Federal agencies require that institutions establish an Information Security Program which is defined as the administrative, technical, or physical safeguards used to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle constituent information.
FTC Requirements
As a participant in Student Financial Aid programs, Spring Arbor University (SAU) is subject to the information security requirements established by the Federal Trade Commission (FTC) for financial institutions as established in FTC regulations: 16 CFR 313.3(n) and 16 CFR 314.1–5 Gramm-Leach-Bliley Act: Sections 501 and 505(b)(2) U.S. Code: 15 USC 6801(b), 6805(b)(2).
HIPAA
As an institution, SAU is required to abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. It requires we abide by Security Rule located at 45 CFR Part 160 and Subparts A and C of Part 164 and the Privacy Rule located at 45 CFR Part 160 and Subparts A and E of Part 164.
FERPA
Additionally, SAU is subject to the Family Educational Rights and Privacy Act (FERPA) of 1974 for the protection and privacy of education records, the right of students to inspect and review their education records, and the guidelines for the correction of inaccurate or misleading data through informal and formal hearings. FERPA permits the University to release, without student consent, directory information. Directory information includes the student’s name, address (including email), telephone number, date and place of birth, major field of study, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most previous educational agency or institution attended.