|
|
| The content of this Alert is for informational purposes
and not intended as legal advice. |
 School
Districts and HIPAA - What Are The Compliance Risks?
Courts have applied the Federal regulations protecting the privacy
of health information in the Health Insurance Portability and
Accountability Act (HIPAA ) to schools and universities along with
FERPA. Educational associations such as the National School Board
Association recommend that school districts take steps to ensure
compliance with HIPAA. It is important to understand that FERPA
does not address many areas covered by HIPAA and HIPAA affects far
more than benefits or Group Health Plans.
Compliance with FERPA is NOT a substitute for compliance with
HIPAA. The Improper handling of health information belonging to
employees or students by Texas ISD's can expose an ISD to serious
risks. If the information qualifies as "Protected Health
Information" (PHI), as regulated by the Health Insurance
Portability and Accountability Act (HIPAA) that is used on a daily
basis in Nursing, Counseling, Special Education, Public Health,
Athletics, Safety and Human Resource departments, the consequences
can be costly and disruptive. Reducing compliance risks is
critical to every ISD.
Examples of how a school district might commit HIPAA violations
. . .
If a student is injured on campus and a public statement is needed
from the Superintendent - While the general instinct in this
situation is to provide a compassionate response to requests from
media, central administrators or campus staff, the improper
release or exchange of information could violate privacy
regulations of HIPAA. Requests and disclosure of health
information must be handled within specific guidelines and
documentation of the exchange of information may be specifically
required by HIPAA.
If a Special Ed student needs physical therapy at school
prescribed by a treating physician - The Admission Review and
Dismissal Committee must meet to update the individualized
education plan of a paraplegic student who is being taught how to
transfer from their wheelchair to use the school restrooms. The
homeroom teacher may wish to notify other teachers and staff of
the plan details and the cause of the medical condition which
might be in the best interests of the student. The release of more
information than necessary or the failure to appropriately
document the exchange of information might create an exposure to
HIPAA violations and the potential for a legal action.
If a counselor observes erratic behavior from a student and fears
that the student may be self destructive - During a counseling
session, it becomes apparent that a student is undergoing severe
personal crises and may be in imminent danger of self harm. The
student is adamant that parents or a guardian should not be
notified and behaves erratically and aggressively. The factors
that may need to be considered relative the privacy regulations
include the age of the student and whether they are an
"emancipated minor". While the counselor may need to contact
administration and or law enforcement representatives, the
improper handling of this situation could result in litigation and
or penalties at multiple levels in the school district.
If a student is injured in a bus accident and an insurance company
demands access to medical records of all personnel involved in the
accident - A parent has initiated legal action against the school
district in an attempt to secure compensation for injury to their
child. The school district claims adjustor assumes that they have
access to all student records with no limitations. However, under
HIPAA regulations, specific restrictions and guidelines exist
about how information must be handled and communicated in this
type of scenario. While it is in the best interest of the district
for a free flow of information with the insurance company, the
improper release or improper documentation may result in the
potential for litigation or penalties.
If an employee submits leave paperwork with a medical certificate
attached that may originate at the campus department level - The
campus and department may wish to support the staff member who is
diagnosed with an illness. The information shared through the
human resources department will relate to the status of the
illness and will be used in evaluations for filling that
employee's position. While the Principal may wish to convey
information to parents or students, the inappropriate release or
use of the information or lack of documentation of information
exchange could result in litigation or penalties.
 Documenting
Actions Is An Essential Element Of HIPAA Compliance
With the current heavy emphasis by Federal and State governments
on issues of privacy, including health information covered under
HIPAA, it is important to understand that true compliance with
HIPAA is based on taking specific required actions to protect the
health information related to students and employees that may be
used in a school district on a daily basis and documenting those
actions as required.
While enforcement has been relatively gentle in the past, in March
of 2007 the Federal Department of HHS and the Office of Inspector
General (OIG) announced the start of government conducted HIPAA
security compliance audits on organizations that are subject to
HIPAA. The OIG initiated the first audit activity of this kind on
March 5, 2007 at Piedmont hospital in Atlanta. In addition the
number of criminal prosecutions and litigation relating to HIPAA
is growing and there is an increase of activity by State and
Federal legislators to strengthen privacy laws, including HIPAA.
It is important that Privacy and Security Officers understand that
"boilerplate" policies and procedures that are not supported by
real compliance actions may not sufficiently protect an
organization if an audit occurs. In addition, many districts have
only considered HIPAA as it relates to Human Resources and
benefits. In reality, there are many areas in a district which
deal with health information of students and employees that can be
subject to HIPAA. It is important that districts take proper
actions to protect the health information in their custody to
reduce potential risks to the district and to reduce the potential
for damages to students and employees from improper use of health
information.
Specific
Tools for HIPAA Compliance In School Districts
HIPAA Solutions, LC offers comprehensive and affordable
compliance resources through the HIPAA ComplyPAK©, a suite of
products and tools that can be implemented by ISD's to
manage Privacy and Security elements of HIPAA. . .
Learn more
|