Client Alert

The tragic mass shooting at Virginia Tech last year has prompted federal officials to reconsider the delicate balance between student privacy and public safety.

On December 9th, the U.S. Department of Education published final regulations regarding the Family Educational Rights and Privacy Act (FERPA) that give educational institutions more flexibility in the case of an emergency. Also, the Department of Health and Human Services and the Department of Education have jointly issued new guidance on the application of the Health Insurance Portability and Accountability Act (HIPAA) to student health records.

Final Regulations
FERPA applies to educational agencies and institutions that receive funds under any program administered by the DOE. Almost all school districts and public schools are subject to FERPA, as are most private and public postsecondary institutions, including professional schools.

FERPA protects the privacy of students’ education records, which are defined as records that are:

• Directly related to a student
• Maintained by an educational agency or institution or by a party acting for the agency or institution, and
• Not specifically excluded from the definition of “education records.”

Generally, an educational agency or institution subject to FERPA may only disclose education records (or personally identifiable information from education records) with an eligible student’s written consent. (An eligible student is a student who is at least 18 or who attends a postsecondary institution. If a student is not an eligible student, parental consent is usually required.) However, there are several exceptions to this general rule, some of which are clarified in the Final Regulations.

For example, under FERPA, an educational agency or institution may, without a student’s consent, disclose personally identifiable information from an education record to appropriate parties, including parents, in connection with a health or safety emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

However, until now, the regulations required that this health and safety exception be “strictly construed.” The Final Regulations, effective January 8, 2009, eliminate the “strictly construed” language and instead state that if the educational agency or institution determines there is an articulable and significant threat to the health or safety of a student or others, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or others. When an educational agency or institution makes a disclosure under this health and safety exception, it must record both the articulable and significant threat that formed the basis for the disclosure and the parties to whom the information was disclosed.

The Final Regulations state that these changes are intended to provide educational agencies and institutions with greater flexibility to respond to threats. In fact, the Final Regulations expressly state that the DOE will not substitute its judgment for that of the educational institution or agency if, based on the information available at the time of the determination, there was a rational basis for the agency’s or institution’s determination and the disclosure was made to appropriate parties.

Joint Guidance on FERPA and HIPAA

FERPA
At postsecondary institutions, medical and psychological treatment records of eligible students are specifically excluded from the FERPA definition of education records if they are made, maintained, and used only in connection with the treatment of the student and disclosed only to individuals providing the treatment.

These records, commonly called “treatment records,” may be disclosed for purposes other than the student’s treatment and without the student’s consent if the disclosure meets the requirements of an exception under FERPA (for example, the health and safety exception described above). However, when treatment records are used or disclosed for any purpose other than treatment, the records are no longer excluded from the definition of education records and are then education records subject to all other FERPA requirements (including the right of an eligible student to inspect and review the records).

HIPAA
HIPAA applies to “covered entities,” which are health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with certain transactions for which the Secretary of HHS has adopted standards (called “covered transactions”). The definition of “health care provider” includes any organization that furnishes, bills, or is paid for health care in the normal course of business. Therefore, when a school provides health care to students in the normal course of business, it is considered a health care provider under HIPAA. If the school also conducts covered transactions electronically, it is a covered entity under HIPAA.

HIPAA, through regulations often referred to as the Privacy Rule and Security Rule, requires covered entities to protect the privacy and security of individuals’ “protected health information” and gives individuals certain rights with respect to protected health information about them.

Intersection of FERPA and HIPAA
The Joint Guidance explains that even if a school is a HIPAA covered entity, if the school is also subject to FERPA, the school does not have to comply with the HIPAA Privacy or Security Rule with respect to student records because the HIPAA definition of protected health information specifically excludes education records and treatment records. Of course, if a school is not subject to FERPA and is a HIPAA covered entity, it must comply with the HIPAA Privacy and Security Rules.

Also, the Joint Guidance states that while the health records of students at health clinics of postsecondary institutions are most likely subject to FERPA and not the HIPAA Privacy and Security Rules, if the institution is a HIPAA covered entity and provides health care to non-students, the individually identifiable health information of the non-students is subject to the HIPAA Privacy Rule. (Presumably, the institution must also comply with the HIPAA Security Rule with respect to electronic protected health information of non-students.)

In short, an institution subject to FERPA and HIPAA that provides health care to students as well as non-students must comply with FERPA with respect to the health records of student patients and with HIPAA with respect to the health records of non-student patients.

A hospital affiliated with a university generally provides health care to an individual regardless of the individual’s status as a student. Because such a hospital does not normally provide health care to students on behalf of the university, the hospital’s records would be subject to the HIPAA Privacy and Security Rules (assuming the hospital is a covered entity). Of course, if a hospital runs a student health clinic on behalf of a university, the student health records of the clinic would be subject to FERPA and not HIPAA.

Conclusion
As described above, an educational agency or institution subject to FERPA may disclose information from a student’s education record without the student’s consent in connection with a health or safety emergency as long as the requirements of the health and safety exception are met. Because treatment records become education records as soon as they are used or disclosed for any purpose other than treatment, those records can also be disclosed pursuant to the health and safety exception.

Similarly, for any student health records that are covered by HIPAA and not FERPA, HIPAA permits a covered entity to disclose protected health information if the covered entity has a good faith belief that the disclosure (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, and (2) is to a person reasonably able to prevent or lessen the threat. Such persons may include parents, law enforcement, or anyone else the covered entity believes can mitigate the threat. The disclosure must also be consistent with any other applicable law (such as state law) and ethical standards.

The Final Regulations and Joint Guidance address a number of other issues, including the use of social security numbers, redisclosure of education records by state and local authorities, and the application of the HIPAA Privacy Rule to an elementary or secondary school. You may review the Final Regulations by clicking here, and you may review the Joint Guidance by clicking here.

Readers who would like more information are urged to consult with their regular contacts at the firm or Beth Tyner Jones, (919) 755-8177 or Jill Girardeau, (404) 879-2426.