Education records (FERPA/HIPAA)
The definition of protected health information (PHI) under the
Health Insurance Portability and Accountability Act (HIPAA)
specifically excludes identifiable health information in
"education records" subject to the Family Educational Rights
and Privacy Act (FERPA, 20 USC 1232g).
FERPA provides
privacy protections for such records when held by federally
funded educational institutions. Failure to adhere to FERPA
rules can result in the loss of federal funds, though that
punishment is very rare.
(It is a rare educational
institution that is not "tainted" by federal funding
of some sort, and so within the reach of FERPA. Note, however,
that parochial and private schools at the elementary school
levels do not generally receive such funding and thus are
not subject to these federal protections. In such cases, state
education records laws still apply and may provide privacy
protections.)
FERPA defines an
"education record" as "those records, files,
documents, and other materials" that
- "contain
information directly related to a student;" and
- "are maintained
by an educational agency or institution or by a person acting
for such agency or institution."
Students who are
at least 18 years of age, or attending postsecondary institutions
-- or otherwise their parents -- generally have a right to:
- gain access
to their education records (obtain copies) within 45 days
of a written request;
- seek to amend
any information therein considered to be in error;
- control how
information in such records is disclosed to other institutions
-- in general, such disclosures must be authorized by the
student or parent, with some exceptions; and
- complain to
the US Department of Education if these rights appear to
have been violated.
There is no right
of access to confidential letters of recommendation, if the
right of access has been waived in advance; students' access
to parents' financial information is also limited. A court
order may condition a parent's access to a minor student's
records.
The amendment right
includes an "opportunity for a hearing" to seek
deletion or correction -- or the insertion of a "written
explanation" -- of any information in the educational
record which the student (or parent) deems "inaccurate,
misleading or otherwise inappropriate."
Disclosure without
consent is permitted to "school officials" with
"legitimate educational interests"; for compliance
with judicial orders and subpoenas; for audit and evaluation
of federally-supported education programs; and for other legally-mandated
record keeping.
For example, as
regards the first, education records may be disclosed without
consent to officials of another school at which a student
seeks or intends to enroll.
In the case of
a judicial order or subpoena, the student (or parent) must
be notified in advance of compliance, providing an opportunity
to seek a counter-order to stop the disclosure. (Note that
searches conducted on the basis of section 215 of the USA
Patriot Act, under a FISA warrant, do not require prior notification.
Nor do the persons affected by such a search need to be contacted
subsequently to inform them of the process. Indeed, the educational
institution can be prohibited from providing such information
to the objects of the search under section 215.)
In general, disclosures
to third parties can only be made on the condition that the
recipient observes FERPA rules. Recipients can be banned from
receiving educational records for five years if they fail
to do so.
An institution
must give public notice of the categories of "directory
information" it has designated, and allow students (or
parents, if a minor) the opportunity to request prior consent
for such disclosures.
There are several
important exclusions from FERPA's definition of an education
record, the last of which is important for HIPAA. FERPA excludes:
- "records
of instructional, supervisory, and administrative personnel
and educational personnel ancillary thereto which are in
the sole possession of the maker thereof and which are not
accessible or revealed to any other person except a substitute";
- "records
maintained by a law enforcement unit of the educational
agency or institution that were created by that law enforcement
unit for the purpose of law enforcement";
- "in the
case of persons who are employed by an educational agency
or institution but who are not in attendance at such agency
or institution, records made and maintained in the normal
course of business which relate exclusively to such person
in that person's capacity as an employee and are not available
for use for any other purpose"; or
- "records
on a student who is eighteen years of age or older, or is
attending an institution of postsecondary education, which
are made or maintained by a physician, psychiatrist, psychologist,
or other recognized professional or paraprofessional acting
in his professional or paraprofessional capacity, or assisting
in that capacity, and which are made, maintained, or used
only in connection with the provision of treatment to the
student, and are not available to anyone other than persons
providing such treatment, except that such records can be
personally reviewed by a physician or other appropriate
professional of the student's choice."
In addition to
excluding FERPA-protected records generally, HIPAA excludes
this fourth category from the definition of PHI as well. The
exclusion is narrower than it first appears, however, since
most "student health" records will indeed be shared
beyond the immediate clinical practitioner(s) providing treatment
(e.g., to file an insurance claim or for other reporting).
That would then (re)qualify a student health record as a kind
of education record, subject to FERPA (but not HIPAA).
Note that the same
general approach applies to health information in education
records at the primary and secondary level, where there may
be school clinics but rarely a student health facility as
such. Incidental bits of information on a student's health
(such as notes from a school nurse) do not convert an education
record into a health record.
HIPAA's protections
extend to health information broadly defined, for a broad
range of covered entities.
Fundamentally, it is the type of information held that triggers
the protection, rather than the type of holder. (To be sure, the
type of use envisioned by the holder determines the particulars
of protection.)
The FERPA carve-out for health information represents a different
approach -- health information held by an educational institution
becomes education information instead. (Note that state law,
which HIPAA only sometimes preempts,
may have a different view.)
An education facility
may voluntarily elect to give to its student health records
any additional protections accorded under HIPAA, as well as
the required ones afforded by FERPA. Fortunately, the general
privacy rights under each are very similar, so there is no
fundamental conflict. Note, however, that the Family
Policy Compliance Office of the US Department of Education
(which enforces FERPA) has taken the position that "students'
medical records and education records under FERPA are not
subject to HIPAA and should not be disclosed to HHS under
HIPAA."
Further refinement
of the precise boundaries between the two laws can probably
be expected from DHHS and DEd in future.