HIPAA and FERPA: The opinion of a street level OT
I am not a lawyer, so stop reading my opinion and go talk to one if you are having a real problem. Please.
But here is my OPINION that I want to rant about:
Everyone needs to go and read the recently published Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Helath Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records.
This is the most recent guidance document in a string of legal opinions and guidance documents that have been kicked around since HIPAA came into effect and schools were left trying to figure out what it meant. The bottom line problem is that we have created a system in the United States where a public health program (Medicaid) morphed into a broad funding stream for a variety of educational programs. The original stated purpose of Medicaid was for medically based interventions (and thus its common designation as a 'health insurance' system of sorts) - except that now it also pays for health related services in schools - but those health related services from the school's perspective have to be 'educationally related.'
For background purposes, FERPA came first and is a law governing privacy of educational records. HIPAA came second and is a law governing privacy of protected health information - except that the legal eagles cross-referenced and excluded FERPA from HIPAA in some situations. The confusion exponentially grows since schools are now in the business of billing insurance companies (including Medicaid) for some services. What is left in the confusing aftermath is a pair of legs devoid of a brain, each wondering who is supposed to take the first step forward.
School officials, from my experience, have no idea how to solve the problem - and what ends up happening is that on a regular basis I am witness to information being released to people and places that it should never be released to. The overwhelming majority of the time this release is not malicious but nevertheless it is problematic. Also, parents are infrequently aware of FERPA exclusions to need for consent - and when so-called protected health information is morphed into an educational 'treatment record' that is then FERPA controlled it is interesting to see who can get access to very personal information that someone initially thought was simply a private medical record.
So we have a new guidance document straight from DHHS and DOE. It is quite clear - to lawyers probably and those who like to rant about such things on blogs. People who are on the front lines of this issue will still grapple with the complexity of educational vs. medical records and make many unintentional mistakes. Individuals or parents can always address confidentiality breaches after the fact, but that will invariably leave people dissatisfied and wondering why the system was so vulnerable in the first place.
Our practice: we get consents from EVERYONE for EVERYTHING. We NEVER re-disclose information and only release our own documentation. We also educate families to exercise EXTREME caution in who they decide to give information to. We also don't release ANYTHING unless we have a direct and specific consent or a court order. Sometimes we have even cleared the court orders with our attorney just to be safe.
Let's just call it all broken and start over. Privacy rights should not be so complex and I can absolutely guarantee that individuals are not served well when the waters are this muddy.
But here is my OPINION that I want to rant about:
Everyone needs to go and read the recently published Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Helath Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records.
This is the most recent guidance document in a string of legal opinions and guidance documents that have been kicked around since HIPAA came into effect and schools were left trying to figure out what it meant. The bottom line problem is that we have created a system in the United States where a public health program (Medicaid) morphed into a broad funding stream for a variety of educational programs. The original stated purpose of Medicaid was for medically based interventions (and thus its common designation as a 'health insurance' system of sorts) - except that now it also pays for health related services in schools - but those health related services from the school's perspective have to be 'educationally related.'
For background purposes, FERPA came first and is a law governing privacy of educational records. HIPAA came second and is a law governing privacy of protected health information - except that the legal eagles cross-referenced and excluded FERPA from HIPAA in some situations. The confusion exponentially grows since schools are now in the business of billing insurance companies (including Medicaid) for some services. What is left in the confusing aftermath is a pair of legs devoid of a brain, each wondering who is supposed to take the first step forward.
School officials, from my experience, have no idea how to solve the problem - and what ends up happening is that on a regular basis I am witness to information being released to people and places that it should never be released to. The overwhelming majority of the time this release is not malicious but nevertheless it is problematic. Also, parents are infrequently aware of FERPA exclusions to need for consent - and when so-called protected health information is morphed into an educational 'treatment record' that is then FERPA controlled it is interesting to see who can get access to very personal information that someone initially thought was simply a private medical record.
So we have a new guidance document straight from DHHS and DOE. It is quite clear - to lawyers probably and those who like to rant about such things on blogs. People who are on the front lines of this issue will still grapple with the complexity of educational vs. medical records and make many unintentional mistakes. Individuals or parents can always address confidentiality breaches after the fact, but that will invariably leave people dissatisfied and wondering why the system was so vulnerable in the first place.
Our practice: we get consents from EVERYONE for EVERYTHING. We NEVER re-disclose information and only release our own documentation. We also educate families to exercise EXTREME caution in who they decide to give information to. We also don't release ANYTHING unless we have a direct and specific consent or a court order. Sometimes we have even cleared the court orders with our attorney just to be safe.
Let's just call it all broken and start over. Privacy rights should not be so complex and I can absolutely guarantee that individuals are not served well when the waters are this muddy.
Comments