The Increasing Compliance Burden on Colleges and Universities


Colleges and universities are akin to small cities. In addition to academic programs, athletics, and social and recreational opportunities, they are called upon to provide students with a host of ancillary services: housing, food, healthcare, banking and IT, just to name a few.

A number of government and industry regulations apply to these services, including the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the Gramm-Leach-Bliley Act (GLBA) for student loans and other financial services. The Payment Card Industry Data Security Standard (PCI DSS), a contractual industry standard rather than a law, establishes requirements for any system on campus that stores, processes or transmits credit and debit card data.

In addition, colleges and universities must adhere to student privacy regulations. For example, student education records, including academic, health and financial aid data held by the institution, are protected by the Family Educational Rights and Privacy Act (FERPA).

Understandably, institutions of higher education would rather allocate funds and resources toward educational initiatives, research and financial aid than toward meeting complex regulatory requirements. In light of that, a bipartisan group of U.S. Senators organized the Task Force on Federal Regulation of Higher Education in 2013 to conduct an extensive study of the regulatory climate with the aim of identifying challenges and opportunities for improvement.

The task force issued its report, “Recalibrating Regulation of Colleges and Universities,” in early 2015. The report notes that a large research university can spend more than $100 million each year to meet regulatory requirements, some of which limit access to financial aid, hamper innovation and contribute to tuition increases. In some instances, these compliance costs can be attributed to vague and overbroad rules with confusing reporting requirements. According to the task force chair, Sen. Lamar Alexander of Tennessee, these regulations amount to “sloppy, inefficient governing that wastes money, hurts students, discourages productivity and impedes research.”

In 2014, the EDUCAUSE Center for Analysis and Research conducted a study focused on IT governance, risk and compliance (GRC) requirements in higher ed. In that study, more than half of respondents said that the regulatory requirements governing IT systems are too complex.

Just one in five institutions say they have the budget and staffing to support IT GRC requirements, which encompass the adherence to laws, rules, regulations, institutional policies and contracts involved in the operation of an institution’s IT systems and resources. More than a one-time project, IT compliance is an ongoing process that requires standardized, repeatable procedures in order to be effective. Most institutions are struggling to keep up.

In IT, regulatory compliance requirements are usually tied to the data a system handles rather than to the system itself. If an IT system processes, stores or transmits multiple data types — student, health and payment card information, for example — it falls within the scope of every regulation that covers any of those types, so an accurate inventory of which data lives where is the starting point for any compliance program. At the same time, a centralized student information system enables colleges and universities to focus their compliance efforts and be better prepared to meet reporting requirements across a variety of regulations, provided the access controls and audit logging that each regulation expects are applied to the consolidated system. It can also help meet FERPA requirements by giving students the ability to inspect their education records and request correction of inaccurate data held by the institution.