
Comprehensive Standard 3.9.2

The institution protects the security, confidentiality, and integrity of student records and maintains special security measures to protect and back up data. (Student records)


[√] Compliant   [ ] Non-Compliant

Narrative

The University of Texas Medical Branch at Galveston (UTMB) protects the security, confidentiality and integrity of its student records because it has developed, implemented, and adheres to policies and procedures designed to achieve these purposes in compliance with the Family Educational Rights and Privacy Act (FERPA). UTMB policies regarding security of student records are also in compliance with state statutes, including the Texas Open Records Act, and all other federal, state, University of Texas (UT) System and University policies (1).

Integrity. Data in the student records system cannot be changed without authorization from the student. UTMB publishes the fact that students have access to their own academic records, as well as a list of data elements that are considered directory information, on the Enrollment Services website (2) and, on the same site, students can access forms to withhold directory information (3). In keeping with FERPA, students have the right to challenge the accuracy of their records.

UT System policies require that institutions assign a unique identifier for each student and other individuals who are associated with the institution at the earliest point of contact, that sensitive data concerning a student cannot be released to any vendor without that student's written approval, and that any such release must be in full compliance with all applicable privacy laws, including FERPA.

Security. Physical and electronic safeguards have been established by UTMB to protect student records from unauthorized access. In addition to the unique identifier and policies related to FERPA, UTMB, as a state institution of higher education, complies with requirements stipulated in the Texas Administrative Code (4). These standards comprise the basic tenets for the institutional information security program. As a component of UT System, UTMB must also comply with UT System policies regarding information resource use and security (5). These policies require each UT institution to establish prudent and acceptable practices regarding the use and safeguarding of UT information resources; to protect the privacy of individuals for whom the UT institutional system holds personally identifiable information; to ensure compliance with applicable statutes, regulations, and mandates regarding the management and security of information resources; and to educate individual users with respect to the responsibilities associated with use of institutional information resources.

Students' permanent records are stored in a secured room that has both physical security and fire suppression installed. Only members of the Enrollment Services staff have access to these records, and they are fully trained in the confidentiality, access, release, and security of the records. In addition, there is a University owned and managed document imaging system that also maintains both hand-created and electronically-created documents.

Confidentiality. UTMB takes measures to ensure access to records is granted only to authorized personnel and then only when based upon legitimate need. All faculty, staff and administrators that have access to the records and electronic data are required to complete compliance training as established by the institution to ensure compliance with the security, confidentiality, and integrity of student data. Student records can only be shared without student consent in those few instances outlined by FERPA (6).

Student health and counseling records are maintained by the Office of Student Wellness in accordance with UTMB policy regarding the use and disclosure of protected health information (PHI), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and FERPA regulations (7). The database for the electronic medical record is on a secure UTMB server and all paper charts are secured in locked file cabinets inside a secured area.

Protection and Back Up of Records. UTMB has safeguards in place to ensure continuity and security of records in the event of natural disaster or other critical event such as system disk drive failures, espionage, or data entry errors. Backup data storage of student data, in addition to being located on Galveston Island, is also provided in stormproof facilities in far northwest Houston, approximately 60 miles inland, and as a fail-safe mechanism, at the UT System central data center facilities in Arlington, Texas, near the Dallas/Fort Worth area. UTMB is required by state law (TAC 202, section 202.70(6)) and UT System to ensure the operational integrity and recoverability of critical systems and information resources. UTMB has developed an internal institutional information security program for electronic student academic records that promotes risk management practices and ensures the protection, backup and data recovery of information resources critical to its missions (8).

The Office of Information Security at UTMB is responsible for administering the information security function and serves as internal and external point of contact for all information security matters (9). UTMB has implemented specific administrative, technical, and physical safeguards to assure compliance with this principle. The Information Security Officer has followed these safeguards in developing a comprehensive set of policies, practice standards, and procedures that address key issues related to information security management and data integrity across the institution, including not only student data but also patient confidentiality and employee privacy. These are posted on the internal website for institutional use (10). In addition, all users are required to complete security awareness training that details the responsibilities of each user of information resources, as well as proactive steps to help keep data and information systems more secure.

Distance Education Students. The integrated nature of the technical and physical security controls for students throughout UTMB includes not only those located in Galveston but also all students receiving instruction at remote sites. Documented procedures assure that security of personal information is protected in assessments, evaluations, and in the dissemination of results. Remote access practice standards provide requirements and guidelines to support accessing UTMB's information resources from remote locations and apply to all individuals who may be required to connect from remote locations, including private homes, business locations, and public access points (11).

Sources
1. UTMB Handbook of Operating Procedures, Section 2, General Administrative Policies and Services, Policy 2.19.6, Information Resources Security
http://www.utmb.edu/policies_and_procedures/IHOP/General_Administration/IHOP%20-%2002.19.06%20-%20Information%20Resources%20Security.pdf

2. UTMB Notification of Rights under Family Educational Rights and Privacy Act of 1974 (FERPA)
http://www.utmb.edu/enrollmentservices/pdf/DirectoryInfoPolicy_000.pdf

3. UTMB Request to Restrict Release of Information
http://www.utmb.edu/enrollmentservices/pdf/RequestHoldDirectoryInfo.pdf

4. Texas Administrative Code, Title 1, Part 10, Chapter 202
http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=5&ti=1&pt=10&ch=202&sch=C&rl=Y

5. University of Texas System Administration Policy Library, Policy UTS165, UT System Information Resources Use and Security Policy, Section 11, Management of Sensitive Digital Data.
http://www.utsystem.edu/bor/procedures/policies/uts165.pdf

6. Family Educational Rights and Privacy Act
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

7. UTMB Handbook of Operating Procedures, Section 2, General Administrative Policies and Services, Policy 2.19.6, Information Resources Security, Definitions.
http://www.utmb.edu/policies_and_procedures/IHOP/General_Administration/IHOP%20-%2002.19.06%20-%20Information%20Resources%20Security.pdf

8. UTMB Information Resources Practice Standards, Section 1, Security Management, Subject 3, Disaster Recovery, Practice Standards 1.3.2., Backup and Data Recovery.
http://www.utmb.edu/InfoSec/Policies/ps/ps132.pdf

9. Information Security
http://www.utmb.edu/infosec/Welcome.asp

10. UTMB Information Security, Policies and Practice Standards
http://www.utmb.edu/infosec/PoliciesStandards/Index.asp

11. UTMB Information Resources Practice Standard, Section 1, Subject 2, Practice Standards 1.2.8, Remote Access. Accessed from:
http://www.utmb.edu/infosec/PoliciesStandards/Index.asp
