Data Privacy Laws

Dartmouth employees have obligations to maintain privacy and security of personal information. Either or both of the following data privacy laws may apply to your work here at Dartmouth.

Family Educational Rights and Privacy ACT (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)

Family Educational Rights and Privacy Act (FERPA)

• Protects student education records, including grades, transcripts, class schedules, social security/national identity numbers, account balances, or any other information that can be connected to an individual student
• Student rights under FERPA
  • Student must be notified of their rights, including the right to review their education records and seek amendments to them
  • Students can prevent unauthorized disclosure of their records
  • In case of a FERPA violation, students have the right to complain to the U.S. Department of Education
  • Students can waive these rights in writing
• Steps to protect education records
  • Any transmissions to collect student data must be automated
    • Students should be cautioned against transmitting sensitive data (account numbers, etc.) via email or pop-up message
  • Do not share any student information with a faculty or staff member unless you have legitimate educational reasons and/or job responsibilities to do so.
  • Parents’ rights to education records transfer to the student once the student turns 18. Therefore, in most cases, you cannot transfer student records to a parent, guardian, or spouse of a student.
    • However, students can provide written/electronic authorization to disclose their records to a designee
  • If you receive a request to disclose student information but do not have authorization from the student, refer the request to the information security team
• Conditions where FERPA allows student information to be released without student consent
  • School officials with a legitimate educational interest
  • Schools to which a student is transferred
  • Specialized officials for audit, evaluation, enforcement, or compliance purposes
  • In connection with student’s financial aid, health, and safety
  • Studies conducted for or on behalf of the school
  • Accrediting organizations
  • Judicial orders/subpoenas
  • State and local authorities
• Directory information can be disclosed without a student’s consent unless a student has requested confidentiality. 
  • Directory information includes:
    • Dates of attendance
    • Honors and degrees
    • Email address
    • Student name
  • Directory information does NOT include
    • Religion
    • Citizenship
    • Grades
    • Gender
    • Race

Health Insurance Portability and Accountability Act (HIPAA)

• Governs use, transfer, and disclosure of health-related information
• ​​​​​​​Protection of protected health information (PHI)
  • Any piece of individual health info that can identify an individual, including a person’s medical record, street address, or telephone number
• Under the Breach Notification Rule, when there is a PHI data breach, we must notify affected individuals, the Secretary of the U.S. Department of Health & Services, and in certain cases, the media
• When handling PHI:
  • Only share patient data with authorized personnel on a “need to know” basis
  • Any use or disclosure of PHI not for direct care or treatment must be approved by the individual through written authorization 
• Minimal necessary use and disclosure
  • Central principle of HIPAA
  • Must make efforts to only use, disclose, and request the minimum amount of PHI data that is necessary for business purposes
• Dartmouth must remain compliant with all industry and regulatory requirements in relation to patiently privacy and safety

Any loss or compromise of FERPA or HIPAA data must be reported immediately to the information security team!