Legal & Security

HIPAA | FACTA | Red Flags

The Audits Are Coming – The Audits Are Coming

The federal government is cracking down on privacy breaches. Since the passage of the HITECH ACT Final Security Rule, the Office of Civil Rights Enforcement has processed over 100,000 complaints. Corrective actions were imposed in over 23,000 of these cases. Multi-million dollar fines have been imposed in several cases, including a $4.8 million fine levied against New York-Presbyterian Hospital and Columbia University In 2014.

Permanent Audit Program

The OCR has begun auditing covered entities for compliance with the HIPAA Privacy and Security Rules. The time frame for and the scope of these audits are presently unknown, but it is expected the permanent audit program will audit 800 covered entities and 400 business associates. OCR will likely pay close attention to whether covered entities have conducted, regularly reviewed and updated their risk assessment, as required by the Security Rule.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Office of Civil Rights Enforcement of the U.S. Department of Health and Human Services has provided videos and PowerPoint presentations to educate health providers and their business associates about their requirements under HIPAA including the “Final Rule”. The links are provided below.

Your Mobile Device and Health Information Privacy and Security 

Understanding the Basics of HIPAA Security Risk Analysis and Risk Management 

Patient Privacy: A Guide for Providers 

HIPAA and You: Building a Culture of Compliance 

Family Educational Rights and Privacy Act (FERPA)

Family Policy Compliance Office (FPCO) Home

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”

  • Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
  • Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
  • Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
    • School officials with legitimate educational interest;
    • Other schools to which a student is transferring;
    • Specified officials for audit or evaluation purposes;
    • Appropriate parties in connection with financial aid to a student;
    • Organizations conducting certain studies for or on behalf of the school;
    • Accrediting organizations;
    • To comply with a judicial order or lawfully issued subpoena;
    • Appropriate officials in cases of health and safety emergencies; and
    • State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

For additional information, you may call 1-800-USA-LEARN (1-800-872-5327) (voice). Individuals who use TDD may use theFederal Relay Service.

Or you may contact us at the following address:

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-8520

Red Flags Rule

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.


For more information click here

North Carolina Identity Theft Protection Act

The NCITPA protects residents of North Carolina from misuse of their personal information. The Act outlines the protection requirements for businesses operated in the state with respect to personal information as well as those maintaining records that contain personal information of North Carolina residents, subject to any superceeding federal legislation. The Act also proscribes the appropriate means by which such information may be disposed.

NCITPA permits consumers to issue a “security freeze” on the consumer’s credit report by
making a request in writing by certified mail to a consumer reporting agency. When a security freeze is in place, a consumer reporting agency may not release the consumer’s credit report or information to a third party without prior express authorization from the consumer.

Contact Us

We want to hear from you!


1 + 1 =