Protecting Student Privacy: HIPAA and FERPA in Schools 2014 Indiana Association of School Nurses November 7, 2014


Martha Dewey Bergren, DNS, RN, NCSN, FNASN, FASHA, FAAN


Director, Advanced Population Health Nursing

University of Illinois-Chicago

Consultant, National Confidentiality Taskforce

Testimony to NCVHS Privacy Subcommittee

Johnson & Johnson School Health Leadership Institute


Federal Laws & Privacy

FERPA – Family Educational Rights and Privacy Act

HIPAA – Health Insurance Portability & Accountability Act


Interface:

Public schools: FERPA

Student’s health care providers & agencies: HIPAA


Family Educational Rights & Privacy Act

FERPA – passed in 1974

Protects the privacy of students and families

Sets standards of confidentiality for all education records

Does not address health records

www.ed.gov/policy/gen/guid/fpco/ferpa/index.html


Family Educational Rights & Privacy Act

Education Records: any records with personally identifiable information about a student maintained by the school, staff members, contracted employees

Education Records: student health records, pupil services records, & third-party health records


FERPA Permitted Disclosures

Permitted uses of student information without consent:

Internal sharing for “legitimate educational interest” as defined by the school district

External release if

• Directory information

• To school which student intends to enroll

• Exceptions


LEGITIMATE EDUCATIONAL INTEREST

Should mean:

Use is consistent with purposes for which data are kept

Written criteria for access

Necessary to perform task/service or relevant determination about student

Used within context of school district business

Balanced interests – individual/community


HIPAA: Health Insurance Portability & Accountability Act

Improve portability & continuity of health insurance coverage

Reduce costs & simplify administrative burden

Standardize electronic transmission of administrative & financial transactions

Protect security & privacy


HIPAA Permitted Disclosures

Permitted without authorization = TPO

• Treatment

• Payment

• Healthcare Operations

• “Minimum disclosure” standard


HIPAA: Health Insurance Portability & Accountability Act

School Health Records

Education records: Exempt. They are covered by FERPA


FERPA

Annual notice of rights to students

Right to inspect education records

Right to request amendment

Record access log

Transfer of ed records to new school

HIPAA

Notice of Information Practices

Right to access information

Right to request amendment

Disclosure logs


FERPA EXCEPTIONS

Directory

Emergencies

Research

Judicial order/subpoena

Audit by state/federal officials

Studies

Authorized representative

School officials with legitimate educational interest

HIPAA EXCEPTIONS

Directory

Emergencies

Research

Judicial order/subpoena

Audit by state/federal officials

Quality Assurance

Body Identification

Public Health

TPO


FERPA

Internal release: OK for “legitimate educational interest”

Educational purposes

No policies/procedures

HIPAA

Internal release: OK for Treatment, Payment, Operations

Health purposes

Policies & procedures detailed


FERPA pre-dates:

IDEA

Electronic Student Records

Security

Email

Internet

3rd Party Reimbursement


FERPA: No TPO Exemption

Treatment

– HIPAA providers share information with schools for Treatment without authorization

– FERPA does not allow sharing information with prescribers of Treatment without authorization

– Immunizations, physical exams, & education assessments = No treatment = no exemption***

*** State exceptions


FERPA: No TPO Exemption

Payment

Letter to Iowa Department of Education re: Disclosure of Education Records to Medicaid Agency for Reimbursement Purposes (10/25/05) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/iowa101205.html

If submitting for Medicaid reimbursement, MUST have parent consent


FERPA: No Public Health Exemption

Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements (11/29/04) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html

Letter to Pennsylvania Department of Education re: Disclosure of Education Records to CDC Grantees (2/25/04) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/pacdc.html

Letter to California Department of Education re: Disclosure of Education Records to CDC Grantees (2/18/04) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/ca21804.html


FERPA: No Public Health Exemption

Letter University of New Mexico: Applicability of FERPA to Health & Other State Reporting Requirements (11/29/04) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html

State law requires principals, teachers, school nurses report immediately:

– Communicable diseases, vaccine preventable & STDs

– Bio-terrorism & chemical agents: anthrax, smallpox

– Food, waterborne & environmental

– Tic, encephalitis, hepatitis, Legionnaires, etc

– Spinal cord, TBI, tumor registry

Decision: Subject to all FERPA requirements


FERPA: No Public Health Exemption

Letter University of New Mexico: Applicability of FERPA to Health & Other State Reporting Requirements (11/29/04) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html

Emergency:

– Imminent danger

– Immediate need

– Narrow interpretation

– Case-by-case determination

Decision: NO routine reporting = written consent


Spellings October 30, 2007

Balancing school privacy and safety - Letter to school officials

http://www.ed.gov/policy/gen/guid/secletter/071030.html – Virginia Tech

Law Enforcement

Empowers school officials to “act quickly when need arises”

Disclose w/o consent student health or safety

Release w/o consent to law enforcement, public health, trained medical personnel


FERPA and H1N1 DOEd Guidance October 2009

May disclose information from education records r/t emergency, if necessary to protect the health / safety of student or others

School determines on a case-by-case basis

Emergency = significant threat

Disclosure must be documented

http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-h1n1.pdf


FERPA Disaster Guidance 2010

In emergency / disaster, schools may disclose:

Directory information

Personally identifiable information to protect health / safety of students / others

Limited to the period of the emergency

Immunization information

May not disclose to prepare for emergencies

http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-disaster-guidance.pdf


Balancing school privacy and safety

Law enforcement units

– Not covered by FERPA

– No release needed

– Access to student education records

Security video not FERPA


Balancing school privacy and safety

Observed or personal knowledge, not covered by FERPA

Transfer all records without consent (IDEA 2004)


FERPA Revisions – 2008

Authorized representative may audit records with written agreement

Physically protect records from unauthorized access

Restrict access to necessary portion of the record

Specifies that student health records are high risk

Threat to the health and safety of a student or students may be taken into account

Stronger penalties for breaches

Electronic records


FERPA: Child Abuse Reporting

FERPA superseded by CAPTA

Child Abuse Prevention, Adoption and Family Services Act of 1988 amended the Child Abuse Prevention and Treatment Act (CAPTA)

Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements (11/29/04) http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html


USDA State Medicaid & CHIP Program

May disclose eligibility for free and reduced meals

Not required

Names, eligibility status, & eligibility information directly to Medicaid or SCHIP

Must notify parents. Parental opt out

Social security number

Other disclosure of eligibility information is punishable by $1000, 1 year imprisonment

http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf


Health Data at school level

Traditional practices

Lack rudimentary security

– Locked file cabinets

– Locked doors

– Commingled files

– Access to FAX machine and mailboxes

– Intra-district transport

Paper records

– Sequential multi-student records


Health Data at school level

No school nurse

School decides if emergency *

No TPO exceptions

Dispersed throughout school – caretakers may have no confidentiality background

No FERPA training


Security and privacy: All records

Faxing

Email

E-Records

Off campus / personal computers and devices

Intra-office transport

Exceptions

– Directory information

– De-identified


Only acceptable strategies

Obtain parental authorization for ANY sharing outside school

De-identify


HIPAA De-identify information

– Name

– SS#

– State, zip

– DOB, DOE…..

– Vehicle #

– Record number

– Serial number

– Device number

– Fax and phone number

– Email, IP address

– Web address

– Certificate and license number

– VIN & registration


FERPA De-identify information

– Name

– ID#

– Gender

– DOB, place

– Religion

– Country of origin

– Sports & clubs

– Academic performance

– Employer

– Discipline

– “Anything else traceable”


HIPAA – FERPA unresolved issues

Ignorance – unintentional and intentional

Inadequate direction from DOE & HHS

Inconsistent federal laws

Conflicts between federal education & health laws

Conflicts between state and federal laws

Conflicts between laws and ethical codes

Health Information Exchanges


References

Schwab, N., Rubin, M., Maire, J.A., Gelfman, M., Bergren, M.D., Mazyck, D. & Hine, B. (2005). Protecting and disclosing student health information: Guidelines for developing school district policies and procedures. Kent, OH: American School Health Association.


HIPAA and Mental Health

New 2014 HIPAA Mental Health Guidelines

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html


References

National Forum on Education Statistics. (2010). Forum Guide to Data Ethics. Washington, DC: National Center for Education Statistics. http://nces.ed.gov/pubs2010/2010801.pdf


References

Bergren, M.D. (2009). Confident about Confidentiality? HIPAA/FERPA Made Easy http://www.jackstreet.com/jackstreet/WNASN.bergern.cfm

Bergren, M.D. (2011). Being Confident about Confidentiality: Part II HIPAA/FERPA Made Easy http://www.jackstreet.com/jackstreet/WNASN.Bergren2.cfm


Office of Family Compliance Webinars

http://www2.ed.gov/policy/gen/guid/fpco/hottopics/index.html?exp=4

FERPA 101

Data Sharing Under FERPA

Intersection of FERPA and IDEA Confidentiality Provisions

Elementary and Secondary School Officials

FERPA model school policies


Uninterrupted Scholar’s Act of 2013

Permits disclosure of records of students in foster care to state/county social service agencies or child welfare agencies.

Amended the requirement that educational agencies and institutions notify parents before complying with judicial orders and subpoenas in certain situations.


References

Guidance for Reasonable Methods and Written Agreements http://www2.ed.gov/policy/gen/guid/fpco/pdf/reasonablemtd_agreement.pdf

Final FERPA regulatory changes Published in Federal Register on December 2, 2011

Effective January 3, 2012

http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf