Kathleen Styles, the Chief Privacy Officer at the U.S. Department of Education, writes:
Protecting students’ privacy and ensuring colleges and universities promote a safe and healthy campus for their students has never been more important. As Chief Privacy Officer at ED, I help to lead the Department of Education in overseeing the administration of FERPA (the Family Educational Rights and Privacy Act). My office strives to provide helpful and meaningful guidance on student privacy issues and challenges that the field faces, and we’re asking the higher education community for input on protecting student medical records.
Under FERPA there are certain instances when schools can release a student’s information without their consent (known as exceptions). Recently, the Department has been asked if it is possible and/or appropriate for campus officials to share confidential medical records from on-campus services with university attorneys in the context of litigation between a university and a student. This type of sharing is potentially allowable under the “school official” exception to consent if the university attorneys have a “legitimate educational interest” in the records.
Institutions of higher education have a strong interest in ensuring that students have uncompromised access to the support they need, without fear that the information they share will be disclosed inappropriately. Providing on-campus access to medical services, including mental health services, can help promote a safe and healthy campus. The practice of sharing a student’s sensitive medical records with others not involved in their treatment may discourage the use of medical services provided on campus.
While state law plays a key role in setting the rules about disclosing medical information, we believe that HIPAA, the Health Insurance Portability and Accountability Act, provides a helpful guide for those situations where federal law is controlling.
Under the HIPAA Privacy Rule, a covered health care provider, such as a hospital, may use or disclose the minimum necessary protected health information (PHI) for its own legal purposes related to its treatment or payment functions (for example, by providing the information to its own counsel to seek legal advice, or submitting briefs in a court action to which it is a party) without an individual’s authorization or a court order or other lawful process.
We think this standard makes sense, and that FERPA’s school official exception should be construed to offer protections that are similar to HIPAA’s. We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts, without a court order or written consent.
The only exception is if the litigation in question relates directly to the medical treatment itself or the payment for that treatment, and even then institutions should only disclose those records that are relevant and necessary to the litigation. To provide a clarifying example, if an institution provided counseling services to a student and the student subsequently sued the institution claiming that the services were inadequate, the school’s attorneys should be able to access the student’s treatment records to defend the school without obtaining a court order or consent.
However, if instead the litigation between the institution and the student concerned the student’s eligibility to graduate, the school should not access the student’s treatment records without first obtaining a court order or consent. Thus, I am issuing a draft Dear Colleague letter that provides guidance on this and related issues.
Considering the complex nature of this issue however, we are seeking public input on our draft guidance, as we believe that this input will result in a better product. To the extent practicable, we commit to making all comments public as they are submitted; though depending on the volume of comments, we may wait and publish all comments at the conclusion of the comment period. While we welcome input on all aspects of this letter, we are particularly interested in your views on the following matters:
- Whether this guidance would create any unintended consequences. For example, would this guidance in any way restrict the work of threat assessment teams, as we believe these teams are often the best method for schools and colleges to assess whether a given student constitutes a threat to him/herself or others?
- Recognizing that getting a court order or consent will create additional burden on institutions, is there a way to mitigate that burden without lessening the protections given to students?
- If this guidance is extended outside the postsecondary context to include K-12 and early childhood, what other factors need to be considered? For example, how would this guidance fit within the context of elementary and secondary school counselors, or disputes regarding special education services?
We welcome your input for 45 days, until October 2nd. Please send your comments via email to [email protected].