Part I — FERPA: Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. FERPA applies to educational agencies and institutions that receive funding under programs administered by the U.S. Department of Education. It restricts disclosure of personally identifiable information (PII) from education records without prior written consent of the parent or eligible student.
When FERPA Applies in Emergency Response
MayDay-IC's Facility Census and Roster Management System enables emergency responders to import and manage roster data from educational institutions (schools, colleges, and universities) during incidents such as fires, evacuations, active threat events, and mass casualty incidents. These rosters contain education records protected by FERPA. To import such records into MayDay-IC, the educational institution must have a lawful basis for disclosure.
FERPA permits disclosure of education records without consent in the following emergency-relevant circumstances:
- Health and Safety Emergency (34 CFR 99.36): Educational agencies may disclose PII from education records to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. This exception is limited to the period of the emergency. After the emergency ends, FERPA's standard consent requirements resume.
- Disaster Relief (20 U.S.C. 1232g(b)(1)(I)): PII in education records may be disclosed to a federal, state, or local authority or to the American Red Cross in the context of a disaster or emergency for which that authority is responsible for coordinating disaster relief efforts.
- Audit and Evaluation (34 CFR 99.35): Education records may be disclosed to authorized representatives of federal, state, and local educational authorities for audit and evaluation purposes.
How MayDay-IC Protects FERPA-Covered Data
When roster data is imported from an educational institution into MayDay-IC's Facility Census system:
- A mandatory FERPA acknowledgment gate is displayed to the importing user before the import proceeds
- All roster entries are encrypted at rest using AES-256-GCM encryption
- Permanent system IDs (e.g., TX-SCHL-004821) are assigned and never reused, but these IDs are not linked to external student ID systems without additional authorization
- Access to school roster records is restricted to users with appropriate role-based permissions
- All access events are logged in the immutable audit trail
- Suspicious changes (greater than 30% removal in a single update) are flagged for human review
- Data is not shared with or accessible to third parties not involved in the emergency response
FERPA Data Breach Notification
FERPA does not contain a standalone breach notification requirement equivalent to HIPAA's Breach Notification Rule. However, unauthorized access to or disclosure of FERPA-protected education records:
- Must be reported to the affected educational institution immediately
- Triggers applicable state breach notification laws, which generally require notification to affected students and/or parents
- Is reported to the U.S. Department of Education's Student Privacy Policy Office (SPPO) if required by applicable law or contract
- Is treated as a High or Critical severity incident under MayDay-IC's Breach Response Plan
Retention and Destruction of FERPA Records
School roster data imported into MayDay-IC is retained for the incident period plus 3 years (consistent with standard educational records retention under FERPA) unless a longer retention period is required by applicable law. Upon expiration of the retention period, records are cryptographically purged from the system and the purge event is audit-logged.
Part II — PREA: Prison Rape Elimination Act
The Prison Rape Elimination Act of 2003 (34 U.S.C. § 30301 et seq.) and implementing regulations (28 CFR Part 115) address the detection, prevention, reduction, and punishment of prison rape. PREA applies to all public and private institutions that house adult or juvenile offenders, including federal and state prisons, local jails, police lockups, community confinement facilities, and juvenile facilities. PREA establishes confidentiality requirements for information related to sexual abuse allegations and victim information.
When PREA Applies in Emergency Response
MayDay-IC's Facility Census and Roster Management System supports incidents involving correctional facilities, including evacuations, fires, natural disasters, and disturbances. Inmate census data and related records imported into MayDay-IC may contain information subject to PREA's confidentiality requirements, including:
- Information identifying an inmate as a victim or perpetrator of sexual abuse
- Investigative records related to sexual abuse allegations
- Medical and mental health records related to sexual abuse
- Retaliation-risk information for inmates who have reported abuse
PREA Confidentiality Requirements
Under 28 CFR 115.61, all information concerning allegations of sexual abuse is kept confidential and is not disclosed to other inmates. Under 28 CFR 115.86, investigators are prohibited from disclosing information related to an allegation except to the extent necessary to make treatment, investigation, and management decisions. MayDay-IC implements the following controls to support PREA compliance:
- A mandatory PREA acknowledgment is displayed to users importing correctional facility census data
- Inmate census records are encrypted at rest with AES-256-GCM encryption
- Role-based access controls ensure only authorized personnel can access inmate census records
- No inmate record is accessible to other inmates through any MayDay-IC interface
- All access to inmate records is audit-logged with user identity and timestamp
- PREA-sensitive fields (vulnerability flags, special housing assignments) are segregated and subject to enhanced access controls
PREA Breach Notification
Unauthorized access to or disclosure of PREA-protected information is treated as a High or Critical severity breach under MayDay-IC's Breach Response Plan. In addition to standard breach response procedures, MayDay-IC will:
- Notify the affected correctional facility immediately upon discovering the breach
- Provide a detailed breach report for the facility's mandatory PREA compliance documentation
- Cooperate fully with any investigation by the Department of Justice or relevant oversight body
Part III — CJIS: Criminal Justice Information Services Security Policy
The FBI's Criminal Justice Information Services (CJIS) Division manages the nation's criminal justice databases and establishes a security policy — the CJIS Security Policy — governing access to and use of Criminal Justice Information (CJI). CJI includes biometric, identity history, person, organization, and property information collected by criminal justice agencies and stored in CJIS Division databases, as well as information derived from those databases.
Current Scope of CJIS Within MayDay-IC
MayDay-IC does not currently serve as a CJIS Authorized Recipient and does not have direct access to CJIS Division databases (such as NCIC, NICS, or III). However, MayDay-IC acknowledges the following:
- Law enforcement agencies using MayDay-IC may be authorized CJIS users
- Information entered into MayDay-IC by law enforcement personnel may be derived from or related to CJI
- MayDay-IC may in the future seek to integrate with or exchange data with CJIS-authorized systems
CJIS-Aligned Security Controls
Although not currently a CJIS Authorized Recipient, MayDay-IC implements security controls that align with CJIS Security Policy requirements to support law enforcement users and prepare for potential future CJIS integration:
| CJIS Policy Area | MayDay-IC Control |
|---|---|
| Advanced Authentication (Policy Area 6) | TOTP multi-factor authentication enforced for all admin and law enforcement accounts |
| Configuration Management (Policy Area 10) | Version-controlled infrastructure; access changes are audit-logged |
| Incident Response (Policy Area 9) | Documented Breach Response Plan; 24-hour incident escalation procedures |
| Auditing and Accountability (Policy Area 2) | Immutable audit logs with user identity, timestamp, and action for all data access events |
| Access Control (Policy Area 5) | Role-based access controls with principle of least privilege; session timeouts enforced |
| Identification and Authentication (Policy Area 6) | Unique user IDs; password complexity requirements; brute-force lockout after failed attempts |
| Mobile Device Security (Policy Area 13) | AES-256 encryption for all data at rest on mobile devices; remote wipe capability |
| Encryption (Policy Area 12) | AES-256-GCM for data at rest; TLS 1.2+ for data in transit |
Future CJIS Integration
If MayDay-IC seeks to obtain direct access to CJI or to become a CJIS Authorized Recipient, the following additional requirements will be implemented prior to any such access:
- Execution of a CJIS Security Addendum with a CSO (Criminal Justice Agency System Officer)
- Completion of CJIS Security Awareness Training (Level 4) for all personnel with access to CJI
- Implementation of a CJIS-compliant Personnel Security Program including fingerprint-based background checks
- Completion of a formal CJIS Security Audit
Law enforcement agencies using MayDay-IC are responsible for ensuring that their use of MayDay-IC complies with any applicable CJIS requirements, including their own Security Addendums and their CJIS Agency Coordinator's (CAC) requirements.
Part IV — NEMSIS 3.5.0: National EMS Information System
The National EMS Information System (NEMSIS) is the national database that is used to store, share, and analyze EMS data from across the United States. NEMSIS defines a standard format for collecting and transmitting EMS patient care data. MayDay-IC supports export of patient care records in NEMSIS version 3.5.0 XML format.
Purpose and Legal Authority for NEMSIS Data Collection
NEMSIS data collection is authorized and encouraged under the Emergency Medical Services Systems Act and the Public Health Service Act. States are required to submit NEMSIS-compliant data to the National EMS Database as a condition of receiving certain federal grants administered by NHTSA and HRSA. NEMSIS data is used for:
- Quality improvement and evidence-based protocol development
- System performance measurement and benchmarking
- Research into EMS care outcomes and practices
- Public health surveillance and emergency preparedness planning
NEMSIS Data and PHI
NEMSIS patient care records contain Protected Health Information (PHI) as defined by HIPAA, including patient demographics, vital signs, assessment findings, treatment information, and outcome data. All NEMSIS data generated by or exported from MayDay-IC is subject to HIPAA's Privacy and Security Rules in addition to NEMSIS data governance requirements.
How MayDay-IC Handles NEMSIS Exports
- NEMSIS exports are available only to authorized users with the appropriate role-based permissions (EMS Coordinator, Incident Commander, or admin)
- A one-time NEMSIS disclaimer acknowledgment is required before accessing the NEMSIS export function, confirming the user's understanding of HIPAA requirements and data governance obligations
- All NEMSIS export events are logged in the immutable audit trail with user identity, timestamp, and the records exported
- NEMSIS XML exports generated by MayDay-IC conform to the NEMSIS v3.5.0 schema
- NEMSIS exports are intended for submission to authorized state EMS databases and NHTSA's national database only; further disclosure requires appropriate authorization
- MayDay-IC does not transmit NEMSIS data directly to any external system; the export is provided to the authorized user who is responsible for submission
Data Elements Included in NEMSIS Exports
| NEMSIS Section | Data Included |
|---|---|
| ePatient | Patient demographics: age, gender, race/ethnicity, home county, home state (exact address is excluded from standard exports) |
| eDispatch | Incident number, dispatch date/time, dispatch reason, response priority |
| eSituation | Chief complaint, primary impression, secondary impressions |
| eVitals | All vital signs recorded during the incident |
| eProtocols | Protocols followed, medication administered, procedures performed |
| eOutcome | Disposition, destination, patient acuity on arrival |
| eRecord | Record creation and submission metadata |
NEMSIS Data Retention
NEMSIS-compliant patient care records are retained for a minimum of 6 years from the date of the incident, consistent with HIPAA requirements (45 CFR 164.530(j)). State-specific retention requirements may be longer; MayDay-IC's configurable Retention Settings allow agencies to set retention periods consistent with their state's requirements.
Part V — Regulatory Applicability Matrix
The following matrix summarizes which regulations apply to each category of data managed within MayDay-IC's Facility Census and Roster Management System:
| Data Category | Primary Regulation(s) | Key Restriction |
|---|---|---|
| Patient/EMS records | HIPAA, NEMSIS, 42 CFR Part 2 (if SUD) | PHI — AES-256, BAA required, NEMSIS disclaimer |
| School/university rosters | FERPA, HIPAA (if medical records) | Consent required; emergency exception only during active incident |
| Correctional facility census | PREA, HIPAA | No inmate-to-inmate disclosure; vulnerability data segregated |
| Law enforcement-generated records | CJIS (agency responsibility), HIPAA | Agency-level CJIS compliance required; MayDay-IC provides aligned controls |
| Substance use treatment records | 42 CFR Part 2 (stricter than HIPAA) | Separate consent required; no re-disclosure; no use in criminal proceedings |
| Displaced persons records | HIPAA, state privacy laws | AES-256; privacy gate before caller identity disclosure |
Contact
For questions about FERPA, PREA, CJIS, or NEMSIS compliance within MayDay-IC:
Email: info@maydayic.com
For urgent security or breach concerns:
Email: info@maydayic.com
Blue Beard Solutions Inc.
Privacy & Compliance Officer