Consider this question. Say the mother of a 22-year-old student that you have treated requests to see her daughter’s medical records. The Bursar’s office confirms that the student is listed as a dependent for tax purposes. There seems to be no urgent reason for such a release and the student does not wish to give her mother access. How would you protect the privacy of her information?

Situations such as this one that require knowledge of privacy laws to resolve successfully are all too common in the average student health center, yet the acronyms HIPAA and FERPA tend to strike fear into the hearts of the staunchest of college health professionals. So much has been written anecdotally on the subject of how complicated and unspecific these laws are that some may be surprised to find that according to legal professionals, the intersections between the laws are generally clear-cut. This article aims to explain which laws apply to you and what you can do to avoid the headaches that ensue from a conflict between your principles as a care provider and the law.

Six golden rules of privacy law

* FERPA never applies to non-students
* FERPA only applies when the student’s medical records are released
* HIPAA doesn’t apply to records covered by FERPA or to student treatment records
* Even if you treat non-students, you’re not bound by HIPAA unless you perform electronic transactions.
* Student health and counseling centers that do perform electronic transactions for non-students only have to abide by HIPAA for those transactions.
* State laws are applicable whether or not other federal laws apply

This is how these rules break down.

RULE 1: FERPA never applies to non-students

RULE 2: FERPA only applies when the student’s medical records are released

The Family Educational Rights and Privacy Act (FERPA) is the older of the two federal privacy laws. Enacted in 1974, one aspect of its governance is the privacy of educational records. There is a popular myth circulating that student medical records fall under FERPA’s umbrella term “educational records.” In fact, FERPA specifically excludes the treatment records of students in higher education from its definition of educational records (see 20 U.S.C. § 1232g for a complete definition). It also excludes employees of an educational institution if they are not students. FERPA does come into play, but only if the records are released to someone outside the health center, whether that is the student, their parents, their professors, or another health provider outside the university, at which point they become educational records rather than treatment records.

It is important to note that it is not the request for the release that brings FERPA into effect. Many student health professionals believe that if a request to see the records is made that is in accordance with FERPA guidelines, they have to release them or be in violation of FERPA. “Not so,” says Kristine Dunne, BA, EdM, JD, an associate at the Washington, D.C. office of law firm Arent Fox, LLC.

“It’s the release of the records that triggers FERPA,” she explains. “There are no rights extended under FERPA to those medical records until such time as they have been made available to someone other than the treating health professionals, at which point the FERPA protections of student records kick in.”

Applying this to the example at the beginning of the article, if state law doesn’t require you to release the student’s unreleased medical records to her mother, you are under no legal obligation to do so without a court order. Similarly, even if you think a professor may have a legitimate educational interest in requesting a student’s unreleased medical records, you still don’t have to release them.

FERPA is just one part of the puzzle, however. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is another relevant law that seeks to be the national privacy standard in health care. It was updated in 2003 to take into account the trend toward automation and electronic record-keeping. These privacy guidelines have been well publicized and generally uphold the kind of patient confidentiality that most health care providers are comfortable with, and there has therefore been a widespread trend in health centers to apply these standards to student medical records, even if they are not legally required. It is important to realize, however, that while its principles of privacy and confidentiality are excellent, in most cases, compliance is not required by law.

RULE 3: HIPAA doesn’t apply to records covered by FERPA or to student medical records which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment.

RULE 4: Even if you treat non-students, you’re not bound by HIPAA unless you transmit health care information in electronic form in connection with the submission of claims for payment.

HIPAA’s definition of protected health information (PHI) specifically excludes education records covered by FERPA and the treatment records of students in higher education as defined above. Dunne explains that the goal of this exclusion is simplification.

“If student medical records were subject to HIPAA, there would be two completely different schemes — up until the health center released the record, it would be governed by HIPAA, and when it had been released it would be governed by FERPA,” she says.

This was apparently considered unworkable by Congress, hence the blanket exception that HIPAA makes for any kind of student medical records. However, many student health and counseling centers also treat non-students, and this is where it starts to get a little bit trickier. To be considered a covered entity (i.e., bound by HIPAA), your health center must electronically transmit health information in connection with a HIPAA transaction. More detailed information on what constitutes a HIPAA transaction can be found in this primer released by The American Council on Education, but essentially it is any administrative or financial task carried out in the course of health care that transmits PHI. If you don’t perform electronic transactions, you don’t have to comply with HIPAA.

RULE 5: Student health and counseling centers that do perform electronic transactions for non-students only have to abide by HIPAA for those transactions.

Usually, every transaction of covered entities has to be bound by HIPAA standards, even if they are not all electronic transactions. However, because of the intersection with FERPA, these health centers are able to be bound by HIPAA just for the non-student transactions.

RULE 6: State laws are applicable whether or not other federal laws apply

With all the fuss about HIPAA and FERPA, don’t forget about your state’s laws concerning privacy. In some cases, state laws are the only ones that will apply to student medical records, but even where HIPAA or FERPA apply, state law is still relevant. Despite the fact that HIPAA is a federal law, it bows to state law in those cases where state law is more stringent. Arent Fox Associate Richard Liner, BA, JD, MPH, elaborates:

“HIPAA has an enormous pre-emption problem because it sets a floor and not a ceiling for health care privacy. Congress only established a minimum for protecting patient information. If a state’s laws or regulations are more stringent than HIPAA in their protection of patient health information, then covered entities must follow state requirements.”

This may conjure up ideas of conflicting laws, but Arent Fox counsels that generally, state laws are more specific and will very rarely conflict directly with HIPAA or FERPA. If more than one law is applicable, generally the more stringent requirements will apply. When in doubt, consult counsel before taking action.

Knowing the theory is one thing, but applying it can be a lot more complicated. FERPA requires the student to give written, dated permission before his or her student records information is released — even to other health care providers outside the university, which is a source of frustration for many. But the same information can be released, unauthorized, to school officials who have a legitimate educational interest. Similarly, FERPA allows unauthorized disclosure in an emergency, if it is necessary to protect the health or safety of the student or other persons. Dunne counsels to rely on common sense to interpret these terms, and to consult counsel early in the process. No law can specifically cover every eventuality; the burden of responsibility and interpretation must, through necessity, rest on the care provider.

This responsibility weighs all the more heavily because schools are concerned about penalties for breaching FERPA. If the Family Policy Compliance Office (FPCO) found a pattern of violations of FERPA with no obvious attempts to follow the guidelines, it could result in a removal of federal funding. However, it is important to know that individuals cannot be prosecuted for a FERPA breach and individual students cannot sue for damages for such a breach. Schools should carefully develop, implement and maintain compliance oversight with regard to these important privacy laws in order to prevent unlawful release of student records. Likewise, if your school treats non-students, files electronic claims and is bound by HIPAA for those transactions, you should make sure that HIPAA protections are implemented, even though a HIPAA violation may not — for now — result in a fine being imposed. Liner explains:

“In the vast majority of cases where there’s found to be a violation of HIPAA, there is what’s called an ‘administrative resolution’, which generally means the mistake wasn’t intentional and the organization voluntarily agrees to take appropriate remedial action.”

No civil fines for violations of HIPAA have been imposed so far, although Liner warns that is likely to soon change.

Although information on the triumvirate of privacy laws has always been available to those who know where to look for it, there is also a wealth of partial and incorrect information available on the Internet that has muddied the waters for those health professionals attempting to do a little research on the laws that apply to them. Dunne and Liner counsel that you should speak to a professional who knows the law in your state and the ins and outs of FERPA and HIPAA if you are worried about misinterpretation of the law. Even if you know the basics, state laws vary greatly and knowing the details of how the three laws intersect will allow you the greatest leeway to interpret them in a way that is consistent with your ethics.

“It is complicated,” sympathizes Liner. “Talk to the privacy officer within the university, if there is one. There are also a few government Web sites that are really good in terms of user-friendly guidance to help people navigate through the more basic pitfalls. For instance, the Office of Civil Rights, the enforcement agency for the HIPAA privacy standards, offers tremendously helpful information and FAQs on its Web site.”