Good morning.  My name is Laura Manley Knoblauch.  I am here as the designated spokesperson for the American College Health Association with regard to the Privacy Rule under HIPAA. I am a member of the American College Health Association’s HIPAA Task Force. The American College Health Association represents 2,624 individuals and 955 institutions and is the principal leadership organization for the field of college health. College and university health services provide health care services to 15.3 million students. I work for Illinois State University where I am the Assistant Director of the Student Health Service and the University Privacy Officer.  I hope to relay to you today concerns that college and university health services are experiencing in their efforts to comply with the Privacy Rules of HIPAA as well as complying with the Family Education Rights and Privacy Act (FERPA) and, in some cases, state law for student medical records.

Before I begin stating our dilemma, I must say that not all student health centers are faced with HIPAA compliance because not all institutions perform any of the electronic transactions triggering the application of HIPAA.  Many of our student health services are smaller and do not bill for services or file insurance manually or electronically.

However, for those student health centers who do perform electronic transactions, we have been seeking legal interpretation on how to comply with HIPAA.  Because most of our institutions receive federal funding, they are also covered under FERPA. The intersection of these two pieces of legislation, has been the subject of much discussion and interpretation. Great disparities have resulted in how college and university health centers across the country have dealt with the issues created by the HIPAA regulations. Implementation efforts fall along the spectrum of implementing only HIPAA, following only FERPA, or some convoluted combination of the two regulations.

Many student health services received legal opinions regarding compliance with FERPA and HIPAA that informed us that student health services must ensure compliance for student records under FERPA or state law and non-student records would be governed by HIPAA.  In addition, the January 2003 FERPA teleconference sponsored by the Department of Education reinforced these legal opinions.  Many student health services are now in the unenviable position of having three different standards with which to adhere:  students records maintained and accessed solely by provider are governed by state law; student records released for any reason including patient authorization are governed by FERPA; non-student records (such as university employees) are governed by HIPAA.  Since we often release medical records upon patient authorization, we have to determine prior to the release both the patient’s status (student or non-student) and if the record has ever been released.  This has created a cumbersome and complicated system for medical record privacy and one that I don’t believe Health and Human Services (HHS) intended.

Student health services frequently refer patients to physician specialists in the community.  Those medical providers naturally assume we are covered entities under HIPAA.  When the specialists request medical records for treatment purposes, we must have the student patient sign an authorization for this release.  This is often confusing for the patient and our clinical staff as well as a possible barrier to efficient communication to the clinical staff to whom we refer.

Under FERPA regulations, student health services could theoretically release a student medical record to a professor without obtaining the patient’s consent; however, FERPA will not allow release of a student medical record to another health care provider for treatment purposes without a patient authorization.  In my opinion, to consider clinic records maintained by the student health service education records under FERPA, instead of medical records, is absurd and illogical.

As a result of the widespread confusion in the college health field, there is disparity in the way university health centers have chosen to grapple with the several sets of medical privacy laws we are charged to comply with.  For example, some university health services have implemented a “HIPAA only” approach for their non-student records.  Meaning that for their non-students they comply with HIPAA and for their students, they comply with FERPA. This has certainly simplified the process of complying, but it appears that student medical records are being held at a lesser privacy standard than non-student medical records.  If HIPAA is the “national privacy standard” in health care, which I believe it should be, why are student medical records exempt under HIPAA?

Some university health services have considered complying exclusively with HIPAA regulations and ignoring FERPA.  However, in some cases FERPA regulations are more stringent.  An example is that HIPAA allows release of information for treatment, payment and health care operations.  However, this would be a violation under FERPA.  This is one of the benefits available in HIPAA that would violate FERPA.  Legal experts have told university health services that, since FERPA is in some cases more stringent, we could not simply choose to comply with HIPAA as it is not a higher standard in all cases.  When we looked at the possible non-compliance penalties of HIPAA vs. FERPA we were told that a policy of compliance with HIPAA (instead of FERPA) – even though FERPA doesn’t levy fines – could result in Federal funds being withheld from the university if it was found to be in non-compliance.  A frightening thought to say the least for many institutions!

Still other University Health Services have addressed this complicated problem by opting to discontinue providing services to non-students (i.e., spouses, summer camps [band, athletic, etc.], visiting scholars, athletic interns, J-1 visa scholars).  This option allows them to follow only FERPA or state law.  This certainly is not an optimal solution as it decreases healthcare access and services to the campus community, not to mention the lost revenue.

Representatives of several University Health Services have attempted to contact the Department of Education and/or HHS, with questions regarding the HIPAA/FERPA intersection, we have received no official response.  In order to discuss our challenges with compliance and to formulate a solution, we put forth the following recommendation:

It is the request of the American College Health Association for this committee to identify a work group made of up representatives from the Department of Education, the Department of Health and Human Services, and the American College Health Association to specifically address the implementation issues of HIPAA in our college and university health centers. We believe the resolution of our issues will only be achieved through changes in both the FERPA and HIPAA regulations and that it will require involvement from all constituents to effectively make these changes.  The changes to the regulations might include:

  • Change the FERPA regulation’s definition of “exception to education records”. The exception to education records (20 U.S.C. 1232g (a)(4)(B)(iv)) for medical records held at institutions of higher education needs to be broadened in scope beyond the provider/patient relationship. The exception needs to include the records even if they are released outside of the provider/patient relationship.  This change in definition would exempt any medical record created by a University Health Service from FERPA, leaving an institution to comply with state law if they do not perform any listed electronic transactions, or solely to comply with HIPAA if they do submit any listed electronic transactions.
  • Change the HIPAA regulation’s definition of Protected Health Information (PHI) to include medical records held by institutions of higher education.  The definition of PHI in HIPAA at 164.501 needs to be changed to eliminate the FERPA exception of medical records held by institutions of higher education (20 U.S.C. 1232g (a)(4)(B)(iv)). These two changes would allow medical records held at institutions of higher education to be included in PHI under HIPAA and would remove their coverage under FERPA. This would eliminate the dysfunctional intersection of these two regulations and we believe would meet the intent of both of these regulations, i.e., to protect the privacy of medical records held by institutions of higher education.  The end result being that any University health service falling under the HIPAA regulations by virtue of them performing any of the listed electronic transactions, would automatically treat ALL of their medical records under one privacy standard, HIPAA.

Thank you for your time and consideration of our request.