Some or all of these laws and standards may apply to you, depending on your relationship with the university. Please see below for more information.

  • The Family Educational Rights and Privacy Act of 1974 (FERPA) governs the privacy and handling of educational records and gives specific rights to students. For more information, please see the FERPA pages.
  • The Federal Information Security Management Act (FISMA) is a federal law that requires the implementation of specific sets of security and privacy controls for information systems that process, transmit, or store federal data. As a major research institution, UAB is awarded federal contracts or grants, and as a result, its researchers may need to comply with FISMA. For more information, please see the FISMA pages.
  • The Payment Card Industry (PCI) Data Security Standards (DSS) are a mandated set of security controls created by the major credit card companies that, when followed, protect the privacy of those who use credit cards to pay for transactions at the University. If you have been approved by UAB’s Office of the Chief Financial Officer (CFO) to receive and operate a payment card account as a PCI Entity, you must meet the security requirements mandated by the PCI DSS and abide by all UAB policies related to PCI compliance. For more information, please see the PCI pages.
  • The Gramm-Leach-Bliley Act (GLBA) is a law enacted in 1999 that requires financial institutions to protect the privacy of consumer information. UAB is required to comply with the GLBA because of the information collected from students for financial aid, grants, payment history, and loan information. For more information, please see the GLBA pages.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law covering healthcare and health insurance industries. HIPAA addresses a number of topics, including access to health insurance, standardizing electronic healthcare-related records, and protecting the privacy and security of health data, which HIPAA calls protected health information (PHI). For more information, please see the HIPAA pages.