01.D.06 – Protection of Confidential Information
Section: General Administration
Area: Legal Affairs
1. PURPOSE AND SCOPE
It is the policy of the University of Houston System (the "System") to ensure that there are guidelines, safeguards, and controls in place to effectively manage and protect confidential information in accordance with applicable laws, regulations, and best practices. Such confidential information includes, but is not limited to, social security numbers, educational records as defined by the Family Educational Rights and Privacy Act ("FERPA"), health care information as defined by the Health Insurance Portability and Accountability Act ("HIPAA") and other applicable law, and customer information as defined by the Gramm-Leach-Bliley Act ("GLB Act").
2.1. Each university shall appoint its own Privacy Coordinator who will be responsible for the university's compliance with the guidelines issued by the General Counsel as described in Sections 2.2 and 2.3. The Privacy Coordinator for each university will also provide training, in consultation with the General Counsel, as well as report to the General Counsel any known or suspected instances of non-compliance with the General Counsel's guidelines. At the end of each fiscal year, the Privacy Coordinator for each university will submit a report to the General Counsel detailing the training that has been provided to the university during the fiscal year, any instances of non-compliance during the fiscal year, and the actions taken in response to any instances of non-compliance.
2.2. The General Counsel will issue guidelines with regard to the use of social security numbers, educational records, health care information, customer information, and other confidential information, as well as appropriate steps to follow in the event of a suspected security incident/breach involving sensitive personal information as required by applicable law. These guidelines will be posted on the web site for the UHS Office of the General Counsel. In addition to issuing guidelines, the General Counsel will provide legal advice as requested in relation to the applicable laws and regulations governing the protection of confidential information.
2.3. The guidelines will be issued by the General Counsel to help each university ensure that:
a. The release, use, display, transmission, and retention of social security numbers are only allowed if permitted by law.
b. Information that is considered an educational record (as defined by FERPA) will only be disclosed to someone other than an "eligible student" or an "eligible parent" with the consent of the student or as otherwise authorized by law.
c. The use, receipt, or transmission of an individual's health care information (as defined by HIPAA and other applicable law) is allowed only as permitted by law.
d. Customer information (as defined by the GLB Act), including financial information, which is collected or maintained, will be safeguarded as required by law.
e. Appropriate steps are taken by the universities consistent with applicable law in the event of a suspected security incident/breach involving sensitive personal information.
f. The use and/or release of any other information determined by the General Counsel to be confidential is allowed only as required by and consistent with applicable law.
2.4. No person having access to confidential information shall disclose confidential information in any manner contrary to applicable law and/or the guidelines issued by the General Counsel. Any such disclosure of confidential information, whether intentional or unintentional, could subject the person to disciplinary action, up to and including termination.
2.5. It is the responsibility of each university of the System and its employees to adhere to the guidelines that are issued by the General Counsel.
2.6. The General Counsel will revise its guidelines whenever necessary to conform to changes in applicable law or regulations.
Last Reviewed/Revised: 01/24/2023
Responsible Office(s): Legal Affairs