Confidentiality and Information Security
Computing Resources, Network, Website and Email Use Policy
Washington and Lee University provides computing and network resources to its students primarily for educational purposes and to its faculty and staff primarily for work purposes. The University may provide access to other users at its discretion. Use of the University’s computing and network resources is a privilege. All users are expected to exercise personal and professional responsibility and integrity when using these resources.
Confidentiality Policy
Increasingly, confidential information about employees, students and others resides in W&L’s information and business systems to assist with overall operations. Laws and regulations dealing with information and data privacy and security obligate employers and institutions of higher education to take affirmative steps to safeguard confidential information and deal with the risks of information security and privacy breaches proactively. The purpose of this policy is to inform employees, student workers, and volunteers of their duty to protect and safeguard all confidential information acquired during the course of employment or service to Washington and Lee University. This policy applies to all faculty and staff employees, student workers, and volunteers of Washington and Lee University.
eCommerce Policy and Practices
This policy provides direction on handling payment card and cardholder data at Washington and Lee University (“WLU”). Electronic commerce provides an expedient way to handle business transactions; however, credit card industry regulations and general best practices require certain reasonable steps designed to protect the personal information and privacy of those who submit credit card information to the university. This policy applies to all departments, individuals, and organizations (as well as third parties, as particular subsections may be applicable) involved in the storing, processing, transmitting, or receiving of payment card or cardholder data at WLU.
FERPA - Student Education Records Policy
The Family Educational Rights and Privacy Act of 1974, as amended, (“the Act,” commonly referred to as “FERPA” or the “Buckley Amendment”) is designed to protect the confidentiality of the records that educational institutions maintain on their students and to give students access to their records to assure the accuracy of their contents. The purposes of W&L’s Student Education Records Policy are: to inform students of their rights under the Act; to inform employees, student workers, third-party contractors, and volunteers of Washington and Lee’s responsibilities under the Act; and to describe the circumstances under which the university may disclose student education records. This policy applies to all “education records” of W&L “students” as those two terms are defined within this policy. All faculty and staff employees, student workers, third-party contractors, and volunteers of W&L are expected to comply with this policy.
Financial Information Security
It is the policy of the University to comply, and to require its employees, student workers, volunteers, and other agents to comply, with all applicable federal, state, and local laws and regulations, as well as University policies and procedures, governing information security, confidentiality, and privacy. The Program incorporates, voluntarily and by reference, existing University or department policies and procedures that address the security and confidentiality of data encompassed by the definition of “covered data and information” below, and is in addition to any University or department policies and procedures required under other federal and state laws and regulations. This policy applies to all employees of Washington and Lee University.
Statement on Designation as a Hybrid Entity under HIPAA Regulations
The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations apply to individuals and organizations designated in the law/regulations as covered entities. These covered entities include: (1) group health plans; (2) health care providers who conduct certain transactions electronically, including but not limited to transmission of health care claims, health care payments, enrollment in a health plan, and referral authorizations; and (3) health care clearinghouses. Although Washington and Lee University (W&L) does not primarily engage in any of these activities, some units within the University may perform functions that bring them within the definition of a covered health care provider under HIPAA.
Organizations such as W&L that have both covered entity departments and non-covered entity departments may choose to be designated as hybrid entities. In this case, W&L must designate and include in its HIPAA “health care component” those departments of the University that would meet the definition of a covered entity if they were separate legal entities. In this case, although W&L as a hybrid entity remains responsible for oversight, compliance, and enforcement obligations, the HIPAA requirements apply only to the health care component.
Notice of Washington and Lee University Health Benefit Plan Privacy and Security Practices
The health privacy provisions contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the related regulations (“Privacy Rule” and “Security Rule”) impose certain legal obligations on the Washington and Lee University Health Benefit Plan (employee medical, dental, flexible spending account, and employee assistance plan benefits and retiree health benefits). The obligations include maintaining the privacy of health information, notifying plan participants and beneficiaries about their legal rights and the Plan’s legal duties, policies and practices to protect the confidentiality of their protected health information, and abiding by the terms of this Notice and Plan policies and practices. This document is intended to satisfy HIPAA’s Privacy Notice requirement, as well as its privacy policy/procedures requirement, with respect to all protected health information created, received, or maintained by the Washington and Lee University Health Benefit Plan (“the Plan”), as sponsored by Washington and Lee University (“the Plan Sponsor”). This document is also intended to notify plan participants and beneficiaries of the identity of the Plan’s Security Official responsible for overseeing the Plan’s compliance with HIPAA Security Standards.
The Plan needs to create, receive, and maintain records that contain certain health information about you in order to administer the Plan and provide you with health care benefits. The Plan collects this health information, which identifies you, from various sources, which could include applications and other forms that you complete, conversations you may have with the Plan’s administrative staff and health care providers, and from reports and data provided to the Plan by health care service providers or other employee benefit plans. This health information includes, among other things, your name, address, phone number, birth date, social security number, employment information, and enrollment and claims information. This Notice describes the Plan’s health information privacy policy and practices with respect to your medical, dental, flexible spending account, and employee assistance plan benefits, and retiree health benefits. The Notice tells you the ways the Plan may use and disclose protected health information about you, describes your rights, and the obligations the Plan has regarding the use and disclosure of your protected health information.
Information Security Program
This policy serves to identify relevant individual policies and programs in a single policy document that addresses information security at Washington and Lee University.