Recently Asked Questions (RAQs)

Should librarians who use student or parent volunteers have them sign a statement on protecting patron privacy? If so, what would the wording look like?

Maybe something like this?

“As a library volunteer, I agree to follow all the policies and practices of the school library including ensuring patron privacy. What patrons check out or research in the library is confidential. I will not tell others, students or adults, who has what materials checked out or comment on what is being checked out. I understand that lack of privacy and confidentiality has a chilling effect on users’ selection, access to, and use of library resources. All users have a right to freely use the library and have their privacy protected. I will let the librarian know if I think I have violated any policies.”

In this RAQ’s section 2, “Libraries, Fax Lines, and HIPAA,” you say, there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.” You also say, “If your library is not transmitting this type of information, you can stop sweating about HIPAA, even if patrons are using your fax to send it.”

Just so that we are crystal clear: this means that if patrons need to use a fax machine to correspond with a doctor’s office, it’s okay as long as they are the ones who physically use the fax machine? If they require help, can staff tell them how to use the machine as long as we don’t handle the physical documents?

Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?

Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.

We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.

Are libraries bound by HIPAA et al in the type of faxing technology they can use?

I am a school librarian, and just found out my school district is using student-device monitoring software. The software uses AI to check for searches and content that could indicate consideration of self-harm. I am concerned the software will monitor access to school library content and violate student privacy. What can I do? 

Is the library at risk if a teen patron volunteers to share contents of a cell phone?

An adult patron recently called the library and said that her 11-year-old daughter reported being filmed outside the library (parking lot or backyard). The child reported that two teen patrons had been using cell phones to film her. No staff witnessed this, but all of the juveniles involved were known to library staff. The two teens had returned inside the library at the time the call came in, and staff asked them if what was reported was true. Both denied the claims, and one asked to “prove” that it wasn't true by showing the contents of his cellphone video library. Do we put ourselves at risk by allowing a patron (juvenile or otherwise) to show us such content? We can see a variety of ways that this might expose us to risk, but we also understand the teen’s impulse to defend himself.

Additional questions that came up (but maybe too much for a single query): If patrons do film each other without consent on library property, is that a further risk for us? If we were to explicitly state that filming others while on library property is against policy, how could we safely enforce that policy?