The Expert's View with David Holtzman

Governance & Risk Management , Privacy

The Controversy Over Protecting Students' Medical Records

Why a Security Expert Contends Regulatory Reform Is Needed
CynergisTek's David Holtzman

When a university student had the records of her counseling sessions used against her in a fight over how the school handles sexual assault complaints, surely, privacy advocates thought, the institution would be held accountable for its blatant violation of her privacy. After all, the confidentiality of what a patient says to a therapist in a treatment session is protected by federal laws, including HIPAA and the regulations guarding the behavioral health treatment records, right?

But in this case, unfortunately, the sector-based approach we take in setting the rights an individual has to control the confidentiality of their sensitive, personal information played a role.

The Family Educational Rights and Privacy Act, or FERPA, allows schools and institutions of higher education to use, and in some cases disclose, the education records of students without their consent. Education records are broadly defined by FERPA as any record created or maintained about a student kept by the educational institution.

Medical or behavioral health records receive enhanced protections under FERPA only if the healthcare professional providing the care designates them as "treatment records." The protections generally afforded healthcare or mental health records by other federal laws yield to FERPA when the records are of students enrolled in educational institutions.

FERPA, enacted in 1974, has been a frequent target of blistering criticism in recent years because of the poor job it does in allowing students to control who uses or sees their personal information. Among the problems often cited is that FERPA applies only to schools and institutions that receive federal funds, not to the third-party vendors who receive student data from them.

Critics also point out that FERPA's enforcement mechanism is inadequate. FERPA's primary penalty is "all or nothing." If schools violate FERPA, they lose federal funding. To date, the Department of Education has not exercised this option. And students and their families currently have no redress in the case of violations. FERPA does not allow for private civil action by victims and their families if a student's privacy is violated.

The University of Oregon's handling of the student's mental health records brought loud calls from Congress and privacy advocates to strengthen the privacy protections that higher education institutions are required to apply to the healthcare information of students.

Guidance Drafted

The DoE recently issued draft guidance for colleges and universities on when they are permitted to disclose student medical records when the institution is involved in a lawsuit or other legal action with a student.

The draft guidance follows an incident in which the University of Oregon obtained a student's treatment records from its on-campus counseling center and then disclosed the information to its attorneys when the student sued the university over how it handled a sexual assault complaint.

The HIPAA Privacy Rule restricts when a healthcare provider or health insurer can disclose an individual's health information without their authorization. If a patient and healthcare provider get into a dispute, other than a malpractice claim or to collect for non-payment, HIPAA says treatment information can only be provided through a court order or with the authorization of the individual.

But if a student and their institution of higher learning get into a dispute, FERPA allows a university or college access to a student's medical records and to use them as evidence if they are relevant to a legal defense.

When legislation was introduced in Congress to close this loophole, DoE decided to weigh in on the need for higher education institutions not only to comply with FERPA, but also to respect the expectation of confidentiality that students have when receiving treatment from a healthcare provider or therapist.

The draft guidance in the form of a "Dear Colleague Letter" issued by Kathleen Styles, DoE's chief privacy officer, tells higher education institutions to handle the privacy of student medical records under FERPA similar to the way healthcare providers and hospitals are required to handle a patient's treatment records under the HIPAA Privacy Rule.

Specifically addressing the situation of when there is litigation between institutions of higher education and their students, institutions should not share the student's medical records with school attorneys or courts without a court order or the written authorization of the student, Styles recommends in the letter.

Styles points out that the only exception would be when the student's legal action directly relates to healthcare treatment provided by the college or university, or the payment for those services. Even in that circumstance, the disclosure of any treatment records should be limited to those relevant or necessary to the litigation.

Provide Your Feedback

DoE has asked for input on the development of final guidance on the disclosure of student health data by institutions of higher education. Comments should be submitted to no later than Oct. 2 to The draft guidance is available online.

While any action by DoE to strengthen the privacy protections for the personal information of students at any stage of their educational development is welcomed, FERPA is a problem that only Congress can fix. FERPA is up for reauthorization, and a committee in the House of Representatives has been developing "FERPA 2.0".

It's time to provide students with privacy protections in a learning environment and free them of the fear of being victimized by their own educational institutions.

About the Author

David Holtzman

Principal and Founder, HITprivacy LLC

Holtzman, an attorney and experienced consultant, previously served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights, where he led many OCR initiatives, including integration of the administration and enforcement of the HIPAA Security Rule and health information technology policies. Holtzman has two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is also a member of the HHS CISA 405-d Workgroup and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council.