
Recently Asked Questions (RAQs)

Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?

Hello,

We have had a huge increase in AI bots on our member library websites. My concern is that internal policies linked on member websites will be “learned” by AI and linked (cited) back to that member library. I’m concerned that members might have their Emergency Action Plan in their Personnel Policy Manual, and that financial controls could be used by ransomware hackers. We go by the following list to define internal and external policies: https://nyslibrary.libguides.com/Handbook-Library-Trustees/policy-checklist

Would it be a “good practice” to not post internal policies online? If there are a few internal policies that you feel should be posted online, would it be best to say online that you have the policy, but please contact the director (or library) for the file/print copy? That way, AI won’t be trained on the policy.

Thank you!

Best practices for faxing sensitive documents

In this RAQ’s section 2, “Libraries, Fax Lines, and HIPAA,” you say, “there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.” You also say, “If your library is not transmitting this type of information, you can stop sweating about HIPAA, even if patrons are using your fax to send it.”

Just so that we are crystal clear: this means that if patrons need to use a fax machine to correspond with a doctor’s office, it’s okay as long as they are the ones who physically use the fax machine? If they require help, can staff tell them how to use the machine as long as we don’t handle the physical documents?

Libraries, Fax Machines, and Data Security Obligations

Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?

Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.

We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.

Are libraries bound by HIPAA et al. in the type of faxing technology they can use?

Library cards for minors

I’m assuming the age requirement for youth cards varies widely even among NYS libraries, but what are the key determining legal factors which inform how libraries settle on an age range for this policy? I can think of three factors, and libraries likely conflate all of them together. I’d like to extrapolate the real legal concerns so that I can more clearly determine our own library’s circulation policies regarding permission for youth cards.

1. Is the signature to allow for “parent permission” to access the library? Are public libraries legally obligated to obtain parent permission before a child of a certain age accesses library materials or services? I’m assuming that the library would not be liable if, for example, staff allowed an 11-year-old without a library card to read any book they liked within the walls of the library. Does this apply to a child of any age? (I realize unaccompanied minors will eventually come into play). So, by extension, is granting an 11-year-old a library card without parent consent legally permissible?

2. Is the signature an acknowledgement of responsibility for the library materials on behalf of the child? Many library card applications prompt for this specifically, but according to NYS law, is a parent/guardian responsible for library materials checked out to a minor in their care regardless? (If a 15-year-old minor lost library materials or incurred fines or fees, would their parents still be legally responsible even without giving permission for the card?)

3. COPPA and the collection of PII (for online library card signup). Though not required as a non-profit, our library chooses to comply with this policy, requiring parent/guardian consent of online card signup for children 12 and under. Does this mean that a child aged 11 could still, within legal boundaries, apply for a library card in person without collecting consent?

Audio Recording Patrons Without Permission

A school district public library is considering installing closed-circuit cameras and thinking of enabling sound recordings, too. Is it legal to record sound, thinking it is a violation of patron privacy? Can board members review the tapes?