It all started when a University of Oregon student sued the school for what she alleged was a mishandling of her sexual assault case. The university, in an attempt to garner evidence in favor of its case, then accessed the plaintiff’s health records from the on-campus counseling center. The university argued that the move was protected under the Family Educational Rights and Privacy Act (FERPA), igniting a privacy firestorm resulting in questions that have legal experts, policy-makers and campus administrators scratching their heads. What about the Health Insurance Portability and Accountability Act (HIPAA)? Doesn't the law make the university's move illegal? And who has jurisdiction over student medical records, the patient or the school? How do universities best juggle their responsibilities to both the student and the law?
A recent IAPP Insight Series web conference, "Protecting Student Medical Privacy," aimed to tackle some of those questions by looking at FERPA, HIPAA and a handful of theoretical scenarios that would bring the two laws into play.
The consensus? Student privacy on college campuses is, well, murky, to say the least.
“There is a real need for this discussion that we are having today,” said Rep. Suzanne Bonamici (D-OR). “The treatment of sensitive medical records on campuses is quite complicated … even the U.S. Department of Education (DoE) is wrestling with how these separate statutes and their corresponding regulations affect the way institutions handle similar patient information.”
Sen. Ron Wyden (D-OR) echoed her sentiments, adding that the DoE responded to a letter both he and Bonamici wrote regarding the disconcerting gray areas of student privacy. The agency responded by saying it was “concerned about the possibility that FERPA may offer conflicting protection than the HIPAA privacy rules in some instances.”
Wyden pledged to listeners he would follow up with the DoE regarding what needs to be done to rectify the situation.
But to the chagrin of all involved, it seems, “what needs to be done” isn't so simple.
The typical university, Wyden explained, “wears multiple hats,” with an “inherent conflict of interest in the very underpinnings.” Sarah Van Orman, executive director of the University of Wisconsin-Madison’s University Health Services, agreed.
On-campus providers “walk this very interesting balance … of several different sets of rules that are operating at once," Van Orman said. While the “provider role is primary,” oftentimes said caregivers have manifold, conflicting roles across campus that can further blur the lines of what information is considered protected and private and what information may be shared.
“Many providers ... may provide healthcare, but then they may also participate in other education and teaching activities ... and the providers need to sort out what hat they are wearing when they obtain sensitive information,” she said. There’s also the matter of healthcare being handled differently at different institutions, which makes universal regulation and to-the-letter adherence even more difficult.
What can and can’t be divulged isn’t cut-and-dried, either. HIPAA governs only the individually identifiable information collected by a covered entity, i.e., doctors, hospitals and health insurers, which excludes the individually identifiable health information stored in education records; that data is covered by FERPA.
“For the most part, HIPAA and FERPA are mutually exclusive,” said Wiley Rein's Kirk Nahra, CIPP/US. This creates “compliance challenges,” he explained, with universities also working to comply with differing state regulations. The “incredibly complicated landscape ... creates enormous confusion for individuals."
Then there’s FERPA, which Rhode Island Institute of Design General Counsel Steven McDonald explained was a “very general statute” that sets a “floor for all student records” but “doesn’t prohibit the release of treatment records to persons other than individuals providing the treatment.”
Legalese aside, Bonamici said, “the complicated landscape is difficult not only for students but also for administrators, providers and other professionals, but my primary concern is if any confusion about how the students’ information is handled may discourage students from seeking treatment, and that would be a serious issue. So we need to work together to ensure that students that plan to seek counseling and medical treatment, that the information will be adequately protected.”
Students “must have the certainty that information they share with their healthcare providers, which is often just about the most intimate, personal, private information imaginable – those students have to know that that information is going to be protected,” Wyden said.
A lack of that certainty inspires fear while deterring accurate treatment, both problematic in their own right.
“How we think about reconciling those conflicts” will be important to future policy-makers, he continued.
Wyden’s comments proved prescient, with the DoE announcing August 18 the release of a draft guide for universities to better merge student privacy with student medical records.
“We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts without a court order or written consent,” said DoE CPO Kathleen Styles, CIPP/G, in the DoE announcement.
Indeed, student medical privacy seems to be a hot topic, with the web conference attracting more than 500 registrants and getting 255 attendees on its initial air date in June. It “touched a nerve about the issue of student privacy on campus,” said IAPP Knowledge Manager Dave Cohen, CIPP/E, CIPP/US, noting the string of recent high-profile cases involving campus sexual assault that coincided with its release.