Student Health Records and the Coronavirus

March 26, 2020

By: Gail M. Norris

What student health information may be shared with whom in the event a student tests positive for the virus is one of the many interconnected issues for colleges and universities related to the COVID-19 pandemic.

The applicable privacy laws governing student health records are the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA). FERPA protects students’ educational, directory and personally identifiable information. HIPAA applies to all patients of covered entities and governs covered institutions’ electronic exchange, disclosure and security of individually identifiable health information. Generally, institutions may not disclose personally identifiable information without the written consent of the eligible student under FERPA (or parent if applicable), or the patient under HIPAA. 

To clarify these rules, in December 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education issued “Joint Guidance on the Applicability of (FERPA) and HIPAA to Student Health Records.” The Guidance explains the factual circumstances under which FERPA and/or HIPAA might apply to student health records. If you have any questions about whether HIPAA applies to your student health records in addition to FERPA, we refer you to the guidance, which can be found here.

Both FERPA and HIPAA have exceptions to the prohibition on disclosure of health records without the student/patient’s consent if such disclosure is required by law in order to prevent or lessen a serious or imminent threat to the public health or safety. For FERPA, see 34 CFR §§ 99.31(a)(10) and 99.36. For HIPAA, see 45 CFR §§ 164.501 and 164.512(b)(1)(i).

The Office for Civil Rights at the HHS and the U.S. Department of Education Student Privacy Policy Office each recently issued guidance to assist institutions in determining when, how much and to whom student/patient information may be shared in compliance with HIPAA and FERPA in an outbreak of infectious disease, and to remind institutions that the protection of protected health information is not simply set aside during an emergency. The guidance explains that while HIPAA and FERPA generally prohibit institutions from disclosing students/patients’ personally identifiable information without consent, the “health and safety emergency” exception may apply to the COVID-19 pandemic. This exception could allow institutions to disclose necessary information to public health agencies. Notwithstanding this possible exception, institutions should obtain written consent from patients and parents or eligible students if possible.

The guidance can be found here:  HIPAA  |  FERPA

If, under FERPA, an institution has a rational basis to disclose a student’s unauthorized personally identifiable information to parties such as public health officials, medical workers, parents, or law enforcement officials, institutions should ensure that the disclosure relates to a specific emergency which threatens the health and safety of the student or other individuals. The institution must be able to articulate the basis for the unauthorized disclosure in the student’s records. 

Under HIPAA, before disclosing a patient’s information without authorization, an institution should determine whether the disclosure is to an authorized public health authority, furthers the patient’s treatment and care, or supports other critical purposes, and, if a response is necessary, the institution should only disclose “minimum[ly] necessary” information. 

Under both FERPA and HIPAA, institutions must avoid unnecessary or overly-broad disclosures, and, when possible, personally identifiable information should be excluded or minimized to protect the anonymity of the student/patient.

Applying these standards in the fast-changing COVID-19 situation will seldom be easy. For instance, it may be possible to justify releasing personally identifiable information to public health officials for students who have traveled to areas where the CDC has assessed a high risk assessment level, but the disclosure must be narrowly tailored to provide only the information needed for the public health purpose. Additionally, the rationale for the disclosure must be clearly documented.

Disclosure of protected health information to the public, on the other hand, would be hard to justify. You should consider this if you need to publicly disclose that there has been a confirmed case at your institution. While that simple confirmation is probably not a privacy concern, be prepared for the additional questions the media might ask or how you would respond to rumors that specific students or employees were diagnosed with the virus.

If you have any questions about the disclosure of student health records for COVID-19 public health reasons, please contact Gail Norris, any attorney in the Higher Education Practice Group, or the attorney in the firm with whom you are regularly in contact.