University Student Data during COVID-19: What can be shared?

The long-awaited return of students to schools has arrived, with some students attending school remotely, while others are attending classes on-site at academic institutions. We’ve also seen the unintended spread of COVID-19 at these institutions and, as a result, many schools have opted to discontinue on-site classes, switching to remote learning. In some instances, the students who have tested positive for COVID-19 have been asked to either return home or quarantine in specified dorms to prevent the spread of the virus to other students, faculty, and staff.

In these instances, there are people or organizations that may need to be notified if students, teachers, or other university staff have tested positive for COVID-19. Contact tracing may also be implemented at the university to help limit the spread of the virus. This raises a complicated question: who can the university notify, what information can they share, and what guidelines should be followed when dealing with COVID-19 at academic institutions? The answer depends on the situation, as a university must assess whether the information is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Personally Identifiable Information under the Family Educational Rights and Privacy Act (FERPA), or both.

HIPAA requires covered entities to protect the patient’s PHI through appropriate safeguards, and it sets limits and conditions on the uses and disclosures of PHI without patient authorization. One such permissible disclosure is to prevent a serious and imminent threat; the Office for Civil Rights (OCR) has deemed COVID-19 such a threat, and therefore some patient information can be shared with the appropriate parties. Similarly, FERPA protects the privacy of student education records and prohibits educational institutions from disclosing PII in education records without written consent from the student (or a parent or guardian if the student is under 18, unless the underage student is enrolled in a university). “Educational records” include any information directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution; a student’s health records therefore fall under FERPA’s definition of “educational records”.[1] FERPA does have a list of permitted disclosures, including cases of health and safety emergencies. So how do universities navigate these two policies when it comes to notifying others if a student, teacher, or other staff member has tested positive for COVID-19?

In normal situations, a student’s health record falls under FERPA, and HIPAA does not apply. So, for example, if a student visits the campus medical center operated by the university, that record falls under FERPA guidelines and the institution would need to have a permitted reason to disclose the information. With regard to hospitals affiliated with a university subject to FERPA, a student’s hospital record is not considered an “education record” because these facilities provide services without regard to the person’s status at the university, so that record would fall under HIPAA guidelines. But if that hospital runs a student clinic, then those records would fall under FERPA guidelines. The U.S. Department of Health and Human Services, together with the U.S. Department of Education, issued a Joint Guidance on the Application of FERPA and HIPAA to Student Health Records in December 2019, further elaborating on how these guidelines apply to records maintained on students: Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019

With regard to the current COVID-19 pandemic, the U.S. Department of Education released a series of FAQs that cover questions related to FERPA and COVID-19 and include a sample FERPA Consent Form: Department of Education Student Privacy Policy Office – FERPA & Coronavirus Disease 2019 FAQs – March 2020. The FAQ outlines that if a student has COVID-19, it is sufficient to report only that a positive COVID-19 case has been found on campus to other students and/or the parents of other students, rather than specifically identifying the student who is infected. For example, a university can email students and parents that there is a confirmed COVID-19 case on campus to help notify them of a potential risk of contraction. If a student’s PII needs to be disclosed, it must meet the health and safety disclosure exemption under FERPA, and it can only be disclosed to appropriate parties, i.e. law enforcement, public health, trained medical personnel, and parents (PII cannot be disclosed to the media, as they are not considered an appropriate party under FERPA).

FERPA generally requires educational agencies and institutions to maintain a record of each request for access to and each disclosure of PII from the education records of each student. When making a disclosure under the health or safety emergency provision in FERPA, universities are specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure and the parties to whom the university disclosed the information.

After finalizing the required analysis and assuming the university and/or HIPAA “covered entity” can notify appropriate parties, it may be prudent to also conduct contact tracing to prevent further spread of COVID-19. Both healthcare providers and academic institutions can benefit from the use of contact tracing technology to expedite this process and ensure the protection of student information. If a school intends to implement contact tracing systems for COVID-19, it is advisable to prepare consent forms for parents and eligible students to allow for the potential sharing of “directory information” (i.e. a student’s name, address, phone number) that is linked to non-directory information (information regarding a student’s COVID-19 illness).

Protecting student information is essential, and having an understanding of FERPA is key for universities to ensure the confidentiality, health, and safety of their students during the COVID-19 outbreak. Under these guidelines, the PII in student education records cannot be disclosed without written consent from the student, unless there is a reason for exemption. With the COVID-19 pandemic affecting the nation, the FERPA health and safety emergency exemption comes into play, allowing universities to release a student’s PII to appropriate parties (law enforcement, public health, trained medical personnel, and parents) if disclosure is needed. Having an understanding of the FERPA guidelines and exemptions will help universities protect the health and privacy of their students during this time.

Source:
[1] Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019


For questions or comments, email info@maizeanalytics.com

Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP


Elizabeth B. Ruszczyk, Esq., most recently served the Vice President and Chief Compliance and Privacy Officer at UF Health. UF Health is a private, not-for-profit healthcare system affiliated with the University of Florida and its Health Science Center campuses in Gainesville and Jacksonville. From 2016 – 2019, Ms. Ruszczyk also simultaneously served as the Executive Associate Vice President, Chief Compliance and Privacy Officer for the University of Florida. Ms. Ruszczyk possesses nearly 20 years of extensive experience in developing and implementing all aspects of privacy and compliance programs for health systems and academic research institutions. Prior to her tenure at UF Health, Ms. Ruszczyk worked as a commercial litigation associate with Smith, Gambrell & Russell, LLP., in the firm’s Jacksonville, Florida office. Currently, Ms. Ruszczyk provides specialty consulting services in the fields of healthcare privacy and compliance.

Protecting Employee and Patient Privacy in the New Normal

Over the last several weeks, most of the United States has been in various phases of “re-opening” following the COVID-19 pandemic shutdowns. As physical offices open back up, many employers are refreshing their telecommuting policies or initiating their own “return to work” programs. Because this is such uncharted territory, many organizations have been engaging in dialogue about how to safely bring their employees back to the workplace. Of course, this reintroduction is occurring under a “new normal” regulatory schema that intends to maintain employee privacy.

The COVID-19 pandemic has challenged the healthcare sector in unimaginable ways and as a consequence, government regulators have been forced to make seemingly instantaneous changes to complex laws (and/or issue additional guidance) in a host of compliance areas including HIPAA, the ADA, and other EEO Laws.

Per HIPAA, employee records are distinct from patient records, even if the information in your employee record is health-related (a doctor’s note or other health information pertinent to sick leave, workers’ compensation, etc.). However, the Americans with Disabilities Act (ADA) requires all medical information about a particular employee to be stored separately from the employee’s personnel file, while also requiring limited access to this confidential information. In any healthcare organization, there are certainly instances when an employee has become a patient, maybe even a COVID-19 patient in this current climate. In such cases, there might be sensitive details related to the employee’s health in both their employee medical record and their patient record. HIPAA and ADA protections would apply, but it is important to ensure the organization has policies in place to monitor and protect both silos of information, as well as to define who within the organization needs to have access to or knowledge of the employee’s health situation.

Healthcare Privacy Officers work to ensure patient medical data are protected. Employees who are patients have unique privacy interests that should not be overlooked when developing any new policies or protocols. Policies on what information should be disclosed to managers and co-workers about an employee’s absence, for example, can ensure the proper care is taken to meet compliance regulations. Similarly, technology is needed to monitor for abuse of access rights, such as when employees snoop on medical records.

One way to ensure the privacy of patient and employee medical records is upheld is to implement a technology solution that can help Privacy Officers carry out these policies. Machine learning solutions like Maize Analytics Patient Privacy Monitoring solution assist Privacy teams in monitoring for inappropriate uses of medical data by learning how to differentiate normal from irregular access patterns.

The Maize Privacy Monitoring solution also includes a contact tracing system that leverages the access log to identify employee exposure and trace back infections. Contact tracing allows healthcare organizations to quickly notify employees who have come into contact with a patient who later tests positive for COVID, or even comes into contact with another employee who later tests positive. Being able to take action early is essential to protect the health and privacy of employees.

Inappropriately accessing medical records is an ongoing issue, even during the current COVID-19 pandemic. With hospitals at the center of the response, and also a place where the virus is likely to spread, it is important that policies, procedures, and systems are put in place to track inappropriate access to patient records, including employees snooping on co-workers’ COVID statuses.

The U.S. Equal Employment Opportunity Commission (EEOC) has published a list of resources on what employers should know about COVID-19, the ADA, the Rehabilitation Act, and other EEO laws that can be useful for Privacy Officers and compliance teams:

https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws


Source: https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html

Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP


Engagement with Executive Management: How to Arm Compliance with Specific Data That Informs Decision Making

I was recently listening to a webinar when someone asked a question that I often ask: “how do I get business executives to care as much about compliance as I do?” I expected the answer to be the same one I have heard a hundred times: “you have to make them understand the risks… you have to make sure they understand the potential for personal liability… you have to explain the government’s expectations… etc.” The answer the speaker gave was more insightful; she said, “you can’t”. She went on to explain that if you, as the compliance officer, are not the individual in your company who cares most about compliance, who is the most excited about your compliance program, then you are probably in the wrong position.

I think rather than asking how to get business executives excited about compliance, we should ask how we can frame our compliance metrics in a way that supports the things that make the business executives really excited about the work compliance does.

Metrics: What’s Important to Executives?

Many of us in the compliance field produce benchmarking data for the board and executive management teams. A small sampling of typical metrics include:

  • Number of hotline calls received (by location, business unit, anonymous/identified, allegation, etc.)
  • Length of time to respond to hotline call
  • Source of hotline awareness
  • Number and type of privacy violations
  • Number of active compliance investigations (by type, location, allegation, etc.)
  • Length of time to close investigation
  • Number of training programs delivered
  • Training completion rates
  • Policy dissemination acknowledgements

While these metrics can give important information about the performance of the compliance program, they don’t really convey meaning to the executive team or show the program’s impact on the business. I would argue that it is often difficult to engage executive management in your compliance program because you are not providing them with any information that is framed in a manner that helps them manage their critical strategic and operational priorities.

So, let’s think about some of those business priorities. In my experience, healthcare executives are focused on quality, revenue, costs, growth, patient, employee and physician satisfaction, and reputational, financial and operational risk. How do you use these priorities to effectively show executives what is going well in your compliance program and what requires their attention? How can your metrics help executives understand their risk position? How do you help executives establish a meaningful risk tolerance level?

To answer these questions, you first need to determine the types of data you will provide. Generally, there are two types of metrics: process metrics and outcome metrics. 

Process Metrics and Outcome Metrics

Process metrics are those data that show program effectiveness (hotline reports received, number responded to timely, trainings completed, policies distributed, etc.). Process metrics should include an indication of how the measure is trending over time and some indication of criticality to help your executives understand those data that require their attention, those that don’t, and those that should be celebrated.

Outcome metrics are those data that show the results of your auditing, monitoring, and investigation programs which address specific risk areas (new physician coding audit, focused claim coding audits, employee access audit, etc.). Outcome measures should be tied to your risk assessment priorities and are often easier to align with strategic priorities.


Gather and Connect Metrics

Your metrics should derive from the seven elements of an effective compliance program, your risk assessment priorities, and specific risk areas. It is important, however, that you don’t try to use data to develop metrics for every aspect of your compliance program. Remember, your executives are getting data from various departments across the organization, and data fatigue is a very real problem. Copious amounts of data will cause your executives’ eyes to glaze over, and the message you are trying to convey will be lost.

Consider aggregating some of your department data into a few key metrics that can drive a story aligned with the organizational strategy. For example, you may want to take all of your compliance program effectiveness measures and provide a single effectiveness score which can be trended over time. Similarly, you can take specific risk area measures that affect one of the key strategic priorities and aggregate them into a single strategy score (i.e. provide a Readiness for Growth measure that combines your auditing results that affect Growth).

Keep in mind that not every audience requires the same data. Your Compliance Committee may need significantly more information about specific reporting elements than other members of your executive management team. Know what actions, decisions, or discussion you want to elicit from the group and tailor your data and metrics to the audience’s charter.

Finally, consider how to connect your information with other information gathered by the organization. For example, if Quality is collecting information specific to patient satisfaction, think about how your data may inform the quality data. Are you seeing more hotline calls coming in from units that are reporting poor patient satisfaction? Are you seeing more data breaches from units that are reporting poor patient satisfaction? When you can integrate your data with other data collected in the organization, executives can better understand what the data means on an overall scale.


Engage Executives

To engage your executive management in your compliance program, you need to provide them with information that can help inform their strategic priorities. This approach requires a different mindset by compliance officers. Most compliance data provided to the executive team is designed to express potential compliance risk without being tied more closely to the organization’s strategic priorities. However, the data you provide should include both process measures and outcome measures, and it should be tailored to the audience you are presenting the information to. By aligning your compliance metrics with the organization’s strategic priorities, you are seen as a partner in achieving organizational goals rather than just managing goals separate from the rest of your organization.

As your organization’s compliance professional, you have a lot of data available to you. Your challenge is taking all that data and leveraging it into meaningful and actionable information for your executives that aligns with the organization’s strategic, financial, and operational objectives. This engagement will form the partnership you need to minimize risk and grow your program’s visibility.

OIG HHS Healthcare Compliance Program Tips 

Margaret has over twenty years of experience in healthcare compliance, including roles as Chief Compliance Officer for large integrated health systems providing services in multi-state geographies. She is recognized as an industry thought leader and speaker, including addressing the US Senate Finance Committee and other government agencies. Margaret is also the past President and current member of the Board of Directors of the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), supporting and promoting integrity programs nationally and internationally.