American College Health Association (ACHA)
Testimony by Joan Kiel, PhD, CHPS
ACHA HIPAA Committee Chair
Hearing of the National Committee on Vital and Health Statistics
September 15, 2006
Good Morning. My name is Joan Kiel and I am the designated spokesperson for the American College Health Association regarding the application of the Health Insurance Portability and Accountability Act (HIPAA) and medical records privacy protections to colleges and universities. In addition, I am the Chairman of University HIPAA Compliance for Duquesne University in Pittsburgh, Pennsylvania. Lastly, I am the Chair of the American College Health Association HIPAA Committee.
Since its inception in 1920, the American College Health Association has been dedicated to the health needs of students at colleges and universities where the vast majority of students are over the age of 18 and are considered adults. ACHA is the principal leadership organization for the field of college health and provides services, communications, and advocacy that help its members to advance the health of their campus communities. ACHA’s membership has grown from the original 20 institutions of higher education to more than 930. These member institutions represent the diversity of the higher education community — two and four year, public and private, large and small.
Today, I will discuss with you:
- the uses of medical records in colleges and universities,
- suggestions for how the potential expansion of protections for medical records might affect colleges and universities, either positively or negatively, and
- recommendations on the adoption of medical record protections.
Regarding the first issue: colleges and universities are a community of people. Therefore, the student health service functions as a community-based health care provider practice. The medical records at the student health service may serve a varied population. Medical records are maintained for ongoing treatment and evaluation of students, and in some cases, family members, faculty, and staff.
- Student health services frequently refer students to specialists in the community. If a student is a commuter or their health care provider is nearby, the student health service will be in communication with the health care provider. These external providers simply assume that the student health services are under HIPAA. When these health care providers request medical records for treatment purposes, the student must sign an authorization for this release. This is often confusing for the student and the college health service staff — as well as a possible barrier to efficient communication to the staff to which the student is referred.
- Medical records are kept on immunizations for state immunization laws. When students participate in a practicum or internship –especially in a health care setting –the student medical record is referred to.
- Faculty often desire information from the medical record. They may want to verify why a student is not in class and determine if the illness is chronic or long-term. They may need to know what the ultimate effect will be on the student’s performance in the class. Under FERPA regulations, student health services could theoretically release a student medical record to a faculty member without obtaining the student’s consent. However, FERPA will not allow release of a student medical record to another health care provider for treatment purposes without a patient authorization. Thus, considering clinic records maintained by the student health service education records under FERPA, instead of medical records under HIPAA, is confusing and unsubstantiated and must be further analyzed.
- Some health services work with their Department of Athletics to provide pre-screening physicals for athletes and monitor follow-up care. Health services also provide treatment for faculty and staff for on the job injuries. Here is where confusion may arise — if the health service engages in one of the HIPAA electronic transactions (45CFR160.103), then employee records are under HIPAA and student records are under FERPA. The confusion arises when the individual is both a student and an employee.
Regarding the second issue: the potential expansion of protections for medical records could have positive or negative effects for colleges. On the positive side, under HIPAA, people who do not have a “need to know” will not be able to access the record, nor have a right to the information contained herein. The law also protects the student health service staff as they can simply say, “the law says that you can’t have the record.” The students’ confidentiality is protected and the potential for discrimination is mitigated. The health service must respect students’ right to privacy or they won’t use the health service even in emergency situations — which can then cause further harm.
On the negative side, even cases that have gone to court have not resolved the HIPAA FERPA intersection. In Shin v. MIT, the case was settled out of court and thus the court had no occasion to rule on the HIPAA FERPA issue. In Allegheny College v. Mahoney, the college was found not negligent, and the only mention of the HIPAA FERPA intersection was that “policies will be looked at,” but that is on a voluntary basis not a court order. Thus, it is imperative that if the courts cannot settle the HIPAA FERPA intersection, then the laws need to be rewritten for all to clearly understand. For as of now, under HIPAA, information is shared for treatment, payment, and healthcare operations or if the patient consents. Under FERPA, information can be shared if the student’s life is in danger. That is a gray area. The questions arises as to “at what point does one tell others.” If one is right then they may save a life; but if one is incorrect, this can upset the student and break their trust. It is a tough judgment call.
Regarding the management of student health records, many student health services received legal opinions regarding compliance with FERPA and HIPAA that informed them that student health services must ensure compliance for student records under FERPA or state law, and non-student records would be governed by HIPAA. Many student health services are now in the unenviable position of having three different standards with which to adhere: students records maintained and accessed solely by the health care provider are governed by state law; student records released for any reason including patient authorization are governed by FERPA; non-student records (such as university employees, faculty, non-student spouses) are governed by HIPAA. An option then is for a college health service to discontinue providing services to non-students (such as, spouses, summer camps [band, athletic, etc.], visiting scholars, athletic interns, J-1 visa scholars). This option allows them to follow only FERPA or state law. This certainly is not an optimal solution as it decreases healthcare access and services to the campus community not to mention the lost revenue.
Another potential negative aspect concerns accreditation for college health services. There are many college health services that are accredited by the Joint Commission on the Accreditation of Healthcare Organizations, (JCAHO), and the Accreditation Association for Ambulatory Health Care (AAAHC). Both organizations are moving toward HIPAA regulations as part of the general survey requirements. Will college health services not be accredited because they are not able to meet the HIPAA requirements if they do not engage in one of the electronic transactions? Accreditation is important to student health services as it indicates a commitment toward excellence in health care that parents expect for their students attending a college or university.
Regarding the third issue: adopting protections for medical records are not seen as being easy or burdensome, but more so as necessary to ensure quality care and protect patient privacy. It needs to be reconciled that if HIPAA is the “national privacy standard” in health care — as it has been deemed –then why are student medical records exempt under HIPAA?
It is the request of the American College Health Association to specifically address the implementation issues of HIPAA, FERPA, and State laws in our college and university health centers. Our changes to the regulations are as follows:
- Change the FERPA regulation’s definition of “exception to education records.” The exception to education records (20 U.S.C. 1232g (a)(4)(B)(iv)) for medical records, held at institutions of higher education, needs to be broadened in scope beyond the provider/patient relationship. The exception needs to include the records even if they are released outside of the provider/patient relationship. This change in definition would exempt any medical record created by a college or university health service from FERPA, leaving the institution to comply with state law if they do not perform any listed electronic transactions –or solely to comply with HIPAA if they do submit any listed electronic transactions.
- Change the HIPAA regulation’s definition of Protected Health Information (PHI) to include medical records held by colleges or universities – institutions of higher education. The definition of PHI in HIPAA at 164.501 needs to be changed to eliminate the FERPA exception of medical records held by institutions of higher education (20 U.S.C. 1232g (a)(4)(B)(iv)). These two changes would allow medical records held at institutions of higher education to be included in PHI under HIPAA and would remove their coverage under FERPA. This would eliminate the dysfunctional intersection of these two regulations. We believe this would meet the intent of both of these regulations, to protect the privacy of medical records held by colleges or universities. The end result being that any college or university student health service falling under the HIPAA regulations by virtue of them performing any of the listed electronic transactions, would automatically treat ALL of their medical records under one privacy standard, HIPAA.
Thank you for the opportunity to present our concerns and requests.