Protecting Student Privacy: HIPAA and FERPA in Schools
2014 Indiana Association of School Nurses
November 7, 2014
Martha Dewey Bergren
Martha Dewey Bergren, DNS, RN, NCSN, FNASN, FASHA, FAAN
Director, Advanced Population Health Nursing
University of Illinois-Chicago
Consultant, National Confidentiality Taskforce
Testimony to NCVHS Privacy Subcommittee
Johnson & Johnson School Health Leadership Institute
Federal Laws & Privacy
FERPA – Family Education Rights and Privacy Act
HIPAA – Health Insurance Portability & Accountability Act
Interface:
• Public Schools: FERPA
• Student’s health care providers & agencies: HIPAA
Family Educational Rights & Privacy Act
FERPA – passed in 1974
Protects the privacy of students and families
Sets standards of confidentiality for all education records
Does not address health records
www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Family Educational Rights & Privacy Act
Education Records: any records with personally identifiable information about a student maintained by the school, staff members, contracted employees
Education Records: student health records, pupil services records, & third-party health records
FERPA Permitted Disclosures
Permitted uses of student information without consent:
Internal sharing for “legitimate educational interest” as defined by the school district
External release if
• Directory information
• To school which student intends to enroll
• Exceptions
LEGITIMATE EDUCATIONAL INTEREST
Should mean:
• Use is consistent with purposes for which data are kept
• Written criteria for access
• Necessary to perform task/service or relevant determination about student
• Used within context of school district business
• Balanced interests – individual/community
HIPAA: Health Insurance Portability & Accountability Act
Improve portability & continuity of health insurance coverage
Reduce costs & simplify administrative burden
Standardize electronic transmission of administrative & financial transactions
Protect security & privacy
HIPAA Permitted Disclosures
Permitted without authorization = TPO
• Treatment
• Payment
• Healthcare Operations
• “Minimum disclosure” standard
HIPAA: Health Insurance Portability & Accountability Act
School Health Records
Education records: Exempt
They are covered by FERPA
FERPA
Annual notice of rights to students
Right to inspect education records
Right to request amendment
Record access log
Transfer of ed records to new school
HIPAA
Notice of Information Practices
Right to access information
Right to request amendment
Disclosure logs
FERPA EXCEPTIONS
• Directory
• Emergencies
• Research
• Judicial order/subpoena
• Audit by state/federal officials
• Studies
• Authorized representative
• School officials with legitimate educational interest
HIPAA EXCEPTIONS
• Directory
• Emergencies
• Research
• Judicial order/subpoena
• Audit by state/federal officials
• Quality Assurance
• Body Identification
• Public Health
• TPO
FERPA
Internal release: OK for “legitimate educational interest”
Educational purposes
No policies/ procedure
HIPAA
Internal release: OK for Treatment, Payment, Operations
Health purposes
Policies & procedures detailed
FERPA pre-dates:
IDEA Electronic Student Records Security Email Internet 3rd Party Reimbursement
FERPA: No TPO Exemption
Treatment
– HIPAA providers share information with schools for Treatment without authorization
– FERPA does not allow sharing information with prescribers of Treatment without authorization
– Immunizations, physical exams, & education assessments = No treatment = no exemption***
*** State exceptions
FERPA: No TPO Exemption
Payment
Letter to Iowa Department of Education re: Disclosure of Education Records to Medicaid Agency for Reimbursement Purposes (10/25/05)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/iowa101205.html
If submitting for Medicaid reimbursement, MUST have parent consent
FERPA: No Public Health Exemption
Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements (11/29/04)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html
Letter to Pennsylvania Department of Education re: Disclosure of Education Records to CDC Grantees (2/25/04)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/pacdc.html
Letter to California Department of Education re: Disclosure of Education Records to CDC Grantees (2/18/04)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/ca21804.html
FERPA: No Public Health Exemption
Letter University of New Mexico: Applicability of FERPA to Health & Other State Reporting Requirements (11/29/04)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html
State law requires principals, teachers, school nurses report immediately:
– Communicable diseases, vaccine preventable & STDs
– Bio-terrorism & chemical agents: anthrax, smallpox
– Food, waterborne & environmental
– Tic, encephalitis, hepatitis, Legionnaires, etc
– Spinal cord, TBI, tumor registry
Decision: Subject to all FERPA requirements
FERPA: No Public Health Exemption
Letter University of New Mexico: Applicability of FERPA to Health & Other State Reporting Requirements (11/29/04)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html
Emergency:
– Imminent danger
– Immediate need
– Narrow interpretation
– Case-by-Case determination
Decision: NO routine reporting = written consent
Spellings October 30, 2007
Balancing school privacy and safety - Letter to school officials
http://www.ed.gov/policy/gen/guid/secletter/071030.html – Virginia Tech
Law Enforcement
• Empowers school officials to “act quickly when need arises”
• Disclose w/o consent student health or safety
• Release w/o consent to law enforcement, public health, trained medical personnel
FERPA and H1N1 DOEd Guidance October 2009
• May disclose information from education records r/t emergency, if necessary to protect the health / safety of student or others
• School determines on a case-by-case basis
• Emergency = significant threat
• Disclosure must be documented
http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-h1n1.pdf
FERPA Disaster Guidance 2010
In emergency / disaster, schools may disclose:
• Directory information
• Personally identifiable information to protect health / safety of students / others
• Limited to the period of the emergency
• Immunization information
May not disclose to prepare for emergencies
http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-disaster-guidance.pdf
Balancing school privacy and safety
Law enforcement units
– Not covered by FERPA
– No release needed
– Access to student education records
Security video not FERPA
Balancing school privacy and safety
Observed or personal knowledge, not covered by FERPA
Transfer all records without consent (IDEA 2004)
FERPA Revisions- 2008
Authorized representative may audit records with written agreement
Physically protect records from unauthorized access
Restrict access to necessary portion of the record
Specifies that student health records are high risk
Threat to the health and safety of a student or students may be taken into account
Stronger penalties for breaches
Electronic records
FERPA: Child Abuse Reporting
FERPA superseded by CAPTA
Child Abuse Prevention, Adoption and Family Services Act of 1988 amended the Child Abuse Prevention and Treatment Act (CAPTA)
Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements (11/29/04)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html
USDA State Medicaid & CHIP Program
• May disclose eligibility for free and reduced meals
• Not required
• Names, eligibility status, & eligibility information directly to Medicaid or SCHIP
• Must notify parents. Parental opt out
• Social security number
• Other disclosure of eligibility information is punishable by $1000, 1 year imprisonment
http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf
Health Data at school level
Traditional practices
Lack rudimentary security
– Locked file cabinets
– Locked doors
– Commingled files
– Access to FAX machine and mailboxes
– Intra-district transport
Paper records
– Sequential multi-student records
Health Data at school level
• No school nurse
• School decides if emergency *
• No TPO exceptions
• Dispersed throughout school – caretakers may have no confidentiality background
• No FERPA training
Security and privacy: All records
• Faxing
• Email
• E-Records
• Off campus / personal computers and devices
• Intra-office transport
• Exceptions
– Directory information
– De-identified
Only acceptable strategies
Obtain parental authorization for ANY sharing outside school
De-identify
HIPAA De-identify information
– Name
– SS#
– State, zip
– DOB, DOE…..
– Vehicle #
– Record number
– Serial number
– Device number
– Fax and phone number
– Email, IP address
– Web address
– Certificate and license number
– VIN & registration
FERPA De-identify information
– Name
– ID#
– Gender
– DOB, place
– Religion
– Country of origin
– Sports & clubs
– Academic performance
– Employer
– Discipline
– “Anything else traceable”
HIPAA – FERPA unresolved issues
• Ignorance – unintentional and intentional
• Inadequate direction from DOE & HHS
• Inconsistent federal laws
• Conflicts between federal education & health laws
• Conflicts between state and federal laws
• Conflicts between laws and ethical codes
• Health Information Exchanges
References
Schwab, N., Rubin, M., Maire, J.A., Gelfman, M., Bergren, M.D., Mazyck, D. & Hine, B. (2005). Protecting and disclosing student health information: Guidelines for developing school district policies and procedures. Kent, OH: American School Health Association.
HIPAA and Mental Health
New 2014 HIPAA Mental Health Guidelines
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
References
National Forum on Education Statistics. (2010). Forum Guide to Data Ethics. Washington, DC: National Center for Education Statistics. http://nces.ed.gov/pubs2010/2010801.pdf
References
Bergren, M.D. (2009). Confident about Confidentiality? HIPAA/FERPA Made Easy http://www.jackstreet.com/jackstreet/WNASN.bergern.cfm
Bergren, M.D. (2011). Being Confident about Confidentiality: Part II HIPAA/FERPA Made Easy http://www.jackstreet.com/jackstreet/WNASN.Bergren2.cfm
Office of Family Compliance Webinars
http://www2.ed.gov/policy/gen/guid/fpco/hottopics/index.html?exp=4
FERPA 101 Data Sharing Under FERPA Intersection of FERPA and IDEA
Confidentiality Provisions Elementary and Secondary School Officials FERPA model school policies
Uninterrupted Scholars Act of 2013
Permits disclosure of records of students in foster care to state/county social service agencies or child welfare agencies.
Amended the requirement that educational agencies and institutions notify parents before complying with judicial orders and subpoenas in certain situations.
References
Guidance for Reasonable Methods and Written Agreements http://www2.ed.gov/policy/gen/guid/fpco/pdf/reasonablemtd_agreement.pdf
Final FERPA regulatory changes
Published in Federal Register on December 2, 2011
Effective January 3, 2012
http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf