Risk Management Internal Audit Internal Controls Management Oversight

  • Slides: 74
Risk Management • Internal Audit • Internal Controls • Management Oversight • Ethics • Conflicts of Interest • FERPA/HIPAA

Internal Audit: Who We Are, What We Do, How We Can Help

Charter
Our mission is to assist the University in the accomplishment of its goals. We do this by providing a systematic, disciplined approach to evaluating, advising, and improving the processes of resource application, risk management, control and governance throughout the University.

Organization & Reporting
- The ISU Internal Audit Office consists of three employees: director, senior auditor, and staff auditor. It also utilizes two student auditors when funding is available.
- The director reports functionally to the State Board of Education Audit Committee and administratively to the University President. Staff are ISU employees.
- Internal Audit reports are submitted to the President and in summary form to the Audit Committee.

Objectives
- Appraise the economy and efficiency of operations
- Identify and evaluate significant risk exposures
- Verify the existence of and control over University assets
- Ascertain compliance with policies, regulations, and laws
- Provide guidance for new policies, procedures, processes, and systems
- Investigate fiscal misconduct, fraud, conflicts of interest, waste, and abuse
- Act as a liaison with external audit organizations

Services We Provide
- Risk-based operational audits
- Compliance audits
- Special request reviews
- Investigations
- Purchase card audits
- Verification of assets
- Consultative services
- Assistance to external auditors

How We Help
- We are a constructive link between policymaking and operational levels of the University
- Early warning system to identify financial or other risks
- Identify opportunities for fiscal and operational improvement
- An independent, internal entity for employees and students to address concerns or present ideas for improvement

Where is Internal Audit?
We are located in the Continuing Education Building, 1001 N. 7th Ave, Suite 202, ISU Stop 8093, 282-3182.

Internal Controls: What They Are & Why I Should Care

What are Internal Controls?
Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization’s objectives related to:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws, regulations and policies

What is Risk?
Risk can be defined simply as anything that could prevent an organization from accomplishing its goals and objectives.

Internal Controls are Designed to Minimize Risk by:
- Protecting assets.
- Ensuring records are accurate.
- Promoting operational efficiency.
- Encouraging adherence to policies, rules, regulations, and laws.
- Reducing the opportunity for fraudulent activity.

Components of Internal Control – COSO Model
- Control Environment
- Control Activities
- Risk Assessment
- Information and Communication
- Monitoring

Control Environment
- Sets the tone for an organization – “Tone at the Top”.
- Establishes the organizational culture.
- Provides discipline and structure.
- Is the foundation of the organization’s control system.
- Key factors include:
  - Integrity and ethical values.
  - Competence of institutional personnel.
  - Leadership philosophy and management style.
  - How management assigns authority & responsibility and organizes and develops its people.

Control Activities
- Policies and procedures established to ensure management directives are carried out.
- Actions taken to address risk.
- Include a range of activities:
  - Authorizations
  - Verifications (e.g. physical inventory)
  - Reconciliations
  - Physical security of assets
  - Access limitations
  - Segregation of duties

Risk Assessment
- Identification and analysis of relevant risks (e.g. operational, financial, and compliance).
- After risks have been identified they must be evaluated using a formal or informal process which includes:
  - Estimating the significance of a risk.
  - Assessing the likelihood (or frequency) of the risk occurring.
  - Assessing the actions that could be taken to manage the risk and their associated costs.
- Is an on-going process.

Information and Communication
- Information systems produce reports containing operational, financial and compliance-related information.
- Information must flow down, across and up within the organization.
- The effectiveness of information systems depends on many factors:
  - Information systems must be based on a strategic plan.
  - Adequate resources must be allocated to the system.
  - Information must reach the right people.
  - Information must be in sufficient detail and be timely.
  - Reports must be accurate and provide necessary information.

Information and Communication
- The effectiveness of communication systems also depends on many factors:
  - Employees’ duties and control responsibilities must be effectively communicated.
  - Channels of communication must exist for employees to report suspected improprieties.
  - Management should be receptive to employee suggestions for improvement.
  - Communication must be effective across departmental lines.
  - Communication must be timely and sufficient for individuals to effectively discharge their responsibilities.
  - Outside parties should be made aware of the institution’s standards.
  - There must be timely and appropriate follow-up to information feedback.

Monitoring
- Monitoring is a process that assesses the quality of the internal control system through on-going monitoring activities and separate evaluations.
- On-going monitoring activities include:
  - Review of operating and financial reports to identify significant inaccuracies or exceptions.
  - Investigation of information received from external parties.
  - Organizational structure and supervisory activities.
  - Comparison of data recorded in the information system to physical assets.
  - Periodic confirmations by personnel that they understand and are complying with the institution’s code of conduct.
- Separate evaluations can be conducted by management or by internal and external auditors.

Internal Control Objectives
A good system of internal controls will accomplish the following objectives:
- Authorization: All transactions are approved by responsible personnel.
- Completeness: All valid transactions are included in the accounting records.
- Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.
- Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.

Internal Control Objectives
- Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel.
- Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
- Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.

Who is responsible for internal control?
Management:
- The President provides leadership and direction to senior administrators.
- Vice presidents provide direction to senior administrators responsible for major functional areas.
- Deans and department heads have line responsibility for designing and implementing control systems at detailed levels.

Who else is responsible?
All employees should:
- Read and understand the policies and procedures which affect their jobs.
- Evaluate the propriety of transactions (legal and ethical?).
- Safeguard assets.
- Evaluate the economy and efficiency of operations.
- Follow the established internal controls.
- Notify management when internal controls are not effective or are being circumvented.

Limitations of Internal Control
Internal controls, no matter how well designed and executed, can only provide reasonable assurance regarding the achievement of objectives. Limitations include:
- Judgment – Decisions must be made within the constraints of available time and the information at hand, under the pressure of getting a job done.
- Breakdowns – Employees may misunderstand instructions. Errors may occur from new technology or due to complex systems.
- Management override – High-level personnel may be able to overrule controls for personal gain or advantage.
- Collusion – Two or more individuals may work together to bypass controls. No internal control system is immune from collusion!

Is cost of control a consideration?
Yes! In determining whether a particular control should be established, the risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort made to strike an appropriate balance.

Management Oversight: The Key to Control & Risk Management

Management – The buck stops here!
As a manager, you are responsible for:
- Establishing the “tone at the top” and promoting an ethical business environment by providing structure, feedback, and discipline.
- Assessing risks specific to your operations and developing a control system to address risks that could prevent achieving established goals (see handouts).
- Establishing and maintaining control activities such as reconciliations, approvals, and review of operating activities.
- Ensuring appropriate access to and use of University information and systems.
- Monitoring the control system and activities to identify and correct breakdowns in a timely manner.

Management – Best Practices
1. Read all requests to spend University funds before approving them.
2. Develop written procedures for critical operations.
3. Develop measurable departmental goals based on strategic plans.
4. Create an action plan that is communicated to all employees.
5. Ensure every transaction involves at least two people.
6. Review departmental transactions monthly and investigate concerns.
7. Deposit funds daily (properly secure cash, check and credit card information).
8. Review processes on a continuous basis (is there a better way?).
9. Ensure all expenditures have a clear business purpose.
10. Maintain good supporting documentation for all expenditures.
11. Make sure time sheets are reviewed and approved by a supervisor who is familiar with the employee’s work hours.

Propriety of University Expenditures
University expenditures will be considered proper if they meet all of the following seven tests:
1. Are in the best interest of the University and for official business only.
2. Comply with all applicable federal and state laws, and University regulations, policies and procedures.
3. Do not appear to or actually provide a personal benefit to employees.
4. Are within approved budgets.
5. Are necessary to accomplish University business.
6. Are reasonable: quality and quantity are sufficient to meet but not exceed identified need.
7. Are approved by the appropriate level of management.

Ethics: The Foundation

What Does Ethics Mean to You?
Sociologist Raymond Baumhart asked some business people this question. Replies included:
- "Ethics has to do with what my feelings tell me is right or wrong."
- "Ethics has to do with my religious beliefs."
- "Being ethical is doing what the law requires."
- "Ethics consists of the standards of behavior our society accepts."
- "I don't know what the word means."

What is Ethics?
Simply stated, ethics refers to the standards of behavior that tell us how human beings ought to act in the many situations in which they find themselves: as friends, parents, children, citizens, employees, teachers, professionals, etc.

What Ethics is Not
Ethics is not:
- The same as feelings
- Religion
- Just following the law
- Following culturally accepted social norms
- Science

Why is Identifying Ethical Standards Difficult?
Two fundamental problems:
- On what do we base our ethical standards?
- How do those standards get applied to specific situations?

Framework for Ethical Decision Making
- Recognize an Ethical Issue
- Get the Facts
- Evaluate Alternative Actions
- Make a Decision and Test It
- Act and Reflect on the Outcome

Recognize an Ethical Issue
- Could this decision or situation be damaging to someone or to some group?
- Does this decision involve a choice between a good and a bad alternative; between two “goods”; or between two “bads”?
- Is this issue about more than what is legal or what is most efficient? If so, how?

Get the Facts
- What are the relevant facts of the situation? What facts are not known? Do I have enough information to make a decision?
- What individuals and groups have an important stake in the outcome? Are some concerns more important? Why?
- What are the options for acting? Have I identified creative options?

Evaluate Alternative Actions
Ask yourself the following questions:
- Which option will produce the most good and do the least harm (Utilitarian Approach)?
- Which option best respects the rights of all who have a stake (Rights Approach)?
- Which option treats people equally (Justice Approach)?
- Which option best serves the community as a whole (Common Good Approach)?
- Which option leads me to act as the sort of person I want to be (Virtue Approach)?

Make a Decision and Test It
- Considering all these approaches, which option best addresses the situation?
- Would I make the same decision if I knew it would be public, in a newspaper article or on a TV news report (newspaper test)? Would mom approve?
- Could I rationally and honestly defend my decision? If a colleague made the same decision, would I support him or her?
- Are there laws, policies, rules or directives governing or restricting my decision?

Act and Reflect on the Outcome
- How can my decision be implemented with the greatest care and attention to the concerns of all stakeholders?
- Reflect on how the decision turned out and what you learned from the situation.
- Be willing to reassess your decision if more facts become available.

Obstacles to Ethical Decision Making
Rationalizations:
- If it’s necessary, it’s ethical
- If it’s legal and permissible, it’s proper
- It’s just part of the job
- It’s all for a good cause
- I was just doing it for you
- I’m fighting fire with fire
- It doesn’t hurt anyone
- Everyone’s doing it
- It’s okay if I don’t gain personally
- I’ve got it coming
- It’s just politics

Ethical Rules Pertaining to ISU
- ISU currently does not have a comprehensive code of conduct or ethical policy. It has individual policies that need to be updated.
- State Board of Education Conflict of Interest and Ethical Conduct policy (Section II, Subsection Q).
- Idaho Statutes:
  - Bribery and Corrupt Practices Act (Title 18, Chapter 13)
  - Prohibitions Against Contracts with Officers (Title 59, Chapter 2)
  - Ethics in Government Act (Title 59, Chapter 7)
- State Board of Education Compliance Program policy (not finalized yet). Institutions must establish:
  - A code of ethics that applies to all employees.
  - A published list of all major compliance areas categorized by risk.
  - A mechanism for coordinating compliance oversight, monitoring, and enforcement.
  - A means of assuring institutional policies are regularly reviewed for compliance with federal and state laws and regulations and Board policies.

SBOE – Ethical Conduct
All employees of the institutions and agencies shall:
- Not hold financial interests that are in conflict with the conscientious performance of their official duties and responsibilities;
- Not engage in any financial transaction in order to further any private interest;
- Put forth honest effort in the performance of their duties;
- Make no unauthorized commitments or promises of any kind purporting to bind the Board or any Board-governed entity;
- Not use their public offices for private gain;
- Act impartially and not give preferential treatment to any private or public organization or individual;
- Protect and conserve public property and not use it for other than authorized activities;
- Not engage in outside employment or activities, including seeking or negotiating for employment, that conflict with official duties and responsibilities;
- Promptly disclose to their chief executive officer waste, fraud, abuse, or corruption;
- Endeavor to avoid any actions that would create the appearance that they are violating the law or the ethical standards of the Board or the relevant Board-governed entity;
- Disclose and avoid conflicts of interest, potential conflicts of interest, and circumstances giving rise to the appearance of a conflict of interest.

Current ISU Policies
- Academic Freedom/Faculty Ethics
- Employment of Relatives/Nepotism
- Faculty/Student Relationships
- Outside Employment
- Private Consulting Outside the University
- Sexual Harassment
- Misconduct in Research and Scholarship
- Research Conflict of Interest
- Financial Interest Disclosure Form

How do you create an ethical work environment?
- Establish an enforceable code of conduct
- Ensure executive modeling – tone at the top
- Provide initial and on-going training
- Encourage regular communication
- Maintain an anonymous hotline
- Take action – hold individuals accountable
- Reward employees that maintain an ethical work environment
- Implement equitable policies that are communicated
- Provide fair compensation and reasonable working conditions

Code of Ethical Conduct
Driven by the University’s mission of teaching, research and public service:
- Sets expectation of highest standards of ethical conduct.
- Commits to upholding the reputation of the University.
- Encourages compliance with applicable laws, regulations, and University policies.
- Does not condone retaliation for any good faith report of improper activity.
- Be honest, ethical, truthful.
- Obey the law.
- Follow University policies and procedures.

What is Fraud?
A dishonest and deliberate course of action that results in the obtaining of money, property or an advantage to which the person committing the action would not normally be entitled. Intentional misleading or deceitful conduct that deprives another of his/her resources or rights. Fraud always involves intent and some violation of trust.

What is Waste?
Waste occurs when someone makes careless or extravagant expenditures, incurs unnecessary expenses, or grossly mismanages resources. This activity results in unnecessary costs. It may or may not provide the person with personal gain. Waste is almost always the result of poor management decisions and practices or poor accounting controls.

What is Abuse?
Abuse most often involves an employee exploiting “loopholes” in policies and procedures for personal benefit. Abuse is very close to fraud, but often is not prosecutable as such. Abuse includes, but is not limited to, the misuse or destruction of resources, using the powers of an official position inappropriately, or any other seriously improper practice that cannot be prosecuted as a fraud or other illegal act.

Examples of Fraud, Waste and Abuse
- An employee purchases a meal for a meeting which has a valid business purpose. The meal meets University policy, all receipts are provided and the proper form is completed. (Acceptable)
- The employee has a meeting with a valid business purpose. A meal is purchased, receipts are provided and required forms are completed. However, the meeting could have taken place without a meal. (Waste)
- The employee purchases a meal over a casual meeting with colleagues. The business purpose and necessity of the meeting are questionable. (Abuse)
- The employee purchases lunch for himself/herself and friends using University funds. (Fraud)

How Costly is Fraud?
The Association of Certified Fraud Examiners (ACFE) 2010 Report to the Nations concluded:
- The typical organization is estimated to lose 5% of its annual revenues to fraud.
- Applied to the estimated 2009 Gross World Product, this translates to a potential total fraud loss of $2.9 trillion worldwide.

What Other Costs of Fraud?
Damages to the University go beyond dollars & cents:
- Reputation
- Loss of public confidence
- Detrimental to attracting new potential donors & volunteers
- Damage to relationships
- Sagging staff morale
- Distraction from the mission

The Fraud Triangle
There are three factors that must be present in order for an ordinary person to commit fraud:
- Pressure
- Perceived opportunity
- Rationalization

How Can Fraud be Prevented?
An effective fraud deterrence and prevention program should address the fraud triangle by:
- Reducing pressures on employees that might push them into committing fraud.
- Reducing perceived opportunities to commit fraud – strong internal controls.
- Dispelling rationalizations for engaging in fraudulent conduct.
- Creating a sense of honesty and ethics in your area.
- Reporting fraud, waste, and abuse when it is detected.

What are Potential Red Flags?
Although this list is not exhaustive, the following conditions may be indicators of fraud:
- Accounts not reconciled and reviewed in a timely manner
- Continuous or unusual account transfers
- Employee wanting to control too much of a given process or procedure
- Frequent or unusual related-party transactions
- Lack of interest in compliance with policies
- Unrecorded transactions or missing records
- Altered or counterfeit documents
- Excessive voids, credits, over-rings
- Unexpected results, i.e., revenue decreasing & attendance increasing
- Inadequate screening of new employees
- Employee with lifestyle beyond their means
- Employee refusing to take time off and/or unwilling to share duties with co-workers
- Employee in close relationship with suppliers
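Several of the controls in this deck can be checked mechanically during the monthly transaction review that the best-practices slide calls for: the segregation-of-duties objective (no one person both records and approves a transaction, the "at least two people" rule), the "accounts not reconciled in a timely manner" red flag, and the "excessive voids" red flag. The Python script below is an added example written for this page; it is not part of the ISU Internal Audit presentation and does not model any ISU system. The ledger, account numbers, employee names, reconciliation dates and thresholds are all constructed for illustration.

```python
"""Audit analytics over a constructed departmental ledger (added example).

Flags three conditions the presentation describes as control objectives or
fraud red flags: a transaction recorded and approved by the same person
(segregation-of-duties breach), an account whose last reconciliation is
stale or missing, and an employee whose voided share of recorded
transactions is excessive. Every record and threshold here is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str
    amount: float
    recorded_by: str   # person who entered the transaction
    approved_by: str   # person who authorized it
    voided: bool = False


# Constructed sample ledger; names and amounts are illustrative only.
LEDGER = [
    Transaction("T001", "1000-OPS", 450.00, "alice", "bob"),
    Transaction("T002", "1000-OPS", 1200.00, "carol", "carol"),  # self-approved
    Transaction("T003", "2000-LAB", 80.00, "dave", "bob", voided=True),
    Transaction("T004", "2000-LAB", 95.00, "dave", "bob", voided=True),
    Transaction("T005", "2000-LAB", 60.00, "dave", "erin", voided=True),
    Transaction("T006", "2000-LAB", 300.00, "alice", "erin"),
    Transaction("T007", "3000-TRV", 700.00, "carol", "carol"),  # self-approved
    Transaction("T008", "3000-TRV", 150.00, "alice", "bob"),
]

# Constructed reconciliation log: account -> date of last completed reconciliation.
LAST_RECONCILED = {
    "1000-OPS": date(2024, 3, 31),
    "2000-LAB": date(2023, 11, 30),
    "3000-TRV": None,  # never reconciled
}

# Review date assumed for the example run.
AS_OF = date(2024, 4, 30)


def segregation_of_duties_breaches(ledger):
    """Transaction ids where the recorder also approved (two-person rule broken)."""
    return [t.txn_id for t in ledger if t.recorded_by == t.approved_by]


def stale_reconciliations(last_reconciled, as_of, max_age_days=45):
    """Accounts never reconciled or reconciled more than max_age_days ago."""
    stale = []
    for account, last in last_reconciled.items():
        if last is None or (as_of - last).days > max_age_days:
            stale.append(account)
    return sorted(stale)


def excessive_voids(ledger, max_void_ratio=0.5, min_activity=3):
    """Employees whose voided share of their recorded transactions exceeds the ratio.

    min_activity avoids flagging someone on one or two voided entries.
    """
    recorded = Counter(t.recorded_by for t in ledger)
    voided = Counter(t.recorded_by for t in ledger if t.voided)
    return sorted(
        who for who, n in recorded.items()
        if n >= min_activity and voided[who] / n > max_void_ratio
    )


def run_review(ledger, last_reconciled, as_of):
    """Assemble the monthly-review findings into one report dictionary."""
    return {
        "self_approved": segregation_of_duties_breaches(ledger),
        "stale_reconciliations": stale_reconciliations(last_reconciled, as_of),
        "excessive_voids": excessive_voids(ledger),
    }


if __name__ == "__main__":
    for finding, items in run_review(LEDGER, LAST_RECONCILED, AS_OF).items():
        print(f"{finding}: {items or 'none'}")
```

Each finding is a lead for the reviewer to investigate, not a conclusion: a self-approved entry may reflect a staffing gap rather than misconduct, and the thresholds (45 days, a 50% void ratio over at least three entries) are choices a department would set from its own volume and policy.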

How Do I Report Concerns?
The following options for reporting fraud, waste, abuse and non-compliance are available for ISU employees:
- Share your concern with your supervisor.
- Contact ISU Internal Audit.
- Utilize ISU’s anonymous hotline:
  - Call MySafeCampus at 800-716-9007
  - Utilize www.mysafecampus.com, 24 hours a day, seven days a week. Confidential reports go to me and Brad Hall. You can communicate anonymously through the online tool.

How Can I Be Protected from Retribution?
The “Idaho Protection of Public Employees Act” (Title 6, Chapter 21) provides protections from “adverse action” for state employees who, in good faith, provide information concerning the waste of public funds, resources or manpower or who report potential violations of laws and regulations (both state and federal).

Conflicts of Interest: Perception is Reality

What is a Conflict of Interest?
The State Board of Education policy (Section II, Q) states: A conflict of interest occurs when a person's private interests compete with his or her professional obligations to the Board-governed entity to a degree that an independent observer might reasonably question whether the person's professional actions or decisions are materially affected by personal considerations, including but not limited to personal gain, financial or otherwise.

Examples of Conflicts of Interest?
Let’s discuss:
- Perceived
- Potential
- Actual

Potential Costs of Conflicts
If conflicts of interest are not managed:
- Protection of human subjects may be compromised.
- Integrity of research may be at risk.
- The public may lose trust in the University and its research findings.
- The investigator/faculty member may lose the respect of the academic community.
- May violate terms of research grants and contracts (including failure to disclose COI) and federal regulations.
- Potential loss of research funding.
- University may lose public support and funding.
- Students may be negatively impacted: inability to pursue their research interests.
- University resources may be improperly used.
- Increased government regulations may result.
- Scandals or negative media attention may occur.

Applicable Policies & Regulations
- ISU Policies (need to be updated):
  - Employment of Relatives/Nepotism
  - Outside Employment
  - Private Consulting Outside the University
  - Research Conflict of Interest
  - Financial Disclosure Form
  - Academic Freedom/Faculty Ethics
- State Board Policies:
  - Conflicts of Interest and Ethical Conduct – All Employees (Section II, Q)
  - Conflict of Interest (Section I, G)
- State of Idaho Statutes:
  - Ethics in Government Act
  - Bribery and Corrupt Practices Act
- Applicable Federal Regulations:
  - Example: New NIH regulations

How to Handle Conflicts?
Conflicts of interest must be:
- Disclosed
- Reviewed
- Managed

How to Manage Conflicts of Interest?
Management plans may include:
- Avoidance
- Public disclosure
- Balance – third-party interest participation
- Mediation – oversight by immediate supervisor
- Abstention – employee recuses him or herself
- Divestiture – employee forfeits outside interests
- Prohibition

FERPA/HIPAA: Must Protect Information

What is FERPA?
FERPA (Family Educational Rights and Privacy Act) was enacted in 1974. It is a set of regulations that applies to those institutions that receive funding from the Department of Education. FERPA was written specifically for students and guarantees them the right to inspect and review their education records, the right to seek to amend education records, and the right to have some control over the disclosure of information from those education records.

What is an Educational Record?
An education record is defined as any record that directly identifies a student and is maintained by the institution or educational agency or by a party acting for the institution or educational agency. A key distinction of education records is that education records are shared. Education records can exist in any medium, including the following: handwritten, typed, computer generated, videotape, audiotape, film, microfiche, email, and others.

FERPA – Public Information
The following is referred to as directory information (it can be shared without the student’s consent unless specifically blocked):
- Name
- Address
- Telephone number
- E-mail address
- Enrollment status
- Major
- Degrees & awards received
- Most recent previous school attended

FERPA – Protected Information
The following student information cannot be shared without the student’s written authorization:
- Student number
- Grades/Exam Scores
- Grade Point Average
- Social Security Number
- Parent Address/Phone
- Detail of Registration Information (i.e., courses, times)
- Race, Ethnicity, or Nationality
- Gender
- Date of Birth
- Total Credits
- Number of Credits Enrolled in a Quarter
- Emergency Contact

FERPA – Information at ISU
Detailed information is available from the Registrar’s Office at http://www.isu.edu/areg/ferpafacts.shtml including:
- General FERPA information
- ISU Student Rights
- ISU Faculty/Staff & FERPA
- FERPA General Guidance for Students – available from the U.S. Department of Education

What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. A major component of HIPAA addresses the privacy of individuals’ health information by establishing a nationwide federal standard concerning the privacy of health information and how it can be used and disclosed. This federal standard will generally preempt all state privacy laws except for those that establish stronger protections. The HIPAA privacy laws are effective April 14, 2003.

HIPAA at ISU
ISU maintains “individually identifiable health information” in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160, 162, and 164). According to HIPAA, ISU is a “Hybrid Entity”, which means it has specific areas, i.e., ISU health care clinics, designated to comply with the Rule. Other ISU units may have access to and/or receive certain health information and also have responsibilities under HIPAA (for example, those units performing research and education).

HIPAA at ISU
The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” The Security Rule calls this information “electronic protected health information (EPHI).” The Security Rule also extends to individual remote use of EPHI such as: (1) the use of portable media/devices (such as USB flash drives) that store EPHI; and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers, or other non-corporate equipment.
“Individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

HIPAA Resources at ISU
Please refer to the following information available at isu.edu:
- Summary of the HIPAA Privacy Rule – General Counsel
- ISU Statement of HIPAA – General Counsel
- Health Programs Guide – General Counsel
- Other information at: http://www.isu.edu/ucounsel/hipaa.shtml
- Privacy Practice Notice (HIPAA) – Student Health Center
- HIPAA training – available from Workforce Training – CoT
- Contact Sandi Rich – ISU HIPAA Privacy & Security Officer