Why do we need to send email securely?
HDESD programs collect and share data that is protected by FERPA, e.g., student records in migrant education programs (and less often, but still important, HIPAA, e.g., patient records in EI/ECSE). If you have questions about which law governs your program’s data security, please contact your program manager, the CIO, or the legal services team.
- Please watch this short video on Email and Student Privacy created by the USDOE Privacy Technical Assistance Center for a practical introduction.
- Both FERPA and HIPAA include security considerations when sharing Personally Identifiable Information (PII) in electronic format.
- In addition, for HIPAA compliance, email containing Protected Health Information must be sent using secure email. (source: HHS)
- What is Personally Identifiable Information (PII)? Personally identifiable information for education records is a FERPA term referring to identifiable information that is maintained in education records and includes direct identifiers, such as a student’s name or identification number, indirect identifiers, such as a student’s date of birth, or other information which can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information. (source: PTAC)
- What is PHI (Protected Health Information)? Protected Health Information (or “individually identifiable health information”) is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers, e.g. name, address, birth date, Social Security Number. (source: HHS)
How do we share information securely via email?
Federal guidance and general information security practices in 2020 encourage us to think first before sending personally identifiable information via email. When practical, we recommend developing program standards for identifying students without PII in email. For example, the CORP and Evaluation teams use student and therapist (or teacher) initials together to communicate easily in email and shared docs. When you need to share a greater level of detail via email, please use HDESD ownCloud. You can see specific instructions and screenshots here.