News for Public Officials
Newsletter Archives The Campaign Tool Chest
Home Auctions By State Campaigner's Bookstore

Get the newsletter
 
Related Articles
 
School Districts and HIPAA - What Are The Compliance Risks?
 
County Posts Private Medical Data Online
 
HIPAA Privacy Regulations Impact Schools & Local Government Entities
 
Ft. Bend County Balks at Release of HIPAA Audit
 
 Click here for legal help and a free evaluation of your possible case

 

Understanding Privacy Rule Might Have Avoided Virginia Tech Tragedy *

BY PETER MACKOUL, ESQ.

Reprinted with permission

Sept-19-07

Many people think HIPAA (the Federal Health Insurance Portability and Accountability Act) restricts the disclosure of medical information, including psychological information such as that associated with the facts of the Virginia Polytechnic Institute, (Virginia Tech. case).
 

The Virginia Tech. case involved a student with severe psychological problems who represented a threat to the public. Although these cases are not common, the HIPAA Privacy rule does have an exception to disclosure, “to avert a serious threat to health or safety,” applicable to the facts of the Virginia Tech case.

Although the HIPAA Privacy rule imposes new business processes on organizations that use and disclose medical information, in cases such as that of Cho Seung-Hui, the shooter at Virginia Tech, HIPAA may have assisted in preventing the massacre if the rules had been implemented by Virginia Tech and the public schools Hui attended prior to entering college.

The United States Supreme Court’s decision in the Owasso case narrowly defined the term education records and there is no question that HIPAA applied to Hui’s medical records, both at Virginia Tech. and at the public schools he attended prior to attending Virginia Tech.

The HIPAA Privacy rule is very clear on the ability of health care providers, including school and university counselors and psychologists, to disclose the “Protected Health Information,” (PHI), about individuals with severe mental problems who represent a threat to public safety.

The rule allows the disclosure of PHI to “avert a serious threat to health or safety “involving individuals like Cho Seung Hui to a “person or persons reasonably able to prevent or lessen the threat,” like law enforcement officials.

However, using HIPAA to lessen the threat to pubic safety by a severely disturbed person like Hui would only be effective if the Privacy rule were implemented by all educational institutions that are supposed to follow the HIPAA rules.

HIPAA has many exceptions to the disclosure of PHI, including an exception involving persons that represent a threat to the public safety. Section 164.512 (j) (1) of the Privacy rule, contains a section entitled, “Uses and disclosures to avert a serious threat to health or safety.”

Specific disclosures are permitted under this portion of the Privacy rule; “a covered entity,” [a school or university], “may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:

“Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or…”

Although this section goes on in detail, obviously there is an exception to “avert a serious threat to health and safety,” that may assist schools and universities in situations in the future in these rare cases like the one at Virginia Tech.

In addition, there is a “good faith presumption,” in the Privacy rule that specifically addresses this issue. This good faith presumption section directly relates to section (j) (1) cited directly above. It is entitled “Presumption of good faith belief;” and states as follows: “a covered entity that uses or discloses protected health information pursuant to paragraph (j)(1) of this section is presumed to have acted in good faith with regard to a belief described in paragraph (j)(1)(i) or (ii) of this section, if the belief is based upon the covered entity's actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.”

The purposes of the HIPAA rules are to alter certain business practices to promote efficiency, reduce fraud, and protect health information. However, it is important to educate healthcare staff in organizations subject to HIPAA on those “business practice procedures” that, if implemented consistently, would cause educational staff members to routinely report individuals that display “odd” or even “frightening behaviors” to prevent like tragedies in the future.

Proper training of those who are in a position to interact with individuals such as Mr. Hui should be a top priority of administrators and board members at every educational institution in the nation.

(*** A Note to the Reader: Please use the information contained in this article for informational purposes only. This document is NOT intended as legal advice. Please consult an Attorney before relying on any information presented in this document
 

Get the newsletter

HIPAA SolutionsSpecific Tools for HIPAA Compliance In School Districts  

HIPAA Solutions, LC offers comprehensive and affordable compliance resources through the HIPAA ComplyPAK©, a suite of products and tools that can be implemented by ISD's to manage Privacy and Security elements of HIPAA. . . Learn more