S Barboza, S Epps, R Byington, S Keene
S Barboza, S Epps, R Byington, S Keene. HIPAA Goes To School: Clarifying Privacy Laws In The Education Environment. The Internet Journal of Law, Healthcare and Ethics. 2008 Volume 6 Number 2.
AbstractConfusion regarding the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) continues to be a concern for health care professionals working in the educational environment. Following the Virginia Tech tragedy and similar incidents of school violence in recent years, educational communities and governmental agencies are analyzing the balance between individual privacy and freedom versus the safety and security of all. Health care professionals working in the school environment must stay abreast of privacy regulations regarding student records while providing needed care.
For a health care professional, choosing to work in a school environment can be a rewarding experience. Yet the rewards can be coupled with frustrations, such as deciphering laws regarding the privacy of student records. Generally familiar in the health care setting, one intent of the Health Insurance Portability and Accountability Act (HIPAA) is to protect an individual’s personally identifiable health information. While HIPAA is familiar to those working in health care, the Family Educational Rights and Privacy Act (FERPA) is more often applicable in the school environment. Although FERPA does not specifically address health records, any record created and maintained in a school for school district purposes is considered part of the education record (Bergren, 2004). Confusion can arise as to which privacy regulation is applicable when related to student health records.
Confusion, Crisis and Clarity
Since April 2003, when the deadline for HIPAA compliance was reached, school health care personnel and administrators have been struggling for guidance on how HIPAA interacts with FERPA (Moore & Wall, 2003). Some believe this confusion may have contributed to at least one school’s tragedy. The misinformation and overzealousness to protect a student’s privacy may have indirectly contributed to the shootings at Virginia Tech. On April 16, 2007, Virginia Tech student Seung Hui Cho killed 27 fellow students and 5 faculty members as well as injuring 24 others. He then ended the massacre by taking his own life (CBS News, 2009). Prior to that horrific day, Cho displayed several warning signs of his mental illness. At various times during Cho’s college education, Virginia Tech professors recognized that he was mentally troubled. As a junior, Cho became known for his “silent and aloof manner, troubling behavior, and dark, disturbing writings” (Schuchman, 2007, p.105). During this same time, Cho’s suitemates wrote a letter to the resident advisor describing his behavior as
Following the tragedy, President George W. Bush requested the U.S. Department of Health and Human Services staff work together with the U.S. Department of Education leaders to consider whether “they have properly addressed and balanced the fundamental interests of privacy and individual freedom, safety and security, and assisting those with mental health needs in getting appropriate care” (U.S. Department of Health, 2008, p.1). As a result the
Health care providers who work in schools have long had questions about which of the many confidentiality laws and principles apply to student health information. Elementary and secondary school staff may employ a variety of health care providers such as school nurses, school-based health clinicians, and therapists. These health care professionals are often confused as to how the HIPAA Privacy Rule applies to the student record (Moore & Wall, 2003). An education record includes a range of information about a student including date and place of birth, parent address and emergency contact information; grades and test scores; special education records; disciplinary records; medical and health records that the school creates or collects; documentation of attendance, schools attended, courses taken; and personal information such as the student’s social security number. Personal notes made by teachers and other staff are not considered part of the education records. In addition, law enforcement records created and maintained by a school or district’s law enforcement agency are not considered part of the education record (Policy Studies Associates Inc., 1997).
Elementary and secondary schools acquire and maintain a great deal of information about their students. Much of this information is confidential in nature, and parents and students expect the schools to maintain privacy. Information concerning a student’s health is one type of confidential information schools maintain. Health information about a student may also be contained in a variety of other documents, such as the Individualized Education Plan (IEP) or athletic department records (Moore & Wall, 2003). Access to educational records by third parties is permitted only with written parental consent. Exceptions to this rule include school officials with
For postsecondary institutions, a student’s medical and psychological treatment records are excluded from the definition of
In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA). The purpose of this Act, also known as the Buckley Amendment, is to guarantee parental access to student records and to permit access only to persons with legitimate reasons to view the records (Yell, 1996). FERPA only applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. Therefore, since private and religious schools at the elementary and secondary level generally do not receive funds from the U.S. Department of Education, these schools are not subject to FERPA (U.S. Department of Health, 2008). Under FERPA, parents have access to the education records of their minor children, including any health information contained within the records (English & Ford, 2004).
Since 1974, FERPA has been amended 28 times and in short, the role of FERPA is to ensure that private student records are not disclosed to anyone without the consent of the parent until the student reaches the age of 18, when the right is transferred to the student. Private records include transcripts, exams, enrollments, disciplinary actions and health records (Oliver, 2008). According to Yell (2006), FERPA applies to all students attending institutions receiving federal funding and requires that those institutions follow certain requirements including:
Each year the school must establish written policies regarding student records and inform parents of their rights under FERPA.
Parents are guaranteed access to their children’s educational record when requested.
Parents have the right to challenge the accuracy of the records.
Disclosure of personally identifiable information in these records to third parties is prohibited unless parental consent is first received.
Parents may file complaints under FERPA if a school fails to comply with the law.
However, schools are not required to obtain parental consent when records are shared with school staff involved in the education of the student, correctional facilities, school attorneys, special education service providers, and when disclosure of information is related to child-find activities under the Individuals with Disabilities Education Act (Yell, 1996).
As stated, since a public school receives federal funding, the student records are covered by FERPA, not the Privacy Rule of HIPAA. Therefore, written consent is not required for a physician to discuss with school health care personnel the students’ medical condition and care so that an appropriate individualized health care plan for the student can be developed (Schwab & Pohlman, 2004).
FERPA applies to educational institutions that receive funds under any program administered by the U. S. Department of Education. This includes virtually all public schools and most private and public postsecondary institutions, including medical and other professional schools (U.S. Department of Health, 2008). These records will be either education records or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. FERPA forbids colleges that receive federal funding from releasing most student records unless first granted permission from parents or the adult student. According to FERPA, a college that reveals private records without permission can lose federal financial-aid funds. However, as of 2003, nearly 20 years after FERPA became law, this penalty was never enforced (Arnone, 2003). Primary control over a student’s records shifts from the parents to the student when the student enrolls in college, even if the student is still a minor. Despite this, institutions can still disclose information to parents for a variety circumstances, including if the parent claims the student as a federal tax dependent; if the student is under 21 and has violated school alcohol or drug policies; or if the institution believes there to be a health or safety emergency involving the student (McDonald, 2008).
In 1996, Congress enacted HIPAA to improve the efficiency and effectiveness of the health care system through the establishment of national standards and requirements for electronic health care transactions and to protect the privacy and security of individually identifiable health information (Bergren, 2004). The HIPAA Privacy Rule requires that covered entities protect an individual’s health records and other identifiable health information by requiring appropriate safeguards to protect privacy. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records, and to request corrections (U.S. Department of Health, 2008). Most health care providers in the United States were required to comply with the HIPAA Privacy Rule no later than April 14, 2003.
HIPAA (1996) calls for protections and privacy of medical information including “any information whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearing house.” (as cited in Smith, 2000). Although schools were initially included in the drafts of the HIPAA regulations published prior to December 28, 2001, the Final Rule exempted school health providers because a federal law ensuring the privacy of education records was already in place. (Bergren, 2004). The Department of Health and Human Services (DHHS) explained that the education records covered by FERPA were appropriate because these records were already subject to a comprehensive regulatory scheme that allowed for access to information while protecting confidentiality. Therefore, additional regulation of these education records was unnecessary (Moore & Wall, 2003).
HIPAA in School
To be considered a covered health care provider under the HIPAA Privacy Rule, a person or organization must meet the definition of health care provider
Determining when the regulations of FERPA and HIPAA are applicable is critical for school personnel. Examples could include:
While attending an IEP meeting, a child’s single parent insists that the information in the IEP is not to be shared with the child’s noncustodial parent. However, a few weeks later the noncustodial parent calls to ask for a meeting to discuss the child’s IEP. Page v. Rotterdam-Mohonasen Central School District (1981) clarified that access to student records must be granted to both parents, even when only one parent has legal custody unless a court order has been issued denying access to the noncustodial parent. (Yell, 1996).
The star football player is injured during the game and the media is requesting a press release from the athletic trainer. In this case, HIPAA applies since the extracurricular activity is not part of the education record. Confidentially is required and no information can be released without consent of the parent, or athlete if he is of legal age.
A school employee believes that a student presents a serious danger to self or others when he submits a disturbing essay for an assignment. Both the HIPAA Privacy Rule and FERPA permit the disclosure of PHI (private health information) to a parent or others if the information is released in good faith. The disclosure must be deemed necessary to prevent or lessen the threat and the release of such information is given only to individuals who could intervene and/or lessen the threat. Depending on the circumstances, this may include disclosure to law enforcement, family members, the target of the threat, and/or others who the discloser has a good faith belief can mitigate the threat (U.S. Department of Health, 2008).
A physical therapist contracted with the local public school system is billing Medicaid for services provided for a child with cerebral palsy. The billing should be performed following HIPAA guidelines but the record itself is part of the education record, and subject to FERPA. “Even though the district engages in a HIPAA-covered transaction, the records maintained for billed services are educational records. The student’s personally identifiable information is protected by FERPA, not by HIPAA Privacy Rules” (Bergren, 2004, p. 109).
All health care providers are required by law to protect the privacy of the individuals they treat. However, privacy protection is not meant to interfere with the proper care of the patient. FERPA recognizes that decisions about