Privacy & Information Security statutes (Topic ID 44)
Columns: Item ID; Topic; Statute Name; Statutes (with Statute IDs); Regulations; Statutory Summary; Reporting Requirements; Deadlines; Additional Resources; Sortable Month; Last Updated.
Last Updated: January 26, 2014 and February 19, 2019 (the page carries the same table twice, once under each date, with identical statutory content).

Item ID: 2026
Topic: Privacy & Information Security
Statute Name: Americans with Disabilities Act of 1990
Statutes: 42 U.S.C. §§ 12101-12213 (Statute ID 1701)
Regulations: 28 C.F.R. §§ 36.101-36.104; 29 C.F.R. § 1640
Statutory Summary: The ADA imposes strict confidentiality requirements on medical information related to employees' disabilities. Enforced by multiple federal agencies, including the Department of Justice, the Department of Labor, and the EEOC.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline

Item ID: 1949
Topic: Privacy & Information Security
Statute Name: Children's Online Privacy Protection Act of 1998 (COPPA)
Statutes: 15 U.S.C. § 6501 (Statute ID 1580)
Regulations: 16 C.F.R. 312
Statutory Summary: Regulates the collection, use, and protection of personal information from children under 13 via websites or online services. Commercial websites and online services that are directed to children and collect personal information from them must, among other requirements: 1) provide notice on the website of what information is collected, how it is used, and the operator's disclosure practices; 2) respond to parental requests for that information; and 3) maintain procedures to protect the confidentiality, security, and integrity of the personal information collected.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline

Item ID: 1950
Topic: Privacy & Information Security
Statute Name: Electronic Communications Privacy Act
Statutes: 18 U.S.C. §§ 2510-2522 (Wiretap); 18 U.S.C. §§ 2701-2711 (Stored Communications) (Statute IDs 1601, 1602)
Statutory Summary: The ECPA, as amended, protects wire, oral, and electronic communications while they are being made, while they are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline

Item ID: 2028
Topic: Privacy & Information Security
Statute Name: Fair Credit Reporting Act (FCRA)
Statutes: 15 U.S.C. §§ 1681-1681x (Statute ID 1593)
Regulations: 16 C.F.R. § 600
Statutory Summary: Before obtaining a consumer report (including a criminal background check), an employer must first disclose in writing to the applicant or employee that it may obtain a consumer report for employment purposes, and second, secure the written consent of the applicant or employee. Note that when a third-party consumer reporting agency is used to request motor vehicle record checks for employment purposes, the FCRA should be followed and notice given to the applicant or employee.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline

Item ID: 2027
Topic: Privacy & Information Security
Statute Name: Fair and Accurate Credit Transaction Act (FACTA)
Statutes: Public Law No. 108-159 (Statute ID 1758)
Regulations: 16 C.F.R. § 681
Statutory Summary: Amends the Fair Credit Reporting Act. Establishes requirements for maintaining information privacy, accuracy, and disposal. Limits the ways consumer information can be shared.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline

Item ID: 2029
Topic: Privacy & Information Security
Statute Name: Family Educational Rights and Privacy Act (FERPA)
Statutes: 20 U.S.C. § 1232g (Statute ID 1625)
Regulations: 34 C.F.R. § 99
Statutory Summary: The University must give students the right to inspect their education records and must obtain written consent before releasing the records to anyone other than school officials or authorized government personnel, or in connection with financial aid, in an emergency, or for other specifically allowed purposes.
Reporting Requirements: 20 U.S.C. § 1232g(e); 34 C.F.R. § 99.7; and 20 U.S.C. § 1092(a): Each educational agency or institution shall annually notify students currently in attendance of their rights under FERPA. Notification concurrent with fall registration is suggested, since the student needs to be told what information the institution has designated as directory information and of the opportunity to place a hold on release of directory information.
Additional Resources: Privacy / Student Records
Sortable Month: 13-Multiple Deadlines

Item ID: 1951
Topic: Privacy & Information Security
Statute Name: Federal Information Security Management Act (FISMA)
Statutes: 44 U.S.C. § 35 (Statute ID 1716)
Statutory Summary: The Act, applicable to federal agencies, also covers the University as a federal contractor where it holds federal data pursuant to federally funded research. The Act requires that the University: 1) implement security programs and policies; 2) assess risk; and 3) periodically test controls.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline

Item ID: 1952
Topic: Privacy & Information Security
Statute Name: Freedom of Information Act
Statutes: 5 U.S.C. § 552 (Statute ID 1726)
Statutory Summary: Provides a process by which any person may request access to a public college or university's records or information.
Deadlines: Not Applicable
Additional Resources: Information Technology
Sortable Month: 14-No Deadline

Item ID: 2030
Topic: Privacy & Information Security
Statute Name: Gramm Leach Bliley Act (GLBA)
Statutes: 15 U.S.C. § 6801 (Statute ID 1587)
Regulations: 17 C.F.R. § 248; 16 C.F.R. § 314
Statutory Summary: Governs the collection, disclosure, and protection of consumers' personal information and personally identifiable information. Requires institutions that offer consumers financial products or services, such as loans, financial or investment advice, or insurance, to explain their information-sharing practices to their customers and to safeguard sensitive data.
Reporting Requirements: Requires financial institutions to provide consumers with privacy notices when the customer relationship is established (e.g., at the beginning of a loan) and annually thereafter.
Additional Resources: Privacy / Student Records
Sortable Month: 13-Multiple Deadlines

Item ID: 2032
Topic: Privacy & Information Security
Statute Name: HIPAA
Statutes: Public Law No. 104-191 (Statute ID 1746)
Regulations: 45 C.F.R. § 160; 45 C.F.R. § 164
Statutory Summary: Establishes national standards to protect individuals' medical records and other personal health information. Requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. Gives patients the right to examine and obtain a copy of their health records and to request corrections.
Reporting Requirements: Health plans must provide a Notice of Privacy Practices to enrollees at least once every three years and whenever the notice changes.
Additional Resources: Privacy / Student Records
Sortable Month: 13-Multiple Deadlines

Item ID: 2031
Topic: Privacy & Information Security
Statute Name: Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
Statutes: Public Law No. 111-5 (Statute ID 1774)
Regulations: 45 C.F.R. § 160; 45 C.F.R. § 164
Statutory Summary: HITECH broadens HIPAA by extending coverage to business associates. Covered providers must implement administrative, physical, and technical safeguards for Protected Health Information (PHI). Section 13402 of HITECH requires that covered entities notify affected individuals and the Secretary of DHHS and, in some cases, the media following the discovery of a breach of unsecured PHI. Unsecured PHI is PHI that is not secured through technologies and methodologies, as defined in DHHS guidance, that render the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
Deadlines: Not Applicable
Additional Resources: Privacy / Student Records
Sortable Month: 14-No Deadline