“Confidentiality is an ancient and well-warranted social value.”
~ Kay Redfield Jamison
Today’s blog entry is a companion piece to last week’s,
Be A Superhero Employee: Block Workplace Cyber Security Breaches
Workplace confidentiality is not just refraining from spreading the latest gossip, keeping a secret a coworker has asked you to keep or protecting the confidences of your boss. Those are certainly important, but I’d like to focus on those confidences that are required by law — the ones that protect the privacy of students, patients, consumers, clients and customers. These regulations are meant to strengthen the protections of Americans’ right to privacy that is implied in the U.S. Constitution. It is crucial that these privacy laws that protect all of us be enforced in every workplace that is affected. And because these laws are complex, employees should check with their respective company’s legal and compliance sources for answers to specific questions and solutions to complicated issues.
The industries most affected are Education, Healthcare and Financial Services; they are among the most highly regulated industries, and with good reason. They gather and maintain highly sensitive records and information required in crucial areas of our lives. Workers in those industries are the gatekeepers of these laws, and are in positions of being both beneficiaries and enforcers, depending on their particular situations.
Are you familiar with one or more of the following major consumer protection laws that keep your personal information confidential?
Education – FERPA
For those employed at educational institutions that must comply with the Family Educational Rights and Privacy Act, or FERPA, which was signed into law in 1974 to protect the privacy of a student’s education records, strict enforcement is a top priority. Staff and faculty are trained in FERPA regulations as well as in their respective schools’ policies to serve the student’s interests and help their respective institutions comply with the law. The institutions that are affected include any elementary, secondary and post-secondary schools that receive funding under programs of the U.S. Department of Education; such popular funding programs include Perkins Loans, Pell Grants and Work-Study, among others.
Staff at higher education levels often encounter a challenge involving not only the transition of students from high school to college, but also the transition that parents undergo as well. Every year, millions of parents receive a big surprise when they learn that they no longer have legal access to the education records of their newly minted college student son or daughter. And even if parents are aware, they often have difficulty in accepting this fact. As a parent of a former college student, I understand the difficulty of this life change; it adds to the stress and feeling of helplessness, especially if you are already struggling with bidding farewell to your child as she or he leaves home to live on campus. Parents experience not only a separation of distance and time, but now the law says they must relinquish legal control of their offspring’s private education records, even if the parents are footing the tuition bill!
This is how FERPA works: Until a student turns 18 or attends any post-high-school educational institution, FERPA provides parents with access to their child’s student records and the ability to request corrections to those records. But when that 18th birthday rolls around or the student attends an institution of higher learning, the rights of the parents transfer to the student. At that point, if the parents wish to continue to access any of their son’s or daughter’s education records, they are required to obtain the student’s written consent. Such consent by the student is usually provided in the form of a waiver, and each school might have its own waiver template. It is best to check with the particular college, university or other institution that the student will attend to learn its policy and procedures regarding FERPA. For example, most colleges will err on the side of caution when it comes to releasing a student’s records and other information. The broader goal of the educational institution is to protect the student’s privacy, but it must also comply with the law. This is all part of the higher education experience for both student and parents, and a crucial transition that begins the process of separation. For the student, it is an opportunity to prepare for adulthood by making decisions for herself or himself with the support and assistance of a trained staff and faculty. For parents, while they will remain a powerful and influential force in their children’s lives, it gives them some space to step back a bit and let their offspring leave the nest, stretch their wings and learn to take charge of their lives as they enter its next phase.
Thus, it behooves parents and students to learn sooner rather than later about FERPA and other laws that protect the privacy of education information and how they will affect them. Understanding the intent of the law and why affected education institutions implement policies to enforce it will help to enhance the relationship between parents and student, and parents and institution, and make the higher education experience less stressful and more productive and enjoyable for both student and parents.
Healthcare – HIPAA
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, includes the HIPAA Privacy Rule, which covers the handling of patients’ medical information, as well as the patient’s right to access his or her own medical records. After all, although your doctor conducts examinations, prescribes tests, medications, therapy, procedures and so on, all of the associated information belongs to the patient, who has paid for the services and information, either directly or through insurance that has been purchased.
Any facility where treatment is received, including doctors’ offices, hospitals and other care facilities, must provide the patient with its privacy statement. You can read more about these statements here.
Some highlights of the law include:
- A healthcare provider’s and insurance company’s duty to protect a patient’s private medical records.
- Full disclosure on how a provider or insurer is allowed lawfully to share a patient’s information.
- A patient’s right to obtain her or his medical records, request corrections and file a complaint with the U.S. Department of Health and Human Services.
Those who work for such healthcare services facilities are trained in HIPAA regulations so they can provide timely and accurate information, process requests and enforce this important privacy law. In doing so, workers are also protecting their employers from liability.
Recently, as I was waiting in line at a pharmacy, a pharmacy associate was speaking loudly on the phone to a customer’s insurance company. Everyone in the area could hear the details of the customer’s medication and medical issue. How many times has other personal information of a customer/patient been overheard by other customers waiting to speak to the pharmacist or pick up medications — including the name of the patient, date of birth, phone number, name of prescription, and so on? These patient details are also overheard by other patients in healthcare facilities. These incidents are violations of patient privacy, and it is incumbent on everyone to be careful when having these conversations to ensure that a customer’s or patient’s personal health information is not broadcast to strangers in the area. As well, employees in doctors’ offices, hospitals, pharmacies and other healthcare facilities must be aware of the seemingly innocent ways in which patient privacy can be violated. It’s best to lower one’s voice or speak to the customer/patient in a private area.
Financial Services – GLBA
The Gramm-Leach-Bliley Act (GLBA) of 1999 oversees the ways in which financial institutions handle the private information of individuals and gives eight federal agencies the authority to administer and enforce the Financial Privacy Rule and the Safeguards Rule. There is some evidence, or at least opinion, that like many laws the GLBA privacy piece was prompted at least in part by businesses playing fast and loose with consumers’ personal information for their own financial gain.
Employees of financial services companies are trained in the GLBA law and how to maintain information security and protect from disclosure the non-public personal information (NPPI) of clients, customers, prospective customers and job applicants. NPPI can include names, addresses, telephone numbers, dates of birth, Social Security numbers, income information, account numbers, etc. Such information is restricted to those who need to know to be able to process loans and other financial services for customers or to process job applications, for example.
While working in the financial services industry, I learned some chilling facts, noted in the next section, that need to be more widely publicized and addressed.
Full Names, Birthdays, Zip Codes – Oh, My!
Chilling, indeed, is the ease with which one’s identity can be stolen by simply accessing one’s name, zip code and date of birth. And in some cases, simply a full name and zip code are all that is needed to learn far too much information about an individual. Please remember this the next time you call an online retailer to inquire about a product and are asked for your name and zip code; it is not required that you comply with this request, so my advice is don’t!
And how many times have you been asked for your DOB online when merely asking a question, entering a contest, opening a retail account, etc.? Again, don’t do it. As well, avoid posting your DOB on your Facebook Page and other social media; your family and close friends already know it and casual friends don’t need to know it. Sure, it’s a nice thing to be remembered on your birthday, but we are living in a fishbowl world where we have to make choices to withhold what seems to be a benign piece of information in favor of eliminating one more way in which we can compromise our privacy and identities.
Apropos this issue, I have contacted some of my elected officials and plan to contact others to lobby for the elimination of addresses and birthdates on driver’s licenses. A license number alone can allow law enforcement and other government agencies to access a driver’s complete information. Private sector parties that need to know your address and DOB in order to provide necessary services are those in the three industries covered in this entry: education, healthcare and financial. Department stores, sweepstakes sponsors, media websites, etc., do not need addresses and DOB information. To ascertain if someone is of legal age, the questions “Are you over 21?” or “Are you a legal adult of XYZ State?” should suffice. Your entire DOB or complete address is not their business (in the case of a sweepstakes contest this information should only be required if you win). As for driver’s licenses, states can provide color-coded licenses to identify an adult or minor.
I would love to know how my readers feel about this issue! Please feel free to comment.
“Mum’s” The Word
Once again, it comes down to the individual employee to protect the privacy of consumers, clients, customers, patients and students. Keeping mum as appropriate involves personal integrity, ethics and a moral code. Organizations should value and embrace these qualities in their employees.
Until next time,