The information security and privacy laws and regulations listed here impart a duty upon the University of Washington (UW) to protect certain information. The list does not include all information security and privacy laws and regulations. The UW Chief Information Security Officer collaborates with the UW Privacy Official and UW subject matter experts to review and update the information in the table below.

Applicable Laws and Regulations

Academic Data Domain

Last updated on December 13, 2022

  • FERPA – Family Educational Rights and Privacy Act
  • HEOA – Higher Education Opportunity Act
  • HPEPA – Health Professions Education Partnerships Act
  • HPSL – Health Professions Student Loans
  • TILA – Truth in Lending Act

Cross Data Domain

Last updated on December 13, 2022

  • ADA – Americans with Disabilities Act
  • DMCA – Digital Millennium Copyright Act
  • ECPA – Electronic Communications Privacy Act
  • EOAA – Equal Employment Opportunity
  • EU GDPR – European Union General Data Protection Regulation
  • FCRA – Fair Credit Reporting Act
  • GINA – Genetic Information Non-Discrimination Act
  • GLBA – Gramm-Leach-Bliley Financial Services Modernization Act
  • Library User Identity
  • Medical Benefits
  • Notice of Security Breaches
  • Personal Identifiers
  • Red Flag Rules

Finance Data Domain

Last updated on December 13, 2022

  • Credit Card Receipts
  • PCI DSS – Payment Card Industry Data Security Standards

Patient Data Domain

Last updated on December 13, 2022

  • HIPAA – Health Insurance Portability and Accountability Act
  • HITECH – Health Information Technology for Economic and Clinical Health Act
  • Medical Records: RCW 70.02
  • Mental Illness

Research Data Domain

Last updated on December 13, 2022

  • EAR – Export Administration Regulations
  • FISMA – Federal Information Security Management Act
  • Human Subjects: 21 CFR 50
  • Human Subjects: 45 CFR 46
  • Informed Consent: 28 CFR 45.117
  • IRP Criteria: 21 CFR 56
  • ITAR – International Traffic in Arms Regulations
  • NISP – National Industrial Security Program
  • Prison Records: 28 CFR 512.11
  • Release of Records: RCW 42.48
  • Trade Sanctions

Youth Data Domain

Last updated on December 13, 2022

  • COPPA – Children’s Online Privacy Protection Act
  • Human Subjects: 21 CFR 50