Another flight crashed this past week as I was writing this article. Similar accidents seem to happen too frequently. But something this time struck me as analogous to writing about students’ protected information.
Let me explain.
On each flight, the flight recorder box is the definitive repository of what happened during the flight and subsequent crash. It’s also referred to as the “black box” though they are never actually black – they’re always painted “international orange” which makes them easier to find in a crash.
So what’s similar here?
When college students head off to school or turn 18 y/o, all of the access to their education and healthcare information transfer to them. There are exceptions as we’ll discuss below but the most part, this important information, similar to the data recorded in a flight’s black box, is locked up until a disaster. This makes sense with airplanes, but why do we have the same data flow (or lack thereof) for our kids’ most important information when they are in the earliest stages of responsibility and decision making?

The Family Educational Rights and Privacy Act (also referred to as FERPA) is a federal law that gives parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 or enters college at any age, the rights under FERPA transfer from the parents to the student (students become what’s referred to as an “eligible student”). Most of us are familiar with HIPAA regulations. The Health Information Portability and Accountability Act of 1996 protects sensitive patient information. Patient is the key word here. Once a student turns 18, much like FERPA, HIPAA gives them control over their patient health care records.

Once you look at these protections with any specificity, you begin to realize what a complicated tapestry of statutes there are regarding academic and healthcare information. There are surprising exceptions, overlaps and even contradictory provisions. Health records maintained by college health centers are generally, but not always, actually covered by FERPA regulations rather than HIPAA. This information is considered part of the student’s educational record and so, is excluded from HIPAA. It’s confusing, and you could spend a lot of time trying to sort out the laws. Let’s keep going and attempt to untangle and maybe even understand what privacy laws apply when and what parents can do to keep informed while also protecting their college kids’ privacy.

Most parents and students don’t think about protecting privacy and especially don’t think about FERPA and HIPAA until it gets in the way. Kind of like someone’s plumbing in the kitchen or operating system on your laptop – we don’t pay any attention to it or even know it’s there until something goes wrong. 

I think most parents agree that protecting student information and confidentiality is vital. But what happens when FERPA exacerbates a problem? What if FERPA is actually outdated? The Department of Education, which interprets and enforces FERPA has never penalized any institution for violating FERPA. They’ve said repeatedly that FERPA is a narrow statute, protecting only the confidentiality of students’ education records. Need more evidence? 

In a 2006 Department of Education opinion letter, they reiterated more specifically that “FERPA applies to the disclosure of tangible records and of information derived from tangible records. FERPA does not protect the confidentiality of information in general, and, therefore, does not apply to the disclosure of information derived from a source other than education records, even if education records exist which contain that information.” What does this all mean? It means that when your son/daughter’s university refuses to even call you back when you’re concerned about their mental health, financial status, or some sort of legal issue, they are acting far outside the bounds of FERPA and clearly misinterpreting it. 

To summarize FERPA here are the two important take-aways: 

  1. Education Records. Students always have a right to review their education records though there are limits on how records can be used without written consent from students. Education records can be disclosed without written consent in connection with court proceedings or subpoena; and in connection with health and safety emergencies. However, education records can be disclosed without student consent to parents who claim their student as a dependent on taxes (though treatment records cannot). 
  1. Treatment Records. These are notes made by a doctor, psychiatrist, psychologist (or any recognized healthcare professional), created, maintained and used ONLY in connection with treatment, and either not shared, or shared ONLY with other treatment providers. Student health and counseling records are considered “Treatment Records” under FERPA. Treatment records under FERPA are handled in most ways like Protected Health Information (PHI) under HIPAA, but not in all ways. Under FERPA, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians, counselors or other appropriate professionals of the student’s choice without explicit consent from the student.

We’ve gone over FERPA but how does HIPAA fit into all of this? Let’s answer this by looking at three commonly held misperceptions. 

  1. HIPAA applies to all medical information at college. While HIPAA’s privacy rule does govern the privacy of protected health information (PHI), HIPAA’s privacy rule only applies to HIPAA “covered entities.” As a general rule, covered entities include: (1) health plans; (2) health care clearinghouses; and (3) healthcare providers who electronically transmit health information in connection with certain electronic transactions relating to billing, payment, and/or insurance coverage.

    Taking HIPAA’s “covered entities” provisions at face value, college and university administrators often believe their institution is automatically a HIPAA-covered entity because, well, the student health center provides medical treatment to students and engages in electronic billing transactions. However… HIPAA’s privacy rule contains an important exception—it does not apply to health records maintained by an educational institution if those health records meet the definition of “education records” or “treatment records” under FERPA. Because student health records generally do fall within these FERPA definitions, they are exempted from the reach of HIPAA’s privacy rule.
  2. HIPAA prohibits a college from asking an employee or student for medical information. HIPAA’s privacy rule generally prohibits HIPAA covered entities from releasing PHI that is received or generated in the course of operating a health plan, a healthcare clearinghouse, or in the provision of health care services. It does not regulate the ability of institutions to request medical information from their employees and students for legitimate business reasons. So if an employee refuses to provide a doctor’s note that her supervisor has requested in order to substantiate a claimed sick day on the basis that “HIPAA prohibits you from asking for that,” the employee is wrong. Similarly, HIPAA in no way protects a student from having to provide medical documentation to substantiate absences or to provide the basis for a request for accommodations under the Americans With Disabilities Act (or a 504 for that matter).
  3. HIPAA applies to all healthcare providers. Because they receive training in HIPAA as part of their professional education, a nurse, athletic trainer, or counselor may believe that he or she has an individual obligation to comply with HIPAA whenever they come into receipt of medical information. While this type of caution in handling medical information is just generally good practice, HIPAA only applies to health care providers who are engaged in certain types of covered transactions, and even then, it does not apply to medical records that fall within the bounds of FERPA. Therefore, HIPAA’s privacy rule does not apply to records generated by an athletic trainer who provides free treatment to student athletes. Similarly, HIPAA’s privacy rule would not apply to medical information about a student that a healthcare provider receives in the course of teaching a class (for example, if a student provided a doctor’s note to substantiate an absence).

That was a lot so let’s summarize things here with a few additional nuggets…

  • HIPAA does not apply to student medical/counseling records at the college or university the student attends; FERPA does.
  • Treatment Records under FERPA are handled in most ways like Protected Health Information under HIPAA, but not in all ways.
  • A student does not have a FERPA right to “inspect and review” unshared treatment records.
  • A student does have a FERPA right to “inspect and review” treatment records that have been shared outside of the healthcare arena.

Of course, there are a few exceptions…

  • FERPA permits a school to disclose information from an eligible student’s education records to parents if a health or safety emergency involves their son or daughter.  
  • Another provision in FERPA permits a college or university to let parents of students under the age of 21 know when the student has violated any law or policy concerning the use of possession of alcohol or a controlled substance.  
  • School officials may also share information with a parent about an eligible student that is based on that official’s personal knowledge or observation and that is not based on information contained in an education record.

But are we really going to convince a university they’re wrong or, to be more generous, they’ve misunderstood the statute? Obviously no, unless of course you want to sue them which probably has a low ROI. Instead, let’s look at what you can do. First, let’s talk about what to do if your son or daughter is a rising freshman. Next, we’ll figure out some options if your kiddo is already at school. 

What to Do before freshman year starts?

Parents can establish a relationship with college officials before and during their student’s college years if they understand FERPA and how their child’s college interprets the law. Well before the excitement of freshman orientation (and even before high school graduation) students and their parents need to talk about what information students will share in college. I encourage parents to discuss the importance of having at least minimal access to healthcare info and financial information just in case things start going poorly. 

The easiest and most effective thing students can do if they want to share their information with parents is sign a written consent form or release of information for their parents and make it as broad as possible, as in “All categories of my educational records can be shared with my parents.

What can Parents do if it’s after Freshman Year?

The steps aren’t very different though you might have an emboldened student on your hands at this point. The first step is the conversation where you explain the importance of having basic updates about healthcare, academic and financial records. This is not so you can spy on them, it’s to keep them accountable and ensure any problems are addressed before they get too big. The next step is getting the release of information signed. Every school has consent forms on their website. Make sure your son or daughter signs one and submits it. The last thing is following up. It’s easier to feel a sense of relief when the release is signed and submitted but making contact with an actual human being on campus ensures you’re able to get a true sense as to the status of their health, grades and financials. 

In summary, I universities are not intentionally creating problems for parents. These institutions enact policies around privacy they believe protect students and the university. They take the most conservative approach with information meaning their default response is “no” until you force them to “yes.” In my experience, working with schools as part of a team to support students practicing their independent living skills while providing essential updates to parents leads to the absolute best outcome for most students. Know your rights. Know your students’ rights and know how to use this information to advocate for that best outcome. 

Ok, that’s it for FERPA, HIPAA and college student privacy. Check back here next time for more info on how to best help struggling college students. Don’t forget to sign up for my newsletter and check out my new podcast The Better Semester.

Search
Browse Posts
Archives
Share