What are FERPA, COPPA and HIPAA and why are they important?

Businesses that operate in the United States and collect data on US citizens will need to comply with US privacy laws. While everyone should know about the big names like PCI DSS, there are other compliance regulations you can’t let trip you up and land you and your business in legal hot water, especially considering that they’re not especially hard to implement when given thought.   

When dealing with personal identifiable information (PIIs) and privacy, it’s important that you take into account if your business has to comply with FERPA, COPPA and HIPAA, including their overlaps and differences, and if it is actually complying.  

FERPA 

Family Education Rights and Privacy Act (FERPA) concerns the privacy of student data and is a federal mandate in the US. If your organisation deals with student information, access to that information must be restricted to people who have an educational purpose for accessing it. For example, instructors and administrators whose work specifically relates to a student’s activity.  

Essentially, this aims to prevent people sharing student PIIs without the appropriate approval. If the student is underage, then the parent is responsible for the approval. On the other hand, if the student in question is an adult, then that student is the one with control over approval.  

The consequences of violating FERPA can include: 

• Fines, which can range from just 100 dollars to over 1.5 million depending on the severity. 
• Withdrawal of federal funding, which can really cut the legs out of an organisation. 

Primarily, FERPA compliance is administrative-orientated, focusing on having established rules that make sure reasonable protection methods are being employed in regards to student information and that it isn’t made arbitrarily available to people. For example, academic and administrative computing functions may be kept distinctly separate. 

COPPA 

The Children's Online Privacy Protection Act (COPPA) relates to computing services directed at children under thirteen years old. It’s important for an organisation to know that this is primarily determined by your actual users, where if a lot of children are using a web service or doing general internet activity on an app, it is assumed to be directed at that age group.  

If you’re collecting the PIIs of these users, you fall under COPPA. In regards to educational establishments like schools and their students, COPPA compliance is automatically approved as being in compliance due to overlaps with you complying with FERPA. 

The requirements of COPPA include that your organisation: 

• Publish your policy on privacy so that users and their parents/guardians can see how the data is used. 
• Have parents/guardians’ consent for their child to use the site if their information is being collected. Normally, the responsible adult has to provide some identification, like an ID card and perform a financial transaction to show they’re of legal age.  
• Organisations have to have the parent or guardian’s permission on file to be allowed to collect children’s data, but this approval can be reviewed and even revoked. 
• If you're storing children's information, it must be secure and not treated like public information. 

The thing about COPPA compliance is that it simply requires reasonable procedures. An organisation just needs to ensure things are kept reasonably separate and that privacy is maintained, making it very similar to the approach for FERPA compliance. It’s more orientated on an organisation showing they’re intentionally protecting things in a reasonable manner than the more stringent measures of something like PCI DSS, where it would be expected you’d create completely separate networks and major distinctions. 

In 2019, Google and its subsidiary Youtube were fined 170 million dollars for violating COPPA, showing that organisations need to take this regulation seriously. 

HIPAA 

The strictest of the three, Health Insurance Portability and Accountability Act (HIPAA) is quite rigorous in enforcing privacy and protecting health and patient information. While not as extreme as PCI DSS, which mandates encryption of specific data items and forbids certain data items from being stored, HIPAA is often very specific about what must be protected. 

 Two notable rules in HIPAA of particular interest here are: 

• The privacy rule, which concerns protecting sensitive health information and covers all modalities of information sharing, including talking in the hall among colleagues and electronic data distribution. 
• The security rule, which applies specifically to electronic protected health information. 

There are a number of reasons why maintaining privacy for health information is critical. It’s important to keep people’s sensitive health details confidential and only accessible by relevant parties because: 

• It might get in the way of them getting treatment, like during the HIV/AIDS crisis, where a lot of patients faced discrimination and denial of treatment due having the disease. 
• Patients may not want data shared, and this includes their information being shared between researchers in research datasets gathered from electronic medical records.  
• Leakage of VIPs and celebrities’ PIIs to news sources and gaining unwanted publicity.  
• Phishing, where the information is weaponised to trick victims into letting threat actors infect their computers, gain access to their accounts and/or gain more critical information like financial details. 

Last year, it was discovered that George Floyd's medical records had been accessed by 18 users after a county hospital in Minneapolis reviewed the audit logs from after his death. This was despite the fact that the hospital had taken the additional step of protecting his record by pseudonymisation. Five of the users were found to have legitimate reasons for looking up the records, while the other thirteen were fired for violating HIPAA guidelines. 

In regards to the HIPAA security rule, an organisation needs to: 

• Ensure the CIA (Confidentiality, Integrity and Availability) properties of all your organisation’s electronic sensitive health information.  
• Protect against reasonable threats to the security or integrity of the information, meaning you’ve got to understand what the threat landscape is.  
• Protect against anticipated disclosures, taking steps that include things like logging all the accesses and swapping the name with a pseudonym if needed.  
• Ensure compliance by the workforce, informing them that they only should access to them records that are part of their job otherwise they’re breaking patient confidentiality under HIPAA.  

Safeguards under HIPAA are broken down into three categories:  

• Administrative. 
• Physical.  
• Technical.  

Although, these categories tend to overlap with each other and have technical aspects. Notably, technical safeguards will be the most relevant to Cloud systems. 

HIPAA compared to FERPA and COPPA 

One of the main struggles for an organisation under HIPAA is confidentiality versus availability. You don't have rules allowing emergency access to information under FERPA or COPPA because it isn’t really an environment that often has life-and-death situations crop up like a hospital. 

Both HIPAA errors and delay in getting information can cost lives, which is why there's a lot of flexibility given so people can have easy access to information in the event of an emergency. This means a lot of organisations are forced to rely heavily on ‘trust but verify’, allowing access but logging all of it to detect malpractice and non-compliance from staff, instead of the zero trust method. 

HIPAA also has stronger authentication requirements and cryptographic requirements, while with FERPA and COPPA compliance really just requires customary routine and standard protections. Moreover, while most FERPA errors can be corrected and COPPA disclosures aren’t often as sensitive as the medical records and patient information that fall under HIPAA. 

Securiwiser 

Securiwiser is an excellent cybersecurity detection and monitoring tool that greatly complements an organisation’s aims to meet compliance. 

Securiwiser is able to evaluate the cybersecurity posture of your organisation and your vendors, flagging up vulnerabilities, exploits and exposures in real-time and showing them in an easy-to-read, straightforward dashboard. It can check the security of your network and cloud, if malware is propagating on your network, if there’s security misconfigurations exposing sensitive data, what data already exists out on the internet, and much, much more. 

Give yourself a free scan today.