News for Public Officials and the People They Serve

Get The News for Public Officials Newsletter - Its Free!

The content of this Alert is for informational purposes and not intended as legal advice.
Related Articles
School Districts and HIPAA - What Are The Compliance Risks?
County Posts Private Medical Data Online
HIPAA Privacy Regulations Impact Schools & Local Government Entities
Ft. Bend County Balks at Release of HIPAA Audit
HIPAA Privacy Regulations Impact Schools & Local Government Entities

New Technology Promises Easier Compliance with Federal Privacy Law
Need Legal Help? Use the LegalMatch Priority Service to Find Pre-screened Lawyers in Your Area Now!
School Districts and HIPAA - What Are The Compliance Risks?

Courts have applied the Federal regulations protecting the privacy of health information in the Health Insurance Portability and Accountability Act (HIPAA ) to schools and universities along with FERPA. Educational associations such as the National School Board Association recommend that school districts take steps to ensure compliance with HIPAA. It is important to understand that FERPA does not address many areas covered by HIPAA and HIPAA affects far more than benefits or Group Health Plans.

Compliance with FERPA is NOT a substitute for compliance with HIPAA. The Improper handling of health information belonging to employees or students by Texas ISD's can expose an ISD to serious risks. If the information qualifies as "Protected Health Information" (PHI), as regulated by the Health Insurance Portability and Accountability Act (HIPAA) that is used on a daily basis in Nursing, Counseling, Special Education, Public Health, Athletics, Safety and Human Resource departments, the consequences can be costly and disruptive. Reducing compliance risks is critical to every ISD.

Examples of how a school district might commit HIPAA violations . . .

If a student is injured on campus and a public statement is needed from the Superintendent - While the general instinct in this situation is to provide a compassionate response to requests from media, central administrators or campus staff, the improper release or exchange of information could violate privacy regulations of HIPAA. Requests and disclosure of health information must be handled within specific guidelines and documentation of the exchange of information may be specifically required by HIPAA.

If a Special Ed student needs physical therapy at school prescribed by a treating physician - The Admission Review and Dismissal Committee must meet to update the individualized education plan of a paraplegic student who is being taught how to transfer from their wheelchair to use the school restrooms. The homeroom teacher may wish to notify other teachers and staff of the plan details and the cause of the medical condition which might be in the best interests of the student. The release of more information than necessary or the failure to appropriately document the exchange of information might create an exposure to HIPAA violations and the potential for a legal action.

If a counselor observes erratic behavior from a student and fears that the student may be self destructive - During a counseling session, it becomes apparent that a student is undergoing severe personal crises and may be in imminent danger of self harm. The student is adamant that parents or a guardian should not be notified and behaves erratically and aggressively. The factors that may need to be considered relative the privacy regulations include the age of the student and whether they are an "emancipated minor". While the counselor may need to contact administration and or law enforcement representatives, the improper handling of this situation could result in litigation and or penalties at multiple levels in the school district.

If a student is injured in a bus accident and an insurance company demands access to medical records of all personnel involved in the accident - A parent has initiated legal action against the school district in an attempt to secure compensation for injury to their child. The school district claims adjustor assumes that they have access to all student records with no limitations. However, under HIPAA regulations, specific restrictions and guidelines exist about how information must be handled and communicated in this type of scenario. While it is in the best interest of the district for a free flow of information with the insurance company, the improper release or improper documentation may result in the potential for litigation or penalties.

If an employee submits leave paperwork with a medical certificate attached that may originate at the campus department level - The campus and department may wish to support the staff member who is diagnosed with an illness. The information shared through the human resources department will relate to the status of the illness and will be used in evaluations for filling that employee's position. While the Principal may wish to convey information to parents or students, the inappropriate release or use of the information or lack of documentation of information exchange could result in litigation or penalties.

Documenting Actions Is An Essential Element Of HIPAA Compliance

With the current heavy emphasis by Federal and State governments on issues of privacy, including health information covered under HIPAA, it is important to understand that true compliance with HIPAA is based on taking specific required actions to protect the health information related to students and employees that may be used in a school district on a daily basis and documenting those actions as required.

While enforcement has been relatively gentle in the past, in March of 2007 the Federal Department of HHS and the Office of Inspector General (OIG) announced the start of government conducted HIPAA security compliance audits on organizations that are subject to HIPAA. The OIG initiated the first audit activity of this kind on March 5, 2007 at Piedmont hospital in Atlanta. In addition the number of criminal prosecutions and litigation relating to HIPAA is growing and there is an increase of activity by State and Federal legislators to strengthen privacy laws, including HIPAA.

It is important that Privacy and Security Officers understand that "boilerplate" policies and procedures that are not supported by real compliance actions may not sufficiently protect an organization if an audit occurs. In addition, many districts have only considered HIPAA as it relates to Human Resources and benefits. In reality, there are many areas in a district which deal with health information of students and employees that can be subject to HIPAA. It is important that districts take proper actions to protect the health information in their custody to reduce potential risks to the district and to reduce the potential for damages to students and employees from improper use of health information.

Specific Tools for HIPAA Compliance In School Districts  

HIPAA Solutions, LC offers comprehensive and affordable compliance resources through the HIPAA ComplyPAK©, a suite of products and tools that can be implemented by ISD's to manage Privacy and Security elements of HIPAA. . . Learn more