Welcome to the New Minnesota Health IT Blog. There have been some cosmetic changes and over the next few weeks you will see even more substantive changes.
I hope you enjoy the new look and the new substance. Please post a comment or email me with your thoughts.
A legal blog (blawg) on national health information privacy, security, technology, and litigation.
Friday, December 5, 2008
Thursday, December 4, 2008
AHIMA Proposes National Health Data Stewardship Entity
The American Health Information Management Association ("AHIMA") has issued a Statement on Data Stewardship that calls for the creation of a National Health Data Stewardship Entity ("NHDSE"). The NHDSE would coordinate the bodies that support the life cycle and collection of data exchanged over electronic and other health information exchange ("HIE") systems and the data stored in a variety of repositories. AHIMA's Statement proclaims that there is currently no universal authoritative source, law, or regulation which governs stakeholders' rights and obligations or that ensures consistency and integrity of the data.
AHIMA concludes:
In order to move toward a nationwide goal of uniformity and consistency of data, AHIMA recommends the following:
Objective: Identify and authorize a partnership of stakeholders that will establish national coordination in a transparent process with other entities to set uniform rules and the requirements for principles of data stewardship to achieve uniformity and consistency of data.
Action: Establish mechanisms for collaboration among representative groups to ensure support and utilize the strengths from all organizations.
Objective: Increase transparency in the operation and management of data access, use, and control. Individuals should have the opportunity to be informed of all potential uses of their health data.
Action: Develop a framework for policy development to enable patients and consumers to meet their informational needs of transparency.
Objective: Establish coordinated objectives at the federal, state, and local levels to improve data collection and use efficiencies and reduce the burden of cost.
Action: In concert with all partners, identify and coordinate priorities, policies, and practices that are needed to develop and implement harmonized data reporting initiatives. As the need for data collection and reporting continues to increase, the administrative burden increases as well. These initiatives could benefit from improved coordination among the bodies through standards in reporting requirements.
Objective: Enable an effective method for the standardized release of data to approved agencies and organizations as permitted by law.
Action: Develop and implement a data release framework for policy development to promote and advance the trusted release of data for other uses.
I don't quibble with the proposed Objectives and Action steps for proper data stewardship. However, the creation of an entity does not follow directly from those proposals. The structure of this entity, where it will be located, who will have a say within it, and many other questions remain unanswered. Clearly the appearance is of a national body that would reign supreme over state laws and restrictions. Will physicians buy into such a model? Will consumers/patients? Not without specific benefits in addition to express limitations on usage of the data. If the NHDSE addresses those concerns and those of other stakeholders, this idea may get off the ground.
Wednesday, December 3, 2008
EHR Vendor Liability
EHR vendors are at the forefront of a push towards adopting electronic health records ("EHRs") -- for obvious reasons. I don't fault them for the push, as there is ample independent evidence to support the claims for EHR adoption: increased efficiency, reduced medical errors, and less waste in time and resources. However, little has been said about the potential liability these vendors/developers face as technology continues to evolve. Soon we will see clinical decision support capabilities that surpass the skills of physicians from the past. In addition, we will see interconnectedness and interoperability that will allow for the sharing of information -- both good and bad -- among various providers. Further, the EHR will become more automated in terms of coding and billing.
To what extent should the vendor be liable in the event of a poor outcome? What if the clinical decision support is faulty? What if the social networking component transmits incorrect data? What if a patient receives an email communication purportedly from his/her physician but it is actually from a hacker based in Pakistan? What if the EHR "suggests" a code for a procedure or office visit that is not correct, i.e., "upcoding"?
Legal liability is a question that has historically been left to the courts to decide after the fact. What if legal liability were addressed proactively? What if vendors, developers, and medical providers gathered together in a common forum to discuss, debate, and present potential assignments or limitations on liability? We are doing it now with respect to interoperability. Why can't we do it with liability?
This posting will be the first in many on the issue of legal liability and the EHR. In future postings I intend to present the case for proactive steps by the medical and technology communities. Your comments, as always, are warmly welcomed.
Tuesday, December 2, 2008
MedCom of Denmark
I had an opportunity to meet Christina E. Wanscher, Chief Consultant and Head of MedCom International during my recent trip to Copenhagen to present at the World of Health Information Technology Conference. MedCom is an example of Europe's advanced HIT status and I thought I would give you a little background.
MedCom is a co-operative venture between public and private agencies and organizations. It was established in 1999, and its overall objective is:
"MedCom will contribute to the development, testing, dissemination and quality assurance of electronic communication and information in the healthcare sector with a view to supporting good patient progression".
MedCom is financed by a number of Danish organizations:
Ministry of Health and Prevention
Ministry of Social Welfare
Danish National Board of Health
Danish Regions
Local Government Denmark
Danish Pharmaceutical Association
The first MedCom project was carried out in 1995-1996, with the aim of developing and testing nationwide EDI communication standards for the messages most commonly used between general practitioners and the rest of the healthcare sector - for example discharge letters, laboratory results and prescriptions.
The most recent MedCom project relates to "Digital Sundhed" (connected digital health) in Denmark. There are eight elements to this plan.
1. "FMK" - Practice Sector
FMK (The Common Medicine Card) makes updated information about patients' medication available across the healthcare sector. MedCom is responsible for dissemination of the FMK to general practitioners' practices and to specialists.
2. "SIP" - Reporting
The objective of the SIP (standardised reporting from the primary sector) is to secure standardized integration between the general practitioners' IT systems and national registers by the use of the following instruments: "Sundhedsdatanettet - SDN" (The Danish Healthcare Data Network), the standards from "Den Gode Web Service" - DGWS (The Good Web Service), and "Den Dynamiske Blanket" (The Dynamic Blanket).
3. "SDN" - The Danish Healthcare Data Network
An expanded SDN is part of the infrastructure strategy for the Danish healthcare sector; to begin with, support for the rollout of the FMK includes establishing fixed high-speed connections and improving support and monitoring.
4. MedCom Standards
In the period of MedCom VI, maintenance of existing MedCom standards and development of new ones is also needed. This includes defining the health professional content, together with the associated practical testing and certification of suppliers' implementations.
5. e-journal
The e-journal solution contains data about patients' treatments at the hospitals and is established as a tool for clinical information distribution between practitioners at the hospitals and practices and also for patients. In the MedCom VI period, the eJournal project will be passed on in a close collaboration with the Danish Regions, sundhed.dk, and Digital Sundhed.
6. Consolidation / Dissemination
The daily electronic communication in relation to the practice sector and the laboratory area gives rise to a number of different activities. These could for example be: dissemination of the specialists' referral hotel, a number of laboratory medicine projects, development of the PLO format for exchange of patient records in the practice sector, and consolidation of MedCom's test centre.
7. Municipality projects
The Municipality projects are broadly grounded in the municipal part of the healthcare sector: the home care's communication with hospitals, general practitioners, and pharmacies, exchange of rehabilitation plans, healthcare communication/childbirth reporting, social medical collaboration / "LÆ" blanket exchange, and finally prevention, including standards of referral.
8. Telemedicine
The national program for increased use of telemedicine has the overall goal of addressing the staff shortage in the healthcare sector through increased use of telemedicine without loss in the quality of the healthcare service delivered. MedCom provides the program management for the telemedicine venture.
MedCom and Denmark are certainly excellent models for the US to look to as HIT implementation heats up in the States.
Monday, December 1, 2008
Higher Education: HIPAA v. FERPA -- New Guidance from HHS and DOE
The Department of Health and Human Services ("HHS") and the Department of Education ("DOE") have released joint guidance on the application of HIPAA and FERPA to student health records. HIPAA, the Health Insurance Portability and Accountability Act, and FERPA, the Federal Educational Rights and Privacy Act, each address the privacy of student health records. The guidance is meant to address the confusion expressed by some school administrators and student health care providers as to how each of the laws applied to student records containing health information.
FERPA is a Federal law that protects the privacy of students’ “education records.” See generally 20 U.S.C. § 1232g; 34 C.F.R. Part 99. FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes most public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools. Private and religious schools at the elementary and secondary level generally do not receive funds from the DOE and are, therefore, not subject to FERPA. The school itself must receive funds from a program administered by the DOE to be subject to FERPA.
A school subject to FERPA may not have a policy or practice of disclosing student education records, or personally identifiable information from education records, without a parent or eligible student’s written consent. See 34 C.F.R. § 99.30. However, there are several exceptions to this general consent rule. See 34 C.F.R. § 99.31. An “eligible student” is a student who is at least 18 years of age or who attends a postsecondary institution at any age. See 34 C.F.R. §§ 99.3 and 99.5(a). Under FERPA, parents and eligible students have the right to inspect and review the student’s education records and to seek to have them amended in certain circumstances. See 34 C.F.R. §§ 99.10 – 99.12 and §§ 99.20 – 99.22. The term “education records” is broadly defined to mean those records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 C.F.R. § 99.3. At the elementary or secondary level, a student’s health records, including immunization records, maintained by a school, as well as records maintained by a school nurse, are “education records” subject to FERPA. In addition, records that schools maintain on special education students, including records on services provided to students under the Individuals with Disabilities Education Act ("IDEA"), are “education records” under FERPA. This is because these records are (1) directly related to a student, (2) maintained by the school or a party acting for the school, and (3) not excluded from the definition of “education records.”
At postsecondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. See 34 C.F.R. § 99.3. These records are commonly called “treatment records.”
An eligible student’s treatment records may be disclosed for purposes other than the student’s treatment, provided the records are disclosed under one of the exceptions to written consent under 34 C.F.R. § 99.31(a) or with the student’s written consent under 34 C.F.R. § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements.
Most readers are familiar with the Privacy and Security Rules promulgated under HIPAA, so the background of those regulations will not be repeated here.
When a school provides health care to students in the normal course of business, such as through its health clinic, it is also a “health care provider” as defined by HIPAA. If a school also conducts any covered transactions electronically in connection with that health care, it is then a covered entity under HIPAA. As a covered entity, the school must comply with the HIPAA Administrative Simplification Rules, including the Privacy and Security Rules.
However, many schools, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records maintained by the school are “education records” or “treatment records” of eligible students under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule. See the exception at paragraph (2)(i) and (2)(ii) to what is considered “protected health information” ("PHI") at 45 C.F.R. § 160.103. In addition, the exception for records covered by FERPA applies both to the HIPAA Privacy Rule and to the HIPAA Security Rule, because the Security Rule applies to a subset of the information covered by the Privacy Rule (i.e., "electronic PHI").
Frequently Asked Questions and Answers
The following are 16 FAQs included in the Guidance:
1. Does the HIPAA Privacy Rule apply to an elementary or secondary school?
Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
• The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 C.F.R. § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
• The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.
2. How does FERPA apply to health records on students maintained by elementary or secondary schools?
At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. Some schools may receive a grant from a foundation or government agency to hire a nurse. Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA. Parents have a right under FERPA to inspect and review these health and medical records because they are “education records” under FERPA. See 34 CFR §§ 99.10 – 99.12. In addition, these records may not be shared with third parties without written parental consent unless the disclosure meets one of the exceptions to FERPA’s general consent requirement. For instance, one of these exceptions allows schools to disclose a student’s health and medical information and other “education records” to teachers and other school officials, without written consent, if these school officials have “legitimate educational interests” in accordance with school policy. See 34 CFR § 99.31(a)(1). Another exception permits the disclosure of education records, without consent, to appropriate parties in connection with an emergency, if knowledge of the information is necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36.
3. Does FERPA or HIPAA apply to elementary or secondary school student health records maintained by a health care provider that is not employed by a school?
If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly. This is the case regardless of whether the health care is provided to students on school grounds or off-site. As education records, the information is protected under FERPA and not HIPAA. Some outside parties provide services directly to students and are not employed by, under contract to, or otherwise acting on behalf of the school. In these circumstances, these records are not “education records” subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school. For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be “education records” under FERPA. In such situations, a school that wishes to disclose to this outside party health care provider any personally identifiable information from education records would have to comply with FERPA and obtain parental consent. See 34 CFR § 99.30. With respect to HIPAA, even where student health records maintained by a health care provider are not education records protected by FERPA, the HIPAA Privacy Rule would apply to such records only if the provider conducts one or more of the HIPAA transactions electronically, e.g., billing a health plan electronically for his or her services, making the provider a HIPAA covered entity.
4. Are there circumstances in which the HIPAA Privacy Rule might apply to an elementary or secondary school?
There are some circumstances in which an elementary or secondary school would be subject to the HIPAA Privacy Rule, such as where the school is a HIPAA covered entity and is not subject to FERPA. As explained previously, most private schools at the elementary and secondary school levels typically do not receive funding from the U.S. Department of Education and, therefore, are not subject to FERPA. A school that is not subject to FERPA and is a HIPAA covered entity must comply with the HIPAA Privacy Rule with respect to any individually identifiable health information it has about students and others to whom it provides health care. For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients. The only exception would be where the school, despite not being subject to FERPA, has education records on one or more students to whom it provides services on behalf of a school or school district that is subject to FERPA. In this exceptional case, the education records of only those publicly placed students held by the private school would be subject to FERPA, while the remaining student health records would be subject to the HIPAA Privacy Rule.
5. Where the HIPAA Privacy Rule applies, does it allow a health care provider to disclose protected health information (PHI) about a troubled teen to the parents of the teen?
In most cases, yes. If the teen is a minor, the HIPAA Privacy Rule generally allows a covered entity to disclose PHI about the child to the child’s parent, as the minor child’s personal representative, when the disclosure is not inconsistent with state or other law. For more detailed information, see 45 CFR § 164.502(g) and the fact sheet regarding personal representatives at: http://www.hhs.gov/ocr/hipaa/guidelines/personalrepresentatives.pdf. In some cases, such as when a minor may receive treatment without a parent’s consent under applicable law, the parents are not treated as the minor’s personal representative. See 45 CFR § 164.502(g)(3). In such cases where the parent is not the personal representative of the teen, other HIPAA Privacy Rule provisions may allow the disclosure of PHI about the teen to the parent. For example, if a provider believes the teen presents a serious danger to self or others, the HIPAA Privacy Rule permits a covered entity to disclose PHI to a parent or other person(s) if the covered entity has a good faith belief that: (1) the disclosure is necessary to prevent or lessen the threat and (2) the parent or other person(s) is reasonably able to prevent or lessen the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i). In addition, the Privacy Rule permits covered entities to share information that is directly relevant to the involvement of a family member in the patient’s health care or payment for care if, when given the opportunity, the patient does not object to the disclosure. Even when the patient is not present or it is impracticable, because of emergency circumstances or the patient’s incapacity, for the covered entity to ask the patient about discussing his or her care or payment with a family member, a covered entity may share this information with the family member when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR § 164.510(b).
6. Where the HIPAA Privacy Rule applies, does it allow a health care provider to disclose protected health information (PHI) about a student to a school nurse or physician?
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.
7. Does FERPA or HIPAA apply to records on students at health clinics run by postsecondary institutions?
FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. See the exceptions at paragraphs (2)(i) and (2)(ii) to the definition of “protected health information” at 45 CFR § 160.103. The term “education records” is broadly defined under FERPA to mean those records that are: (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR § 99.3, “Education records.” “Treatment records” under FERPA, as they are commonly called, are: records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice. See 20 U.S.C. § 1232g(a)(4)(B)(iv); 34 CFR § 99.3, “Education records.” For example, treatment records would include health or medical records that a university psychologist maintains only in connection with the provision of treatment to an eligible student, and health or medical records that the campus health center or clinic maintains only in connection with the provision of treatment to an eligible student. (Treatment records also would include health or medical records on an eligible student in high school if the records otherwise meet the above definition.) “Treatment records” are excluded from the definition of “education records” under FERPA. However, it is important to note that a school may disclose an eligible student’s treatment records for purposes other than the student’s treatment provided that the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the treatment records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements, including the right of the eligible student to inspect and review the records. While the health records of students at postsecondary institutions may be subject to FERPA, if the institution is a HIPAA covered entity and provides health care to nonstudents, the individually identifiable health information of the clinic’s nonstudent patients is subject to the HIPAA Privacy Rule. Thus, for example, postsecondary institutions that are subject to both HIPAA and FERPA and that operate clinics open to staff, or the public, or both (including family members of students) are required to comply with FERPA with respect to the health records of their student patients, and with the HIPAA Privacy Rule with respect to the health records of their nonstudent patients.
8. Under FERPA, may an eligible student inspect and review his or her “treatment records”?
Under FERPA, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians or other appropriate professionals of the student’s choice. However, this does not prevent an educational institution from allowing a student to inspect and review such records. If the institution chooses to do so, though, such records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements.
9. Under FERPA, may an eligible student’s treatment records be shared with parties other than treating professionals?
As explained previously, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians or other appropriate professionals of the student’s choice. However, this does not prevent an educational institution from using or disclosing these records for other purposes or with other parties. If the institution chooses to do so, a disclosure may be made to any party with a prior written consent from the eligible student (see 34 CFR § 99.30) or under any of the disclosures permitted without consent in 34 CFR § 99.31 of FERPA. For example, a university physician treating an eligible student might determine that treatment records should be disclosed to the student’s parents. This disclosure may be made if the eligible student is claimed as a dependent for federal income tax purposes (see 34 CFR § 99.31(a)(8)). If the eligible student is not claimed as a dependent, the disclosure may be made to parents, as well as other appropriate parties, if the disclosure is in connection with a health or safety emergency. See 34 CFR §§ 99.31(a)(10) and 99.36. Once the records are disclosed under one of the exceptions to FERPA’s general consent requirement, the treatment records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements as “education records” under FERPA.
10. Under what circumstances does FERPA permit an eligible student’s treatment records to be disclosed to a third-party health care provider for treatment?
An eligible student’s treatment records may be shared with health care professionals who are providing treatment to the student, including health care professionals who are not part of or not acting on behalf of the educational institution (i.e., third-party health care provider), as long as the information is being disclosed only for the purpose of providing treatment to the student. In addition, an eligible student’s treatment records may be disclosed to a third-party health care provider when the student has requested that his or her records be “reviewed by a physician or other appropriate professional of the student’s choice.” See 20 U.S.C. § 1232g(a)(4)(B)(iv). In either of these situations, if the treatment records are disclosed to a third-party health care provider that is a HIPAA covered entity, the records would become subject to the HIPAA Privacy Rule. The records at the educational institution continue to be treatment records under FERPA, so long as the records are only disclosed by the institution for treatment purposes to a health care provider or to the student’s physician or other appropriate professional requested by the student. If the disclosure is for purposes other than treatment, an eligible student’s treatment record only may be disclosed to a third party as an “education record,” that is, with the prior written consent of the eligible student or if one of the exceptions to FERPA’s general consent requirement is met. See 34 CFR § 99.31. For example, if a university is served with a court order requiring the disclosure of the mental health records of a student maintained as treatment records at the campus clinic, the university may disclose the records to comply with the court order in accordance with the provisions of § 99.31(a)(9) of the FERPA regulations. However, the mental health records that the university disclosed for non-treatment purposes are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements as “education records” under FERPA.
11. Are all student records maintained by a health clinic run by a postsecondary institution considered “treatment records” under FERPA?
Not all records on eligible students that are maintained by a college- or university-run health clinic are treatment records under FERPA because many such records are not made, maintained, or used only in connection with the treatment of a student. For example, billing records that a college- or university-run health clinic maintains on a student are “education records” under FERPA, the disclosure of which would require prior written consent from the eligible student unless an exception applies. See 34 CFR § 99.30. In addition, records relating to treatment that are shared with persons other than professionals providing treatment to the student are “education records” under FERPA. Thus, to the extent a health clinic has shared a student’s treatment information with persons and for purposes other than for treatment, such information is an “education record,” not a treatment record under FERPA.
12. Does FERPA or HIPAA apply to records on students who are patients at a university hospital?
Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically “education records” or “treatment records” under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. Rather, these hospitals provide such services without regard to the person’s status as a student and not on behalf of a university. Thus, assuming the hospital is a HIPAA covered entity, these records are subject to all of the HIPAA rules, including the HIPAA Privacy Rule. However, in a situation where a hospital does run the student health clinic on behalf of a university, the clinic records on students would be subject to FERPA, either as “education records” or “treatment records,” and not subject to the HIPAA Privacy Rule.
13. Where the HIPAA Privacy Rule applies, does it permit a health care provider to disclose protected health information (PHI) about a patient to law enforcement, family members, or others if the provider believes the patient presents a serious danger to self or others?
The HIPAA Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat. This may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others who the covered entity has a good faith belief can mitigate the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i). For example, consistent with other law and ethical standards, a mental health provider whose teenage patient has made a credible threat to inflict serious and imminent bodily harm on one or more fellow students may alert law enforcement, a parent or other family member, school administrators or campus police, or others the provider believes may be able to prevent or lessen the chance of harm. In such cases, the covered entity is presumed to have acted in good faith where its belief is based upon the covered entity’s actual knowledge (i.e., based on the covered entity’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member or other person). See 45 CFR § 164.512(j)(4). For threats or concerns that do not rise to the level of “serious and imminent,” other HIPAA Privacy Rule provisions may apply to permit the disclosure of PHI. For example, covered entities generally may disclose PHI about a minor child to the minor’s personal representative (e.g., a parent or legal guardian), consistent with state or other laws. See 45 CFR § 164.502(b).
14. Does FERPA permit a postsecondary institution to disclose a student’s treatment records or education records to law enforcement, the student’s parents, or others if the institution believes the student presents a serious danger to self or others?
An eligible student’s education records and treatment records (which are considered education records if used or made available for any purpose other than the eligible student’s treatment) may be disclosed, without consent, if the disclosure meets one of the exceptions to FERPA’s general consent rule. See 34 CFR § 99.31. One of the permitted disclosures is to appropriate parties, which may include law enforcement or parents of a student, in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36. There are other exceptions that apply to disclosing information to parents of eligible students that are discussed on the “Safe Schools & FERPA” Web page, as well as other information that should be helpful to school officials, at: http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html/.
15. Are the health records of an individual who is both a student and an employee of a university at which the person receives health care subject to the privacy provisions of FERPA or those of HIPAA?
The individual’s health records would be considered “education records” protected under FERPA and, thus, excluded from coverage under the HIPAA Privacy Rule. FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3 (“education records”). While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion, such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees. Thus, the health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.
16. Can a postsecondary institution be a “hybrid entity” under the HIPAA Privacy Rule?
Yes. A postsecondary institution that is a HIPAA covered entity may have health information to which the Privacy Rule may apply not only in the health records of nonstudents in the health clinic, but also in records maintained by other components of the institution that are not education records or treatment records under FERPA, such as in a law enforcement unit or research department. In such cases, the institution, as a HIPAA covered entity, has the option of becoming a “hybrid entity” and, thus, having the HIPAA Privacy Rule apply only to its health care unit. The school can achieve hybrid entity status by designating the health unit as its “health care component.” As a hybrid entity, any individually identifiable health information maintained by other components of the university (i.e., outside of the health care component), such as a law enforcement unit, or a research department, would not be subject to the HIPAA Privacy Rule, notwithstanding that these components of the institution might maintain records that are not “education records” or treatment records under FERPA. To become a hybrid entity, the covered entity must designate and include in its health care component all components that would meet the definition of a covered entity if those components were separate legal entities. (A covered entity may have more than one health care component.) However, the hybrid entity is not permitted to include in its health care component other types of components that do not perform the covered functions of the covered entity or components that do not perform support activities for the components performing covered functions. That is, components that do not perform health plan, health care provider, or health care clearinghouse functions and components that do not perform activities in support of these functions (as would a business associate of a separate legal entity) may not be included in a health care component. Within the hybrid entity, most of the HIPAA Privacy Rule requirements apply only to the health care component, although the hybrid entity retains certain oversight, compliance, and enforcement obligations. See 45 CFR § 164.105 of the Privacy Rule for more information.
FERPA is a Federal law that protects the privacy of students’ “education records.” See generally 20 U.S.C. § 1232g; 34 C.F.R. Part 99. FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes most public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools. Private and religious schools at the elementary and secondary level generally do not receive funds from the DOE and are, therefore, not subject to FERPA. The school itself must receive funds from a program administered by the DOE to be subject to FERPA.
A school subject to FERPA may not have a policy or practice of disclosing student education records, or personally identifiable information from education records, without a parent or eligible student’s written consent. See 34 C.F.R. § 99.30. However, there are several exceptions to this general consent rule. See 34 C.F.R. § 99.31. An “eligible student” is a student who is at least 18 years of age or who attends a postsecondary institution at any age. See 34 C.F.R. §§ 99.3 and 99.5(a). Under FERPA, parents and eligible students have the right to inspect and review the student’s education records and to seek to have them amended in certain circumstances. See 34 C.F.R. §§ 99.10 – 99.12 and §§ 99.20 – 99.22. The term “education records” is broadly defined to mean those records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 C.F.R. § 99.3. At the elementary or secondary level, a student’s health records, including immunization records, maintained by a school, as well as records maintained by a school nurse, are “education records” subject to FERPA. In addition, records that schools maintain on special education students, including records on services provided to students under the Individuals with Disabilities Education Act ("IDEA"), are “education records” under FERPA. This is because these records are (1) directly related to a student, (2) maintained by the school or a party acting for the school, and (3) not excluded from the definition of “education records.”
At postsecondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. See 34 C.F.R. § 99.3. These records are commonly called “treatment records.”
An eligible student’s treatment records may be disclosed for purposes other than the student’s treatment, provided the records are disclosed under one of the exceptions to written consent under 34 C.F.R. § 99.31(a) or with the student’s written consent under 34 C.F.R. § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements.
Most readers are familiar with the Privacy and Security Rules promulgated under HIPAA, so the background of those regulations will not be repeated here.
When a school provides health care to students in the normal course of business, such as through its health clinic, it is also a “health care provider” as defined by HIPAA. If a school also conducts any covered transactions electronically in connection with that health care, it is then a covered entity under HIPAA. As a covered entity, the school must comply with the HIPAA Administrative Simplification Rules, including the Privacy and Security Rules.
However, many schools, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records maintained by the school are “education records” or “treatment records” of eligible students under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule. See the exceptions at paragraphs (2)(i) and (2)(ii) to what is considered “protected health information” ("PHI") at 45 C.F.R. § 160.103. In addition, the exception for records covered by FERPA applies both to the HIPAA Privacy Rule and to the HIPAA Security Rule, because the Security Rule applies to a subset of the information covered by the Privacy Rule (i.e., "electronic PHI").
Frequently Asked Questions and Answers
The following are 16 FAQs included in the Guidance:
1. Does the HIPAA Privacy Rule apply to an elementary or secondary school?
Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
• The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 C.F.R. § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
• The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.
2. How does FERPA apply to health records on students maintained by elementary or secondary schools?
At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. Some schools may receive a grant from a foundation or government agency to hire a nurse. Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA. Parents have a right under FERPA to inspect and review these health and medical records because they are “education records” under FERPA. See 34 CFR §§ 99.10 – 99.12. In addition, these records may not be shared with third parties without written parental consent unless the disclosure meets one of the exceptions to FERPA’s general consent requirement. For instance, one of these exceptions allows schools to disclose a student’s health and medical information and other “education records” to teachers and other school officials, without written consent, if these school officials have “legitimate educational interests” in accordance with school policy. See 34 CFR § 99.31(a)(1). Another exception permits the disclosure of education records, without consent, to appropriate parties in connection with an emergency, if knowledge of the information is necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36.
3. Does FERPA or HIPAA apply to elementary or secondary school student health records maintained by a health care provider that is not employed by a school?
If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly. This is the case regardless of whether the health care is provided to students on school grounds or off-site. As education records, the information is protected under FERPA and not HIPAA. Some outside parties provide services directly to students and are not employed by, under contract to, or otherwise acting on behalf of the school. In these circumstances, these records are not “education records” subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school. For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be “education records” under FERPA. In such situations, a school that wishes to disclose to this outside party health care provider any personally identifiable information from education records would have to comply with FERPA and obtain parental consent. See 34 CFR § 99.30. With respect to HIPAA, even where student health records maintained by a health care provider are not education records protected by FERPA, the HIPAA Privacy Rule would apply to such records only if the provider conducts one or more of the HIPAA transactions electronically, e.g., billing a health plan electronically for his or her services, making the provider a HIPAA covered entity.
4. Are there circumstances in which the HIPAA Privacy Rule might apply to an elementary or secondary school?
There are some circumstances in which an elementary or secondary school would be subject to the HIPAA Privacy Rule, such as where the school is a HIPAA covered entity and is not subject to FERPA. As explained previously, most private schools at the elementary and secondary school levels typically do not receive funding from the U.S. Department of Education and, therefore, are not subject to FERPA. A school that is not subject to FERPA and is a HIPAA covered entity must comply with the HIPAA Privacy Rule with respect to any individually identifiable health information it has about students and others to whom it provides health care. For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients. The only exception would be where the school, despite not being subject to FERPA, has education records on one or more students to whom it provides services on behalf of a school or school district that is subject to FERPA. In this exceptional case, the education records of only those publicly placed students held by the private school would be subject to FERPA, while the remaining student health records would be subject to the HIPAA Privacy Rule.
5. Where the HIPAA Privacy Rule applies, does it allow a health care provider to disclose protected health information (PHI) about a troubled teen to the parents of the teen?
In most cases, yes. If the teen is a minor, the HIPAA Privacy Rule generally allows a covered entity to disclose PHI about the child to the child’s parent, as the minor child’s personal representative, when the disclosure is not inconsistent with state or other law. For more detailed information, see 45 CFR § 164.502(g) and the fact sheet regarding personal representatives at:
http://www.hhs.gov/ocr/hipaa/guidelines/personalrepresentatives.pdf. In some cases, such as when a minor may receive treatment without a parent’s consent under applicable law, the parents are not treated as the minor’s personal representative. See 45 CFR § 164.502(g)(3). In such cases where the parent is not the personal representative of the teen, other HIPAA Privacy Rule provisions may allow the disclosure of PHI about the teen to the parent. For example, if a provider believes the teen presents a serious danger to self or others, the HIPAA Privacy Rule permits a covered entity to disclose PHI to a parent or other person(s) if the covered entity has a good faith belief that: (1) the disclosure is necessary to prevent or lessen the threat and (2) the parent or other person(s) is reasonably able to prevent or lessen the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i). In addition, the Privacy Rule permits covered entities to share information that is directly relevant to the involvement of a family member in the patient’s health care or payment for care if, when given the opportunity, the patient does not object to the disclosure. Even when the patient is not present or it is impracticable, because of emergency circumstances or the patient’s incapacity, for the covered entity to ask the patient about discussing his or her care or payment with a family member, a covered entity may share this information with the family member when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR § 164.510(b).
6. Where the HIPAA Privacy Rule applies, does it allow a health care provider to disclose protected health information (PHI) about a student to a school nurse or physician?
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school.
7. Does FERPA or HIPAA apply to records on students at health clinics run by postsecondary institutions?
FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. See the exceptions at paragraphs (2)(i) and (2)(ii) to the definition of “protected health information” at 45 CFR § 160.103. The term “education records” is broadly defined under FERPA to mean those records that are: (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR § 99.3, “Education records.” “Treatment records” under FERPA, as they are commonly called, are: records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice. See 20 U.S.C. § 1232g(a)(4)(B)(iv); 34 CFR § 99.3, “Education records.” For example, treatment records would include health or medical records that a university psychologist maintains only in connection with the provision of treatment to an eligible student, and health or medical records that the campus health center or clinic maintains only in connection with the provision of treatment to an eligible student. (Treatment records also would include health or medical records on an eligible student in high school if the records otherwise meet the above definition.) “Treatment records” are excluded from the definition of “education records” under FERPA. However, it is important to note that a school may disclose an eligible student’s treatment records for purposes other than the student’s treatment provided that the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the treatment records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements, including the right of the eligible student to inspect and review the records. While the health records of students at postsecondary institutions may be subject to FERPA, if the institution is a HIPAA covered entity and provides health care to nonstudents, the individually identifiable health information of the clinic’s nonstudent patients is subject to the HIPAA Privacy Rule. Thus, for example, postsecondary institutions that are subject to both HIPAA and FERPA and that operate clinics open to staff, or the public, or both (including family members of students) are required to comply with FERPA with respect to the health records of their student patients, and with the HIPAA Privacy Rule with respect to the health records of their nonstudent patients.
8. Under FERPA, may an eligible student inspect and review his or her “treatment records”?
Under FERPA, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians or other appropriate professionals of the student’s choice. However, this does not prevent an educational institution from allowing a student to inspect and review such records. If the institution chooses to do so, though, such records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements.
9. Under FERPA, may an eligible student’s treatment records be shared with parties other than treating professionals?
As explained previously, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians or other appropriate professionals of the student’s choice. However, this does not prevent an educational institution from using or disclosing these records for other purposes or with other parties. If the institution chooses to do so, a disclosure may be made to any party with a prior written consent from the eligible student (see 34 CFR § 99.30) or under any of the disclosures permitted without consent in 34 CFR § 99.31 of FERPA. For example, a university physician treating an eligible student might determine that treatment records should be disclosed to the student’s parents. This disclosure may be made if the eligible student is claimed as a dependent for federal income tax purposes (see 34 CFR § 99.31(a)(8)). If the eligible student is not claimed as a dependent, the disclosure may be made to parents, as well as other appropriate parties, if the disclosure is in connection with a health or safety emergency. See 34 CFR §§ 99.31(a)(10) and 99.36. Once the records are disclosed under one of the exceptions to FERPA’s general consent requirement, the treatment records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements as “education records” under FERPA.
10. Under what circumstances does FERPA permit an eligible student’s treatment records to be disclosed to a third-party health care provider for treatment?
An eligible student’s treatment records may be shared with health care professionals who are providing treatment to the student, including health care professionals who are not part of or not acting on behalf of the educational institution (i.e., third-party health care provider), as long as the information is being disclosed only for the purpose of providing treatment to the student. In addition, an eligible student’s treatment records may be disclosed to a third-party health care provider when the student has requested that his or her records be “reviewed by a physician or other appropriate professional of the student’s choice.” See 20 U.S.C. § 1232g(a)(4)(B)(iv). In either of these situations, if the treatment records are disclosed to a third-party health care provider that is a HIPAA covered entity, the records would become subject to the HIPAA Privacy Rule. The records at the educational institution continue to be treatment records under FERPA, so long as the records are only disclosed by the institution for treatment purposes to a health care provider or to the student’s physician or other appropriate professional requested by the student. If the disclosure is for purposes other than treatment, an eligible student’s treatment record only may be disclosed to a third party as an “education record,” that is, with the prior written consent of the eligible student or if one of the exceptions to FERPA’s general consent requirement is met. See 34 CFR § 99.31. For example, if a university is served with a court order requiring the disclosure of the mental health records of a student maintained as treatment records at the campus clinic, the university may disclose the records to comply with the court order in accordance with the provisions of § 99.31(a)(9) of the FERPA regulations. However, the mental health records that the university disclosed for non-treatment purposes are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements as “education records” under FERPA.
11. Are all student records maintained by a health clinic run by a postsecondary institution considered “treatment records” under FERPA?
Not all records on eligible students that are maintained by a college- or university-run health clinic are treatment records under FERPA because many such records are not made, maintained, or used only in connection with the treatment of a student. For example, billing records that a college- or university-run health clinic maintains on a student are “education records” under FERPA, the disclosure of which would require prior written consent from the eligible student unless an exception applies. See 34 CFR § 99.30. In addition, records relating to treatment that are shared with persons other than professionals providing treatment to the student are “education records” under FERPA. Thus, to the extent a health clinic has shared a student’s treatment information with persons and for purposes other than for treatment, such information is an “education record,” not a treatment record under FERPA.
12. Does FERPA or HIPAA apply to records on students who are patients at a university hospital?
Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically “education records” or “treatment records” under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. Rather, these hospitals provide such services without regard to the person’s status as a student and not on behalf of a university. Thus, assuming the hospital is a HIPAA covered entity, these records are subject to all of the HIPAA rules, including the HIPAA Privacy Rule. However, in a situation where a hospital does run the student health clinic on behalf of a university, the clinic records on students would be subject to FERPA, either as “education records” or “treatment records,” and not subject to the HIPAA Privacy Rule.
13. Where the HIPAA Privacy Rule applies, does it permit a health care provider to disclose protected health information (PHI) about a patient to law enforcement, family members, or others if the provider believes the patient presents a serious danger to self or others?
The HIPAA Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat. This may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others who the covered entity has a good faith belief can mitigate the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i). For example, consistent with other law and ethical standards, a mental health provider whose teenage patient has made a credible threat to inflict serious and imminent bodily harm on one or more fellow students may alert law enforcement, a parent or other family member, school administrators or campus police, or others the provider believes may be able to prevent or lessen the chance of harm. In such cases, the covered entity is presumed to have acted in good faith where its belief is based upon the covered entity’s actual knowledge (i.e., based on the covered entity’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member or other person). See 45 CFR § 164.512(j)(4). For threats or concerns that do not rise to the level of “serious and imminent,” other HIPAA Privacy Rule provisions may apply to permit the disclosure of PHI. For example, covered entities generally may disclose PHI about a minor child to the minor’s personal representative (e.g., a parent or legal guardian), consistent with state or other laws. See 45 CFR § 164.502(b).
14. Does FERPA permit a postsecondary institution to disclose a student’s treatment records or education records to law enforcement, the student’s parents, or others if the institution believes the student presents a serious danger to self or others?
An eligible student’s education records and treatment records (which are considered education records if used or made available for any purpose other than the eligible student’s treatment) may be disclosed, without consent, if the disclosure meets one of the exceptions to FERPA’s general consent rule. See 34 CFR § 99.31. One of the permitted disclosures is to appropriate parties, which may include law enforcement or parents of a student, in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36. There are other exceptions that apply to disclosing information to parents of eligible students that are discussed on the “Safe Schools & FERPA” Web page, as well as other information that should be helpful to school officials, at: http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html/.
15. Are the health records of an individual who is both a student and an employee of a university at which the person receives health care subject to the privacy provisions of FERPA or those of HIPAA?
The individual’s health records would be considered “education records” protected under FERPA and, thus, excluded from coverage under the HIPAA Privacy Rule. FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3 (“education records”). While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion, such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees. Thus, the health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.
16. Can a postsecondary institution be a “hybrid entity” under the HIPAA Privacy Rule?
Yes. A postsecondary institution that is a HIPAA covered entity may have health information to which the Privacy Rule may apply not only in the health records of nonstudents in the health clinic, but also in records maintained by other components of the institution that are not education records or treatment records under FERPA, such as in a law enforcement unit or research department. In such cases, the institution, as a HIPAA covered entity, has the option of becoming a “hybrid entity” and, thus, having the HIPAA Privacy Rule apply only to its health care unit. The school can achieve hybrid entity status by designating the health unit as its “health care component.” As a hybrid entity, any individually identifiable health information maintained by other components of the university (i.e., outside of the health care component), such as a law enforcement unit, or a research department, would not be subject to the HIPAA Privacy Rule, notwithstanding that these components of the institution might maintain records that are not “education records” or treatment records under FERPA. To become a hybrid entity, the covered entity must designate and include in its health care component all components that would meet the definition of a covered entity if those components were separate legal entities. (A covered entity may have more than one health care component.)
However, the hybrid entity is not permitted to include in its health care component other types of components that do not perform the covered functions of the covered entity or components that do not perform support activities for the components performing covered functions. That is, components that do not perform health plan, health care provider, or health care clearinghouse functions and components that do not perform activities in support of these functions (as would a business associate of a separate legal entity) may not be included in a health care component. Within the hybrid entity, most of the HIPAA Privacy Rule requirements apply only to the health care component, although the hybrid entity retains certain oversight, compliance, and enforcement obligations. See 45 CFR § 164.105 of the Privacy Rule for more information.