FERPA
Comparison of eight Governance Risk Control (GRC) Regulatory Compliances
Comparison of eight Governance Risk Control (GRC) regulatory compliances: the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive (EUDPD), the AICPA Generally Accepted Privacy Principles (GAPP), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27002 Code of Practice for Information Security Management, COBIT, the Sarbanes-Oxley Act of 2002 (SOX), and the Gramm-Leach-Bliley Act (GLBA).
1. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes among its components privacy and security rules for the handling of personal and medical information within the health care industry. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI); they grew out of efforts to streamline the U.S. health care system and mandate the standardization of electronic transactions, code sets, and identifiers. The privacy and security rules under this act are detailed and prescriptive. Although the regulation focuses on organizations in the U.S. health care industry, it can extend to other organizations that engage in certain activities, such as managing employee group health plans or providing services to organizations that the regulation directly affects. If your organization is in the United States and maintains a health plan for its employees, HIPAA most likely applies to the information collected and stored for that plan. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) enforces HIPAA regulations.
Comparison between FERPA and HIPAA Compliance
The Federal Family Educational Rights and Privacy Act ("FERPA") provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for "education records" maintained by federally funded educational agencies or institutions (either private or public) or by persons acting for these agencies or institutions.
The privacy regulations under the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA privacy regulations") contain a specific exemption for "education records" covered by FERPA. In fact, the HIPAA privacy regulations specifically exclude from the definition of "protected health information" any individually identifiable health information defined under FERPA as "education records" (see 45 CFR Part 164.501). The HIPAA privacy regulations also do not apply to certain records that are exempt from FERPA requirements. These are records: