
Original Article

HIPAA Goes To School: Clarifying Privacy Laws In The Education Environment

S Barboza, S Epps, R Byington, S Keene

Citation

S Barboza, S Epps, R Byington, S Keene. HIPAA Goes To School: Clarifying Privacy Laws In The Education Environment. The Internet Journal of Law, Healthcare and Ethics. 2008 Volume 6 Number 2.

Abstract

Confusion regarding the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) continues to be a concern for health care professionals working in the educational environment. Following the Virginia Tech tragedy and similar incidents of school violence in recent years, educational communities and governmental agencies are analyzing the balance between individual privacy and freedom versus the safety and security of all. Health care professionals working in the school environment must stay abreast of privacy regulations regarding student records while providing needed care.

Introduction

For a health care professional, choosing to work in a school environment can be a rewarding experience. Yet the rewards can be coupled with frustrations, such as deciphering laws regarding the privacy of student records. Generally familiar in the health care setting, one intent of the Health Insurance Portability and Accountability Act (HIPAA) is to protect an individual’s personally identifiable health information. While HIPAA is familiar to those working in health care, the Family Educational Rights and Privacy Act (FERPA) is more often applicable in the school environment. Although FERPA does not specifically address health records, any record created and maintained in a school for school district purposes is considered part of the education record (Bergren, 2004). Confusion can arise as to which privacy regulation is applicable when related to student health records.

Confusion, Crisis and Clarity

Since April 2003, when the deadline for HIPAA compliance was reached, school health care personnel and administrators have been struggling for guidance on how HIPAA interacts with FERPA (Moore & Wall, 2003). Some believe this confusion may have contributed to at least one school’s tragedy. The misinformation and overzealousness to protect a student’s privacy may have indirectly contributed to the shootings at Virginia Tech. On April 16, 2007, Virginia Tech student Seung Hui Cho killed 27 fellow students and 5 faculty members as well as injuring 24 others. He then ended the massacre by taking his own life (CBS News, 2009). Prior to that horrific day, Cho displayed several warning signs of his mental illness. At various times during Cho’s college education, Virginia Tech professors recognized that he was mentally troubled. As a junior, Cho became known for his “silent and aloof manner, troubling behavior, and dark, disturbing writings” (Schuchman, 2007, p.105). During this same time, Cho’s suitemates wrote a letter to the resident advisor describing his behavior as threatening and bizarre, stating that Cho often referred to an imaginary twin brother. At one point, Cho told his suitemate that he was going to kill himself. Campus police were notified and, after speaking with Cho, requested he meet with a counselor immediately. Cho went voluntarily and spoke with a representative from the Department of Mental Health. He was then admitted to a psychiatric hospital but discharged the next day with orders from a judge to seek outpatient treatment. However, misinterpretation of privacy laws prevented mental health professionals and Virginia Tech professors from communicating with each other about Cho. Although Cho’s parents gave permission for his counseling records to be released after his death, it is unclear if Cho received therapy after he left the psychiatric hospital (Schuchman, 2007).

Following the tragedy, President George W. Bush requested that U.S. Department of Health and Human Services staff work together with U.S. Department of Education leaders to consider whether “they have properly addressed and balanced the fundamental interests of privacy and individual freedom, safety and security, and assisting those with mental health needs in getting appropriate care” (U.S. Department of Health, 2008, p.1). As a result, the Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records was created in an effort to clarify any confusion regarding how and when HIPAA and FERPA interact (Schuchman, 2007).

Education Records

Health care providers who work in schools have long had questions about which of the many confidentiality laws and principles apply to student health information. Elementary and secondary school staff may employ a variety of health care providers such as school nurses, school-based health clinicians, and therapists. These health care professionals are often confused as to how the HIPAA Privacy Rule applies to the student record (Moore & Wall, 2003). An education record includes a range of information about a student including date and place of birth, parent address and emergency contact information; grades and test scores; special education records; disciplinary records; medical and health records that the school creates or collects; documentation of attendance, schools attended, courses taken; and personal information such as the student’s social security number. Personal notes made by teachers and other staff are not considered part of the education records. In addition, law enforcement records created and maintained by a school or district’s law enforcement agency are not considered part of the education record (Policy Studies Associates Inc., 1997).

Elementary and secondary schools acquire and maintain a great deal of information about their students. Much of this information is confidential in nature, and parents and students expect the schools to maintain privacy. Information concerning a student’s health is one type of confidential information schools maintain. Health information about a student may also be contained in a variety of other documents, such as the Individualized Education Plan (IEP) or athletic department records (Moore & Wall, 2003). Access to educational records by third parties is permitted only with written parental consent. Exceptions to this rule include school officials with legitimate educational interests such as the student’s teachers, counselors, principals, school psychologists, school nurses, speech therapists, occupational therapists, physical therapists, and social workers. Parental consent is also not required in emergency situations if the records are being used to protect the health and safety of the student (Yell, 1996).

For postsecondary institutions, a student’s medical and psychological treatment records are excluded from the definition of education records if they are created, maintained, and used only in connection with the treatment of the student and disclosed only to individuals providing the treatment. Without this assurance of confidentiality, many students may forgo the healthcare they need. However, if a school discloses a student’s treatment records for purposes other than treatment (such as to notify someone of a potential threat) the records are no longer excluded from the definition of education records and are subject to all other FERPA requirements (U.S. Department of Health, 2008).

FERPA Basics

In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA). The purpose of this Act, also known as the Buckley Amendment, is to guarantee parental access to student records and to permit access only to persons with legitimate reasons to view the records (Yell, 1996). FERPA only applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. Therefore, since private and religious schools at the elementary and secondary level generally do not receive funds from the U.S. Department of Education, these schools are not subject to FERPA (U.S. Department of Health, 2008). Under FERPA, parents have access to the education records of their minor children, including any health information contained within the records (English & Ford, 2004).

Since 1974, FERPA has been amended 28 times. In short, the role of FERPA is to ensure that private student records are not disclosed to anyone without the consent of the parent until the student reaches the age of 18, when the right is transferred to the student. Private records include transcripts, exams, enrollments, disciplinary actions and health records (Oliver, 2008). According to Yell (2006), FERPA applies to all students attending institutions receiving federal funding and requires that those institutions follow certain requirements including:

  • Each year the school must establish written policies regarding student records and inform parents of their rights under FERPA.

  • Parents are guaranteed access to their children’s educational record when requested.

  • Parents have the right to challenge the accuracy of the records.

  • Disclosure of personally identifiable information in these records to third parties is prohibited unless parental consent is first received.

  • Parents may file complaints under FERPA if a school fails to comply with the law.

However, schools are not required to obtain parental consent when records are shared with school staff involved in the education of the student, correctional facilities, school attorneys, special education service providers, and when disclosure of information is related to child-find activities under the Individuals with Disabilities Education Act (Yell, 1996).

As stated, since a public school receives federal funding, the student records are covered by FERPA, not the Privacy Rule of HIPAA. Therefore, written consent is not required for a physician to discuss with school health care personnel the students’ medical condition and care so that an appropriate individualized health care plan for the student can be developed (Schwab & Pohlman, 2004).

FERPA applies to educational institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and most private and public postsecondary institutions, including medical and other professional schools (U.S. Department of Health, 2008). These records will be either education records or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. FERPA forbids colleges that receive federal funding from releasing most student records unless first granted permission from parents or the adult student. According to FERPA, a college that reveals private records without permission can lose federal financial-aid funds. However, as of 2003, nearly 20 years after FERPA became law, this penalty had never been enforced (Arnone, 2003). Primary control over a student’s records shifts from the parents to the student when the student enrolls in college, even if the student is still a minor. Despite this, institutions can still disclose information to parents in a variety of circumstances, including if the parent claims the student as a federal tax dependent; if the student is under 21 and has violated school alcohol or drug policies; or if the institution believes there to be a health or safety emergency involving the student (McDonald, 2008).

HIPAA Basics

In 1996, Congress enacted HIPAA to improve the efficiency and effectiveness of the health care system through the establishment of national standards and requirements for electronic health care transactions and to protect the privacy and security of individually identifiable health information (Bergren, 2004). The HIPAA Privacy Rule requires that covered entities protect an individual’s health records and other identifiable health information by requiring appropriate safeguards to protect privacy. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records, and to request corrections (U.S. Department of Health, 2008). Most health care providers in the United States were required to comply with the HIPAA Privacy Rule no later than April 14, 2003.

HIPAA (1996) calls for protections and privacy of medical information including “any information whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearing house” (as cited in Smith, 2000). Although schools were initially included in the drafts of the HIPAA regulations published prior to December 28, 2001, the Final Rule exempted school health providers because a federal law ensuring the privacy of education records was already in place (Bergren, 2004). The Department of Health and Human Services (DHHS) explained that the education records covered by FERPA were appropriate because these records were already subject to a comprehensive regulatory scheme that allowed for access to information while protecting confidentiality. Therefore, additional regulation of these education records was unnecessary (Moore & Wall, 2003).

HIPAA in School

To be considered a covered health care provider under the HIPAA Privacy Rule, a person or organization must meet the definition of health care provider and transmit health information electronically. Health care provider is defined broadly to include any person who, in the normal course of business, furnishes, bills, and/or is paid for health care. The term health care is also defined quite broadly and includes counseling, physical assessment, and diagnostic, therapeutic, and rehabilitative care. Several individuals employed by schools could fall within these definitions, including physical, occupational, and speech therapists, school nurses, and psychologists. The second requirement is that a health care provider must transmit health information electronically. One common example of an electronic transaction to which HIPAA applies is the filing of an insurance claim to obtain payment for services. For example, if the school bills Medicaid for therapy services the student receives at school, this treatment would be classified as a HIPAA transaction. Health care providers must meet both parts of the rule in order to be considered covered entities under HIPAA (Moore & Wall, 2003). To clarify, a school that accepts federal funds yet bills for health care service provided by a school employee is required to comply with the HIPAA Administrative Simplification Rules for Transactions and Code Sets and Identifiers when requesting reimbursement electronically. However, even though the school engages in a HIPAA-covered transaction, the actual records maintained for billed services are educational records, thus covered by FERPA, not HIPAA (Bergren, 2004). On the other hand, if the school employs health care providers and does not bill the student’s insurance for treatment, HIPAA does not apply at all (U.S. Department of Health, 2008).

Applications

Determining when the regulations of FERPA and HIPAA are applicable is critical for school personnel. Examples could include:

  • While attending an IEP meeting, a child’s single parent insists that the information in the IEP is not to be shared with the child’s noncustodial parent. However, a few weeks later the noncustodial parent calls to ask for a meeting to discuss the child’s IEP. Page v. Rotterdam-Mohonasen Central School District (1981) clarified that access to student records must be granted to both parents, even when only one parent has legal custody, unless a court order has been issued denying access to the noncustodial parent (Yell, 1996).

  • The star football player is injured during the game and the media is requesting a press release from the athletic trainer. In this case, HIPAA applies since the extracurricular activity is not part of the education record. Confidentiality is required and no information can be released without consent of the parent, or athlete if he is of legal age.

  • A school employee believes that a student presents a serious danger to self or others when he submits a disturbing essay for an assignment. Both the HIPAA Privacy Rule and FERPA permit the disclosure of PHI (private health information) to a parent or others if the information is released in good faith. The disclosure must be deemed necessary to prevent or lessen the threat and the release of such information is given only to individuals who could intervene and/or lessen the threat. Depending on the circumstances, this may include disclosure to law enforcement, family members, the target of the threat, and/or others who the discloser has a good faith belief can mitigate the threat (U.S. Department of Health, 2008).

  • A physical therapist contracted with the local public school system is billing Medicaid for services provided for a child with cerebral palsy. The billing should be performed following HIPAA guidelines but the record itself is part of the education record, and subject to FERPA. “Even though the district engages in a HIPAA-covered transaction, the records maintained for billed services are educational records. The student’s personally identifiable information is protected by FERPA, not by HIPAA Privacy Rules” (Bergren, 2004, p. 109).

Conclusion

All health care providers are required by law to protect the privacy of the individuals they treat. However, privacy protection is not meant to interfere with the proper care of the patient. FERPA recognizes that decisions about when emergency disclosure is needed and what disclosure is appropriate are subjective in nature and sometimes must be made before all of the facts are known. The Family Policy Compliance Office has expressly stated that it “will not fault good-faith decisions even if they turn out, in hindsight, to have been wrong” (McDonald, 2008, p. 4). Neither FERPA nor HIPAA denies the ability to discuss care with other professionals involved in the direct care of the patient. FERPA allows health care professionals treating in the school environment to discuss the student with teachers, counselors, nurses, and any others who may be involved in the direct education of the student. This communication is critical in providing adequate education to students with disabilities who require health care professionals to improve their ability to thrive in the school environment. Officials at Virginia Tech may never know if improved communication could have made a difference in helping Seung-Hui Cho find the help he needed, therefore preventing the massacre. Hopefully, this catastrophe will ultimately lead to improved clarity and understanding of the privacy laws and encourage crucial communication to take place.

References

1. Arnone, M. (2003, October 3). Congress weighs changes in key student-privacy laws. Chronicle of Higher Education, 50(6), 1-4. Retrieved June 18, 2010 from https://chronicle.com/article/Congress-Weighs-Changes-in-Key/2863/
2. Bergren, M. D. (2004). HIPAA – FERPA revisited. Journal of School Nursing, 20(2), 107-112.
3. CBS News (2009, April 7). Warning signs ignored in Virginia Tech Shooting. Retrieved June 29, 2010 from http://www.cbsnews.com/stories/2009/04/07/eveningnews/main4927476.shtml
4. English, A. & Ford, C. A. (2004). The HIPAA privacy rule and adolescents: Legal questions and clinical challenges. Perspectives on Sexual and Reproductive Health, 36(2), 80-86.
5. McDonald, S. J. (2008, April 18). Family Rights and Privacy Act: 7 Myths – and the Truth. Chronicle of Higher Education, 54(32), p. 1-4 retrieved June 29, 2010 from http://docs.google.com/viewer?a=v&q=cache:iQ6iAk-ON1wJ:www.etsu.edu/reg/documents/PDF/FERPA_7_myths.pdf+Family+Rights+and+Privacy+Act:+7+truths&hl=en&gl=us&pid=bl&srcid=ADGEEShIj8M4etXh7Gj-YCKPhGt3bUEAF3_cvlH_wLBFPxLG_LLYZi-hWZJoZYkJqSsZ922BY3AiEgp9lNq0wJRc_McQC8LzPZoGz0953tL3kZ0r7yXpNo6GHWI9xIYwnlvvvZW6fIYt&sig=AHIEtbSJoa1lHZ4jeMvyO1yN79RU5Z8M3w.
6. Moore, J. & Wall, A. (2003). Must schools comply with the HIPAA privacy rule? School Law Bulletin, 34(2) 1-9.
7. Oliver, J. O. (2008). Compliance scorecard: FERPA compliance. Security Technology & Design, 18(8), 38-41.
8. Policy Studies Associates Inc. (1997). Protecting the privacy of student education records. Journal of School Health, 67(4), 139-140.
9. Schuchman, M. (2007). Falling through the cracks – Virginia Tech and the restructuring of college mental health services. New England Journal of Medicine, 357(2), 105-110.
10. Schwab, N. C. & Pohlman, K. J. (2004). Records – The Achilles’ heel of school nursing: Answers to bothersome questions. Journal of School Nursing, 20(4), 236-241.
11. Smith, S. P. (2000). Are you protecting your patients’ confidentiality? Nursing Economics, 18(6), 294-301.
12. U.S. Department of Health and Human Services & U.S. Department of Education. (2008, November). Joint Guidance of the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, 1-11.
13. Yell, M. L. (1996, Fall). Managing student records. Preventing School Failure, 41, 44-46.

Author Information

Sandra Barboza, B.S.,COTA
East Tennessee State University

Susan Epps, Ed.D
East Tennessee State University

Randy Byington, Ed.D, MT(ASCP)
East Tennessee State University

Shane Keene, D.H.Sc.,RRT-NPS, CPFT, RPSGT
East Tennessee State University
