Confidentiality of School Health Records

from School Health Reporter, Fall 2003

Judith F. Harrigan, RN, MSN, School Health Services Consultant, Colorado Department of Education

Overview

Recently there has been much discussion about confidentiality of health information and its application specifically to school health records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the U.S. Department of Health and Human Services to develop a series of rules intended to:

• standardize communication of electronic health information between healthcare providers and health insurers and
• protect the privacy and security of individually identifiable health information.

Although many individuals and groups have expressed concern that school health records should be included in these regulations, that has not happened.  The exclusion of school health records is explained by the fact that the Family Educational Rights and Privacy Act (FERPA) already protects most school health records and no further protection is necessary.

FERPA

The Family Educational Rights and Privacy Act is a federal law designed to protect the privacy of student education records. School health records, according to FERPA, are part of a student’s education record. The school must have written permission from a parent or student over the age of 18 years to release information from a student’s record, except in specific instances that are defined by the law. Health-related information that will further a student’s academic achievement and/or maintain a safe and orderly teaching environment may be accessed by school staff that has a specific and legitimate educational interest in the information. The school must maintain a written log of who accesses the records and when access occurs. (National Center for Education Statistics, 1997.)

Records From Outside Agencies or Individuals

Health reports that have been generated by school personnel are part of the academic record and are stored, transferred and destroyed in the same manner as other education records. However, records that have been received from health professionals outside the school present a quandary. On the one hand, families and healthcare providers may expect a higher level of confidentiality with these health records than with other school records and may be reluctant to provide sensitive medical information that could be important to the student’s school program if they are not provided assurance that the records will be protected from further disclosure. On the other hand, there is no regulation that specifically addresses these records.  Districts should be aware of potential problems if these health records are shared without parental permission and should consult their own legal counsel, and consider implementing policies that require specific parental consent before those records are transferred outside the school district.  Within the district, FERPA regulations related to legitimate educational interest and need-to-know should be applied to ALL records (CASB, 2001.)

Healthcare Plans

The same principles should be applied when healthcare plans are developed for students with special healthcare needs who have Individualized Education Plans  (IEPs) or 504 plans.

• The IEP is the process and the document that outlines and communicates the educational program for a particular child who is eligible for special education services under the Individuals with Disabilities Education Act, determines the least restrictive environment for that child, and identifies the supplementary aids and services needed to allow full participation in the regular education environment, as well as the related services necessary to benefit from the special education program.
• The 504 plan is a document similar to the IEP developed for students that qualify for services under Section 504 of the Rehabilitation Act.

Health-related information that is necessary to benefit student health, education, and/or safety should be included in the plan. IEP or 504  “teams,” including school nursing personnel, should determine whether health information should be included in the plans. Information specific to the care of the student by school nursing personnel, but not essential to other personnel, should be contained in a separate, secure healthcare plan.  Information that may impact the child’s academic achievement must be shared with school staff members who work directly with the student and who have a legitimate need to know the information. School staff members who have access to any health-related information should be provided with information about confidentiality policies.

Health Problem Lists

It is clear in FERPA that health and education information should be shared only with those individuals who have a legitimate need to know the information in order to fulfill their responsibilities based on an individual student’s needs. The health-problem list that many schools have disseminated to all school staff in the past should not be sent. School nurses must make a determination of what staff has legitimate need to know health-related information. If a situation arises where it seems appropriate for information to be shared with every staff member, written permission to share the information should be obtained from the parents.

Applicability of HIPAA to Health Information in Schools

FERPA continues to be the only regulation that specifically addresses school records, including school health records. There is currently no new legislation that overrides this law. However, there are several situations in which HIPAA will impact school health records:

• School-based health centers are generally operated by such HIPAA-covered entities as hospitals or public health departments and their records are not part of the education record as it is defined by FERPA. Because the clinic’s records are not subject to FERPA, they are not excepted from the definition of “protected health information” as defined by HIPAA and so are subject to HIPAA regulations.
• Schools that bill private insurers or Medicaid for health services provided to students are engaging in HIPAA-covered transactions and must comply with HIPAA regulations for those transactions.
• School nurses will find it more difficult to obtain health-related information (i.e., immunization records) from such HIPAA-covered healthcare providers as doctors’ offices, hospitals and clinics because HIPAA privacy protections apply to preventive healthcare as well as other treatments. Asking parents to sign an Information Exchange Form that complies with HIPAA requirements will facilitate obtaining information from these agencies.

Colorado Department of Education Recommendations

A school that values the right to privacy might consider the following steps, in addition to those required by FERPA:

1. Establish policies and procedures that specifically address the handling of school health records;
2. Keep health records separate from other academic records;
3. Inform students and families about how student health information will be handled;
4. Provide training to all employees about confidentiality issues and the importance of protecting information;
5. When releasing data, provide only the minimum details necessary to benefit the student’s education, health and/or safety;
6. Assure security of records by assigning a trained individual to be accountable for health information security (Bergren, 2001).