Recent news articles regarding a New Jersey elementary school’s handling of the enrollment of two new students from Rwanda provided another glimpse of Ebola hysteria and the opportunity for me to follow up on Bill Maruca’s blog about Ebola and HIPAA with yet another (fairly obscure) statutory acronym. When it comes to protecting the privacy of students, HIPAA often does not even apply and it’s the Family Educational Rights and Privacy Act, known as FERPA, that matters.
The New Jersey elementary school apparently recognized that it had overreacted when it first announced that the Rwanda students’ parents would keep their children at home for 21 days. The school posted a revised website notice stating that it would “welcome the new students whose parents graciously offered to keep them close this week.” Setting aside the fact that Rwanda is located in East Africa, more than 2,500 miles away from the West African countries that have been reported to be affected by the Ebola virus, and is reportedly now screening all visitors to Rwanda who have been in the United States during the past 22 days, this elementary school incident offers a teachable moment.
If the school nurse at a public elementary school takes it upon himself or herself to identify students at risk for developing Ebola and decides to take twice-daily temperature readings of the students and record the information in student health records, the information would be protected under FERPA and parental consent would be required prior to its release. “Frequently Asked Questions” posted on the website of the U.S. Department of Health and Human Services (HHS) address the interplay between HIPAA and FERPA and a “Joint Guidance” document issued by HHS and the U.S. Department of Education provides even more detail on the relationship between HIPAA and FERPA. To the extent FERPA applies to the school nurse’s activities and information contained in the students’ health records, FERPA trumps HIPAA in one key privacy protection respect.
Under HIPAA, protected health information (PHI) can be used or disclosed without an authorization from the appropriate individual for certain public health activities. For example, a covered entity, such as a health care provider, may disclose PHI to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease. A covered entity may also disclose PHI to a person who may have been exposed to a communicable disease, under specific circumstances. However, FERPA generally does not allow this type of disclosure (without parental authorization or authorization of a student over the age of 18) of identifiable student information, even when it is for public health purposes, other than in “emergency” situations. Note that under both HIPAA and FERPA, withholding names but releasing other information that makes it possible to identify the individuals (i.e., “students from Rwanda”) risks privacy violations.
The bottom line for public schools? Check your FERPA obligations, your possible HIPAA obligations, and, when it comes to Ebola fears, your geography.