The legislative intent of Student Online Personal Protection Act (105 ILCS 85/), according to the legislation itself, is to address concerns raised about safeguards to protect student information that is shared specifically with educational technology companies. SHIELD Illinois is not an educational technology company. So, the terms of SOPPA are not applicable to the data provided to or by SHIELD Illinois. However, SHIELD Illinois does follow the guidelines set forth in the Privacy Rule (45 CFR Part 160 and Subparts A and E of 164) of the HHS HIPAA Standards for Privacy of Individually Identifiable Health Information which outlines data privacy not only for students, as is the case with SOPPA, but for all participants in the SHIELD Illinois COVID-19 testing program.
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, a
set of national standards for the protection of certain health information. The U.S. Department of Health
and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the
use and disclosure of individuals’ health information—called “protected health information” by
organizations subject to the Privacy Rule — called “covered entities,” as well as standards for
individuals' privacy rights to understand and control how their health information is used.
Protected Health Information. The Privacy Rule protects all "individually identifiable health
information" held or transmitted by a covered entity or its business associate, in any form or media,
whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information
(PHI).”
“Individually identifiable health information” is information, including demographic data, that relates
to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to
identify the individual.
Individually identifiable health information includes many common identifiers
(e.g., name, address, birth date, Social Security Number).
PHI collected by SHIELD Illinois and affiliated vendors is stored in accordance with HIPAA security rule
requirements. Point and Click Solutions, Inc., the electronic health record vendor engaged by SHIELD
Illinois for the purposes of collection, storage, and management of PHI is SOC 2 Type 2 compliant for
trust services criteria for security, availability, and confidentiality and undergoes annual SOC 2 and
HIPAA compliance audits by an independent third party.