Testimony of Thomas Hutton
National School Boards Association
National Committee of Vital and Health Statistics
Subcommittee on Privacy and Confidentiality
February 19, 2004
On behalf of the National School Boards Association (NSBA) and its Council of School Attorneys (COSA), I thank the subcommittee for the opportunity to share with you the questions and concerns we are hearing from public school districts and school attorneys with respect to school obligations to protect the privacy of student health information under the Health Insurance Portability and Accountability Act (HIPAA).
By way of introduction, NSBA is a not-for-profit federation of 49 state associations of school boards, together with the Hawai‘i State Board of Education and the school boards of the District of Columbia, Guam, and the U.S. Virgin Islands. NSBA represents the nation’s 95,000 school board members, who, in turn, govern the 14,890 local school districts serving more than 47 million public school students. COSA is an NSBA membership program serving over 3,000 attorneys who represent public school districts, state school boards associations, or community colleges.
The Department of Health and Human Services (HHS) is to be commended for recognizing that HIPAA privacy regulations should not disturb or overlap the existing, complex privacy regime governing public school education records under the Family Educational Rights and Privacy Act (FERPA) and state privacy laws. Schools take their privacy obligations seriously, as evidenced by the volume of inquiries NSBA has received and continues to receive about HIPAA. The advent of HIPAA provides another good opportunity for school districts to revisit their privacy practices. And in the face of HIPAA’s privacy rules, FERPA has started looking a lot friendlier to school leaders and attorneys than perhaps it did formerly.
As the subcommittee has discerned, a great deal of confusion persists as to school privacy obligations under HIPAA. One state department of education reportedly has counseled school districts to await further federal guidance before expending precious time and resources on HIPAA compliance strategies. The body of my testimony will start by briefly touching on a few overarching principles guiding NSBA’s approach to HIPAA. I will then outline some of the major areas and issues that our members have indicated are most in need of clarification, in some cases sharing NSBA’s perspective. I will conclude with just a few thoughts as to how, aside from the substance of the HIPAA-FERPA intersection, HHS may be able to be of most help to the nation’s schools.
First, a few words about the context in which schools are operating as we consider their obligations under HIPAA. I certainly do not mean to suggest that HHS, OCR, or this subcommittee is unaware or unappreciative of the challenges confronting America’s schools, but neither do I wish to take anything for granted. Those who are immersed in K-12 issues day to day know that the rest of the world sometimes may not fully appreciate the enormous extent to which state and local education leaders, school attorneys, and other public and private education policy makers at all levels are preoccupied with meeting the complex and costly mandates driven by the federal No Child Left Behind Act and by the conditions that the Act was enacted to address.
Significantly, we have embarked on the No Child Left Behind undertaking at a time when the educational challenges facing many schools are intensifying and when many school budgets across the country are hemorrhaging. I note these things not to voice complaints or to make excuses. But I do think that, as this subcommittee considers how HHS can most effectively and appropriately help to ensure that public schools fulfill the Act’s purposes, this context is important to bear in mind.
In June of 2003, NSBA initiated a dialogue with Office for Civil Rights (OCR) staff, based on our understanding that OCR intended to issue Frequently Asked Questions (FAQs) for school districts regarding HIPAA’s requirements. To assist OCR in that effort, we solicited questions from school attorneys and state school boards associations and drew on their expertise as to the questions confronting their clients and members. We have also reviewed some of the analyses of HIPAA done by other organizations and individuals and have consulted some of these authorities. We continue to receive inquiries regarding HIPAA.
Not surprisingly, NSBA’s object is, while remaining true to the policy purposes underlying the Privacy Rule, to minimize its applicability and consequent administrative and financial burden to schools. Thus, from our perspective:
- A broad FERPA exception is to be desired;
- Regulatory requirements rendered pointless by the FERPA exception should be avoided; and
- As a general matter, rules should not unduly inhibit important school use of information, nor should they contemplate needless laxity regarding such use.
Issues needing clarification
We attach for the subcommittee’s perusal a sampling of some of the questions NSBA has received over the past months (see Attachment 1). From this list we have attempted to identify what we think are the major or recurring areas of uncertainty. We emphasize, however, that other issues we have received and included in the Attachment are also worthy of attention.
Let me acknowledge that at least some of these questions may have been addressed by HHS or perhaps can be discerned with some diligent research and analysis. NSBA has arrived at its own tentative conclusions as to some of the answers, which in some cases we will relate here. However, we feel we can best assist this subcommittee in its work by faithfully conveying what we hear people at the local level asking and saying.
Blanket exclusion or full HIPAA obligations
When we started collecting feedback, we were immediately impressed by the wide variety of understandings about school obligations. Some feedback indicated that state agencies had advised school districts that the exclusion of FERPA education records from HIPAA’s definition of protected health information (PHI) represents a blanket exclusion of public schools from HIPAA privacy requirements. At the other extreme, some reports indicated that some districts were retaining costly consultants to review and revamp their entire privacy procedures in order to base them on HIPAA requirements.
We believe that, at this point, most people have moved beyond the first misunderstanding. However, questions remain as to the precise effect of the FERPA exception on schools and whether it can have the effect of excluding schools from HIPAA’s privacy rule.
Covered entity status
While most commentary we have seen discusses the likelihood that a school district may be a health plan or a covered healthcare provider (i.e., one that transmits health information in electronic form in connection with a HIPAA transaction), we note that some school districts provide Medicaid billing services to other districts that lack the resources to accomplish this complex process. Such a district, we understand, would constitute a health care clearinghouse, triggering HIPAA obligations. We would recommend this example be included and analyzed in future HHS guidance to schools.
One issue that potentially bears on several of the areas listed below has arisen in some of our discussions with OCR staff: that is, a distinction has been suggested in some instances between employees of a school district — such as teachers, personnel of a law enforcement unit as defined by FERPA, and perhaps school nurses — and the school district itself. Whether records or communications created or maintained by the employee trigger HIPAA obligations, we understand, may turn on the initial inquiry as to whether the employee, as opposed to the district, is a covered entity. This distinction is not one that we have seen many analysts or questioners make, and it would not seem to be well understood in the field. Clarification of questions related to this analysis would be important to help inform other inquiries.
As a practical matter, where a school that is a covered entity provides health care only to students, and where all related records are deemed education records within the meaning of FERPA, our understanding is that no compliance with the HIPAA privacy rule would be required. According to one state agency, all student information created or maintained by schools in that state is considered by the state department of education to fit within FERPA’s definition of an education record. Therefore, the agency advises, school districts within the state need not comply with HIPAA Privacy Rule requirements. One questioner specifically asked whether records protected under a more stringent state privacy law, although not defined as a FERPA education record, would also be excluded from the definition of PHI.
This line of analysis should be included in additional guidance from HHS. To the extent the result may turn on a state agency’s determination of what constitutes an education record for FERPA purposes, the role of the Family Policy Compliance Office (FPCO) of the U.S. Department of Education and other authorities in construing what constitutes such a record should be spelled out in connection with the implications for HIPAA requirements. Whether a school’s HIPAA obligations turn not on the individual records in question, but on whether the school is a “FERPA school” or a “non-FERPA school,” as some language in the HIPAA preamble and commentary may suggest to some readers, may be worth clarifying.
A related series of inquiries involves whether records that fall under exceptions to the definition of FERPA records may constitute PHI and trigger HIPAA obligations.
Exceptions to FERPA education records
Each of the following exceptions to FERPA’s definition of education records may have HIPAA implications:
- Oral communication or information gleaned from firsthand observation: The HIPAA definition of health information includes any information, whether oral or recorded, created or received by a health care provider, and the definition of PHI includes individually identifiable health information transmitted or maintained in any form or medium. Some analysts indicate that any PHI discussed or read aloud is subject to the HIPAA privacy rule, although others question how to draft policies that would treat such communication (for example, a parent’s telling a teacher that her child had complained of ear pain) as PHI. Others maintain that the receipt by the school of such student information through oral communication or observation would not invoke application of the privacy rule, because oral communication conveying information contained in the education record, such as a conversation between a parent and teacher about the student’s IEP, is governed by FERPA. At any rate, if school personnel document the information obtained verbally or by observation, the written information becomes either part of the student’s education record governed by FERPA or the content of sole possession notes. This area is one where any distinction between the covered entity status of employees and the district should be spelled out.
- Sole possession notes: Technically, records that are kept in the sole possession of the maker, such as a nurse’s notes, and never shared except with a temporary substitute, would be PHI governed by the HIPAA privacy rule. Several analysts argued that the same rationale HHS used to exclude records of certain adult students from PHI should apply to sole possession notes: namely, that FERPA excludes such records only to the extent they are not available to anyone other than those providing treatment. But our understanding is that this oddity should have no practical effect, since HIPAA’s privacy rule does not apply unless PHI is “used or disclosed.” Any use or disclosure of such records for other purposes — including disclosure to the student or the student’s parents — would convert the notes into an education record, excluding the notes from the HIPAA privacy requirements. However, if “use” of the notes is construed as including any “utilization” by the individual maker of the notes, even this private utilization would trigger HIPAA privacy obligations. Again, this line of questions may require clarification as to any distinction between covered entity status of the maker of the notes and the school district.
- Law enforcement records: Records created and maintained by a law enforcement unit of an educational institution for its own use presumably would constitute PHI unless a distinction is made between the covered entity status of the law enforcement unit itself and the school district. Such records would, however, become subject to FERPA, and thus not HIPAA, once disclosed.
- Records pertaining to student as employee: Our understanding is that these records would also fall under the HIPAA exception for employee records.
- The U.S. Supreme Court in its decision in Owasso v. Falvo, 534 U.S. 429 (2002) suggested that FERPA’s definition of education records may be limited to records maintained by a “single central custodian.” While we are unaware of any subsequent guidance from courts or FPCO on this point, this would appear to represent a narrower definition than contemplated in the examples above, in which case the scope of school records constituting PHI and triggering HIPAA obligations may be correspondingly broader.
Many questions from the field concern the HIPAA mandates that apply to a school district that seeks reimbursement from Medicaid. We assume that such districts will be covered entities and, as both a legal and a practical matter, will have to conform to the HIPAA transaction rules in order to have these claims processed. Some maintain that all student records other than Medicaid records are FERPA education records. However, others understand FPCO to hold that Medicaid reimbursement claims contain information rendering them education records for purposes of FERPA requirements. If so, such claims would not trigger HIPAA privacy requirements. Still others indicate that their district omits personally identifiable information from Medicaid statements, thus taking the billing out of the PHI definition.
Further, our understanding is that the same analysis would apply if a school district does not directly bill Medicaid but contracts with a third party to do so.
“Ancillary” administrative obligations of schools without PHI
Some analysts have questioned whether, if a school district were a covered entity by virtue only of its status as a covered health care provider to students, and if this district maintained (and, for purposes of the definition of health care provider, transmitted) only student health information that fit the definition of a FERPA education record, it serves any purpose to impose on the district the “ancillary” administrative obligations under HIPAA designed to protect the confidentiality of PHI, e.g., to designate a HIPAA privacy official, maintain documentation of policies and procedures, and provide access to the Secretary of HHS. Similarly, even if the district did have PHI, but if this PHI were never used or disclosed so as to trigger applicability of the HIPAA privacy rule, mandating these ancillary requirements would seem to contradict the reasonableness underpinning HHS’s interpretations of HIPAA.
A district could nonetheless decide that it would be to its advantage to implement some or all of the HIPAA privacy provisions voluntarily. For example, the district may believe that its situation could change in the near future and that it may engage in transactions triggering HIPAA’s privacy rule. If so, adopting the provisions immediately, although not required, could help smooth the way to compliance in the event of the anticipated change.
Some have questioned whether a district without PHI should have to comply with the security standards rule, whereby the Secretary of HHS may demand access to student information in order to investigate HIPAA compliance. Indeed, under some circumstances, they maintain, FERPA’s own privacy safeguards may preclude this.
School nurses and school health clinics
Many questioners have focused on the operation of school nurses and school-based health clinics. Deriving answers to many of these questions may require clarification as to the issue identified above regarding the covered entity status of an employee and/or clinic, as opposed to the district. Assuming this analysis would not change the result, NSBA’s understanding is that if a nurse worked for the school district either as an employee or for an independent contractor or other third party contracted by the district to provide the services solely to district students, any records kept by the nurse, other than sole possession notes, would be subject to FERPA rather than HIPAA, because FERPA education records are those created and maintained by the district or by an agent acting for the district.
On the other hand, if the nurse were employed by a third party, such as a health department or hospital, and provided services at the school but were not contracted by the school to do so, the third party is operating its own program rather than acting for the district. In this situation, HIPAA’s applicability would fall to the employing entity, and compliance with HIPAA’s privacy requirements would be the responsibility of the covered entity. At their discretion, however, the school district and the third party could arrange contractually that the third party and its employees must treat all student health information, other than that contained in sole possession notes, as education records and comply with FERPA’s provisions. Such a contract would also spell out how any student records created or used by the third party will be kept separate from the health records of any non-student patients. In this contractual situation, HIPAA’s privacy rule would not govern the student health records, since the privacy of the information would be assured by FERPA.
Specific guidance on immunization records would help provide assistance in an area of health records affecting every district. Examples applying HIPAA’s rules, and their exceptions, regarding preemption of state immunization laws could be of help. For example, one such exception is for state laws serving a compelling need related to public health and procedures providing for the reporting of disease, injury, child abuse, or to facilitate public health surveillance.
As to one area of questioning, NSBA’s understanding is that if the school is requesting immunization records from another school, these are education records that can be exchanged under FERPA. In fact, state law may require the exchange of immunization records for the purpose of school enrollment. Once in the possession of the school district, immunization records are part of the student’s education record subject to FERPA.
Drug and alcohol testing
Guidance on records of drug and alcohol testing could be of potential assistance, especially in light of the Administration’s strong advocacy of more such testing. Assuming the district or an agent acting on behalf of the district maintains the records, we understand that the results of drug tests performed on students as a condition of participation in activities are education records subject to FERPA. If such test results were not documented, FERPA would not apply. But could HIPAA?
We have received many accounts of the reluctance of non-school, third party entities to release health information to school districts. In some instances, the practical reality is that the easiest solution may be for the district to comply with the non-school third party’s request. However, we suggest that the department consider including in future guidance examples of situations involving the interaction among schools and other HIPAA covered entities. We also suggest that the department at least consider whether and how it can help non-school entities become better acquainted with the different rules that apply to schools.
While NSBA and the school boards and school attorneys we represent do advocate certain outcomes as to some of these issues, we are confident in saying that with HIPAA, as with privacy regulations generally, the foremost concern for schools is clarity. Aside from the substance of OCR’s additional guidance, NSBA does have a few thoughts as to ways to help improve the degree of understanding at the local level.
First, we would like to express our appreciation to our primary interlocutor, Beverly Dozier, Privacy Rule Coordinator for the Centers for Disease Control and Prevention. Ms. Dozier has demonstrated sensitivity to the concerns that are particular to schools, as distinct from those of the rest of the universe of covered entities. We also appreciate her emphasis on OCR’s reassurances that its enforcement posture, rather than being quick to impose punitive consequences, will be one of helping to achieve compliance. Although HIPAA obligations and privacy protections must not be ignored, school officials are comforted to know that while some of these uncertainties are sorted out, they need not expect the HIPAA police to come beating on the schoolhouse doors.
Based on the desire we have found among local school officials for additional clarification, we are confident that OCR’s eagerly anticipated Frequently Asked Questions (FAQs) will be widely and quickly disseminated. As a general matter, the education sector could benefit from the same kind of readily understood, but in this case school-specific, assistance as appears to have been provided for physicians and other affected sectors, including, for example, the Q&A series posted on the Web site and, to the extent schools may have need of them, sample forms.
Finally, strong and visible coordination with the U.S. Department of Education and with state departments of education and departments of health will go a long way toward eliminating uncertainty. In fairness, we have not been privy to the collaboration these departments may in fact have enjoyed. But, for whatever it’s worth, there is a perception at the local level that messages on HIPAA requirements are sometimes less than clear. To the extent school districts have well-established and familiar communications with their state departments of education, which in turn typically have a closer interface with the Department of Education than with other federal agencies, coordinating HIPAA guidance with these agencies will maximize its ready dissemination. This is especially so where HIPAA intersects with FERPA and state privacy obligations regulated by these agencies.
Thank you again for this opportunity. NSBA, the federation of state school boards associations, and the Council of School Attorneys stand ready to assist in the process of helping America’s school districts fulfill their obligations under HIPAA.