Many college health centers are struggling with this issue right now. The conflicting priorities of both the federal and state/local laws have never been thornier. Under the provision of FERPA, any record generated by a college or university that receives federal monies (whether research dollars, financial aid, or some other form of money) is protected as an academic record. This record cannot be disclosed outside of the university except for certain defined scenarios, but within the university any person conducting the business of that university could presumably have access. Under the provision of HIPAA, any medical or counseling record (hereafter defined as a treatment record) is protected from disclosure without patient consent except in certain pre-defined conditions such as payment for care, continuity of care and so forth. Nobody should be accessing the treatment record unless they are involved in the healthcare process.
The issue arises when a treatment record is generated by a college entity such as a counseling or health center. Are such records HIPAA, FERPA or some hybrid variation? Many colleges answer this question by ignoring HIPAA completely and choosing to only follow the rules spelled out in FERPA. Some of these entities follow the HIPAA guidelines unofficially but ultimately FERPA will trump HIPAA in every case. This is a simple way of addressing the issue for the college but it makes it difficult to legally participate in other facets of care that are increasingly becoming common at the college health center, such as filing electronically, filing on Medicare/Medicaid, participating in a state or local Health Information Exchange (HIE) or other collaborations in the community. Other schools, like what we do here at the University of Texas, choose to follow a hybrid approach. Treatement records are considered HIPAA protected and would not be released without patient consent to any entity not previously defined by the law. However, our organization also participates in the academic record. For example, the State of Texas has immunization requriements for admission. Our campus health center processes these. Those records are FERPA records, however if the student subdquently becomes a patient, we may pull those records into the treatment record. At that point these immunization records might be both HIPAA and FERPA. It's a narrow tight rope.
Recently a case at the University of Oregon has brought attention to this thorny issue. The basic facts appear to be that a student accused three members of the university basketball team of raping her. An internal investigation cleared these students of the rape charge but subsequently charged them with "sexual conduct without consent" (I will not speculate what the difference might be as I'm not a lawyer). The players were dismissed from the team and the university itself. In the meantime, the student, feeling as if she did not receive justice in the case, sued the university of not handling her accusations properly. The university released her psychotherapy records to itself in order to create a legal defense, in essence attempting to use the private record of her post-rape therapy against her. The university backed down but strenuously claimed it acted well within it's rights under the terms of FERPA law. It would appear that FERPA law stipulates
"the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under Ferpa, both of which are excluded from coverage under the Hipaa Privacy Rule." -http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdfThe case is still playing itself out in one way or another. There are Oregon state legislators seeking to amend state law, and Oregon congressional reps hoping to close the perceived FERPA loophole. It remains to be seen what will come of it.
In the meantime, my take on the matter, admittedly heavily influenced by my own experience and values leads me to believe that just because FERPA says a university can do something doesn’t mean it has to, or should...experts argue. There is a definite line between what is technically legal and what is ethical. In the same article Brett A. Sokolow, executive director of the Association of Title IX Administrators is on record as stating
even if the university was legally entitled to the student’s therapy records, he said, "it is certainly a very aggressive use of Ferpa that is inconsistent with the normally obsessive adherence to privacy that colleges exhibit when disclosure does not serve their public-relations interests." -https://chronicle.com/article/Just-How-Private-Are-College/228229/>If I wanted to obtain my college records, I would expect to find transcripts, grade reports a GPA and other relevant items, I certainly wouldn't expect to find my health record. Conversely if I release my medical record to another healthcare provider, I would not think that that provider would be in receipt of my grades and course records. I think it will take a lot of thinking outside the box but I definitely think a college healthcare facility can operate in a FERPA environment as a HIPAA covered entity.
No comments:
Post a Comment