The final months of 2008 included two important developments regarding the Family Educational Rights and Privacy Act (FERPA). In December, the U.S. Department of Education (ED) published a Final Rule adopting several changes to its FERPA regulations at 34 C.F.R. Part 99. The Final Rule contains many of the revisions included in ED’s Notice of Proposed Rulemaking (Proposed Rule) issued in March 2008. Importantly, the Final Rule also modifies or retracts other aspects of the Proposed Rule.
Additionally, ED and the U.S. Department of Health and Human Services (HHS) jointly issued long-awaited guidance regarding the relationship between FERPA and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As described in more detail below, which set of requirements applies to the health records of a student depends on the specific nature of the records at issue.
FERPA Final Rule
As described in our previous EDUCATION LAW ALERT regarding the proposed regulatory changes, FERPA is a federal law designed to protect the privacy of student records maintained by educational agencies or institutions, or those acting on their behalf. The law generally requires educational agencies or institutions that receive funds through programs administered by ED to obtain prior written consent from a student (or the student’s parent, as applicable) to disclose a student’s education records or personally identifiable information within such education records to a third party. The discussion below summarizes some of the most significant provisions of the Final Rule, which became effective January 8, 2009.
Definition of Directory Information
The Final Rule prohibits an educational agency or institution from treating a student’s Social Security Number (SSN) as directory information. Whereas the Proposed Rule effectively equated other student ID numbers with SSNs for this purpose, the Final Rule allows an institution to include a student ID number in directory information provided the student ID number cannot be used to gain access to education records except when used with one or more other factors to authenticate the user’s identity.
Definition of Education Records
The definition is revised to clarify its applicability to alumni information. To be excluded from the definition, alumni records must be created or received by an institution after the individual is no longer a student in attendance and also must not be directly related to the individual’s attendance as a student. As proposed, the definition is further revised to exclude peer-graded papers that have not been collected and recorded by a teacher, codifying the U.S. Supreme Court’s decision in Owasso v. Falvo, 534 U.S. 426 (2002).
Definition of Personally Identifiable Information
In response to numerous comments on the proposed changes, the Final Rule adopts a definition slightly different from that set forth in the Proposed Rule. Specifically, the definition now includes, but is not limited to: (1) the student’s name; (2) the name of the student’s parent or other family members; (3) the address of the student or student’s family; (4) any personal identifier such as a SSN, student ID number, or biometric record; (5) other indirect identifiers such as the student’s date of birth, place of birth and mother’s maiden name; (6) other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and (7) information requested by a person who the institution reasonably believes knows the identity of the student to whom the education record relates.
Permissive Disclosures to Parents of Eligible Students
The Final Rule adopts the proposed clarifications regarding several statutory and regulatory provisions that permit disclosures of information to the parents of eligible students, including disclosures related to (1) health or safety emergencies; (2) a violation of law or school policies regarding alcohol or controlled substances by a student under 21 years of age; (3) court orders and subpoenas; and (4) students who are dependents for income tax purposes.
Non-Consensual Disclosures for Health and Safety Emergencies
As proposed last March, the regulations are amended to include a standard for determining whether a health and safety emergency warrants nonconsensual disclosure of students’ information. The Final Rule also removes the previous “strict construction” requirement for determining whether to disclose information that would otherwise be protected, and instead permits an institution to take into account the totality of the circumstances pertaining to a threat to the safety of a student or to other individuals. If the institution determines that there is an articulable and significant threat, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals. The institution must, however, make a record of (1) the articulable and significant threat that formed the basis for such disclosure and (2) the parties to whom information was disclosed.
Disclosures to Contractors Performing Institutional Services and Functions
The Final Rule adopts the proposed changes to explicitly include contractors, consultants, volunteers and other outside parties performing institutional services or functions within the “school officials” exception. Thus, nonconsensual disclosure may occur with respect to such entities if the outside contractor performs the type of institutional service for which the institution would otherwise use its own employees. In order to make such disclosures to contractors and vendors, the institution must have complied with FERPA’s annual notification requirements by specifying to students the criteria used in designating school officials, and identified the contractors, consultants, and/or volunteers that have been designated as “school officials” for the purposes of nonconsensual disclosures. The outside contractor is subject to the same conditions governing use and redisclosure of student information applicable to other school officials under FERPA, namely, that the student information may be used only for the purpose for which the disclosure was made and redisclosure generally may not occur without prior written consent of the student. Importantly, the outside contractor must be under the direct control of the educational agency or institution with respect to the use and maintenance of students’ information. It also is incumbent upon the educational institution to ensure that its outside contractors use any student’s personally identifiable information in strict compliance with the institution’s requirements and for no purpose beyond that specifically underlying the disclosure.
The above matters constitute just some of the changes that took effect January 9, 2008. The complete text of the Final Rule, as published in the Federal Register, is available online at http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf.
Joint ED-HHS Guidance on FERPA and HIPAA
Since the enactment of HIPAA in 1996 and subsequent promulgation of the HIPAA Privacy Rule, there has been significant confusion on the part of school administrators, health care professionals and others as to how FERPA and HIPAA apply to health records maintained on students. The joint guidance from ED and HHS attempts to address this confusion and also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.
FERPA is designed to protect the privacy of students’ “education records” and applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. If an educational agency or institution receives funds under one or more of these programs, FERPA applies to the recipient as a whole, including each of its components, such as a department within a university. Additionally, the term “education records” is broadly defined to mean those records that are directly related to a student and are maintained by an educational agency or institution, or by a party acting for the agency or institution. At postsecondary institutions, medical and psychological treatment records of students are excluded from the definition of “education records” if they are (1) made, maintained and used only in connection with treatment of the student and (2) disclosed only to individuals providing the treatment. These records are commonly called “treatment records.” Under FERPA, an eligible student’s treatment records may be disclosed for purposes other than the student’s treatment, provided the records are disclosed pursuant to the student’s written consent or under one of the exceptions to written consent. If the treatment records are disclosed for purposes other than treatment, the records lose their exclusion from the definition of “education records” and are subject to all other FERPA requirements.
The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information by requiring appropriate safeguards to protect privacy, and setting limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections. When an educational institution provides health care to students in the normal course of business, such as through a health clinic, it becomes a “health care provider” as defined by HIPAA. If an educational institution also conducts any covered transactions electronically in connection with that health care, it is then covered by HIPAA.
Thus, an educational institution that finds itself also a “health care provider” under HIPAA must determine whether a particular student record is protected by FERPA (in which case the HIPAA Privacy Rule does not apply) or whether the record is excluded from FERPA and likely protected by HIPAA.
Records of nonstudents maintained by an educational institution’s health clinic
While the health records of students at postsecondary institutions may be subject to FERPA, if the institution is also covered by HIPAA and provides health care to nonstudents, the individually identifiable health information of the clinic’s nonstudent patients is subject to the HIPAA Privacy Rule. For example, postsecondary institutions that are subject to both HIPAA and FERPA, and that operate clinics open to staff, or the public, or both (including family members of students) are required to comply with FERPA with respect to the health records of their student patients and with the HIPAA Privacy Rule with respect to the health records of their nonstudent patients.
Students who are university hospital patients
The guidance states that patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically “education records” or “treatment records” under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. Rather, these hospitals provide such services without regard to the person’s status as a student and not on behalf of a university. Assuming the hospital is covered by HIPAA, these records are subject to all of the HIPAA rules, including the HIPAA Privacy Rule. In a situation where a hospital does run the student health clinic on behalf of a university, however, the clinic records on students would be subject to FERPA, either as “education records” or “treatment records,” and not subject to the HIPAA Privacy Rule.
Disclosing education records and treatment records if the institution believes the student presents a serious danger to self or others
An eligible student’s education records and treatment records (which are considered education records if used or made available for any purpose other than the eligible student’s treatment) may be disclosed, without consent, if the disclosure meets one of the exceptions to FERPA’s general consent rule. One of the permitted disclosures is to appropriate parties, which may include law enforcement or parents of a student, in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.
Health records of persons who are both students and employees
The individual’s health records would be considered “education records” protected under FERPA and excluded from coverage under the HIPAA Privacy Rule. FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution. While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees. The health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.
The above discussion highlights only a few aspects of the joint guidance from ED and HHS regarding the applicability of FERPA and HIPAA to student health records maintained by educational institutions.