Attachment 1

HIPAA Questions – Student Records:

Medicaid Billing

  • What is HIPAA’s applicability for school districts that bill electronically for Medicaid and insurance?
  • With regard to electronic Medicaid billing, our state department of health has issued Trading Partner Agreements with scary indemnification clauses — what is the requirement of school districts with regard to these agreements?
  • In New York State there is an extended health program where nurse practitioners employed by a school district may diagnose illnesses and prescribe medications to students.  Medicaid billing does occur.  The nurse practitioner, a district employee, in diagnosing and prescribing medications is performing services much like those of a school based health clinic. Diagnostic notes and copies of prescriptions are kept in the student’s health record.  In such an instance would HIPAA or FERPA govern?
  • There are several reoccurring concerns that have come up at the national Medicaid/Education meetings that I have attended. Our problem is we are continuing to get various responses depending on who you ask when. The areas that are apparently impacted by HIPAA include 1) school clinics, especially when Medicaid is billed for services; 2) medical services provided by school personnel and billed to Medicaid, but not addressed in the student’s IEP; 3) services billed to Medicaid that are part of the student’s IEP (evaluations…OT…PT…Speech…). The information that we have gotten from the Office of Medicaid Policy and Planning is that school corporations that seek Medicaid reimbursement would be considered “Covered Entities” under HIPAA.
  • With respect to the HIPAA/FERPA Medicaid issue, if the school is not the one doing the electronic transfers but has hired a third-party or vendor to do this, what is the school required to do in that situation with respect to the HIPAA rules, if anything?  Is a business associate contract required in this case?
  • Because the FERPA schools were billing Medicaid years before HIPAA came along, the HHS must have allowed the practice to continue when they excepted FERPA records from the PHI definition.  The preamble states they did not want two sets of rules to govern and that FERPA is sufficient.  Thus no need to comply with the Privacy rules.  (There was no mention that all records, except Medicaid records, are out of PHI definition).  While it may make sense to comply with the EDI codes standards so we can bill with standard codes that Medicaid will require to accept transaction, this does not mean we should have to comply with all of the Administrative Simplification requirements of the privacy rules.
  • The biggest question in my opinion is: Does the School Board lose the protection of the FERPA exclusion in the definition section of PHI in the privacy rules because they bill Medicaid electronically for ESE students? If privacy rules still trump HIPAA under this billing situation, then does the Board still have to comply with the electronic code sets by October 15, 2003?
  • The tough question is when School Boards bill Medicaid for therapy, etc. Maybe the electronic standards are applicable because they have to be able to get computers to talk to each other in same code transactions. But I have not seen any contracts that take the records out of the school’s FERPA files. I would think then the health care provider who possesses these files and treats the kids is the covered entity (if there are electronic transactions such as billing).
  • I am of the firm opinion that in public schools FERPA trumps HIPAA’s privacy rule even when the nurses are billing Medicaid. The definition of PHI specifically excludes student records. The Preamble makes a few references to the DOE working with HHS, so there will not be two sets of rules.
  • The applicability of HIPAA to districts that bill for Medicaid services is a major issue for us.  For many districts, that would be the only basis for coverage.  One district told me that the information the districts transmit to Medicaid is not personally identifiable.  In other words, they maintain PHI, most of which is a FERPA record, and bill for their services, but the information they use for billing purposes does not contain PHI.  Does that impact the HIPAA-applicability analysis?
  • My hope is that OCR will say that FERPA governs all student education records, including records on the student kept by the school nurse, school clinician services and even Medicaid billing.
  • We have taken the position that any medical information maintained by the school district we represent would meet the statutory definition of “education record” and, therefore, is not PHI.  Therefore, the privacy rules under HIPAA are not applicable.  However, the district would be required to comply with the EDI rules when submitting information to Medicaid electronically.
  • If the school has a special education program and bills Medicaid for the special education services through a clearinghouse, what is the status of the clearinghouse in the following example:  If the school is not a covered entity and the Medicaid bills are not PHI and the clearinghouse only processes this type of bill, is the clearinghouse a healthcare clearinghouse subject to HIPAA privacy?  In other words we are wondering whether receiving FERPA data for processing to Medicaid would cause the clearinghouse to become a HIPAA-covered entity because it is converting the school’s claims into standard transactions.
  • If a school district submits electronic transactions for Medicaid services, to what extent are they required to comply with HIPAA? The standards are one thing but there is also extensive training and awareness that needs to occur. Also, how do you identify who needs to be trained? How do schools take on the financial burden of compliance? The burden may potentially outweigh the actual Medicaid benefits received for the medical services. Have any guidelines or procedures been published for schools that will help with evaluating current practices and the scope of changes and costs needed for compliance?
  • It is our reading of the preamble to the December 2000 final HIPAA regulations that if a school or school employee engages in a “HIPAA transaction,” (defined in the Code of Federal Regulations as “the transmission of information between two parties to carry out financial or administrative activities related to health care,” including filing claims), the school becomes subject to HIPAA regulation. Such transmissions also would presumably be subject to the electronic security regulations for HIPAA. As to whether any guidance exists specifically for schools, we have not yet found any.
  • Many school districts receive reimbursement for health care provided to students who are Medical Assistance recipients.  The districts provide health care, document the health care provided, and transmit the provider information to a company that then submits the provider information to the state department of public welfare for the release of funds into a special account maintained by the state department of education for the school district.  The districts sometimes submit their service provider information to the company on paper, but many do so electronically; however, when the company transmits the districts’ information to DPW, they do so in electronic form.  It appears that this arrangement causes the school districts to qualify as “covered entities” as health care providers because:  (1) they provide health care; (2) through the company, the school districts engage in a HIPAA standard transaction (i.e., payment) in electronic form.  Some guidance from HHS on this arrangement would be helpful.

FERPA Education Records / HIPAA PHI

  • It appears from language in the Final Privacy Rule regulations, issued in December of 2000, that HHS believes that if an educational institution is subject to FERPA, then all of the student health information in its possession would be subject to FERPA’s privacy scheme as an educational record, and therefore would not be “protected health information” (PHI) under HIPAA.  This is implied by the following passage from the final rule that discussed the relationship between HIPAA and FERPA:

    “These exclusions are not applicable to all schools, however.  If a school does not receive federal funds, it is not an educational agency or institution as defined by FERPA.  Therefore, its records that contain individually identifiable health information are not education records.  These records may be protected health information.  The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction.”  65 FR 82483 (December 28, 2000).

    This passage and the remaining text regarding FERPA in the Final Privacy Rule have caused many school attorneys to conclude that so long as the educational institution is subject to FERPA, then all of the student health information in its possession would be excluded from the definition of PHI.  Two potential problems with this interpretation, and areas where HHS should issue guidance:

    1. The Privacy Rule regulations do not exempt “educational institutions” or educational institutions subject to FERPA; the regulations only exclude student health information in FERPA “education records” from the definition of PHI.  There is, therefore, no categorical exemption for FERPA-covered educational institutions.  If those institutions otherwise meet the definition of a “covered entity” as a “health care provider,” then there is no categorical exemption from the administrative requirements of the HIPAA Privacy Rule (i.e., creation of a privacy policy, designation of privacy official and contact person, issuance of Notice of Privacy Practices, etc.).  If it is the intention of HHS to categorically exempt FERPA-covered educational institutions from compliance with the HIPAA Privacy Rule, then the Privacy Rule regulations (45 CFR Parts 160 through 164) should be amended to provide for this explicitly.
    2. Assuming that an educational institution otherwise meets the definition of a “covered entity” as a health care provider, the Privacy Rule only excepts student health information in “education records covered by the Family Educational Rights and Privacy Act.”  45 CFR 164.501.  The FERPA definition of “education records,” however, contains an exception which provides that “records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute” do not qualify as “education records.”  See 20 U.S.C. 1232g(a)(4)(B)(i).  This exception to the definition of educational records could apply to a school-employed psychologist who keeps treatment notes of a student for the psychologist’s own “memory jog” for the next time he or she treats a student; those notes could contain individually identifiable health information about a student.  Because the treatment notes fall under an exception to the definition of “education records” under the FERPA statute, but do contain individually identifiable health information, then those notes would qualify as PHI and must be kept confidential pursuant to the Privacy Rule.  HHS apparently recognized that the definition of “education records” in FERPA does not cover all forms of student health information held by educational institutions when they specifically created the exemption for “records described at 1232g(a)(4)(B)(iv)” (i.e., student health records at post-secondary educational institutions) from the definition of PHI; however, HHS may not have considered the situation I have just described, and should address this.
  • Exactly where is the line of demarcation drawn between health-related information that is considered part of the education record versus that which would be considered part of a child’s medical record?  Of particular note would be those items of health-related information that might be routinely collected, but not specifically enumerated under FERPA.  If/when such a distinction is drawn, should such health related records (i.e. educational versus medical) be kept in a separate section of the student’s “medical” file?
  • My hope is that OCR will say that FERPA governs all student education records, including records on the student kept by the school nurse, school clinician services and even Medicaid billing.
  • Assuming student records are not entirely exempt from HIPAA, where privacy protections under state law are at least as protective as FERPA, and where the state law applies to more student records than those defined as “education records” under FERPA, are these additional student records, or should they be, exempt from HIPAA’s requirements?
  • The HIPAA question that I get most frequently is whether notes maintained by the school nurse and kept in her office are student educational records subject to FERPA, medical records or personal health information subject to HIPAA, or “personal notes” (which would contain PHI and would perhaps be subject to HIPAA, but in the nurses’ opinion not be an educational record). The nurses claim that only when the PHI is put into the student’s permanent record (as the immunization record is) does it become a student educational record.
  • “Oral records”: the commentary to the Privacy Rule indicates that it applies to oral communications.  Our understanding, from FPCO, is that FERPA does not apply to oral communications, or information gleaned from first-hand observations.  What if the school nurse learns that a student is pregnant, but does not make a record of this information?  Is the information protected by HIPAA from disclosure to, e.g., school administrators?  What if she does make a record: is the information now a FERPA record that an administrator can access?
  • If an entity, such as a school district, meets the definition of a covered entity, but does not have any information that falls within the definition of PHI, are they required to comply with the regulations?
  • I suggest that the issue be approached as a special education issue rather than a medical issue.  FERPA exempts medical treatment records from the definition of educational records.  Federal courts have ruled under IDEA that schools must provide certain medically related services and have refused to recognize that schools may be providing a medical service.  IDEA specifically makes the medical services diagnostic and evaluative:  20 U.S.C. 1401.  Definitions.  (22) Related services. The term “related services” means transportation, and such developmental, corrective, and other supportive services (including speech-language pathology and audiology services, psychological services, physical and occupational therapy, recreation, including therapeutic recreation, social work services, counseling services, including rehabilitation counseling, orientation and mobility services, and medical services, except that such medical services shall be for diagnostic and evaluation purposes only) as may be required to assist a child with a disability to benefit from special education, and includes the early identification and assessment of disabling conditions in children.  Perhaps medical services being billed to Medicaid that are not a part of a medical clinic are not recognized as medical services under IDEA.  If HIPAA recognizes these billed services as medical services by the schools, then maybe these services should not be offered under IDEA.  The same Congress made both laws, so did they intend to allow the regulators to create conflicts in the application of the law?
  • May a school nurse send a list to all teachers that identifies the student and the student’s disability or limitation? Is such a document covered by HIPAA or FERPA?
  • Health information in school records and oral communications that are not covered by FERPA. In NC, we have some public school systems that are covered entities. Much of the individually identifiable health information in those records is excluded from the definition of PHI, because the information is an “education record” as that term is defined by FERPA. However, schools often also have individually identifiable information in records that are not education records under FERPA.  For example, FERPA’s definition of education record excludes sole possession notes. Thus, any individually identifiable health information in sole possession notes appears to be PHI and it must be protected in accordance with the privacy rule. This is an odd result, because sole possession notes are already extraordinarily private.  Note that some treatment records of older students are excluded from the definition of PHI even though they are not protected by FERPA, because those records are already extraordinarily private. The same rationale would seem to apply to sole possession notes, but sole possession notes are not excluded from the definition of PHI.
  • Furthermore, if sole possession notes are PHI subject to the privacy rule, individuals have a right to access, inspect, and obtain a copy of those notes. However, if an individual exercises that right, the notes cease to be sole possession notes, because they have been disclosed to a person other than the maker of the notes. At that point, they become education records under FERPA and are no longer PHI. Not only is this an odd result, it can defeat the purpose of maintaining sole possession notes, depending on the circumstances. For example, some school nurses maintain sole possession notes to document referrals of students for confidential health services such as family planning or STD diagnosis and treatment. If this information is included in an education record, the student’s parents have a right to inspect the information, and the care is no longer confidential.
  • We are concerned about oral communications of individually identifiable health information in schools. When those oral communications involve information that is in an education record (as that term is defined by FERPA), they are subject to FERPA and, we assume, not PHI. However, if the oral communications involve information that is not in an education record, they appear to be PHI. For example, suppose I tell my daughter’s teacher that she complained of ear pain in the morning and I would like to be notified if she continues to complain about the pain during the day. That information may never be documented anywhere, or it may be documented only in the teacher’s sole possession notes, so it never becomes an education record subject to FERPA. It is difficult to develop policies that treat such communications as PHI, but apparently that is what must be done. One solution is to conclude the school is a hybrid entity and designate the health care component carefully to exclude these kinds of foreseeable communications, but this is cumbersome and the lines can be difficult to draw.

Nurses / School-Based Clinics / Health Care Providers

  • Is a school nurse considered a “health care provider” under HIPAA and if so, is a school based health clinic considered a “covered entity” under HIPAA, and if so is health related information collected by the school based health clinic (but unrelated to any school or educational need for information) considered “protected health information” under HIPAA and should it be treated as such?
  • How is the school nurse (especially when the school nurse is employed by the county health department and not the school district) supposed to be handled under HIPAA?

School Access to Information / Authorizations

  • If parent/student signs a HIPAA compliant authorization for their pediatrician or primary care provider to release “protected health information” to the school (e.g. reports from physical examination for clearance to participate in sports), then in order for such authorizations to be HIPAA compliant (from a health care provider perspective) the authorization must be limited in both duration and scope, but this limitation is not clearly defined.  An administrative tension arises when health care providers are repeatedly asked to provide such authorizations for the same patient/student.  Does the phrase “for the duration of the student enrollment in XYZ school system” constitute an adequate (i.e. HIPAA compliant) limitation on the duration for such an authorization, or must greater frequency be utilized? Similarly does the phrase “for such purposes as are reasonably deemed necessary by and for the XYZ school system for participation in XYZ school system sponsored activities” constitute an adequate limitation on the scope of the authorization?  Alternatively, should authorizations read something like for the purposes of providing clearance for participation in school sponsored sports, for the academic year 2003-2004?
  • We are starting to get a number of questions from school nurses regarding HIPAA.  The nurses are concerned about student health records they receive from physicians and health plans.  The practice has been to place them in the student’s file and treat them as student records under FERPA and state law.  Only authorized employees of the school district are allowed to see the health records.  School nurses are also concerned about the difficulty of receiving student health records from physicians and clinics.  Due to HIPAA, physicians and clinics are very concerned about sharing information.  Each clinic is developing its own release form and will not accept a school district release form.
  • Anything OCR can do to simplify the process and make records subject to FERPA rather than HIPAA once we receive them would be helpful.  Their focus should be not only on protecting confidentiality (which is important), but also on the confidential ease of sharing information among agencies for the benefit of the student.  Slowing things down and putting procedural hurdles in the way will harm students and delay services to students.  The emphasis should not be on “excellent” and cumbersome paperwork so that OCR can more easily audit agencies for compliance.
  • How is a school district supposed to handle Business Associate Agreements from service providers that specifically require HIPAA policies and procedures be implemented (i.e., hearing aid providers or providers of other services like evaluations or testing, or equipment to students)?  I would prefer the answer to be that a school district can inform the Business Associate that the school’s compliance with FERPA and IDEA meets the HIPAA requirements.
  • Understanding that “protected health information” per HIPAA excludes education records covered by FERPA, are those records still considered “covered” by FERPA where their disclosure is allowed without consent in the circumstances listed at 34 CFR 99.31 & 99.36? Or, because the FERPA protections of required consent, notice, etc. do not apply under those circumstances, does that mean they are not covered and thereby make such records in those circumstances subject to HIPAA regulation where they contain health information?  There has so far been no guidance from either OCR or the FERPA compliance office in the U.S. Department of Education. The option for full disclosure of student “education records,” including health information, to anyone in a school who is believed to need them in order to provide education appears to be contrary to privacy protections in HIPAA, but the issue will probably not be resolved until someone files a complaint.

Third Party Entities / Outside Services

  • If the school has a special education program and bills Medicaid for the special education services through a clearinghouse, what is the status of the clearinghouse in the following example:  If the school is not a covered entity and the Medicaid bills are not PHI and the clearinghouse only processes this type of bill, is the clearinghouse a healthcare clearinghouse subject to HIPAA privacy?  In other words we are wondering whether receiving FERPA data for processing to Medicaid would cause the clearinghouse to become a HIPAA-covered entity because it is converting the school’s claims into standard transactions.
  • If the school provides and pays for an outside psychological evaluation, is this covered by HIPAA or FERPA?
  • Are home services (special education) covered by FERPA or HIPAA? If covered by HIPAA, does the district need to enter into a business associate contract with the provider of such services?
  • How does a district protect itself from disclosure of protected health information of students by an athletic doctor or athletic trainer? What information can the team doctor/trainer provide to coaches? If the doctor does not bill the district electronically, is the district bound by the HIPAA regulations?
  • School nurses are sometimes employed by a hospital or health department, rather than the school system. They provide school nursing services through arrangements that may be formal (contractual) or informal. In most cases, the hospital or health department that employs a school nurse is a covered entity. The school system is sometimes a covered entity as well.  In these circumstances, is the school nurse a member of the workforce of the covered entity that employs her or a member of the workforce of the school system for which she performs services?  If she is a member of the workforce of a hospital or health department that is a covered entity, does she carry the obligations of the HIPAA privacy rule with her when she performs duties for the school? We have been assuming that this is possible. We have advised local health departments that employ school nurses that, if they determine they are hybrid entities and designate their health care components, they may wish to consider excluding the school nursing program from their health care component (provided the school nursing program does not transmit health information electronically in connection with a HIPAA transaction). However, this option may not be available for hospitals, which may not be eligible for hybrid entity status.
  • What happens when a school nurse is not an employee of the school system, but rather an employee of the local department of health and is working in the school through an interagency contract? Do HIPAA or FERPA standards and regulations apply? Is the health record under the jurisdiction of the health department or the school system?

Miscellaneous School Issues

  • Employee discipline:  In a teacher disciplinary hearing, may an attorney disclose a student’s health information without parental consent?
  • Foster children: If school nurses and school based health clinics are “health care providers” and “covered entities” respectively under HIPAA, then is there guidance available as to what should be done in the instance of foster children, whose biological parents often retain legal decision making powers yet whose foster parents often perform most of the actual parental functions?  HIPAA states, in general, that control of one’s medical records generally follows the control over consent to the underlying medical encounter or procedure, which in this case would rest with either the biological parent or the student/patient, depending on the circumstances, but not the foster parent.
  • Physical exams: If the district requires students to submit to physical exams as a condition of participation in extracurricular sports, are they unlawfully requiring them to waive their HIPAA rights?
  • Are scoliosis exams covered by HIPAA?
  • Internships / Vocational students:   Are school districts “business associates,” with which hospitals must enter into agreements, where students of the schools participate in vocational training programs sponsored by hospitals (e.g., “candy stripers”)?  Hospitals have been insisting that districts sign these agreements, which is frustrating to the districts because they do not receive PHI from the hospitals (the students do) and they have no control over the students.
  • How are schools supposed to handle student work-study programs and internships in the health field and potential exposure to patient records?  I would prefer the requirement on schools to be training the student to keep patient records confidential but placing the burden on the medical field placement to ensure student compliance with HIPAA.
  • Child Abuse records: How about school’s reporting child abuse or neglect and any record associated with that report?  Besides the state laws confidentiality requirement for those reports, I assume that FERPA rather than HIPAA would apply to those records.
  • Emergency Information:   Can a student “Emergency Contact Information” card list a child’s disabilities and/or limitations (asthma, allergies, etc.)?  Who should have access to such information?  Is such an emergency card part of a student’s education records under FERPA, or is it governed by HIPAA?
  • Athletics:  How does a district protect itself from disclosure of protected health information of students by an athletic doctor or athletic trainer? What information can the team doctor/trainer provide to coaches? If the doctor does not bill the district electronically, is the district bound by the HIPAA regulations?
  • May a school district require an athlete to submit an authorization for the release of health information for treatment purposes as a prerequisite to a student athlete’s participation on a team? Does the authorization have to be injury specific, or can it provide for all injuries that occur during the student athlete’s involvement with the team? Does such an authorization have to be obtained from the parent?
  • Must a district enter into business associate agreement with its athletic doctors?
  • Immunizations:  Are immunizations covered under HIPAA?
  • Migrant students:  The No Child Left Behind Act requires a district to provide records on migrant students immediately to states and districts.  How should this requirement be reconciled with FERPA and HIPAA privacy requirements?