Student Health Privacy: University Disclosure Requirements?

In the United States, the privacy of student health information is protected by the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). While FERPA applies to educational agencies and institutions that receive funding from the US Department of Education, HIPAA applies to covered entities such as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. Generally, student health records maintained by a school are considered part of students' education records and are therefore subject to FERPA. Schools can disclose FERPA-protected information only after obtaining consent from either a parent or the eligible student, unless an exception applies. One such exception is FERPA's health or safety emergency exception, which allows schools to disclose information without prior consent if there is a significant threat to the health or safety of a student or other individuals. On the other hand, HIPAA allows covered healthcare providers to disclose protected health information (PHI) about students to school nurses, physicians, or other healthcare providers for treatment purposes without authorization from the student or their parent.

Teachers' disclosure of students' health information to other students

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. FERPA protects the rights of parents or eligible students to:

• Inspect and review education records.
• Seek to amend education records.
• Consent to the disclosure of personally identifiable information (PII) from education records, except as specified by law.

FERPA does, however, authorise school officials to disclose information without consent in emergency situations where the health and/or safety of students is at risk. Relevant information can be released to law enforcement, public health, and medical officials.

FERPA does not protect information obtained through a school official's personal knowledge or observation. This includes observations, notes, drawings, pictures, anonymous tips, security videos, and all investigating interviews. Therefore, a teacher is permitted to disclose a student's health information to other students if it is obtained through their personal knowledge or observation.

In the case of a student's protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) applies. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA applies to "covered entities", including healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers are defined as any provider, regardless of the size of their practice, who electronically transmits health information in connection with certain transactions, such as benefit eligibility inquiries and referral authorization requests. Health plans include health, dental, vision, and prescription drug insurers, as well as Medicare, Medicaid, and employer-sponsored group health plans. Healthcare clearinghouses are entities that process or facilitate the processing of non-standard health information into a standard format or vice versa.

HIPAA permits covered entities to disclose protected health information (PHI) without an individual's authorization in certain situations. This includes disclosure to the individual, for treatment, payment, and healthcare operations, and for public interest and benefit activities. PHI can also be disclosed to prevent or lessen a serious threat to health or safety, for essential government functions, and for workers' compensation.

The Act also outlines penalties for wrongful disclosure of PHI, with fines of up to $100,000, imprisonment of up to one year, or both. If the offense is committed under false pretenses, the fines can increase to $100,000 and imprisonment of up to five years. If the offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, the fines can reach $250,000 with imprisonment of up to ten years.

In the context of schools and universities, the Family Educational Rights and Privacy Act (FERPA) of 1974 also comes into play. FERPA protects the privacy of personally identifiable information from student education records and applies to educational entities that receive funding from the U.S. Department of Education. School nurses, therefore, need to understand the interplay between HIPAA and FERPA, especially in public health emergency situations like the COVID-19 pandemic. While FERPA generally requires parental consent to disclose student health information, there are exceptions during health or safety emergencies, allowing disclosure to appropriate parties to protect the health and safety of students or others.

The Family Educational Rights and Privacy Act (FERPA)

FERPA serves two main purposes:

• To grant parents (and students aged 18 or older) access to information in the student's education record.
• To protect that information from disclosure to third parties without parental consent.

Under FERPA, educational institutions are required to allow parents or eligible students to inspect and review the student's education record, schedule a hearing to challenge the content of the record, and insert a written explanation by the parents regarding the content. Schools cannot charge fees for granting access to inspect and review the record, but they may charge a fee for providing copies.

FERPA withholds federal funds from any school with "a policy or practice of permitting the release of education records" or "personally identifiable information" without adult student or parental consent, or where another exception does not apply. This means that if a school has a policy or practice of improperly disclosing students' education records, it could lose all federal funding.

FERPA only prevents the disclosure of education records. It does not protect the confidentiality of information in general and does not apply to information derived from a source other than education records. It is important to note that FERPA has been amended and interpreted numerous times, making it challenging to determine what information is and is not protected as part of an education record.

According to FERPA, an education record must "directly relate" to a student and be "maintained by an educational agency or institution or by a person acting for such agency or institution." The U.S. Supreme Court has described education records as "institutional records kept by a single central custodian, such as a registrar."

FERPA also recognizes a class of basic demographic information known as "directory information," which can be released without violating the law. This includes a student's name, address, phone number, honors and awards, and other general demographics. However, even this basic directory information can be subject to FERPA if, when combined with other information, it would allow a reasonable person to identify a particular student.

In terms of enforcement, the U.S. Department of Education (DOE) is in charge of enforcing FERPA and can impose financial penalties on schools that do not comply. However, as the penalty for FERPA violation is a total revocation of eligibility to receive federal education funding, the DOE has never imposed a financial penalty.

Disclosing student health information during a public health emergency

During public health emergencies, schools are responsible for keeping students safe while also balancing safety measures with privacy protections. In the United States, the Family Educational Rights and Privacy Act (FERPA) is the federal law that protects the privacy of personally identifiable information from student education records. FERPA applies to all educational entities that receive funding from the US Department of Education.

FERPA prohibits schools from disclosing student records without the written consent of the parent or student. However, there are limited exceptions, including one that permits disclosure in emergency situations. This includes natural disasters, disease outbreaks, terrorist threats, and active-shooter situations. In these cases, schools may disclose personally identifiable information from student records to "appropriate parties" without consent. These "appropriate parties" refer to any person whose knowledge of the information will help protect a person from threat, including public health or law enforcement officials, and medical or safety personnel.

In the context of a public health emergency, such as the COVID-19 pandemic, FERPA rules still apply but with limited waivers and exceptions that allow for increased information sharing. For example, schools may disclose a student's COVID-19 diagnosis to public health officials, medical professionals, and other individuals who need the information to stop the spread of the virus. However, this exception is limited to the period of the emergency and does not allow for a blanket release of sensitive information. Schools must still obtain parental consent before releasing detailed information about a student's health.

Additionally, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes privacy requirements for patients' protected health information. School nurses, who are the designated health professionals in the educational setting, must understand the interplay between FERPA and HIPAA. While FERPA applies to educational agencies and institutions that receive federal funding, the HIPAA Privacy Rule applies to "covered entities" such as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. In some cases, school nurses may be subject to both FERPA and HIPAA regulations.

To ensure compliance with privacy laws during a public health emergency, schools should implement clear guidelines and procedures for disclosing student health information. This includes providing in-depth training on FERPA to staff, developing procedures for reporting symptoms, instructing staff to refrain from gossip or unnecessary communications about students' health, and considering partitioned spaces for health screenings to protect students' privacy.

Disclosing student health information to law enforcement

Understanding FERPA and HIPAA:

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records, including health records maintained by schools. FERPA prohibits schools from disclosing student records without written consent from the parent or eligible student. However, there are limited exceptions, such as disclosures in response to lawful subpoenas or court orders. FERPA's health or safety emergency exception allows schools to disclose information without consent if there is a significant threat to the health or safety of a student or others.

On the other hand, The Health Insurance Portability and Accountability Act (HIPAA) establishes privacy requirements for protected health information (PHI). HIPAA generally applies to "covered entities" like health plans and healthcare providers. In the context of schools, HIPAA allows covered healthcare providers to disclose PHI to school nurses or physicians for treatment purposes without the authorization of the student or their parents.

Law Enforcement Access to Student Records:

Law enforcement may request access to student records through various processes, including informal requests, subpoenas, and court orders. Schools should consult legal counsel before responding to such requests to determine their obligations and avoid violating student privacy rights. The Electronic Communications Privacy Act (ECPA) is another relevant law that protects the privacy of electronic communications and stored data.

Disclosure of Student Health Information During COVID-19:

During the COVID-19 pandemic, schools faced challenges in balancing the need to inform communities and public health officials about infections while maintaining student privacy. FERPA and HIPAA both have emergency provisions that allow for increased information sharing during public health emergencies. Schools can disclose student health information without consent if it is necessary to protect the health or safety of students or others. However, schools should only disclose the minimum amount of information required and avoid directly or indirectly identifying students whenever possible.

Role of School Resource Officers (SROs):

SROs are generally subject to the same restrictions as other law enforcement officials under FERPA. They can access student record data only under specific exceptions, such as the school official exception or the health and safety exception. Schools should consult legal counsel if there are doubts about an SRO's access to certain information.

In conclusion, disclosing student health information to law enforcement requires a careful balance between protecting student privacy rights and addressing legitimate concerns related to health and safety. Schools should consult legal counsel, follow applicable laws, and only disclose the minimum amount of information necessary to protect the well-being of students and the wider community.

Frequently asked questions