Institutions of higher education frequently offer students access to on-campus medical services resulting in institutionally maintained student medical records. These services have grown over the last several years and, in light of this growth, the Family Policy Compliance Office (“FPCO”) of the United States Department of Education recently reemphasized student privacy interests in connection with the maintenance and disclosure of student medical records. Through a September 14, 2016 Dear Colleague Letter (“DCL”), FPCO issued significant guidance discussing the application of the Family Education Rights and Privacy Act (“FERPA”) to the disclosure of student medical records by institutions of higher education. Specifically, the DCL addresses the disclosure of student medical records for litigation and health and safety purposes, and includes best practices for colleges and universities to follow, including issuing a notice of privacy rights to students.
We have prepared this alert to provide background on these aspects of FERPA and to offer recommendations on how colleges and universities may seek to comply with the new guidance.
FERPA protects parental and student privacy interests by requiring, unless an exception applies, written consent from a parent or eligible student before an institution of higher education discloses personally identifiable information from the student’s education records. Student medical records, including counseling records, are generally considered education records under FERPA and thus written consent must be obtained before disclosure unless an exception applies.
One such exception to FERPA’s consent requirement is the “school official” exception. Pursuant to this exception, disclosure of education records (including medical records) is permitted without needing to obtain consent when the disclosure is made to school officials with a legitimate educational interest in the records. Educational institutions have significant discretion to define precisely who qualifies as a school official and what constitutes a legitimate educational interest. Generally, a school official has a legitimate educational interest in student education records when access is necessary to fulfill the function and requirements of his or her job. However, because of the sensitivity of medical records, FPCO has indicated that disclosure of medical information pursuant to the “school official” exception should be thoughtfully and conservatively executed.
B. Review of FPCO’s Guidance
The following sections discuss FPCO’s guidance to colleges and universities utilizing the school official exception in the following four situations: (i) litigation, (ii) litigation holds, (iii) disclosures to a court, and (iv) disclosures for health and safety purposes.
1. Disclosure for Litigation Purposes
Under FERPA, attorneys representing institutions of higher education in litigation are generally considered school officials. However, FPCO has indicated through this DCL that such attorneys should be considered to have a legitimate educational interest for purposes of access to a student’s medical records only if the litigation the attorney is handling directly relates to the underlying medical treatment itself or payment for the medical treatment. FPCO emphasized that this narrow interpretation of “legitimate educational interest” is necessary because “to apply FERPA otherwise could discourage students from seeking viable on-campus medical treatment by affording lower confidentiality protections within campus health centers compared to health facilities off-campus, which may not be financially viable options for some students.”
FPCO’s interpretation of “legitimate educational interest” in the litigation context mirrors a similar privacy rule under the Health Insurance Portability and Accountability Act (“HIPAA”) (a medical records privacy law governing health care providers and health insurance plans). Institutions faced with litigation issues involving access to student medical records may look to HIPAA and its interpretative guidance as a resource to examine similar circumstances within their own institutions. Important aspects of HIPAA that may be instructive for educational institutions include the following:
- When determining if a student’s medical records directly relate to litigation, ask if the records are reasonably necessary for the attorney to adequately represent the institution in the matter;
- If the records are reasonably necessary for the representation, ask what records constitute the “minimum necessary” the attorney needs to perform her or his representation; and
- While an institution should make its own determination of the above two issues, an institution may reasonably rely upon advice of its counsel when considering if, and which, medical records are reasonably necessary for litigation.
2. Disclosures During a Litigation Hold
At the beginning of litigation (or even expected litigation), one of the first steps your counsel may take is to issue a “litigation hold.” Typically in the form of a memorandum, a litigation hold orders employees and staff to maintain and not destroy records and files that may be pertinent to the litigation. At times, counsel may also take custody of the records. In such situations, FPCO clarifies that while counsel may take physical custody of student medical records, counsel should otherwise access, use, or disclose those records only upon issuance of a valid written consent, court order, or subpoena.
3. Disclosure to Court without Court Order or Subpoena
When institutions of higher education are engaged in litigation with a student, it may be desirable to disclose the student’s education records to a court. The DCL states that student medical records should only be disclosed to a court if the lawsuit relates directly to the medical treatment or the payment for such treatment and the records are relevant and necessary with regard to the lawsuit.
4. Disclosure for Health or Safety Emergency
Institutions of higher education have a responsibility to take reasonable steps to ensure the health and safety of its student body and the security of its campus. Institutions may do so through many means, including use of a threat assessment team, behavioral intervention team or similar group of professionals tasked with reviewing threats emanating from students and/or staff.
When a student poses a significant and articulable threat to his- or herself or the health and safety of others, FERPA permits the disclosure of information from education records, including medical records, in order to involve individuals who will use the disclosed information to protect the health and safety of the student and others. The decision to disclose is left to the discretion of school officials, who must consider whether provision of actual records is necessary or whether summative statements are sufficient. Through the DCL, FPCO notes that in most cases, summative statements may suffice and blanket releases of information are generally unnecessary.
C. Action Items and Best Practices
The guidance from the FPCO provides important insight into how the government interprets FERPA and what it expects from institutions of higher education. As data privacy, and particularly health care privacy, continues to be a priority of students, parents, government regulators and other stakeholders, institutions of higher education should expect further guidance and scrutiny from FPCO and others with respect to how institutions use, disclose and safeguard student health information. In light of this guidance, institutions should consider the following steps:
- Review current policies and procedures regarding the use and disclosure of student educational records. Emphasis should be placed on any policies specific to student health records, such as policies for on-campus infirmaries, health centers and counseling programs.
- For those institutions that have health centers or counseling programs that are subject to both FERPA and HIPAA, consider how this DCL may allow those facilities to harmonize medical record policies and practices.
- Evaluate current bylaws, charters or policies for behavioral health teams or similar bodies at your institution for compliance with the guidance. If no such bylaws or charters exist, consider drafting them to guide the teams with respect to the proper use and disclosure of student records. In light of how quickly these teams must often act in the event of a potential threat, clear and direct guidance and tools for team members is crucial to ensure compliance. Privacy training may also be useful to ensure the proper functioning of these teams.
While not required by FERPA or this DCL, FPCO suggests as a best practice that institutions notify students of the privacy of their medical records at the time they receive treatment. This suggestion is similar to what HIPAA requires of health care providers, and institutions that are subject to HIPAA may already be providing notices to non-student patients (e.g. a “Notice of Privacy Practices”). With respect to student privacy, institutions should consider the following:
- Develop a privacy notification to distribute to students presenting for care in a campus health center.
- Consider including in the notification information about privacy rights, contact information for questions or complaints, and resources to obtain additional information.
- Evaluate the most appropriate manner in which to provide the notice to students, such as providing the notice only once upon initial contact with a student or annually thereafter.
- Address how to handle updates to the notification and methods to make the notification’s information available through other means, such as on the school website or in a student handbook.