Privacy and Security Compliance 2043

I. PURPOSE

To ensure Longwood University is in compliance with Federal and State regulations governing privacy and security including, but not limited to, the Gramm-Leach-Bliley Act (GLBA), the Family Education Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA).

II. DEFINITIONS

  1. Information Privacy and Security: The manner in which the University protects its constituents' personal information from unauthorized access or use. Privacy addresses who the University allows to access the information; security addresses how the University physically protects the information regardless of its format (i.e. electronic or paper).
  2. Constituents' Personal Information: Any personal information gathered about any constituent of the University including, but not limited to, students, parents, faculty, and staff.
  3. Gramm-Leach-Bliley Act (GLBA): Administered by the Federal Trade Commission (FTC); requires financial institutions such as Longwood University to establish policies and procedures for the privacy and safeguarding of constituent financial information. The FTC has ruled that higher education institutions complying with the Family Education Rights and Privacy Act (FERPA) satisfy the privacy component of GLBA, but not the safeguarding component. The safeguarding component of GLBA requires a written constituent information security plan addressing specific key components.
  4. Family Education Rights and Privacy Act (FERPA): A Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a post-secondary institution. Students to whom the rights have transferred are "eligible students."
  5. Health Insurance Portability and Accountability Act, Privacy and Security Rules (HIPAA): These rules deal mainly with personal health information (PHI) and ensuring its privacy and security during transmission as well as storage in electronic form. While Longwood University currently does not transmit PHI to other entities electronically, there are some components of HIPAA that affect the University and the sharing of information that fall under the definition of PHI. There are also specific departments that deal with PHI as a part of their duties and they are required to implement more detailed procedures to ensure the privacy and security of any health records they maintain. The Virginia Department of Human Resource Management Office of Health Benefits Programs acts as the coordinating agency for statewide HIPAA compliance and provides policy and guidance to all state agencies on the act. Longwood University is responsible for ensuring its members understand and comply with these regulations.

III. POLICY

It shall be the policy of Longwood University to comply with applicable Federal and State regulations governing the privacy and security of constituents' personal information through the creation of appropriate policies and procedures and education and training of faculty and staff.

  1. Responsible Party: The President's Office is responsible for overseeing the Privacy and Security Compliance Policy. The President will designate a committee consisting of representatives from those areas defined as responsible for compliance with privacy and security regulations. The committee will serve as the responsible party for ensuring that the University has identified and is in compliance with all applicable Federal, State and University regulations governing the privacy and security of constituent information.
  2. No Third-Party Rights: While this policy/program is intended to promote the security of information, it does not create any consumer, constituent, or other third-party rights or remedies, or establish or increase any standards of care that would otherwise not be applicable.
  3. References: The following policies and guidelines supplement and help to create a comprehensive information privacy and security plan. Referring to and adhering to these documents is imperative to the overall protection of constituent information. These documents are incorporated by reference into the plan. (HTML links will be included when created)
    1. Customer Information Security Program
    2. Student Records and Annual Notification
    3. Health Insurance Portability and Accountability Act Privacy Policy
    4. IT Policies

Approved by the Board of Visitors, June 17, 2004.