By Mary Kate McGrath - February 24, 2020
In Dec. of 2019, the Department of Education and the Department of Health and Human Services issued an updated guidance on the sharing of student health records under the Family Educational Rights and Privacy Act (FERPA) and the the Health Insurance Portability and Accountability Act (HIPAA), as per the HHS. The guidance, which was first published in 2008, is meant to help school and healthcare professionals better understand how HIPAA and FERPA apply to student educational and healthcare records. Given the update, education institutions and healthcare facilities should review the DoE and OCR’s document before making important decisions sharing student education and health records.
The DoE and OCR’s updated document, titled, “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records", aims to dispel myths about about student record sharing during an emergency, especially in light of a national student mental health crisis. The document expands on prior guidance to help address any confusion on behalf of school administrators, healthcare professionals, or others on how FERPA and HIPAA apply to students, especially during emergency health or safety situations. The guidance is not meant to bind the public, and does not have the force or effect of law; instead, it’s meant to increase transparency about the existing HIPAA and FERPA requirements and how these are enforced by respective agencies.
The Health Insurance Portability and Accountability Act, HIPAA, requires healthcare providers and organizations, as well as business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared, as per the Department of Healthcare Services. HIPAA applies to all forms of protected health information, including paper, oral, or electronic files, and it mandates that only the minimum healthcare information required to conduct business should be used.
HIPAA law aids several key functions in the healthcare industry, according to DHCS, including:
A main goal of the privacy rule is to assure that an individual's healthcare information is properly protected, while also allowing for the necessary flow of health information to provide high quality healthcare and protect the public’s health and well-being, as per the HHS.
Th Family Education Rights and Privacy Act, or FERPA , is a federal law that allows parents the right to have access to their children’s education records, the right to seek to have their records amended, and the right to have some control over disclosure of personally identifiable information from the education records, as per the Department of Education. When a student turns 18 years-old, or enters a post-secondary institution at any age, rights under FERPA transfer from the parent or guardian to the student.
The HIPAA privacy role excludes student educational records from its definition of protected health information, but there are situations where HIPAA and FERPA overlap in dealing with student records, as per HIPAA Journal. During emergencies and situations where the student’s health is at risk, educational institutions and healthcare providers may disclose a student’s health health information to someone in a position to prevent or lessen harm, including family, friends, guardians, or law enforcement.
One of the major goals of the updated guidance is to assure administrators and health professionals that sharing vital information is permitted when a student presents a threat to themselves or others. “This updated resource empowers school officials, healthcare providers, and mental health professionals by dispelling the myth that HIPAA prohibits the sharing of health information in emergencies,” OCR director Roger Severino told HIPAA Journal.
The guidance emphasizes that healthcare providers can share personal health information with anyone as necessary to prevent or lessen a serious imminent threat to the health or safety of an individual, another person, or the public. Before sharing PHI, administrators must be sure to comply with state statutes, regulations, or case law, as well as the healthcare providers code of ethical conduct. This permission to share files in cases of someone who is a danger to self or others also applies to psychotherapy notes, which otherwise receive a special protection under the privacy rule.
Policies for sharing HIPAA and FERPA records will likely vary from state to state, but a student who is a threat to themself or others is a universal exception. For administrators, healthcare professionals, parents or guardians looking to make a determination about whether or not a student is a danger to themselves or others should, under the guidance, prioritize two questions. Administrators or healthcare professionals must have a good faith belief that, “(1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is sharing records to a person(s) reasonably able to prevent or lessen the threat”, as per Campus Safety Magazine.
Under the guidance, the HIPAA Privacy Rule permits covered entities to disclose PHI without patient authorization in certain circumstances, including emergency or other situations.
Examples of Permitted HIPAA Disclosures During An Emergency:
It’s critical for administrators to communicate to teachers, counselors, or other relevant healthcare providers that student record privacy does not need to stand in the way of school safety. A mass notification system can help increase awareness of HIPAA and FERPA guidelines, including any updates to policy or protocol. The tool can be leveraged to reach out to community members at the beginning of the year, and provide further information about 1.) when it is appropriate to access student health records under HIPAA or FERPA, such as to prevent or lessen a serious threat 2.) what constitutes a serious threat to the health and safety of an individual, others, or public health 3.) who may reasonably be able to prevent or lessen the threat in the community, such as a law enforcement, family, or health professionals, as well as 4.) state and local laws and regulations regarding the use of student education or health records.
For schools looking to better understand their community, an anonymous two-way tip texting tool may also be valuable. The tip line allows students to report any behavior, whether it occurred on campus or online, in which a peer seems to be a danger to themselves or others. One benefit of the anonymous tool is that students can communicate directly with administrators or local law enforcement without fear of retaliation. Following a tip received via the line, safety leaders can make a determination about whether or not requesting HIPAA or FERPA records is an appropriate course of action, or how best to mitigate or prevent danger to a student or others.
Mary Kate is a content specialist and social media manager for the Rave Mobile Safety team. She writes about public safety for the state & local and education spheres.
If you have visited a college or university campus in the past thirty years, the likelihood is you will have seen an...