Does HIPAA Apply to School-Based Mental Health?

(Jan. 17, 2007) - Guidance counselor Elizabeth Prince facilitates an Anchors Away program for children at Christopher Farms Elementary, Virginia Beach, Va. The program was created 10 years ago to help children with deployed parents cope with separation anxiety. U.S. Navy photo by Mass Communication Specialist Seaman Apprentice John K. Hamilton (RELEASED)

(Jan. 17, 2007) – Guidance counselor Elizabeth Prince facilitates an Anchors Away program for children at Christopher Farms Elementary, Virginia Beach, Va. The program was created 10 years ago to help children with deployed parents cope with separation anxiety. U.S. Navy photo by Mass Communication Specialist Seaman Apprentice John K. Hamilton (RELEASED)

Exceptional Delaware wrote about the possibility of a state day treatment center being located in public schools which raised an interesting question – How much does HIPAA apply to school-based mental health and what falls under FERPA instead?

HIPAA, in case you are not aware, stands for the Health Insurance Portability and Accountability Act of 1996. When it passed it elevated privacy standards for health insurance companies, health care providers and some third parties.

FERPA most of us I’m sure are aware is the Family Educational Rights and Privacy Act that governs privacy standards surrounding a student’s education standards. Regulations implementing FERPA has changed under the Obama administration that have caused great concern for those of us who care about student privacy, but more on that in a second.

I won’t get into the weeds on what is going on in the state because, well, I don’t completely understand it (I’m not sure they do either). Mental health treatment programs in public schools is not a foreign concept or unique to Delaware when you consider many school districts themselves employ school psychologists and school social workers. Also the idea of third parties establishing programs in schools is nothing new as well.

So how does HIPAA apply to a school?

The U.S. Department of Health and Human Services state on their website that “most schools and school districts” do not have to follow HIPAA.

They delve further into this issue on another webpage that answers the question: “Does the HIPAA privacy rule apply to an elementary or secondary school?”

Generally, no.  In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.

  • The school is not a HIPAA covered entity.  The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102.  Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan.  See the definition of “transaction” at 45 CFR § 160.103 and 45 CFRPart 162, Subparts K–R.  Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.  It is expected that most elementary and secondary schools fall into this category.

  • The school is a HIPAA covered entity but does not have “protected health information.”  Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions.  However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA.  Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage.  See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103.  For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions.  However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule.  Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.

FERPA in 2011 changed the regulations to include additional parties to be able to receive a student’s medical records.

(6)(i) The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to:

(A) Develop, validate, or administer predictive tests;

(B) Administer student aid programs; or

(C) Improve instruction.

This falls under several groups that can receive personally identifiable information without parental or student consent.

This should be a cause for concern for those of us who care about student privacy.

“Noncognitive” Factors: Are they Fair Game for Data Collection and Instruction?

In February 2013, the U.S. Department of Education’s Office of Educational Technology released a draft of Promoting Grit, Tenacity, and Perseverance: Critical Factors for Success in the 21st Century. To many who were aware of this report, it was alarming and controversial. In the summary of this report it says. “There is a growing movement to explore the potential of the “noncognitive” factors—attributes, dispositions, social skills, attitudes, and intrapersonal resources, independent of intellectual ability—that high-achieving individuals draw upon to accomplish success.” It seems typical that when the U.S. Department of Education releases a report like this the groundwork has already been laid for implementation of the ideas, if they have not already been embedded into existing and newly proposed practice. (this report does not seem to be available on the website anymore)

The Strengthening Research Through Education Act (SETRA S227) would allow for the collection of data on “noncognitive” factors like those mentioned in the summary (see above). Karen Effrem has done a wonderful job of presenting issues and recommendations for SETRA in the brief she has prepared called Issues of Data Privacy, Parental Rights, and Federally Sponsored Psychological Screening in the Education Sciences Reform Act (ESRA)/Strengthening Education Through Research Act (SETRA) in the Context of Current Federal Law and Programs. Karen Effrem, M.D., is the president of Education Liberty Watch and Executive Director of the Florida Stop Common Core Coalition. She identifies and expands on four major issues and makes recommendations about them. The four major issues she addresses in this document are:

  1. SETRA seeks to expand federal psychological profiling of our children.
  2. SETRA only appears to prohibit a national database.
  3. There is continued reliance on a severely outdated and weakened FERPA.
  4. Reliance on PPRA that allows sensitive data prohibited in surveys to be collected in curriculum and assessments.

The Summary Response to the U.S. House Education and Workforce Committee March Hearing “Strengthening Research and Privacy Protections to Better Serve Students” is a brief summary that Karen has prepared.

A one page handout has been prepared for people to download and share. This one pager is a good initial attention getter that may be followed up with Karen Effrem’s brief.

You should be able to download a pdf copy of this one pager by clicking in the upper right hand corner of the document or by clicking here.

The National Assessment of Education Progress (NAEP) intends to begin assessing “noncognitive” factors. To do so, they will collect data on socio-economic status, technology use, school climate, grit, and desire for learning. The NAEP is making a leap from gathering academic content knowledge data to gathering “noncognitive” data. In making this move to gather data on “mindsets” that could be used for psychological profiling, NAEP will likely be in violation of federal law. For more information about this, you are encouraged to read the letter RE: Proposed National Education Assessment Plan and student/parental rights that the Liberty Counsel has addressed to Dr. Karen Effrem.

There seems to be a whole industry involved in the collection, storage, and sharing of student data, including “noncognitive” factors. Emmett McGroarty and Jane Robbins have written an article called The War on Student Privacy that features some of the players in this industry.

The education system, legislative bodies, government agencies, and industry all seem to think and act as if they are entitled to student data, including student-level (personally identifiable information) and “noncognitive” factors. Are student data, including student-level (personally identifiable information) and “noncognitive” factors really fair game? Many parents would not think so.


APIA Blasts Congressional Leadership for Attempting to Ram Child Data Collection Bill Through Congress

Washington, D.C.–American Principles in Action is calling on Congress to oppose S.227, the Strengthening Education through Research Act (SETRA), which would violate the privacy of millions of students and parents.
SETRA is scheduled to be voted on Wednesday, February 25th in the U.S. House—even though the Senate has not yet voted on the bill. Congressional leadership intends to call a vote on the matter in both the House and the Senate this week, despite neither body holding a hearing on the bill.
“SETRA is dangerous legislation that would expand federal psychological profiling of children through expanding research on ‘social and emotional learning,’” said Jane Robbins, Senior Fellow at American Principles in Action.  “It would facilitate sharing of education statistics across states and agencies. It would continue to rely on the now-gutted FERPA statute to protect student data. SETRA must be defeated to protect student privacy rights.”
Emmett McGroarty, Director of Education at American Principles in Action, said, “Leadership is betraying the Constitution and the American people by rushing this bill through. Having so blithely disrespected the American people, it is difficult to see how they will ever regain their trust.”
American Principles in Action’s concerns with SETRA are three-fold:
1.) SETRA reauthorizes ESRA, the Education Sciences Reform Act, first passed in 2002, which facilitates intrusive data collection on students. ESRA began the idea of state longitudinal databases, which created the structure that would facilitate a de facto national student database. ESRA also eliminated previous penalties for sharing and otherwise misusing student data.
2.) SETRA allows for psychological profiling of our children, raising serious privacy concerns. Section 132, page 28 of SETRA: “…and which may include research on social and emotional learning, and the acquisition of competencies and skills, including the ability to think critically, solve complex problems, evaluate evidence, and communicate effectively…”
This means the federal government will continue to promote collection of students’ psychological information. APIA does not support allowing the federal government to maintain psychological dossiers on our children.
3.) SETRA depends on FERPA to protect student privacy, legislation that is now outdated and has been gutted by regulation. FERPA, the Family Educational Rights and Privacy Act, passed in 1974, and is no longer sufficient to protect student privacy in the age of technology. Even worse, the Obama Administration gutted FERPA so that it no longer offers the protections it once did.
American Principles In Action is a 501(c)(4) organization dedicated to preserving and propagating the fundamental principles on which our country was founded. It aims to return our nation to an understanding that governance via these timeless principles will strengthen us as a country.
For further information or to schedule an interview with Jane Robbins or Emmett McGroarty, please contact Kate Bryan at American Principles in Action at 202-503-2010 or


P.E. Monitors and Student Privacy in Small Town Iowa

Grundy Center Community Schools have been using Polar Monitors in their P.E. classes for a decade now.  That still shouldn’t eliminate our concern for privacy.  The Revered Review did an investigation of the usage of these monitors which has garnered international attention in the past.  TRR’s article brings up the question of privacy:

Some have questioned the use of monitors in schools and outside the classroom, and the possible intrusion of students’ privacy. In addition, some Polar software allows health risk assessments by students to be completed, enabling personal information—such as alcohol use, sexual activity and even risk for heart disease and cancer—on students to be collected. So far, schools questioned by The Revered Review said they do not use these health risk assessments.

Indeed, the ACLU and Emmett McGroarty, the executive director of the Preserve Innocence Initiative of the American Principles Project, also indicated parental consent and the opportunity to opt in to the monitor use were important. However, they also expressed concern about student privacy.

Superintendent Cassandra Murra said they received parental consent for the monitors and they gave the opportunity to opt-in or opt-out. In this interview while trying to alleviate the privacy concern actually raises a few more.

She said that communication is important. “We have to communicate with parents and the community,” Murra said. She explained that as part of the state’s health standards, some data on students is necessary, and parents now are more cautious and want to know more.

“It is a legitimate concern, and we have to be open and honest on what data is being used for.” She said they take FERPA rules very seriously. “The school district is looking out for the best interest of our students.”

“We’re not going to turn anyone into the Department of Health and Human Services,” Murra said. “We want parents to be responsible for their own children.”

The Grundy Center , according to Murra, “does not use the health care assessment software by Polar that contains personal student health and lifestyle data.”

However, 12th grade high school students do fill out a family history form—that includes immediate family, maternal and paternal family history. The family health history includes what diseases family members have, how a grandparent died, and other chronic illnesses that may run in the family.

According to Murra, this information is completed by the students and is completely private. “It is not anything that is presented or shared with anyone else.” The students alone have access to it, and she said it helps them understand what their risk is for certain diseases based on their family history, she said.

First off the U.S. Department of Education released new regulations which weaken FERPA.  So saying they take FERPA rules seriously doesn’t mean anything in light of what the Obama Administration now permits schools to do in terms of data mining.  Secondly, they currently don’t use the Polar software, again under new FERPA regulations who is to say that won’t change?  Third, the comment Superintendent Murra that they are “not going to turn anyone into the Department of Health and Human Services” demonstrates that it is a possibility.  She said, “we want parents to be responsible for their own children.”  What if Grundy Center gets a new superintendent who feels differently?

Heart monitors and equipment that help students learn to keep track of their progress is great.  Data collection of any sort is not.

Originally posted at American Principles in Action

U.S. Education Department Announces New Measures to Safeguard Student Privacy

U.S. Education Department Announces New Measures to Safeguard Student Privacy
DECEMBER 1, 2011

The U.S. Department of Education today announced new regulations to safeguard student privacy while giving states the flexibility to share school data that can be helpful in judging the effectiveness of government investments in education.

“Data are a powerful tool needed to improve the state of education in this country,” said U.S. Secretary of Education Arne Duncan. “At the same time, the benefits of using student data must always be balanced with the need to protect students’ privacy rights and ensure their information is protected.”

The regulations announced today will strengthen the Family Educational Rights and Privacy Act (FERPA) by protecting the safety of student information, increasing the Department’s ability to hold those who misuse or abuse student data accountable and ensuring our taxpayer funds are invested wisely and effectively.

In the past, uncertainty about where state sunshine laws left off and where FERPA picked up created confusion for institutions about when and with whom student information could and should be shared. Schools need the flexibility to pursue routine uses of information without getting prior consent while allowing them to prevent those who may misuse or abuse student information from accessing it. The regulations announced today allow schools to do just that.

The new regulations announced today will also help the Department of Education more effectively hold those who misuse or abuse student information accountable for violating FERPA. When FERPA was first conceived in the 1970s, it only applied to institutions with students in attendance—like high schools and colleges. Since then, a growing number of institutions and entities without students in attendance—like student lenders for example—have access to student records that should be protected by FERPA, but aren’t. Today’s announcement fixes that gap in student protection.

The changes announced today will also help policymakers determine if state and federally funded education programs are adequately preparing children for success in the next stage of life, whether that is in kindergarten or the workforce. States will be able to determine which early childhood programs prepare kids for kindergarten. High school administrators will now be able to tell how their graduates did in college. And states will be able to enter into research agreements on behalf of their districts to determine how best to use limited education funding during tough economic times.

Today’s announcement comes on the heels of several efforts undertaken by the Obama Administration to ensure that private student data is protected. These include the appointment of Kathleen Styles as the Department’s Chief Privacy Officer, the establishment of a Privacy Technical Assistance Center, and the publication of guidance documents on best practices for protecting confidential information about students.

The full regulation may be found at:

National Opt-Out Campaign Informs Parents How to Protect the Privacy of their Children's School Records

National Opt-Out Campaign Informs Parents How to Protect the Privacy of their Children’s School Records
Sheila Kaplan  Education New York & Information Policy Watch

As cases of identity theft, database hacking, and the sale of personal information increase daily, the need to protect children’s privacy becomes even more urgent. Schools are a rich source of personal information about children that can be legally and illegally accessed by third parties.