Most Educational Institutions Don’t Know…
Imagine the following scenario taking place in your school’s administrative offices.
An employee in your Admissions and Records Department takes a phone call from the father of a student. The man asks to have all of his daughter’s disability-related school records faxed to him because, as he explains, he needs the documentation for the family’s new healthcare policy.
At this point, there are two ways that the next step your employee takes — even if she’s acting entirely in good faith — could actually place your institution in violation of the Family Educational Rights and Privacy Act (FERPA), the federal law protecting student’s personal information.
2 Ways an Innocent Mistake with a Faxed Document Can Lead to a FERPA Violation
1. The employee fails to authenticate the requester’s identity before faxing the student’s records
As part of its guidance on complying with FERPA, the Department of Education created the Privacy Technical Assistance Center (PTAC) to help educational institutions improve their data privacy and protection strategies. On its Identity Authentication Best Practices, PTAC explains that educators “must have procedures in place to be able to establish the same level of identity authentication assurance regardless of whether the data are accessed via electronic systems, fax, telephone or in person.”
In other words, if your employee failed to take steps to verify that the man on the phone was in fact the student’s father before faxing over her personal files, that misstep could place your institution in violation of FERPA.
Moreover, it could still be deemed a violation even if the man were in fact the student’s father. Neither FERPA nor any of the government’s other data privacy laws award points for getting lucky.
2. The employee faxes the student’s records from a desktop fax machine in a common area of the office — but then leaves the documents unattended on the machine
Here’s one area where a traditional fax infrastructure — consisting of office fax machines or multifunction printers (MFPs) with fax capability in areas shared by several employees — can be highly vulnerable to falling out of compliance with data privacy laws like FERPA.
On its Data Security Checklist for FERPA compliance, PTAC explains that an acceptable plan for protecting student’s private records must include — among other measures — physical security, personnel security and access control.
What all of these requirements have in common is that they demand educational institutions restrict access to any room or area, any hardware device, any software application and any hardcopy documents where students’ personally identifiable information might be found.
When your employees fax this private information — student transcripts, records of disciplinary action, medical records, financial information, etc. — and those documents are then left sitting for any period of time on a fax machine in a common area of your offices, this could constitute a FERPA violation.
Of course, the scenario I described above could also lead to the same FERPA violation if no fax machine were involved. If the hypothetical employee failed to authenticate the requester’s identity and then emailed him the student’s records, or sent them by FedEx, or simply printed them out and handed them to the man without first checking ID, all of these could still land your school on the wrong side of FERPA regulators.
Still, fax has some unique challenges when it comes to document security, particularly for a heavily regulated organization like yours. Additionally, if your organization’s IT team is still operating a traditional in-house fax infrastructure, there are other reasons to consider a new technology.
As an institution regulated by FERPA, you face several unique security and compliance challenges every time your employees send or receive a student’s personal data by fax.
Let me walk you through a few of the challenges that your fax infrastructure likely still poses for your organization. Then I’ll offer you a simple, cost-effective and far more compliant solution, one that doesn’t require your staff to abandon fax and can in fact help you streamline and improve your fax processes. That solution is a cloud fax service developed with the specific regulatory needs of academic institutions in mind.
The Challenges of Traditional Fax for an Educational Institution
1. Traditional fax transmissions are typically unsecure
In its guidance on sending students’ personal data by email, PTAC suggests educational institutions should be “encrypting data files and/or encrypting email transmissions themselves.”
Interestingly, neither PTAC nor the language of the FERPA law itself make more than a couple of vague references to faxing at all. By the time that FERPA’s regulators made their more recent updates to the law’s guidance, within the last few years, email had become the predominant communication protocol for most industries and much of academia.
But for an idea of what FERPA will likely require in terms of your fax security, these references to email transmissions — specifically the Education Department’s guidance that educators should use encryption — can serve as a good indicator of what the law could demand of your fax transmissions of student records.
And traditional fax transmissions, sent over the public telephone network, are generally not encrypted.
To be fair, analog faxes delivered over the phone network aren’t the top target for hackers, either. Unencrypted email seems to be the top target of opportunity these days. But remember, if FERPA’s auditors come knocking, they won’t reward your unsecure fax practices just because you’ve been fortunate enough not to be hacked, yet.
2. Desktop fax machines’ hard drives are vulnerable
Another security vulnerability with traditional fax hardware, including MFPs, is that their hard drives actually store unsecured copies of every fax document they have sent and received —often indefinitely, or at least until this data is overwritten by newer faxes, or printed out for storage.
This means anyone with access to that fax machine or multifunction printer could print and take copies of any personal student information transmitted by that machine – access controls on these devices are often overlooked and not restricted, and the contents are usually not encrypted. Large office printers are often leased and could be returned to the distributor, chock full of privacy violations!
In other words, unless you have physical security measures in place limiting access to the areas where you keep your office fax machines, the mere act of maintaining a typical fax machine in your school’s offices could be deemed noncompliant with FERPA.
3. The traditional in-house fax infrastructure probably falls short of FERPA compliance on several fronts
I’ve already discussed the reasons your fax machines are likely exposing your institution to at least a few types of FERPA vulnerabilities, so I won’t rehash those here. But I should also point out that if you are operating in-house fax servers, those too could land you on the wrong side of FERPA, for a couple of reasons.
First, many onsite fax servers run non-secured hard drives. So if these servers are on your institution’s network, they could be vulnerable to data breaches.
Second, even if your fax servers’ hard drives are secure and encrypted, they can still represent a security weakness. That’s because when a fax server’s drive fills up, many institutions will print out its contents so they can wipe the drive clean and start the process over again. And it’s during this “purging” process — with sensitive student data sitting unsecured on a desk awaiting filing — when the institution can be in violation of FERPA.
4. Fax machines and onsite fax servers are neither the most productive nor the most cost-effective way for an educational institution to fax
Finally, setting aside the security and compliance vulnerabilities of an in-house fax infrastructure comprised of fax machines and onsite servers, you should also consider whether your institution’s current fax processes make the most sense from a cost and productivity standpoint.
And the answer is: They don’t.
Maintaining an aging fax infrastructure costs far more than you should be spending to give your staff the ability to fax. It’s costing your organization the ongoing expenses of dedicated fax phone lines ($50 to $100 per month per line) for each machine, maintenance and repairs of the machines themselves, fax software licenses (if you’re operating fax servers), paper, ink and other fax supplies.
Plus, as you know, it’s diverting your IT team’s time and energy from more productive initiatives to troubleshooting employees’ fax-machine issues, rebooting crashed fax servers and training new employees on how to use the equipment.
As if all of that weren’t enough, consider how much of a productivity bottleneck your fax machines can create for your staff. With a shared fax machine/MFP in your office, for example, you might have several employees standing around waiting for their turn. Or, even if there is no line, when a single employee needs to make sure a long fax transmission goes through — say, a student’s transcript that runs dozens of pages — that employee will have to stand at the machine until the final page is transmitted and your fax machine prints out a delivery confirmation receipt.
In an era of email, smartphone-enabled file sharing and Dropbox, does this paper-based, time-consuming process make any sense for your institution?
There is a far more cost-effective, secure and compliant approach to faxing, one that lets your employees send and receive faxes securely from anywhere. That solution is a secure, compliant, cloud fax platform designed for the education industry.
With FERPA governing your transmissions of personal student records, why continue risking compliance to paper-based faxes?
Outsource Your Institution’s Faxing Processes to a Trusted Cloud Fax Partner — One That Knows How to Comply with FERPA
With the right cloud fax service, your institution can outsource your entire fax infrastructure to a trusted expert and enjoy a host of benefits, including:
– Improved FERPA and HIPAA compliance for those institutions that are also responsible for handling and transmitting student medical records.
– Strengthened data security — both for fax transmissions and for your faxes in storage in highly secure data centers.
– Enhanced audit trails and record-keeping – easily produce detailed custom reports on every fax sent or received.
– Increased productivity — because your staff will be able to send and receive fax documents by email, securely, from anywhere.
– Improved visibility by your IT team into your organization’s overall fax usage — by providing your team a web portal with a dashboard view of your monthly usage stats.
– Lowered costs — by eliminating the on-premises fax infrastructure and legacy phone line expenses and instead using only the Internet access bandwidth your institution already has in place.
If I’ve convinced you of the value to your educational institution of cloud faxing in general, let me now suggest one partner in particular. eFax Corporate is the cloud fax provider of choice for more than half of the Fortune 500, and the company trusted more than any other by organizations for whom secure and compliant document transmission is mission-critical.
