News for Public Officials and the People They Serve

Newsletter Archives
Home Auctions By State

Get the newsletter

 
Related Articles
 
School Districts and HIPAA - What Are The Compliance Risks?
 
County Posts Private Medical Data Online
 
HIPAA Privacy Regulations Impact Schools & Local Government Entities
 
Ft. Bend County Balks at Release of HIPAA Audit
 

 

 
 
 
 
The content of this Alert is for informational purposes and not intended as legal advice.

HIPAA: A Minefield for School Districts

Recent Cases Highlight Potential Exposure

Sept-01-07

A series of court rulings has clarified and emphasized the need for school districts to reevaluate the direction of actions that they take related to compliance with the Health Insurance Portability and Accountability Act.

Many school administrators and risk managers have primarily focused on the effects of HIPAA Privacy and Security rules as they applied to employee benefits and group health plans, based on a belief that most student records that contain health information are covered by FERPA (Family Educational Records Privacy Act) and that HIPAA very narrowly impacted only employee records and health plan information.

Court rulings, along with recent updates to Federal and state regulations reveal that, in fact, HIPAA has a broad reach in relation to health information associated with students and FERPA's impact is narrow in many situations according to the US Supreme Court ruling in Owasso Independent School District v. Falvo

Districts that casually address privacy and security of student records containing health information may be unknowingly walking in a minefield of potential litigation.  Three instances of court rulings that follow below show the importance of staying up to date on the ways that the HIPAA regulations are being applied by courts.

In a 2006 court ruling, (Gloria Gaines-Hanna v. Farmington Public Schools, 2006 WL 932074 (E.D.Mich.), April 7, 2006) HIPAA and FERPA were both addressed and an appellate court clearly ruled that HIPAA does apply to school districts and minor students within schools.

In another ruling, (Harris v. Portland, 2006 WL 1317125 (M.D.Pa.), May 3, 2006), a  Federal District Court applied both HIPAA and FERPA to Penn State University,  concluding that both statutes apply to athletic trainers.

FERPA was used to protect the "grade point averages" of the students, and HIPAA was applied to their medical information.  The court required the execution of a confidentiality agreement in order for the information to be used according to these federal requirements. 

The court stated: "the Family Educational Rights and Privacy Act of 1974, 20 U.S .C. § 1232g, and the Health Insurance Portability and Accountability Act, Pub.L.  No. 104-191, 110 Stat.1936 (1996), shall not preclude the production by defendants of the following . . ."

The court outlined the medical information protected under HIPAA as follows: "all documents relating to team practices, games, strength training, conditioning, and voluntary athletically-related activities by team members for the years 2003-2004 and 2004-2005 including, without limitation, all visual and audio recordings."

In addition, the information protected under FERPA was specified as follows: "defendant the Pennsylvania State University shall produce a verified table or chart setting forth the grade point average of each team member for each semester during the period 2000 to the present, ranked from highest-to-lowest overall grade point average.  The names of the team members shall be redacted."

Special education was specifically addressed in another case (John A. v. Board of Education for Howard County) involving the parents of a disabled child who brought a due process complaint under the"Individuals with Disabilities Education Act ("IDEA") and its State counterpart, seeking an administrative order requiring public school to abide by physician's medical directives and administer prescribed medication to child during the school day." (2007 WL 2162517 (Md.)) 

In summary, an Appellate Court removed the medical privacy issue from the IDEA statutes, and consideration under that specific legal scheme,  essentially separating the HIPAA privacy issues from special education issues and consideration under IDEA regulations and laws. 

The court stated as follows . . . . "the IDEA does not intend to address claims such as these, even had the ALJ concluded that the administration of medication inferentially was provided for as a "related service" in A.A.'s IEP. The dispute in this case involves a medical treatment issue, not a special education one. As a result, the controversy resides outside of the expertise and training of an ALJ who adjudicates disputes regarding the IDEA. Allowing parties to use the IDEA as the mechanism for trying such disputes would open the doors to lawsuits under the IDEA for a multitude of matters unrelated to the proper scope of special education."  (2007 WL 2162517 (Md.))

As stated above, the court mentioned the fact that this was a HIPAA and a "statutory or common law medical information privacy, or privilege issue." not an IDEA, or specifically a FERPA issue.  Obviously, the Appellate Court is separating out the medical privacy issues from the special education issues, indicating that these issues should be handled separately from special education legal regulations.

HIPAA does not exist in a static environment and compliance can be effected by court rulings and regulatory changes.  Any school district that deals with Special Education, Nursing, Athletic Trainers or Counselors should carefully evaluate the ways that they address compliance requirements under HIPAA and make sure that all personnel are adequately trained on an ongoing basis about proper procedures and organizational processes involving protected information.

Get the newsletter


HIPAA SolutionsSpecific Tools for HIPAA Compliance In School Districts  

HIPAA Solutions, LC offers comprehensive and affordable compliance resources through the HIPAA ComplyPAK©, a suite of products and tools that can be implemented by ISD's to manage Privacy and Security elements of HIPAA. . . Learn more