the UT System information resources; to protect the privacy of individuals for whom the UT institutional system holds personally identifiable information; to ensure compliance with applicable statutes, regulations, and mandates regarding the management and security of information resources; and to educate individual users with respect to the responsibilities associated with use of institutional information resources. They also require that institutions assign a unique identifier to each student and to other individuals associated with the institution at the earliest point of contact, that sensitive data concerning a student cannot be released to any vendor without that student's written approval, and that any such release must be in full compliance with all applicable privacy laws, including FERPA (11).

The Information Security Officer at UTMB is responsible to the Information Resources Manager for administering the information security function and serves as the internal and external point of contact for all information security matters (12). The Information Resources Manager is the Chief Information Officer and is charged with overseeing the acquisition and use of UTMB's information resources. UTMB has implemented specific administrative, technical, and physical safeguards to assure compliance with this principle. The Information Security Officer has developed a comprehensive set of policies, practice standards, and procedures that address key issues related to information security management and data integrity. These have been approved by the institutional Computing Standards Advisory Group and are posted on the internal website for institutional use (13). In addition, all users are required to complete security awareness training, which details the responsibilities of each user of information resources, as well as proactive steps to help keep data and information systems more secure.
Sources:

1. UTMB Institutional Handbook of Operating Procedures, Section 2, General Administrative Policies and Services, Policy 2.19.5, Acceptable Use of Information Resources
   http://intranet.utmb.edu/Policies_And_Procedures/General_Administrative/PNP_004827
2. UTMB Institutional Handbook of Operating Procedures, Section 2, General Administrative Policies and Services, Policy 2.19.6, Information Resources Security
   http://intranet.utmb.edu/Policies_And_Procedures/General_Administrative/PNP_004828
3. UTMB Institutional Handbook of Operating Procedures, Section 2, General Administrative Policies and Services, Policy 2.19.7, Email Use
   http://intranet.utmb.edu/Policies_And_Procedures/General_Administrative/PNP_004829
4. UTMB Institutional Handbook of Operating Procedures, Section 2, General Administrative Policies and Services, Policy 2.19.8, Internet Use
   http://intranet.utmb.edu/Policies_And_Procedures/General_Administrative/PNP_004830
5. UTMB Policy on Release of Student Academic Data
   http://intranet.utmb.edu/enrollmentservices/PDF/FERPADirectoryInfoAugust2004.pdf
6. UTMB Request to Restrict Release of Information
   http://www.utmb.edu/enrollmentservices/current/documents/RequestHoldDirectoryInfo.pdf
7. UTMB Institutional Handbook of Operating Procedures, Section 6, Compliance Policies, Policy 6.2.1, Use and Disclosure of PHI Based on Patient Authorization
   http://www.utmb.edu/compliance/hipaa/Policies-Final%20Version/6-2-1.pdf
8. UTMB Information Resources Practice Standards, Section 1, Security Management, Standard 1.3.2, Backup and Data Recovery
   http://www.utmb.edu/is/policy/Search/ps132_08-31-05.pdf
9. Texas Administrative Code, Title 1, Part 10, Chapter 202
   http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=5&ti=1&pt=10&ch=202&sch=C&rl=Y
10. UT System Policy Library, UTS165, Information Resources Use and Security Policy
    http://www.utsystem.edu/policy/ov/uts165.html
11. UT System Policy Library, UTS165, Information Resources Use and Security Policy, Procedures 10.1.5 and 26.2.1.2
    http://www.utsystem.edu/policy/policies/uts165.html
12. UTMB Information Services Policies, Practice Standards, and Procedures
    http://cirt.utmb.edu/
13. UTMB Information Security, Policies and Practice Standards
    http://www.utmb.edu/is/policy/listing.htm