FERPA & HIPAA Crosswalk

FERPA applies to UW-Madison as a public post-secondary institution and requires UW-Madison to protect the privacy of student education records. Comparing HIPAA with FERPA is not straightforward: both laws are designed to protect individuals' information and to prevent access by anyone without authorization, but unlike HIPAA, FERPA does not prescribe any controls. However, based on the FERPA Data Security Checklist published by the U.S. Department of Education Privacy Technical Assistance Center (PTAC), the controls prescribed by HIPAA and NIST 800-53 also cover the FERPA requirements. As such, the same risk level assigned to ePHI applies to student education records as well.
The crosswalk below lists, for each item of the FERPA PTAC Data Security Checklist, its description, the matching HIPAA requirement, and the corresponding NIST 800-53 control group.

Checklist item: Policy and governance
Description: Develop a comprehensive data governance plan that outlines organizational policies and standards regarding data security and individual privacy protection. The plan should clearly identify staff responsibilities for maintaining data security and empower employees by providing tools they can use to minimize the risks of unauthorized access to PII. Refer to PTAC's Data Governance Checklist for more information.
Matching HIPAA requirement: 45 CFR § 164.316 - Policies and procedures and documentation requirements. A covered entity or business associate must, in accordance with § 164.306:
  (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
NIST 800-53 control group: Planning (PL)

Checklist item: Personnel security
Description: Create an Acceptable Use Policy that outlines appropriate and inappropriate uses of Internet, Intranet, and Extranet systems. Incorporate security policies in job descriptions and specify employee responsibilities associated with maintaining compliance with these policies. Conduct regular checks and trainings to ensure employee understanding of the terms and conditions of their employment. Confirm the trustworthiness of employees through the use of personnel security screenings, policy training, and binding confidentiality agreements.
Matching HIPAA requirement: 45 CFR § 164.308(a)(3)
  (i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
NIST 800-53 control group: Personnel Security (PS)

Checklist item: Physical security
Description: Make computing resources physically unavailable to unauthorized users. This includes securing access to any areas where sensitive data (i.e., data that carry the risk for harm from an unauthorized or inadvertent disclosure) are stored and processed, such as buildings and server rooms. An unlocked server room is an invitation for malicious or accidental damage. Monitor access to these areas to prevent intrusion attempts (e.g., by administering identification badges and requiring staff and visitors to log in prior to entering the premises or accessing the resources).
Matching HIPAA requirement: 45 CFR § 164.310 Physical safeguards. A covered entity or business associate must, in accordance with § 164.306:
  (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
NIST 800-53 control group: PE-3

Checklist item: Network mapping
Description: Network mapping provides critical understanding of the enterprise (servers, routers, etc.) and its connections. Furthermore, network mapping can capture applications and associated data. A robust mapping capability will map the dependencies between applications, data, and network layers, and highlight potential vulnerabilities. There are a number of network mapping tools available.
Matching HIPAA requirement: 45 CFR § 164.312(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
NIST 800-53 control group: Configuration Management (CM)

Checklist item: Inventory of assets
Description: The inventory should include both authorized and unauthorized devices used in your computing environment. These devices are often scanned and discovered by automated programs (continuously searching the internet for vulnerabilities), and if unsecured devices are discovered they can be compromised. Inventorying, when used in conjunction with network mapping, will give your organization a better understanding of the security requirements needed to protect your assets.
Matching HIPAA requirement: 45 CFR § 164.308(a)(1)(ii)(A), § 164.308(a)(8), § 164.310(a)(1)
NIST 800-53 control group: CM-8

Checklist item: Authentication
Description: The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are. Two-factor authentication (2FA) combines two of these elements and is more costly, but provides more security. Consider 2FA for remote users or privileged "superusers." Authentication technologies provide assurance that the person is authorized to access network assets, services, and information.
Matching HIPAA requirement: 45 CFR § 164.308(a)(4)(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
  45 CFR § 164.312(a)(2)(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
  45 CFR § 164.312(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
NIST 800-53 control group: IA-2

Checklist item: Provide a layered defense
Description: Employ a "Defense in Depth" architecture that uses a wide spectrum of tools arrayed in a complementary fashion. The most common layers to protect are hosts (individual computers), application, network, and perimeter. There are specific security controls that are suited for use at each of these layers. Relying on a firewall alone to protect your network is never adequate.
Matching HIPAA requirement: 45 CFR § 164.312(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
  (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
NIST 800-53 control group: PM-8

Checklist item: Secure configurations
Description: It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security. Continuous scanning to ensure system components remain in a secure state is a critical capability that will enhance data security protection. Proactive management of security risks also involves establishing a comprehensive change management program to analyze and address security and privacy risks introduced by new technology or business processes.
Matching HIPAA requirement: 45 CFR § 164.308(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
NIST 800-53 control group: CM-6

Checklist item: Access control
Description: Securing data access includes requiring strong passwords and multiple levels of user authentication, setting limits on the length of data access (e.g., locking access after the session timeout), limiting logical access to sensitive data and resources, and limiting administrative privileges. Role-based access is essential for protecting PII and sensitive data; defining specified roles and privileges for users is a required security procedure. Sensitive data that few personnel have access to should not be stored on the same server as other types of data used by more personnel without additional protections for the data (e.g., encryption).
Matching HIPAA requirement: 45 CFR § 164.312(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
NIST 800-53 control group: AC-1, AC-2, AC-3, AC-6

Checklist item: Firewalls and Intrusion Detection/Prevention Systems (IDPS)
Description: A firewall is a device designed to permit or deny network transmissions based upon a set of rules. Firewalls are frequently used to protect networks from unauthorized access, while permitting legitimate communications to pass. An IDPS is a monitoring device that is designed to detect malicious activity on the network. Although some automatically take remediation action, most report suspicious activity to a central monitoring point for further analysis.
Matching HIPAA requirement: 45 CFR § 164.312(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
NIST 800-53 control group: SC-7

Checklist item: Automated vulnerability scanning
Description: When new vulnerabilities (to hardware, operating systems, applications, and other network devices) are discovered, hackers immediately scan networks for these vulnerabilities. Scanning your network and systems on a regular basis will minimize the time of exposure to known vulnerabilities.
Matching HIPAA requirement: 45 CFR § 164.308(a)(5)(ii)(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
NIST 800-53 control group: RA-5

Checklist item: Patch management
Description: Patch management is the process of using a strategy and plan for the testing and rollout of software updates and patches on a regular basis. The plan should address how patches will be applied to which systems at a specified time. A patch is a piece of code that protects computers and applications by updating the security state against new threats or vulnerabilities. Used in conjunction with vulnerability scanning, the enterprise can quickly shut down any vulnerability discovered.
Matching HIPAA requirement: 45 CFR § 164.308(a)(5)(ii)(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
NIST 800-53 control group: SI-2

Checklist item: Shut down unnecessary services
Description: Each port, protocol, or service is a potential avenue for ingress into your enterprise. A best practice, which should be part of a secure configuration, is to shut down all services and ports that are not required in your computing environment. A secure enterprise will continually monitor for the use of unapproved ports, protocols, or services.
Matching HIPAA requirement: 45 CFR § 164.308(a)(5)(ii)(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
NIST 800-53 control group: SI-4

Checklist item: Mobile devices
Description: When sensitive data are stored on servers or on mobile devices, such as laptops or smartphones, the data should be encrypted. There are far too many examples of mobile devices being lost or stolen and the subsequent exposure of the sensitive information stored on those devices in the public domain.
Matching HIPAA requirement: 45 CFR § 164.312(a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
  45 CFR § 164.312(e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
NIST 800-53 control group: AC-19

Checklist item: Emailing confidential data
Description: Consider the sensitivity level of the data to be sent over email. Emailing unprotected PII or sensitive data poses a high security risk. It is recommended that organizations use alternative practices to protect transmissions of these data. These practices include mailing paper copies via secure carrier, de-sensitizing data before transmission, and applying technical solutions for transferring files electronically (e.g., encrypting data files and/or encrypting the email transmissions themselves).
Matching HIPAA requirement: 45 CFR § 164.312(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
NIST 800-53 control group: AT-2

Checklist item: Incident handling
Description: When an incident does occur, it is critical to have a process in place to both contain and fix the problem. Procedures for users, security personnel, and managers need to be established to define the appropriate roles and actions. Outside experts may be required to do a forensic investigation of the incident, but having the correct procedures in place initially will minimize the impact and damage.
Matching HIPAA requirement: 45 CFR § 164.308(a)(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
NIST 800-53 control group: IR-4

Checklist item: Audit and compliance monitoring
Description: Audits are used to provide an independent assessment of your data protection capabilities and procedures and should be performed periodically. Auditors that are familiar with Family Educational Rights and Privacy Act statutory and regulatory requirements can further assist you in determining whether your systems are in compliance.
Matching HIPAA requirement: 45 CFR § 164.308(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
NIST 800-53 control group: CA-2
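The "Shut down unnecessary services" (SI-4) and "Inventory of assets" (CM-8) rows both call for continuously checking which ports and services a host actually exposes against what has been approved. The script below is an added example written for this crosswalk; it is not part of PTAC's checklist, HIPAA, or NIST 800-53. It parses the output of the Linux `ss -Hltn` / `ss -Hlun` commands (iproute2) and reports every listening socket whose port is not on an approved list for the host's role. The approved-port list, the "web server" role, and the sample `ss` output are all constructed assumptions of the example.

```python
"""Allow-list check for listening network services (added example)."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of `ss -Hltn` output (listening TCP sockets, numeric
# ports, no header). Columns: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      50           0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
"""

# Hypothetical approved services for a "web server" host role (assumption):
# SSH for administration and HTTPS for the application, nothing else.
APPROVED: Dict[str, Set[int]] = {"tcp": {22, 443}, "udp": set()}

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # local bind address exactly as ss prints it
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when the socket is reachable only from the host itself."""
        return self.addr in LOOPBACK


def parse_ss(output: str, proto: str = "tcp") -> List[Listener]:
    """Parse `ss -l` style output into Listener records.

    Header lines and non-listening entries are skipped; TCP listeners are
    in state LISTEN, bound UDP sockets show as UNCONN.
    """
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("LISTEN", "UNCONN"):
            continue
        # Local address is the 4th column; split on the last ':' so that
        # bracketed IPv6 addresses such as [::]:22 are handled correctly.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # service name instead of a number; `-n` prevents this
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unapproved(listeners: List[Listener],
               approved: Dict[str, Set[int]],
               ignore_loopback: bool = True) -> List[Listener]:
    """Return listeners whose port is not approved for their protocol.

    Loopback-only sockets are skipped by default: they are not reachable
    from the network, although they still belong in the asset inventory.
    """
    findings: List[Listener] = []
    for lst in listeners:
        if ignore_loopback and lst.loopback_only:
            continue
        if lst.port not in approved.get(lst.proto, set()):
            findings.append(lst)
    return findings


def live_listeners() -> List[Listener]:
    """Collect the real listeners of the local host (Linux, iproute2 `ss`)."""
    tcp = subprocess.run(["ss", "-Hltn"], capture_output=True,
                         text=True, check=True).stdout
    udp = subprocess.run(["ss", "-Hlun"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ss(tcp, "tcp") + parse_ss(udp, "udp")


if __name__ == "__main__":
    # Runs against the constructed sample; use live_listeners() on a real host.
    for finding in unapproved(parse_ss(SAMPLE_SS_OUTPUT), APPROVED):
        print(f"UNAPPROVED {finding.proto}/{finding.port} "
              f"bound on {finding.addr}")
```

On the constructed sample the only finding is TCP 8080 on 0.0.0.0: port 22 and 443 are approved, and the PostgreSQL (5432) and CUPS (631) sockets are bound to loopback only, so they are excluded from the network-exposure finding but would still be listed in the inventory. Running the check from a scheduled job and alerting on a non-empty result is the "continual monitoring" the SI-4 row describes; pass `ignore_loopback=False` when the approved list is meant to govern every bound socket, not only the network-reachable ones.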