Privacy Standards

ISSUE BRIEF

School Health Nurse's Role in Education

PRIVACY STANDARDS FOR STUDENT HEALTH RECORDS

INTRODUCTION

Management of student health records is one of the most challenging responsibilities of school nurses. These responsibilities, usually shared with school district administrators, include the generation, maintenance, protection, disclosure, and destruction of students' school health records. Integrally related to these responsibilities are the legal and ethical principles of privacy, confidentiality, and consent. Complex to begin with, these record-management responsibilities and related legal precepts are frequently problematic for nursing professionals working with minor clients in school settings. This is particularly so today, for the reasons listed below.

While school health records include personally identifiable health information of students and are generated by health professionals, they are, in most situations, considered education records, rather than health care records.
Federal and state laws governing health and education records have different standards, language, requirements, and interpretations, even though the underlying principles have common roots. Today, more than in the past, the records include some of the same content.
It is difficult to discern from the literature—due to the complexities involved—which law(s), if any, take precedence regarding students’ health records (i.e., education versus medical, federal versus state).
There are conflicts between health and education laws governing student records, confidentiality requirements, and access rights of parents and minor students.
There are fundamental differences between legal standards in health and those in education related to adolescents’ competence to give consent and make decisions for themselves. These differences sometimes cause practice dilemmas for school nurses (Schwab & Gelfman, 2001).
Many school nurses are contract personnel, that is, they are hired by a health care agency to provide nursing services in the community’s or county’s public schools. Often the hiring agency, for example, a local health department, assumes that any records generated by the nursing staff are governed by health care laws, while the school district assumes that those same records are governed by education laws.
School districts rarely have sufficient policies, procedures, and systems in place to ensure the privacy, security, and appropriate sharing of students’ health and mental health information contained in today’s health office and other school records.
School nurses, like other school health professionals, are educated in the health care system and practice under health care laws. They rarely have pre-service preparation regarding education laws and standards relevant to the records they generate in schools, including student health and special education records.
While the Preamble to the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) specifically excludes, as covered entities, schools and universities already covered by the Family Education Rights and Privacy Act (FERPA) (U.S. Department of Health and Human Services (USDHHS), 2000), there are both exceptions to that provision and a myriad of related legal and practice issues at the interface of HIPAA and FERPA. These have yet to be addressed through technical assistance by the U.S. Department of Health and Human Services or the U.S. Department of Education.

In addition to remaining questions regarding HIPAA and FERPA standards in relation to personally identifiable student health information and student health records, questions and conflicts remain between FERPA and the federal regulations governing records of patients in drug and alcohol treatment programs, and between FERPA and state minor consent-to-treatment laws. Both clarifications and remaining issues are briefly described below.

FERPA and School Health Records

The Family Education Rights and Privacy Act of 1974 (20 U.S.C. § 1232g) and its regulations (34 CFR § 99), as periodically revised by the U.S. Department of Education, set forth requirements for the protection and release of personally identifiable student information, including student health information. These requirements are applicable to all "education records" in public and private schools that receive any federal financial assistance. Education records are defined in the regulations as those records that are:

Directly related to a student; and
Maintained by an educational agency or institution or by a party acting for the agency or institution.

FERPA governs all student health records maintained by school employees or by contracted employees who provide "school health services" (Cheung, Clements, & Pechman, 1997), that is, health services directed to supporting students’ participation and progress in school. These services are generally considered health promotion, health maintenance, and "related" or "support" services that enable students, especially those with special health care needs, to attend school, maintain (or improve) their health status during the school day, progress toward independence in self-care in the school setting, and achieve educational success. The matter of whether FERPA provides protection for oral communications of student information not otherwise documented in "student records" is not addressed in the regulations, remains subject to interpretation, and raises HIPAA-related issues. See Gelfman (2001) and Claghorn (2003). FERPA does not govern records of school-based health centers (SBHCs), although where a SBHC is fully operated by a school district, the applicable legal standards may require careful exploration and clarification by expert health and education attorneys.

The term "contracted employees" applies to school nurses who are employed by other agencies, including public ones, such as a town’s department of health, and private ones, such as a "visiting nurse association," hospital, or other type of health care organization, when they are contracted by the school district (even via "handshake" across town departments) to provide "school health services" for the school district. The term may also include school-based health center personnel when, as employees of another community agency, they are contracted by the school district to provide "school health services" as support services for the school’s student population. These contracted services are entirely separate and distinct responsibilities from the primary health care services (diagnostic and treatment services for parent-enrolled students) that are the primary mission of school-based health centers.

Health records are among the most sensitive records of both children and adults in our society and, traditionally, have been highly protected under law, medical practice standards, and the ethical codes of health professionals. Yet in schools, these records are often not distinguished from other types of education records (National Task Force on Confidential Student Health Information, 2000). FERPA provides a basic framework for protecting and disclosing student records, but leaves wide discretion to school districts for interpretation and implementation of the FERPA regulations. For example, FERPA permits school districts to define who in their district has a "legitimate educational interest" in accessing and disclosing various types of student records, including those generated by school health professionals, and those generated and released to schools with parental authorization by outside health care professionals.

FERPA does not require school district personnel to be trained in confidentiality requirements, nor does it impose consequences on school employees for non-permitted disclosures. Rather, it provides that, if a school district violates the requirements of FERPA, the district may be sanctioned through the loss of federal financial assistance.

HIPAA Privacy Rule and School Health Records

The Privacy Rule of the 1996 Health Insurance Portability and Accountability Act was published on December 28, 2000, by the U.S. Department of Health and Human Services, with an effective date of April 14, 2001. Significant modifications to the rule were published on August 14, 2002; compliance was required for most covered entities by April 14, 2003. This rule (45 CFR Parts 160 and 164) sets national standards for the privacy of individually identifiable health information and gives patients increased access to their medical records. Two other essential components of HIPAA address standard code and transaction sets for electronic transmissions of "individually identifiable health care information" (Transaction Rule) and security protections for protected health information (Security Rule) (USDHHS, 2003).

HIPAA and its regulations apply to health information created or maintained by: (1) health care providers who engage in certain electronic transactions, (2) health plans, and (3) health care clearinghouses (USDHHS, 2000). School-based health centers administered by covered entities and, in most instances, school-based health care providers employed by an agency other than a school district and who engage in certain electronic transactions, are subject to HIPAA. Schools and school health professionals whose records are covered by FERPA and who engage in certain electronic transactions (such as Medicaid billing) are likely covered by the HIPAA Transaction Rule, but not the HIPAA Privacy Rule (Bergren, 2003; Campanelli et al., 2003). Schools that receive no federal financial assistance and the health professionals that work in them may or may not be directly subject to the HIPAA Privacy Rule but, in any event, are advised to employ HIPAA standards as minimum criteria for practice.

In public schools, and non-public schools covered by FERPA, general implications of the HIPAA Privacy Rule for student health records include the following:

The fundamental ethical and legal principles underlying FERPA and HIPAA are the same. FERPA protects student information in education records, while HIPAA protects individually identifiable health information, in any form, that is used or disclosed by a covered entity.
HIPAA privacy requirements, which are more detailed and directive than FERPA privacy requirements, provide useful reference standards for school district policy, procedures, and practices related to the protection and disclosure of student health information. Guidelines for developing school district policy and procedures, using HIPAA, FERPA, IDEA, and ethical standards, are currently being developed by the American School Health Association in collaboration with the National Association of School Nurses, National Association of State School Nurse Consultants, and a national task force comprised of 12 national organizations, with funding from the Division of Adolescent and School Health in the Centers for Disease Control (Schwab et al., 2004). [Au: Change OK? Should the Schwab et al., 2004, be changed to 2004 in the references?]
The HIPAA Privacy Rule excludes from its definition of "protected health information" education records covered by FERPA. As such, student records in schools and school districts that receive federal funding are generally not subject to HIPAA privacy provisions (USDHHS, 2000, p. 82483).
School nurses are HIPAA-covered entities if they engage in HIPAA transactions, but the FERPA-covered records they are responsible for are not covered by the Privacy Rule. Thus, the records that are transmitted are subject to the HIPAA Transaction Rule, but not the Privacy Rule (Bergren, 2003; Campanelli et al., 2003; Grimms & Cordy, 2002).
Clarification is still required in many states regarding the permissibility of communications between students’ health care providers and school nurses about student health procedures that are mandated by state statute for public health policy reasons (e.g., immunization status, the results of health assessments that are required for school attendance, and communicable disease reporting). Some states have provided guidance or passed clarifying legislation.
Education is required regarding the Privacy Rule provision that permits the disclosure of protected health information (PHI) by HIPAA-covered entities without specific informed consent, if the disclosure is for "treatment" purposes. Representatives of the Office of Civil Rights of the U.S. Department of Health and Human Services interpret the Rule’s language to permit disclosures of PHI to school nurses who are providing treatment to a student (Campanelli et al., 2003), because school nurses meet the definition of "health care provider" under HIPAA. Nevertheless, many providers and their attorneys believe that they cannot disclose PHI, even for treatment purposes, to noncovered entities, even other health care providers. This becomes a barrier to care and is especially critical when physicians, or other authorized prescribers, issue a "medical order" for a student to receive a medication or medical treatment in school and the nurse, according to the state’s Nurse Practice Act, may only carry out the treatment under the order of an authorized prescriber. The safety and efficacy of the treatment plan can be compromised if communication between the prescriber and nurse, related to a medical order and its execution in school, is hampered.
Practice dilemmas continue for FERPA-covered entities related to conflicts between minors’ legal rights to privacy in the health care system and parental rights to access and control the release of all education records of their minor children. HIPAA-covered entities, such as school-based health centers, have no such conflict, because HIPAA defers to state laws and professional practice standards in the health care community to determine when minors, rather than their parents or legal guardians, may give consent for the release of their own PHI (e.g., treatment for sexually transmitted diseases or drug and alcohol dependence). FERPA, however, does not recognize minor consent-to-treatment statutes, either in state or federal law. Thus, when student health records are covered by FERPA and a minor student consults the nurse for counseling or referral related to a health care need for which the minor student has the right under state law to consent to treatment, conflicts regarding documentation, access to, and release of related records remain. See Schwab and Gelfman (2001) for a more in-depth discussion of confidentiality, conflicts in the law, and related practice issues.

Other implications of the HIPAA Privacy Rule and related issues of importance to school nurses can be found in Bergren (2001a, 2001b, 2003, and 2004).

Federal Drug and Alcohol Confidentiality Regulations

Federal law and confidentiality regulations governing drug and alcohol treatment programs (42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2) apply to a student assistance program (SAP) within a school, if it "specializes, in whole or in part, in providing treatment, counseling, or assessment and referral services for students with alcohol or drug abuse problems" (Legal Action Center, 1996). These regulations protect the records of students who obtain services through an SAP team and prohibit their disclosure outside the team except under very limited circumstances (Legal Action Center, 1996). Conflicts remain between the confidentiality regulations and FERPA regarding parental access to such records (Gelfman & Schwab, 2001). Additionally, it is unclear whether, absent an SAP, the federal regulations apply to the record of a student referred by a school nurse to an outside community agency for assessment and treatment of a drug or alcohol problem. Nevertheless, individual states may have laws that apply to this circumstance.

State Minor Consent-to-Treatment Laws

Although extremely variable, most states have laws giving "mature" minors the right to consent to health care treatment for one or more types of health problems, including drug and alcohol abuse, sexually transmitted diseases, human immune virus (HIV), reproductive health, and mental health (Cohn, 2002). Because the right to consent to health care includes the right to determine whether, under what circumstances, and to whom the record of that care can be released, the mature minor who chooses to seek care under a mature minor statute or prevailing practice standards in the state has the right to privacy regarding that care. Conflicts exist when school health professionals refer students for health care to which the students have such a privacy right, because any record of the referral or related discussion with the student is also subject to FERPA, permitting parents to access all of their minor children’s school records (Schwab & Gelfman, 2001; Siegler, 1996).

Role of the School Health Nurse

Although some conflicts and questions regarding legal standards remain, the underlying principles of federal and state health care and education privacy laws are remarkably similar. Furthermore, although FERPA governs education records as defined above, HIPAA provides more detailed and additional requirements, such as staff training and penalties for failure to follow the law. Similar provisions can and should be used to strengthen school district policies and administrative procedures governing student health information that is in oral, written, electronic, or another form, whether or not the districts are subject to HIPAA. School districts with school-based health centers operating in their buildings and those that bill Medicaid for school-based health services or otherwise do business with an entity covered by HIPAA are encouraged to employ HIPAA privacy standards, even if they are not required to do so by law. Such compliance demonstrates the district’s respect for the sensitivity and confidentiality of student health information, augments their procedural compliance with FERPA, and enhances trust and communication among schools, parents, students, and health care providers.

School health nurses can provide leadership regarding the security and privacy of student health information in their school districts by:

Becoming educated and staying current regarding relevant laws, regulations, and guidelines or technical assistance, both federal and state.
Educating administrators and colleagues about relevant laws, regulations, and guidelines as they apply to school health records, whether oral, written, electronic, or in another form.
Educating students and parents about their rights to privacy and the limitations to those rights, particularly in terms of health office procedures.
Providing suggested language for policy and procedures that will enhance school district and staff compliance with the spirit and letter of the laws.
Providing staff training, annually and as needed, on the legal and ethical principles of, and school district policy and procedures regarding, the privacy and confidentiality of student health information.
Ensuring that health room procedures, records (electronic and paper), and equipment provide adequate security and privacy of health records, as well as appropriate internal sharing "for legitimate educational purposes."
Using functional health problems (i.e., standardized nursing diagnoses) in combination with individualized Section 504 plans, individualized education programs, and/or individualized health care plans for communicating student health and safety needs to other staff. Functional health problems should be used in lieu of medical diagnoses, whenever appropriate (National Task Force on Confidential Student Health Information, 2000), and individualized plans should be distributed to appropriate staff instead of circulating a list of students with their medical conditions (Schwab & Gelfman, 2001).
Notifying state health and education leaders and legislators about conflicts and problems that interfere with student services and safe nursing practice.

Of critical importance, school nurses need to collaborate with school medical advisors, school administrators, educators, other school health professionals and staff, parents, adolescent students, and community experts in ethics, privacy of health care information, and education records, to develop clear and specific policies and procedures based on law and ethics. School health advisory councils may provide excellent forums for addressing policy, procedure, and practice issues related to student health information. School districts need to consult with their attorneys regarding the implications of HIPAA for school operations, policies, and procedures. School nurses also need to promote and support local, state, and national initiatives to address and, where possible, resolve conflicts in the law.

REFERENCES

Bergren, M. D. (2004). HIPAA-FERPA revisited, Journal of School Nursing, accepted for publication.

Bergren, M. D. (2003). National Conference on HIPAA Privacy Rule, NASNewsletter, 18(4), 20–22. Available at http://www.nasn.org.

Bergren, M. D. (2001a). Electronic records and technology. In N. Schwab & M. Gelfman (Eds.) Legal issues in school health services: A resource for school nurses, administrators and attorneys. North Branch, MN: Sunrise River Press.

Bergren, M. D. (2001b). HIPAA hoopla: Privacy and security of identifiable health information. Journal of School Nursing, 17(6), 336–340.

Campanelli, R., McAndrew, S. D., Altarescu, L., Heide, C., Mayer, D., Kaminsky, S., & Seeger, R. K. (2003, March). Presented at the National Conference on the HIPAA Privacy Rule. Chicago, IL: U. S. Department of Health and Human Services. [Video. Available for $50 from: Workgroup for Electronic Data Interchange, 12020 Sunrise Valley Dr., Suite 100, Reston, VA 20191 (703) 391-2743.]

Cheung, O., Clements, B., & Pechman, E. (1997). Protecting the privacy of student records: guidelines for education agencies. Washington, DC: National Center for Education Statistics, U.S. Department of Education. Retrieved on July 20, 2002, from http://nces.ed.gov/pubs97/p97527/.

Claghorn, H, (2003). HIPAA Privacy Rule: What is it? Should your district care? Texas Lone Star, 21(1). Cohn, S. (with Gelfman, M., & Schwab, N.). (2001). Adolescent issues and rights of minors. In N. C. Schwab & M. H. B. Gelfman, Eds. Legal issues in school health services. North Branch, MN: Sunrise River Press.

Gelfman, M. (with Schwab, N.). (2001). School health records and documentation. In N. C. Schwab & M. H. B. Gelfman, Eds. Legal issues in school health services. North Branch, MN: Sunrise River Press.

Grimms, L., & Cordy, G. (2002). Medicaid reimbursement of school-based health care at the state-operated schools and HIPAA. Memorandum from the Oregon Department of Justice, Office of the Attorney General, to Alm, J., at the Oregon Department of Human Services and Hunt, M., at the Oregon Department of Education, November 12.

Legal Action Center. (1996). Legal issues for school-based programs. (2nd ed.). New York: Legal Action Center of the City of New York.

National Task Force on Confidential Student Health Information. (2000). Guidelines for protecting confidential student health information. Kent, OH: American School Health Association.

Schwab, N., & Gelfman, M. (2001). Confidentiality: Principles and practice issues. In N. C. Schwab & M. H. B. Gelfman, Eds. Legal issues in school health services. North Branch, MN: Sunrise River Press.

Schwab, N.C., Ruben, M., Maire, J. A., Gelfman, M. H. B., Bergren, M. D., Mazyck, D., & Hine, B. (2004). Protecting and sharing student health information: Guidelines for developing school district policies and procedures. Kent, OH: American School Health Association.

Siegler, G. E. (1996). What should be the scope of privacy protections of student health records? A look at Massachusetts and federal law. Journal of Law and Medicine 25(2), 237–269.

U.S. Department of Health and Human Services (USDHHS). (2003). HIPAA Privacy Rule: Complete Privacy, Security, and Enforcement (Procedural) Regulation Text. Retrieved January, 2004, from http://www.hhs.gov/ocr/hipaa/finalreg.html.

USDHHS. (2002). Final modifications to the HIPAA Privacy Rule. Retrieved January, 2004, from http://www.hhs.gov/ocr/hipaa/finalreg.html.

USDHHS. (2000, December 28). Preamble to the Standards for Privacy of Individually Identifiable Health Information [HIPAA Privacy Rule]. Federal Register, 65(250). Retrieved January 2004 from http://www.hhs.gov/ocr/part1.pdf.

2004