New HHS, Department of Education Guidance Provides Overview of Privacy Laws
In response to a federal investigation linked to the Virginia Tech shootings, the U.S. Departments of Health and Human Services and Education have recently issued joint guidance detailing the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). The guidelines are directed at health care professionals and school administrators, and are intended to eliminate confusion over the regulations’ privacy requirements – including when certain disclosures can be made relating to health and safety emergency situations.
FERPA and HIPAA both contain carefully delineated requirements on when information can be shared with parents, schools officials and law enforcement in the interest of the patient’s/student’s own protection and public safety. This article will provide an overview of both HIPAA and FERPA, the differences and similarities between the two, and how health care professionals can comply with both and still protect their patients and the public.
FERPA
FERPA is a federal law that protects the privacy of a student’s “education records” and applies to all educational agencies and institutions that receive funds under any program administered by the United States Department of Education. This encompasses almost all public schools and school districts and most private and postsecondary institutions (such as colleges and universities), including medical and other professional schools. K-12 private and religious schools generally do not receive funds from the Department of Education and are therefore exempt from FERPA.
“Education records” are generally defined as records that are: 1) directly related to a student, and 2) maintained by an educational agency or institution or by a party acting for the agency or institution. An example at the elementary and junior high/high school level would be a student’s health records (such as immunization records or records maintained by a school nurse). This also includes records on special education students and records on services provided to students under the Individuals with Disabilities Education Act (IDEA). In order to qualify as “educational records,” they must be maintained by a health-care provider under contract with or otherwise in direct control of the school.
At post-secondary institutions such as colleges and universities (or for students 18 years of age or older), medical and psychological treatment records are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. These are commonly referred to as “treatment records.” A common example would be the medical records of a university student who seeks treatment at a campus health clinic. Since the university receives federal education funding, the student’s records are subject to FERPA; however, since the records will only be used for treatment, they do not fall within the broader range of “education records.”
HIPAA
HIPAA was enacted in 1996 to improve the efficiency and effectiveness of the health care system, and to protect the privacy and security of individually identifiable health information. Entities covered under HIPAA include health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions. HIPAA requires covered entities to protect patients’ health information by implementing strict safeguards limiting unauthorized disclosures.
The main difference between FERPA and HIPAA is the heightened privacy protection afforded by HIPAA, and the increased penalties for HIPAA violations. HIPAA violations may carry fines from $100 up to $25,000 per year, and HIPAA violators may also be sent to criminal court, where the penalties range up to $250,000 and ten years imprisonment. HIPAA also has a more complex consent system. Generally, FERPA requires written permission to disclose education or treatment records that is signed and dated, and states the purpose of the disclosure. Under HIPAA, a consent authorization must be signed and dated, must specifically refer to the information to be disclosed and to the people disclosing and receiving the data, and must contain an expiration date, a statement of the right to revoke the permission in writing, and other data.
In certain situations, FERPA and HIPAA regulations may intersect. For example, a school that provides health care to students in the normal course of business, such as through its health clinic, would be a “health care provider” as defined by HIPAA. The education records and treatment records of the students who undergo mental health or medical treatment at the university health care center would be covered under FERPA. However, the individually identifiable health care information of the clinic’s nonstudent patients (such as staff or faculty members) will be subject to HIPAA privacy rules.
When Disclosures are Permitted Under Both HIPAA and FERPA
Both FERPA and HIPAA regulations contain certain delineated circumstances where the contents of education records and protected health information may properly be shared with third parties. First, it is important to again recognize the distinction between “treatment records” and “education records” under FERPA. By definition, “treatment records” may be disclosed only to professionals providing treatment to the student, or to physicians or other professionals of the student’s choice. This means that a student may not inspect or review his or her own treatment records, and if the school chooses to allow the student to do so, such records are no longer “treatment records” and instead fall under the definition of “education records” and are subject to all other FERPA requirements.
FERPA permits a postsecondary institution, such as a college or university, to disclose a student’s education records to law enforcement or the student’s parents if the institution believes the student presents a serious danger to himself or others. (Again, if an institution decides to use “treatment records” for purposes other than treatment – for example, to disclose to a student’s parents that the student presents a danger to himself – the records immediately become “education records.”) Education records may also be disclosed without student consent for other specified reasons, including but not limited to:
- Determining eligibility for financial aid for which the student has applied;
- For an audit or evaluation of Federal or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements which relate to those programs;
- To assist an accrediting organization to carry out its accrediting functions; and
- If the disclosure is made to parents of a dependent student in accordance with tax records.
Under HIPAA, a covered entity may disclose protected health information without patient consent if the covered entity in good faith believes the use of disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. In addition, the disclosure must be made to a person or persons reasonably able to prevent or lessen the threat. (The HIPAA disclosure standard is broader than Michigan’s disclosure standard for mental health providers, which imposes a duty for providers to take action if a patient manifests intent of physical violence in certain circumstances.)
Permissible disclosures under HIPAA may also be made for reasons including but not limited to:
- Reporting the commission and nature of a crime which resulted in the provision of emergency health care;
- Reporting to public health authorities certain information for the purpose of preventing or controlling disease, injury or disability;
- Reporting child abuse or neglect; and
- Reporting certain adverse events, problem defects or biological product deviations in FDA-regulated products to appropriate FDA officials.
Conclusion
The Virginia Tech tragedy serves as a stark reminder that a murky understanding of privacy laws can have a more devastating outcome than just warning letters and fines. To that effect, all physicians – especially those working in an educational setting – should strive for a full understanding of applicable laws and regulations, and should not be afraid to seek guidance from legal counsel or the appropriate agency when questions arise.
The full report from the Departments of Health and Human Services and Education can be obtained online at www.hhs.gov/ocr/hipaa.
Mercedes L. Varasteh is an associate with Frank, Haron, Weiner and Navarro PLC, where she focuses her practice on federal False Claims Act/qui tam litigation, and representing physician groups, individual physicians and home health agencies with issues pertaining to reimbursement, licensing, hospital governance, and medical staff credentialing/privileges.