Colleges and universities must navigate the inter-related, sometimes mutually exclusive, and always complex laws governing the privacy of student medical records. Since the University of Oregon came under intense criticism for accessing a student’s counseling records to defend itself in a lawsuit earlier this year, the maze of privacy laws has received significant attention.
Higher education institutions, depending on their size and how they offer health services to students, must comply with up to three different sets of privacy laws. At the federal level, there are the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). Depending on the situation, these two laws either supersede or are subordinate to state privacy laws, which vary significantly across the country.
"It’s an incredibly complicated landscape and it's one that creates real challenges to manage and to apply these laws for the entities that have to follow them, but I also think it creates enormous confusion for individuals," said Kirk Nahra, a partner with Wiley Rein LLP in Washington, DC, who has worked on HIPAA issues since the legislation was being drafted in the 1990s. Nahra participated in a panel organized by the International Association of Privacy Professionals last week.
From its inception, HIPAA privacy laws only applied to certain types of health records — individually identifiable ones — collected by certain types of organizations, and only in certain circumstances. According to Nahra, campus clinics that do not bill patients for treatment are not actually organizations that fall under HIPAA regulations. Beyond that, HIPAA specifically excludes privacy protections for individually identifiable health information if it is part of an educational record governed by FERPA.
"If it’s covered by FERPA, it's excluded by HIPAA," Nahra said.
The widely publicized Oregon case has captivated privacy advocates across the country. Many have argued that students can't possibly feel safe seeking treatment from colleges or universities given the holes in the privacy landscape. U.S. Rep. Suzanne Bonamici and U.S. Sen. Ron Wyden, both of Oregon, wrote a letter to the Department of Education demanding clarification about the limits of FERPA.
As it turns out, most health records, whether collected by a university health center or an unaffiliated office, aren't likely to stay private during legal proceedings if either side deems them relevant. If the records are not considered educational records, and so are not easily shared within the university, a legal team could subpoena medical professionals for the information. The difference is simply procedural.
But the Oregon case has prompted calls for greater privacy protections in ways that could very seriously affect higher education institutions nationwide.
In a letter responding to Wyden and Bonamici’s questions, the Department of Education noted concern with the possibility that FERPA offers fewer confidentiality protections than HIPAA. Both elected officials are committed to following up to figure out whether new regulations should be considered.
During the IAPP panel, Nahra said he doesn’t think adding a third federal privacy law would be the best route but suggested modifying rules so HIPAA covers all medical records, not just ones outside of the educational realm.
Sarah Van Orman, executive director of University Health Services at the University of Wisconsin-Madison, thinks that's the best option.
"Ideally, I think, from those of us working in this, simply having student records covered under HIPAA would probably be a better scenario," she said. "I don’t think there's anything about HIPAA that would be problematic for student health."
At a major university system like UW-Madison, health services professionals are already well-versed in both HIPAA and FERPA, as they treat patients whose records are covered under both laws. But Steve McDonald, general counsel for the Rhode Island School of Design and an expert on FERPA, said that could cause problems for thousands of smaller colleges all over the country that haven't traditionally needed to worry about HIPAA on campus.
As with most federal regulation, if change comes in the name of student privacy, many colleges and universities will have a good deal of work ahead of them.