University Student Data and COVID-19: What can be shared?

The long-awaited return of students to schools has arrived, with some students attending school remotely while others attend classes on-site at academic institutions. We have also seen the unintended spread of COVID-19 at these institutions and, as a result, many schools have opted to discontinue on-site classes and switch to remote learning. In some instances, students who have tested positive for COVID-19 have been asked either to return home or to quarantine in designated dorms to prevent the spread of the virus to other students, faculty, and staff.

In these instances, there are people or organizations that may need to be notified if students, teachers, or other university staff have tested positive for COVID-19. Contact tracing may also be implemented at the university to help limit the spread of the virus. This raises a complicated question: whom can the university notify, what information can it share, and what guidelines should be followed when dealing with COVID-19 at academic institutions? The answer depends on the situation, as a university must assess whether the information is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Personally Identifiable Information (PII) under the Family Educational Rights and Privacy Act (FERPA), or both.

HIPAA requires covered entities to protect a patient’s PHI through appropriate safeguards, and it sets limits and conditions on the uses and disclosures of PHI that may be made without patient authorization. One such permitted disclosure is to prevent or lessen a serious and imminent threat to health or safety; the Office for Civil Rights (OCR) has indicated that COVID-19 qualifies as such a threat, so some patient information can be shared with the appropriate parties. Similarly, FERPA protects the privacy of student education records and prohibits educational institutions from disclosing PII in education records without written consent from the student (or from the parent or guardian if the student is under 18 and not enrolled in a postsecondary institution). “Education records” include any information directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution; a student’s health records maintained by the institution fall under FERPA’s definition of “education records”.1 FERPA does have a list of permitted disclosures, including disclosures in cases of health and safety emergencies. So how do universities navigate these two regimes when it comes to notifying others that a student, teacher, or other staff member has tested positive for COVID-19?

In normal situations, a student’s health record falls under FERPA, and HIPAA does not apply. For example, if a student visits a campus medical center operated by the university, that record is governed by FERPA and the institution needs a permitted reason to disclose it. A hospital affiliated with a university subject to FERPA is different: a student’s hospital record is not an “education record”, because the hospital provides its services without regard to the person’s status at the university, so that record falls under HIPAA. But if that hospital runs a student clinic, the clinic’s records on students fall under FERPA. The U.S. Department of Health and Human Services and the U.S. Department of Education jointly issued guidance in December 2019 that elaborates on how these rules apply to records maintained on students: Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019.

Regarding the current COVID-19 pandemic, the U.S. Department of Education released a series of FAQs covering FERPA and COVID-19, including a sample FERPA consent form: Department of Education Student Privacy Policy Office – FERPA & Coronavirus Disease 2019 FAQs – March 2020. The FAQs explain that when a student has COVID-19, it is generally sufficient to report to other students and/or their parents that a positive case has been found on campus, without identifying the infected student. For example, a university can email students and parents that there is a confirmed COVID-19 case on campus to notify them of a potential risk of contraction. If a student’s PII does need to be disclosed, the disclosure must meet FERPA’s health and safety emergency exception and may be made only to appropriate parties, such as law enforcement officials, public health officials, trained medical personnel, and parents; the media are not an appropriate party under FERPA and may not receive PII.

FERPA generally requires educational agencies and institutions to maintain a record of each request for access to, and each disclosure of, PII from the education records of each student. When making a disclosure under FERPA’s health or safety emergency provision, a university is specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure, and the parties to whom the information was disclosed.

After completing the required analysis, and assuming the university and/or the HIPAA “covered entity” can notify appropriate parties, it may be prudent also to conduct contact tracing to prevent further spread of COVID-19. Both healthcare providers and academic institutions can benefit from contact tracing technology to expedite this process while protecting student information. If a school intends to implement a contact tracing system for COVID-19, it is advisable to prepare consent forms for parents and eligible students to allow for the potential sharing of “directory information” (e.g. a student’s name, address, and phone number) that is linked to non-directory information (information regarding a student’s COVID-19 illness).

Protecting student information is essential, and an understanding of FERPA is key to a university ensuring the confidentiality, health, and safety of its students during the COVID-19 outbreak. Under FERPA, the PII in student education records cannot be disclosed without written consent from the student unless an exception applies. With the COVID-19 pandemic affecting the nation, the FERPA health and safety emergency exception comes into play, allowing universities to release a student’s PII to appropriate parties (law enforcement officials, public health officials, trained medical personnel, and parents) when disclosure is needed. Understanding the FERPA rules and their exceptions will help universities protect both the health and the privacy of their students during this time.

Source:
1 Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019


For questions or comments, email info@maizeanalytics.com

Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP

Elizabeth B. Ruszczyk, Esq., most recently served as Vice President and Chief Compliance and Privacy Officer at UF Health. UF Health is a private, not-for-profit healthcare system affiliated with the University of Florida and its Health Science Center campuses in Gainesville and Jacksonville. From 2016 to 2019, Ms. Ruszczyk also simultaneously served as Executive Associate Vice President and Chief Compliance and Privacy Officer for the University of Florida. Ms. Ruszczyk has nearly 20 years of experience developing and implementing all aspects of privacy and compliance programs for health systems and academic research institutions. Prior to her tenure at UF Health, Ms. Ruszczyk worked as a commercial litigation associate with Smith, Gambrell & Russell, LLP, in the firm’s Jacksonville, Florida office. Currently, Ms. Ruszczyk provides specialty consulting services in the fields of healthcare privacy and compliance.

Protecting Employee and Patient Privacy in the New Normal

Over the last several weeks, most of the United States has been in various phases of “re-opening” after the COVID-19 pandemic shutdowns. As physical offices open back up, many employers are refreshing their telecommuting policies or initiating their own “return to work” programs. Because this is such uncharted territory, many organizations have been engaging in dialogue about how to bring their employees back to the workplace safely. This reintroduction is occurring under a “new normal” regulatory scheme that is intended to maintain employee privacy.

The COVID-19 pandemic has challenged the healthcare sector in unimaginable ways and, as a consequence, government regulators have had to make rapid changes to how complex laws are applied (and/or issue additional guidance) in a host of compliance areas, including HIPAA, the ADA, and other EEO laws.

Under HIPAA, employment records are distinct from patient records, even when the employment record contains health-related information (a doctor’s note or other health information supporting sick leave, workers’ compensation, etc.); the HIPAA Privacy Rule excludes employment records held by a covered entity in its role as employer from the definition of PHI. However, the Americans with Disabilities Act (ADA) requires all medical information about a particular employee to be stored separately from the employee’s personnel file and limits who may access that confidential information. In any healthcare organization there are instances in which an employee becomes a patient, perhaps even a COVID-19 patient in the current climate. In such cases, sensitive details about the employee’s health may exist in both the employment file and the patient record. HIPAA protections apply to the patient record and ADA protections to the employment information, and the organization needs policies that monitor and protect both silos and that define who within the organization needs to have access to, or knowledge of, the employee’s health situation.

Healthcare Privacy Officers work to ensure patient medical data are protected.  Employees who are patients have unique privacy interests that should not be overlooked when developing any new policies or protocols. Policies on what information should be disclosed to managers and co-workers about an employee’s absence, for example, can ensure the proper care is taken to meet compliance regulations. Similarly, technology is needed to monitor for abuse of access rights, such as when employees snoop on medical records.

One way to ensure the privacy of patient and employee medical records is upheld is to implement a technology solution that helps Privacy Officers carry out these policies. Machine learning solutions such as the Maize Analytics Patient Privacy Monitoring solution assist privacy teams in monitoring for inappropriate uses of medical data by learning to differentiate normal from irregular access patterns.

The Maize Privacy Monitoring solution also includes a contact tracing system that leverages the access log to identify employee exposure and trace back infections. Contact tracing allows healthcare organizations to quickly notify employees who have come into contact with a patient who later tests positive for COVID-19, or with another employee who later tests positive. Being able to take action early is essential to protecting the health and privacy of employees.

Inappropriate access to medical records is an ongoing issue, even during the current COVID-19 pandemic. With hospitals at the center of the response, and also a place where the virus is likely to spread, it is important that policies, procedures, and systems are in place to track inappropriate access to patient records, including employees snooping on co-workers’ COVID-19 statuses.
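The two uses of an EHR access log described above, a snooping check and access-log-based exposure tracing, as an added illustration. This is not Maize Analytics code and says nothing about how their product works: the audit log lines, the staff-to-record mapping, the care-team table, the 14-day lookback, the 30-minute co-presence window, and the idea that two people opening the same chart minutes apart is a proxy for physical contact are all constructed assumptions for this example.

```python
"""Added illustration: two analyses over an EHR access (audit) log.

Not vendor code. The log lines, the staff-to-record mapping, the care-team
table, the 14-day lookback and the 30-minute co-presence window are all
constructed assumptions for this example.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Access = namedtuple("Access", "ts employee patient")

# Constructed audit log: ISO timestamp, accessing employee, patient record opened.
# E100 charts on P003 (the later index patient) and then on P001, where E101
# opens the same chart seven minutes later. E107 opens P009, which is the
# personal patient record of co-worker E102.
SAMPLE_LOG = """\
2020-06-01T07:30:00,E100,P003
2020-06-01T08:05:00,E100,P001
2020-06-01T08:12:00,E101,P001
2020-06-01T09:40:00,E102,P002
2020-06-01T09:45:00,E103,P002
2020-06-02T10:00:00,E104,P003
2020-06-02T10:03:00,E105,P003
2020-06-03T14:00:00,E106,P002
2020-06-04T11:00:00,E107,P009
"""

# Constructed: employees who are also patients, and the patient record that is theirs.
EMPLOYEE_RECORDS = {"E102": "P009"}
# Constructed: documented treatment relationships (patient -> care team).
CARE_TEAM = {"P009": {"E108"}}


def parse_log(text):
    """Parse 'timestamp,employee,patient' lines into Access tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, employee, patient = line.split(",")
        events.append(Access(datetime.fromisoformat(ts), employee, patient))
    return sorted(events)


def flag_coworker_snooping(events, employee_records=EMPLOYEE_RECORDS,
                           care_team=CARE_TEAM):
    """Rule-based check: an access to a record that belongs to a member of staff,
    by anyone not on that record's care team, is a candidate snooping event.
    (A self-lookup of one's own chart is not on the care team either and is
    flagged too; whether that is permitted is a local policy question.)
    """
    staff_records = set(employee_records.values())
    return [ev for ev in events
            if ev.patient in staff_records
            and ev.employee not in care_team.get(ev.patient, set())]


def trace_exposures(events, index_patient, positive_at,
                    lookback=timedelta(days=14), window=timedelta(minutes=30)):
    """Exposure tracing with chart access as a proxy for physical contact.

    generation_1: staff who opened the index patient's chart during the lookback.
    generation_2: other staff who opened the same chart as a generation-1
    employee within `window`, at or after that employee's first contact.
    The chart-access proxy is an assumption of this example, not a rule.
    """
    if isinstance(positive_at, str):
        positive_at = datetime.fromisoformat(positive_at)
    start = positive_at - lookback
    in_window = [ev for ev in events if start <= ev.ts <= positive_at]

    first_contact = {}
    for ev in in_window:
        if ev.patient == index_patient:
            first_contact.setdefault(ev.employee, ev.ts)  # events are time-sorted
    gen1 = set(first_contact)

    gen2 = set()
    for a in in_window:
        if a.employee not in gen1 or a.ts < first_contact[a.employee]:
            continue
        for b in in_window:
            if (b.employee != a.employee and b.employee not in gen1
                    and b.patient == a.patient and abs(b.ts - a.ts) <= window):
                gen2.add(b.employee)
    return {"generation_1": gen1, "generation_2": gen2}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ev in flag_coworker_snooping(log):
        print("possible snooping:", ev)
    print(trace_exposures(log, "P003", "2020-06-05T00:00:00"))
```

On the constructed log, the snooping check flags E107 opening E102's record, and tracing from P003 yields E100, E104 and E105 as first-generation contacts and E101 (who opened P001's chart seven minutes after E100) as second-generation. The one design point worth noting is that generation-2 candidates are only counted from each generation-1 employee's first contact with the index patient onward; an earlier shared chart cannot have transmitted anything yet.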

The U.S. Equal Employment Opportunity Commission (EEOC) has published a list of resources on what employers should know about COVID-19, the ADA, the Rehabilitation Act, and other EEO laws that can be useful for Privacy Officers and compliance teams:

https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws


https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html

Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP