FERPA and HIPAA: When Can You Share Student Education and Health Records?
The federal government’s updated FERPA and HIPAA guidance will help you make the appropriate determination.
The U.S. Department of Health and Human Services and U.S. Department of Education have just released joint FERPA and HIPAA guidance on student health and educational records that K-12 schools, institutions of higher education and healthcare facilities should review.
Titled Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, the updated guidance addresses when HIPAA or FERPA apply to schools, colleges and healthcare facilities, where FERPA and HIPAA intersect and what student educational and health records can be shared.
The revised guidance includes additional frequently asked questions and answers addressing when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Rule.
Quite a bit of the guidance covers when a student/patient poses a threat to himself or others. For example:
“Under HIPAA, when can information be shared about someone who presents a serious danger to self or others?
“The HIPAA Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat. This may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others whom the covered entity has a good faith belief can mitigate the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i).
“For example, consistent with other laws and ethical standards, a mental health provider whose teenage patient has made a credible threat to inflict serious and imminent bodily harm on one or more fellow students may alert law enforcement, a parent or other family member, school administrators or campus police, or others the provider believes may be able to prevent or lessen the chance of harm. In such cases, the covered entity is presumed to have acted in good faith where its belief is based upon the covered entity’s actual knowledge (i.e., based on the covered entity’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member or other person). See 45 CFR § 164.512(j)(4).
“For threats or concerns that do not rise to the level of “serious and imminent,” other HIPAA Privacy Rule provisions may apply to permit the disclosure of PHI. For example, covered entities generally may disclose PHI about a minor child to the minor’s personal representative (e.g., a parent or legal guardian), consistent with State or other laws. See 45 CFR § 164.502(b).
“Under FERPA, when can PII from a student’s education records be shared, without prior written consent, about someone who presents a serious danger to self or others?
“FERPA provides that PII from a student’s education records, including student health records, may be disclosed by educational agencies and institutions to appropriate parties in connection with a health or safety emergency, without the consent of the parent or eligible student, if knowledge of the information is necessary to protect the health or safety of the student or other individuals. 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36.
“For example, if an eligible student storms out of a teacher’s office stating that, “I know where my parents keep their guns, and someone is going to pay” and the teacher believes that the student is on his way home and may try to use the weapons, FERPA’s health or safety exception would permit the teacher to contact the parents, police, or others in a position to help, to warn them that the student is on the way home and threatened to use a weapon against others.
“Educational agencies and institutions are responsible for making the determination as to whether a health or safety emergency exists….
“Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?
“Yes, if certain conditions are met. By way of background, many schools have their own law enforcement units to monitor safety and security and enforce any local, State, or Federal law or refer such enforcement matters to appropriate authorities. Those schools that do not have specific law enforcement units may designate a particular office or school official to be responsible for monitoring safety and security and referring potential or alleged violations of law to local authorities. Some smaller school districts and colleges employ off-duty police or sheriff’s department officers to serve as school security officers.
“If a law enforcement official is an employee of an educational agency or institution and meets the criteria specified in the school’s annual notification of FERPA rights to parents and eligible students for being a “school official” who has been determined to have a “legitimate educational interest” in the education records, then the law enforcement unit official may be considered a school official to whom PII from students’ education records may be disclosed, without prior written consent of a parent or eligible student. See 20 U.S.C. § 1232g(b)(1)(A); 34 CFR §§ 99.7(a)(3)(iii) and 99.31(a)(1)(i)(A). Educational agencies and institutions may also consider law enforcement unit officials, such as off-duty police or sheriffs’ department officers and School Resource Officers (SROs) who are not employees of the educational agency or institution, to be “school officials,” to whom PII from student’s education records may be disclosed, without appropriate consent, if the law enforcement unit officials:
- Perform an institutional service or function for which the educational agencies or institutions would otherwise use employees (for, e.g., to ensure school safety and security);
- Are under the “direct control” of the educational agencies or institutions with respect to the use and maintenance of the education records (for, e.g., through a memorandum of understanding (MOU) that establishes data use restrictions and data protection requirements);
- Are subject to FERPA’s use and re-disclosure requirements in 34 CFR § 99.33, which provides that the PII from education records may be used only for the purposes for which the disclosure was made (for, e.g., to promote school safety and the physical security of students), and which limits the redisclosure of PII from education records; and,
- Meet the criteria specified in the educational agencies’ or institutions’ annual notification of FERPA rights for being “school officials” who have been determined to have “legitimate educational interests” in the education records.
“See 20 U.S.C. § 1232g(b)(1)(A); 34 CFR §§ 99.7(a)(3)(iii) and 99.31(a)(1)(i)(A) and (B)(1)-(3).
“In situations where the law enforcement official is not a school official with a legitimate educational interest, the school may only disclose a student’s education records, including health records, to that official with the prior, written consent of the parent or eligible student, unless an exception applies. One such exception that could apply is FERPA’s health or safety emergency exception (discussed in greater detail in Question 21 above). Under this FERPA exception, a student’s education records, including health records, may be disclosed, without the prior written consent of a parent or eligible student, to appropriate parties in connection with an emergency, if knowledge of the information is necessary to protect the health or safety of the student or other individuals. See 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36.
“For more information on this issue, see the following guidance entitled, “School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act (FERPA),” issued by the U.S. Department of Education’s Privacy Technical Assistance Center in February 2019 – https://studentprivacy.ed.gov/sites/default/files/resource_document/file/SRO_FAQs_2-5-19_0.pdf.”
What has been quoted here is only a small portion of all the guidance that’s just been released. CS recommends educational and healthcare organizations review the guidance in its entirety.