Consider this question. Say the mother of a 22-year-old student that you have treated requests to see her daughter’s medical records. The Bursar’s office confirms that the student is listed as a dependent for tax purposes. There seems to be no urgent reason for such a release and the student does not wish to give her mother access. How would you protect the privacy of her information?
Situations such as this one that require knowledge of privacy laws to resolve successfully are all too common in the average student health center, yet the acronyms HIPAA and FERPA tend to strike fear into the hearts of the staunchest of college health professionals. So much has been written anecdotally on the subject of how complicated and unspecific these laws are that some may be surprised to find that according to legal professionals, the intersections between the laws are generally clear-cut. This article aims to explain which laws apply to you and what you can do to avoid the headaches that ensue from a conflict between your principles as a care provider and the law.
Six golden rules of privacy law
* FERPA never applies to non-students
* FERPA only applies when the student’s medical records are released
* HIPAA doesn’t apply to records covered by FERPA or to student “treatment records”
* Even if you treat non-students, you’re not bound by HIPAA unless you perform electronic transactions
* Student health and counseling centers that do perform electronic transactions for non-students only have to abide by HIPAA for those transactions.
* State laws are applicable whether or not other federal laws apply
This is how these rules break down.
RULE 1: FERPA never applies to non-students
RULE 2: FERPA only applies when the student’s medical records are released
The Family Educational Rights and Privacy Act (FERPA) is the older of the two federal privacy laws. Enacted in 1974, it governs, among other things, the privacy of educational records. A popular myth holds that student medical records fall under FERPA’s umbrella term “educational records”. In fact, FERPA specifically excludes the treatment records of students in higher education from its definition of educational records (see USC 20, 1232g for a complete definition). It also excludes employees of an educational institution if they are not students. FERPA does come into play, but only if the records are released to someone outside the health center, whether that is the student, their parents, their professors, or another health provider outside the university, at which point they become “educational records” rather than treatment records.
It is important to note that it is not the request for the release that brings FERPA into effect. Many student health professionals believe that if a request to see the records is made that is in accordance with FERPA guidelines, they have to release them or be in violation of FERPA. Not so, says Kristine Dunne, BA, EdM, JD, an associate at the Washington, D.C. office of law firm Arent Fox, LLC.
“It's the release of the records that triggers FERPA,” she explains. “There are no rights extended under FERPA to those medical records until such time as they have been made available to someone other than the treating health professionals, at which point the FERPA protections of student records kick in.”
Applying this to the example at the beginning of the article, if state law doesn’t require you to release the student’s unreleased medical records to her mother, you are under no legal obligation to do so without a court order. Similarly, even if you think a professor may have a “legitimate educational interest” in requesting a student’s unreleased medical records, you still don’t have to release them.
FERPA is just one part of the puzzle, however. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is another relevant law that seeks to be the national privacy standard in health care. It was updated in 2003 to take into account the trend toward automation and electronic record-keeping. These privacy guidelines have been well publicized and generally uphold the kind of patient confidentiality that most health care providers are comfortable with. As a result, there has been a widespread trend in health centers to apply these standards to student medical records, even where they are not legally required. It is important to realize, however, that while HIPAA’s principles of privacy and confidentiality are excellent, in most cases compliance is not required by law.
RULE 3: HIPAA doesn’t apply to records covered by FERPA or to student medical records which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment.
RULE 4: Even if you treat non-students, you’re not bound by HIPAA unless you transmit health care information in electronic form in connection with the submission of claims for payment.
HIPAA’s definition of protected health information (PHI) specifically excludes education records covered by FERPA and the treatment records of students in higher education as defined above. Dunne explains that the goal of this exclusion is simplification.
“If student medical records were subject to HIPAA, there would be two completely different schemes – up until the health center released the record, it would be governed by HIPAA, and when it had been released it would be governed by FERPA,” she says.
This was apparently considered unworkable by Congress, hence the blanket exception that HIPAA makes for any kind of student medical records. However, many student health and counseling centers also treat non-students, and this is where it starts to get a little bit trickier. To be considered a “covered entity” (i.e., bound by HIPAA), your health center must electronically transmit health information in connection with a “HIPAA transaction”. More detailed information on what constitutes a HIPAA transaction can be found in this primer released by The American Council on Education, but essentially it is any administrative or financial task carried out in the course of health care that transmits PHI. If you don’t perform electronic transactions, you don’t have to comply with HIPAA.
RULE 5: Student health and counseling centers that do perform electronic transactions for non-students only have to abide by HIPAA for those transactions.
Usually, every transaction of “covered entities” has to be bound by HIPAA standards, even if they are not all electronic transactions. However, because of the intersection with FERPA, these health centers are able to be bound by HIPAA just for the non-student transactions.
RULE 6: State laws are applicable whether or not other federal laws apply
With all the fuss about HIPAA and FERPA, don’t forget about your state’s laws concerning privacy. In some cases, state laws are the only ones that will apply to student medical records, but even where HIPAA or FERPA apply, state law is still relevant. Despite the fact that HIPAA is a federal law, it bows to state law in those cases where state law is more stringent. Arent Fox Associate Richard Liner, BA, JD, MPH, elaborates:
“HIPAA has an enormous pre-emption problem because it sets a floor and not a ceiling for health care privacy. Congress only established a minimum for protecting patient information. If a state’s laws or regulations are more stringent than HIPAA in their protection of patient health information, then covered entities must follow state requirements.”
This may conjure up ideas of conflicting laws, but Arent Fox counsels that generally, state laws are more specific and will very rarely conflict directly with HIPAA or FERPA. If more than one law is applicable, generally the more stringent requirements will apply. When in doubt, consult counsel before taking action.
Knowing the theory is one thing, but applying it can be a lot more complicated. FERPA requires the student to give written, dated permission before his or her student records information is released – even to other health care providers outside the university, which is a source of frustration for many. But the same information can be released without authorization to school officials who have a “legitimate educational interest”. Similarly, FERPA allows disclosure without authorization in an emergency, if it is “necessary to protect the health or safety of the student or other persons”. Dunne counsels relying on common sense to interpret these terms and consulting counsel early in the process. No law can specifically cover every eventuality; the burden of responsibility and interpretation must, through necessity, rest on the care provider.
This responsibility weighs all the more heavily because schools are concerned about penalties for breaching FERPA. If the Family Policy Compliance Office (FPCO) found a pattern of violations of FERPA with no obvious attempts to follow the guidelines, it could result in a removal of federal funding. However, it is important to know that individuals cannot be prosecuted for a FERPA breach and individual students cannot sue for damages for such a breach. Schools should carefully develop, implement and maintain compliance oversight with regard to these important privacy laws in order to prevent unlawful release of student records. Likewise, if your school treats non-students, files electronic claims and is bound by HIPAA for those transactions, you should make sure that HIPAA protections are implemented, even though a HIPAA violation may not – for now – result in a fine being imposed. Liner explains:
“In the vast majority of cases where there’s found to be a violation of HIPAA, there is what’s called an ‘administrative resolution’, which generally means the mistake wasn’t intentional and the organization voluntarily agrees to take appropriate remedial action.”
No civil fines for violations of HIPAA have been imposed so far, although Liner warns that is likely to change soon.
Although information on the triumvirate of privacy laws has always been available to those who know where to look for it, there is also a wealth of partial and incorrect information available on the Internet that has muddied the waters for those health professionals attempting to do a little research on the laws that apply to them. Dunne and Liner counsel that you should speak to a professional who knows the law in your state and the ins and outs of FERPA and HIPAA if you are worried about misinterpretation of the law. Even if you know the basics, state laws vary greatly and knowing the details of how the three laws intersect will allow you the greatest leeway to interpret them in a way that is consistent with your ethics.
“It is complicated,” sympathizes Liner. “Talk to the privacy officer within the university, if there is one. There are also a few government Web sites that are really good in terms of user-friendly guidance to help people navigate through the more basic pitfalls.” For instance, the Office of Civil Rights, the enforcement agency for the HIPAA privacy standards, offers tremendously helpful information and FAQs on its Web site.
“Consult with your legal counsel to ensure you’re interpreting and applying the law correctly,” adds Dunne. “And be clear to those who use student health center services, especially students, about the laws that apply.”
by: Kristine Dunne