MARSHALL UNIVERSITY BOARD OF GOVERNORS

Policy No. GA-___

PRIVACY POLICY

1 General Information.

1.3 Scope: Policy regarding the safeguarding and implementation of measures to address privacy issues and to promote compliance with the requirements of West Virginia state law and the federal privacy regulations including the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability Accountability Act (HIPAA).

1.4 Authority: W. Va. Code

1.5 Passage Date:

1.6 Effective Date: Upon passage

2 Policy

2.3 The university is committed to the best practices concerning student, patient and employee privacy. To the extent permissible by law, the university will safeguard the generation, collection, use, storage, disposal and disclosure of protected personal information.

2.4 Provided that, nothing herein shall prohibit the University from disclosing information in the course of investigations and lawsuits, in response to subpoenas or requests under the West Virginia Freedom of Information Act (FOIA), for the proper functioning of the of the University, to protect the safety and well-being of the individuals or the community, and as permitted or required by law.

3 Family Educational and Privacy Act (FERPA)

3.1 The Family Educational Rights and Privacy Act (FERPA) of 1974, as amended, provides students with certain rights with respect to their educational records. These rights include:

3.1.1 The right to inspect and review the student’s education records within 45 days of the day the University receives a request for access.

3.1.2 The right to request the amendment of the student’s education records that the student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

3.1.3 The right to provide written consent before the University discloses personally indentifiable information from the student’s education records, except to the extent FERPA authorized disclosure without consent.

3.1.4 The right to file a complaint with the U.S. Department of Education concerning alleged failures by the University to comply with the requirements of FERPA.

3.1.5 The University has defined the following as “Directory Information” or public information which may be released without written consent, unless the student has refused disclosure: name, address, email address, telephone numbers (permanent and campus), date and place of birth, major field of study, dates of attendance, degree, and honors and awards received and classification.

3.1.6 Students requesting that their “Directory Information” not be disclosed are excluded from Dean’s list announcements made available to hometown and other media. Some “Directory Information” (e.g. student names, honors, college, etc.) is normally disclosed in graduation programs and lists distributed to hometown newspapers and other media. A separate refusal (as part of the application for graduation) is required to suppress this disclosure.

4 Deceased Students

4.1 A student’s FERPA rights cease upon death. Within the first year following the death of a student, the educational records of a deceased student may be disclosed, upon written request, to a spouse, parent, legal guardian, an executor of the estate or pursuant to a court order or a subpoena.

4.2 The person making the request must provide the following information in a signed written request:

4.2.1 Students’ name.

4.2.2 Copy of the Death Certificate or Letters of Administration.

4.2.3 Name, Address, telephone number of person making the request.

4.2.4 Evidence that the requestor is qualified to receive the records based upon the above criteria.

4.2.5 Signature.

4.2.6 Date of the request.

4.3 After one year has elapsed following the death of a student, the University may release the educational records of the student at its discretion or as required by law.

5 Health Care Portability And Accountability Act of 1996 (HIPAA)

5.1 Marshall University is a hybrid entity as defined in the HIPAA regulations. As a hybrid entity, some organizations within the University may be providers of health care services, while other organizations are not. Therefore, your specific rights under HIPAA will be defined by the organization within the University as it relates to your medical records or health information.

5.2 In all cases, however, the University requires the “minimum necessary” standard as described in HIPAA to be applied to safeguard the privacy of individuals. The minimum necessary standard stipulates that the amount of individually identifiable health information used, obtained, or disclosed to others is restricted to the minimum amount necessary to achieve the specific purpose of the use, request or disclosure.

6 Limitations on Release of Certain Personal Information (W. Va. Code §5A-8-21&22)

6.1 The following personal information maintained by the University of its officers, employees, retirees or the legal dependents thereof is hereby deemed to be confidential and exempt from disclosure to non-governmental entities in documents otherwise subject to the West Virginia Freedom of Information Act (FOIA):

6.1.1 An individual’s home address;

6.1.2 An individual’s social security number;

6.1.3 An individual’s credit or debit card number;

6.1.4 An individual’s driver’s license number; and

6.1.5 An individual’s marital status or maiden name.

6.2 The following information maintained by the University with respect to individuals and their dependents, is personal information exempted from disclosure from the Freedom of Information Act (FOIA) and may not be released to non-governmental entities:

6.2.1 An individual’s social security number; or

6.2.2 An individual’s credit or debit card number.

6.3 Notwithstanding the provisions of section 6, the information enumerated in said section may be released for such purposes as are authorized by federal or state law, FERPA, or regulation.

7 Violations

7.1 Anyone found to have violated this policy will be subject to the appropriate disciplinary process.

8 Applicable Laws

8.1 The Family Educational Rights and Privacy Act of 1974 (FERPA) 20 U.S.C. § 1232g; 34 C.F.R. §99.1 et. seq.

8.2 Health Insurance Portability and Accountability Act of 1996 (HIPAA)

8.3 West Virginia Code § 5A-8-21 &22

MUBOG GA- Privacy Policy 2/3