Dear Colleague Letter - Clarification to Early Intervention Providers on Parental Consent to Use E-mail to Exchange Personally Identifiable Information

October 2009

Dear Colleague:

This letter is to provide clarification on the Department's requirements for the use of e-mail containing personally identifiable information in the New York State Early Intervention Program (EIP). Pursuant to Title 34 of the Code of Federal Regulations § 303.460(a), the Department must develop policies and procedures that ensure the confidentiality of personally identifiable information. 34 CFR Part 303 states, "Each State shall adopt or develop policies and procedures that the State will follow in order to ensure the protection of any personally identifiable information collected, used, or maintained under this part, including the right of parents to written notice of and written consent to the exchange of this information among agencies consistent with Federal and State law."

The use of e-mail is inherently unsecure. Protecting records in computer systems begins by identifying potential threats to the system. Unauthorized access to confidential information can occur at an unattended workstation that has not been locked and password protected, during transit when communication can be intercepted, and from unapproved access from outside an unprotected network. One risk is that unauthorized users may gain access to e-mail stored on servers. Password protection helps restrict access to authorized users at the workstation. In addition to any security measures designed specifically for e-mail, a network-based computing system needs to have in place standard pieces of information security such as a firewall. During transmission, encryption can ensure that the contents of an e-mail remain secret and unreadable, even if an outside party captures the e-mail. For these reasons, the Department requires that, to ensure confidentiality when sending personally identifiable information via e-mail or e-mail attachments, providers must use:

  1. password protection
  2. firewall software
  3. encryption

Providers should also be aware that e-mail communications with parents or others authorized by the parent are considered "education records" under FERPA and should be maintained in the same manner as other EIP records.

A parent may request that providers transmit personally identifiable information to an e-mail address that is unsecure. In this situation, the parent must provide written, informed consent authorizing this manner of transmission. The parent must be aware of, and consent in writing to, the use of unencrypted e-mail, and the consent must clearly identify the dangers of e-mail communication. The written consent must further identify the e-mail address to which the communication is to be sent and the parties who may correspond with the parent via e-mail, and who may receive or be copied on such e-mails. The written consent must be kept in a child's file. Enclosed is a draft template consent form that providers can use. Providers must develop policies and procedures to ensure that only those authorized in the written consent to communicate with the parent via e-mail are allowed to do so.

If you have any questions regarding the use of e-mail to communicate personally identifiable information, please contact Mary Lou Clifford of the Bureau of Early Intervention at (518) 473-7016.

Sincerely,

Bradley Hutton, M.P.H.
Director
Bureau of Early Intervention