
Recently Asked Questions (RAQs)



Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?

Hello,

We have had a huge increase in AI bots on our member library websites. My concern is that internal policies linked on member websites will be “learned” by AI and linked (cited) back to that member library. I’m concerned that members might have their Emergency Action Plan in their Personnel Policy Manual, and that financial controls could be used by ransomware hackers. We go by the following list to define internal and external policies: https://nyslibrary.libguides.com/Handbook-Library-Trustees/policy-checklist

Would it be a “good practice” to not post internal policies online? If there are a few internal policies that you feel should be posted online, would it be best to say online that you have the policy, but please contact the director (or library) for the file/print copy? That way, AI won’t be trained on the policy.

Thank you!

Best practices for faxing sensitive documents

In this RAQ’s section 2, “Libraries, Fax Lines, and HIPAA,” you say, “there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.” You also say, “If your library is not transmitting this type of information, you can stop sweating about HIPAA, even if patrons are using your fax to send it.”

Just so that we are crystal clear: this means that if patrons need to use a fax machine to correspond with a doctor’s office, it’s okay as long as they are the ones who physically use the fax machine? If they require help, can staff tell them how to use the machine as long as we don’t handle the physical documents?

Libraries, Fax Machines, and Data Security Obligations

Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?

Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.

We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.

Are libraries bound by HIPAA et al in the type of faxing technology they can use?

Database Downloads and Confidentiality

Recently a question has come up at our academic library concerning patron privacy and the notification to a patron (usually a student) concerning excessive downloading of content from databases in our collection. Our current practice has been to receive notification from the vendor about perceived illegal downloading. We then ask a member of our library IT team to investigate the situation, based on the information from the vendor. The contact information acquired by that IT staff member is then provided to the e-resource librarian. That librarian then contacts the individual via email, explaining the situation and indicating that such behavior must cease. Once that is done, the librarian notifies the vendor that the situation has been addressed, and there is no need to withhold access to the product from the campus. No personal identification of the user or student is provided to the vendor, nor distributed to anyone else. The question now: Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Archival materials, Privacy, and FERPA

My institution has a small number of documents in our archives related to previous graduate students. Some are definitely educational records (transcripts, field placement evaluations). Then there are a) letters of recommendation received by the school or written by school faculty/administrators and sent to other schools, b) some correspondence between a student and the school/administration, and other items like c) copies of images or articles from student publications.

The documents span decades. Most, but not all, of these former students are confirmed deceased. Most items in this small group of documents relate to alumni who were/are notable, but in widely varying degrees.

A few of these documents concern a famous alum, who passed away. An outside researcher is asking about the documents related to that alum, and unfortunately, there are no surviving institutional access policies related to student records or unpublished correspondence in our archives. We want to respect copyright, FERPA, and the alum's estate.

For the educational records, I can't find clear guidance on how long FERPA access restrictions last, but other academic collections seem to allow access 50-75 years after the former student's death.

So, a few questions:

1) When should on-site access to historical educational records be allowed (if ever), with reference to FERPA? What about providing copies of historical educational records?

2) When should on-site access to unpublished, non-educational records related to former students be allowed, in reference to state and federal copyright and privacy laws, and possibly FERPA? What about providing copies of these documents?

3) Should we take a more risk-averse approach to high-profile alumni materials, or should our policies apply equally to all alums?