Does HIPAA Apply to School-Based Mental Health?

(Jan. 17, 2007) - Guidance counselor Elizabeth Prince facilitates an Anchors Away program for children at Christopher Farms Elementary, Virginia Beach, Va. The program was created 10 years ago to help children with deployed parents cope with separation anxiety. U.S. Navy photo by Mass Communication Specialist Seaman Apprentice John K. Hamilton (RELEASED)

Exceptional Delaware wrote about the possibility of a state day treatment center being located in public schools, which raised an interesting question: how much does HIPAA apply to school-based mental health, and what falls under FERPA instead?

HIPAA, in case you are not aware, stands for the Health Insurance Portability and Accountability Act of 1996. When it passed, it elevated privacy standards for health insurance companies, health care providers and some third parties.

FERPA, as I’m sure most of us are aware, is the Family Educational Rights and Privacy Act, which governs privacy standards surrounding a student’s education records. The regulations implementing FERPA have changed under the Obama administration in ways that have caused great concern for those of us who care about student privacy, but more on that in a second.

I won’t get into the weeds on what is going on in the state because, well, I don’t completely understand it (I’m not sure they do either). Mental health treatment programs in public schools are not a foreign concept or unique to Delaware when you consider that many school districts themselves employ school psychologists and school social workers. The idea of third parties establishing programs in schools is nothing new either.

So how does HIPAA apply to a school?

The U.S. Department of Health and Human Services states on its website that “most schools and school districts” do not have to follow HIPAA.

It delves further into this issue on another webpage that answers the question: “Does the HIPAA privacy rule apply to an elementary or secondary school?”

Generally, no.  In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.

  • The school is not a HIPAA covered entity.  The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102.  Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan.  See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R.  Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.  It is expected that most elementary and secondary schools fall into this category.

  • The school is a HIPAA covered entity but does not have “protected health information.”  Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions.  However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA.  Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage.  See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103.  For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions.  However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule.  Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.

In 2011, the FERPA regulations were changed to include additional parties that are able to receive a student’s medical records.

(6)(i) The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to:

(A) Develop, validate, or administer predictive tests;

(B) Administer student aid programs; or

(C) Improve instruction.

These organizations are among several groups that can receive personally identifiable information without parental or student consent.

This should be a cause for concern for those of us who care about student privacy.

Big Data Laid Bare

Valerie Strauss at the Washington Post last Thursday shared a guest article by Leonie Haimson and Cheri Kiesecker with the Parent Coalition for Student Privacy.

It’s pretty eye-opening for those who are not familiar with privacy issues in the public school system.

An excerpt:

Most student data is gathered at school via multiple routes; either through children’s online usage or information provided by parents, teachers or other school staff. A student’s education record generally includes demographic information, including race, ethnicity, and income level; discipline records, grades and test scores, disabilities and Individual Education Plans (IEPs), mental health and medical history, counseling records and much more.

Under the federal Family Educational Rights and Privacy Act (FERPA), medical and counseling records that are included in your child’s education records are unprotected by HIPAA (the Health Insurance Portability and Accountability Act passed by Congress in 1996). Thus, very sensitive mental and physical health information can be shared outside of the school without parent consent.

Many parents first became aware of how widely their children’s personal data is being shared with third parties of all sorts when the controversy erupted over inBloom in 2012, the $100 million corporation funded by the Gates Foundation. Because of intense parent opposition, inBloom closed its doors in 2014, but in the process, parents discovered that inBloom was only the tip of the iceberg, and that the federal government and the Gates Foundation have been assisting the goal of amassing and disclosing personal student data in many other ways.

Ten organizations joined together, funded by the Gates Foundation, to create the Data Quality Campaign in 2005, with the following objectives:

  • Fully develop high-quality longitudinal data systems in every state by 2009;
  • Increase understanding and promote the valuable uses of longitudinal and financial data to improve student achievement; and
  • Promote, develop, and use common data standards and efficient data transfer and exchange.

Since that time, the federal government has mandated that every state collect personal student information in the form of longitudinal databases, called Student Longitudinal Data Systems or SLDS, in which the personal information for each child is compiled and tracked from birth or preschool onwards, including medical information, survey data, and data from many state agencies such as the criminal justice system, child services, and health departments.

A state’s SLDS, or sometimes called a P20 database (pre-K to 20 years of age), P12, or B-20 (data tracking from birth), have been paid for partly through federal grants awarded in five rounds of funding from 2005-2012. Forty-seven of 50 states, as well as the District of Columbia, Puerto Rico, and the Virgin Islands, have received at least one SLDS grant.

Although Alabama, Wyoming and New Mexico are not included on the site linked to above, Alabama’s governor recently declared by executive order that “Alabama P-20W Longitudinal Data System is hereby created to match information about students from early learning through postsecondary education and into employment.” Wyoming uses a data dictionary, Fusion, that includes information from birth. New Mexico’s technology plan shows that they moved their P-20 SLDS to production status in 2014 and will expand in 2015. This site run by the Data Quality Campaign tracks each state’s SLDS.

Valerie’s headline is appropriate, as the amount of data being collected on our kids is astonishing… Actually, disturbing is probably a better word. Be sure to read the whole piece, as they give parents advice on how to address this.