In the Improving Head Start for School Readiness Act of 2007, Congress required the Office of Head Start to implement regulations to protect the confidentiality of personally identifiable information (“PII”). Nearly ten years later, those regulations are finally here, as part of the new Head Start Program Performance Standards (“HSPPS”).
The new privacy regulations are divided into three main parts:
- Disclosure of PII from child records;
- Parents’ rights to access child records; and
- Maintenance of child records
In this four-part blog series, we’ll address each aspect of the new privacy regulations. But first, it is important to understand some basic terms.
What is PII?
PII is defined in the performance standards as “any information that could identify a specific individual, including but not limited to a child’s name, name of a child’s family member, street address of the child, social security number, or other information that is linked or linkable to the child.” 45 C.F.R. § 1305.2.
It’s important to remember that PII is context-dependent. In other words, the same information could be considered PII in one setting, but not in another. Take, for example, a chart showing the percentage of children enrolled in a Head Start program that have a dental home. Generally, this type of aggregate data would not be considered PII. What if the data is broken down into categories based on race? Is it now PII? The answer is a lawyer’s favorite: It depends. If the category contains such a small sample size that the information can be linked to a specific child, the data could be considered PII. On the other hand, if the category is large, the aggregate data likely is not considered PII.
What is a child record?
The performance standards define child records as “records that (1) [a]re directly related to the child; (2) [a]re maintained by the program, or by a party acting for the program; and (3) [i]nclude information recorded in any way, such as print, electronic, or digital means, including media, video, image or audio formats.” 45 C.F.R. § 1305.2.
Certain records are easy to identify as child records. Enrollment paperwork, for example, is a child record. Other types of records are less obvious. Let’s say that a Head Start teacher is making notes about which letters a student, Eliza, knows. Is that a child record? Yes — it is directly related to Eliza, maintained by the teacher and recorded in print.
What should you do now?
As we work our way through the privacy regulations, we’d like you to follow along at home! Take a few moments to add these “introductory steps” to your HSPPS to-do list:
- Appoint a committee to oversee implementation of the new privacy regulations. You’ll want to include an employee responsible for maintaining child records and an information technology specialist, at a minimum.
- Work on a self-assessment. What privacy policies and procedures does your program currently have? Are they enforced? Do they work? Are there any areas of weakness?
- Check back for the second blogpost in this four-part series. We’ll tackle disclosures of PII, and the procedures you need to have in place to minimize the risk of non-compliance findings, deficiencies and legal liability from inappropriate disclosures.
- Want to know more? Check out our upcoming webinar “Privacy Policies Under the New Performance Standards” Wednesday, February 15, 2017 at 3PM EST. And don’t forget to follow us on Twitter and Facebook for more tips on Head Start and the HSPPS!