[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

February 19, 2004

Hubert H. Humphrey Building
200 Independence Avenue, SW
Room 705A
Washington, DC

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703)352-0091


TABLE OF CONTENTS

  • Call to Order, Introductions; Opening Remarks  – Mark Rothstein, J.D.
  • Schools – Panel 1
    • Beverly A. Dozier, J.D., Centers for Disease Control & Prevention (CDC)
    • Jane W. McGrath, M.D., American Academy of Pediatrics (AAP)
    • Ellen Campbell, U.S. Department of Education
    • Laura Manley Knoblauch, M.B.A., R.H.I.A., American College Health Association
  • Schools – Panel 2
    • Thomas Hutton, National School Boards Association
    • Nadine Schwab, B.S.N., M.P.H., P.N.P, American School Health Association
    • Martha Dewey Bergren, D.N.S., R.N., National Association of School Nurses
  • Subcommittee Discussion – Mr. Rothstein

P R O C E E D I N G S (8:30 a.m.)

Agenda Item: Call to Order, Introductions

MR. ROTHSTEIN: Good morning, everyone. Welcome to the second day of our two
days of hearings.

My name is Mark Rothstein. I’m the Director of the Institute for Bioethics,
Health Policy and Law at the University of Louisville, School of Medicine, and
I am Chair of the Subcommittee on Privacy and Confidentiality of the National
Committee on Vital and Health Statistics, which, as most of you know, is a
federal advisory committee consisting of private citizens making
recommendations to Congress and the Secretary of HHS on Health Information
Policy, including issues related to HIPAA.

On behalf of the subcommittee and its staff, I want to welcome you to
today’s hearings.

I also want to welcome those who are listening on the internet. To those of
you on the internet, I apologize for the technical glitch yesterday that
prevented you from listening to our afternoon hearings, and the transcript of
those hearings will be posted shortly on our website so you can catch up on the
information that you missed related to law enforcement and HIPAA.

Before proceeding further, I would like to have introductions, beginning
with members of the subcommittee and staff, and, as usual, I would invite
subcommittee members to disclose any conflicts of interest that they have.

I’ll begin by noting that I have no conflicts of interest, and I’ll ask Dr.
Harding to be next.

DR. HARDING: I’m Richard Harding. I’m a child psychiatrist and Chairman of
the Department of Neuropsychiatry at the University of South Carolina and a
member of the committee and subcommittee and I have no conflicts in this
situation.

MR. HOUSTON: I’m John Houston with the University of Pittsburgh Medical
Center. I am a member of the committee as well as the subcommittee, and I do
not have any conflicts either.

MR. FANNING: I’m John Fanning from the Department of Health and Human
Services. I’m staff for the committee.

MS. FYFFE: I’m Kathleen Fyffe. I work for the Department of Health and Human
Services and I’m lead staff to the Subcommittee on Privacy and Confidentiality.

DR. GREENBERG: I’m Marjorie Greenberg of the National Center for Health
Statistics, CDC, and Executive Secretary to the committee.

DR. COHN: I’m Simon Cohn. I’m the National Director for Health Information
Policy for Kaiser Permanente and a member of the subcommittee and full
committee, and I have no conflicts.

MS. KNOBLAUCH: I’m Laura Manley Knoblauch. I’m the university privacy
officer at Illinois State University, but I am here today representing the
American College Health Association.

MS. DOZIER: Good morning. I’m Beverly Dozier. I’m the privacy role
coordinator for the CDC, Office of Health Information Privacy Office.

MS. SQUIRE: I’m Marietta Squire. I’m with CDC, NCHS, and I am staff to the
subcommittee.

MS. HOOPMAN: Good morning. I’m Jan Hoopman. I’m President of the NASN. I’m
here as a visitor today.

MS. PERKIDOLICA: Sama Perkidolica(?) from the Association of State and
Territorial Health Officials. I’m here as a visitor.

MR. HUNTER: Ed Hunter from CDC.

MR. RODEY: Dan Rodey(?) from American Health Information Management
Association.

MR. ROTHSTEIN: And Gail Horlick, are you on line?

Is Gail on line, Donald?

MS. HORLICK: Good morning, Mark. This is Gail Horlick from CDC, staff to the
Subcommittee on Privacy and Confidentiality.

MR. ROTHSTEIN: Okay. Good to hear from you, Gail.

And welcome to everyone.

Yesterday’s hearings focused on the issues of banking and law enforcement.
In earlier rounds of hearings we heard about public-health issues and research
and other issues. So this is part of an ongoing series of hearings that we are
having on HIPAA implementation issues.

This morning, we will hear from two panels of invited experts on the topic
of HIPAA and Schools, and if any of the witnesses want to submit written
testimony that have not done so, I would invite them to submit it within two
weeks to Marietta Squire.

I want to alert our listeners as well as members of the staff and audience
about a schedule change today. We will take our two panel discussions pretty
much as listed on your agendas, but we will have a subcommittee discussion that
was supposed to begin at 11:30 and end at noon begin at 11:30 and end when it
ends, possibly as late as 12:30, but then adjourn the meeting for the day. So
we will not be meeting after lunch today.

I want to remind our witnesses and listeners about the purposes of the
hearings, and they are to consider whether the Privacy Rule strikes the
appropriate balance between health privacy and other important concerns to
determine whether there are practical problems or unintended consequences that
have arisen as a result of the Privacy Rule, and to ascertain whether there are
areas in which additional clarification, education where outreach efforts are
needed to facilitate compliance.

Witnesses are asked to limit their initial remarks to 15 minutes, and after
all the witnesses of each of the panels have concluded their discussion, we’ll
have ample time, I hope, for questions and a broader discussion with the
subcommittee members.

I would request that all witnesses and guests turn off their cell phones
now, and remind the witnesses that we are, in fact, being broadcast on the
internet and to please speak clearly into the microphone, so that everyone can
hear.

Agenda Item: Schools – Panel 1

MR. ROTHSTEIN: If there are no other preliminary or introductory matters, I
would like to proceed to our first panel on schools, and we will proceed in the
order listed on your agendas, and that is we’ll lead off with Beverly Dozier.

MS. DOZIER: Good morning, ladies and gentlemen and members of the
subcommittee.

My name is Beverly Dozier, and I am the HIPAA Privacy Rule Coordinator for
the Centers for Disease Control and Prevention. My position is within the
newly-created Health-Information Privacy Office, an office within CDC’s
Epidemiology Program Office.

I was asked to speak this morning about the implications and impact on
public health of the nexus between the Privacy Rule and the Family Educational
Rights and Privacy Act of 1974, also known as FERPA.

As you know, all records protected by FERPA are excluded from the definition
of protected health information in the Health Insurance Portability and
Accountability Act of 1996, also known as HIPAA. Therefore, regardless of the
nature of the information contained in an educational record protected by
FERPA, even if it is health related, the law governing the privacy of those
records is FERPA and not the HIPAA Privacy Rule.

The CDC has several national health-surveillance programs that track various
childhood health conditions and behaviors. A few examples are the National
Immunization Program; the National Center on Birth Defects and Developmental
Disabilities, which tracks conditions such as birth defects,
attention-deficit-hyperactivity disorder, fetal alcohol syndrome and autism;
the National Center for Injury Prevention and Control, which has systems to
track data related to unintentional injury and violence and collects data
related to behavior risk for injuries and violence; the National Center for
Environmental Health tracks child lead poisoning, asthma and conducts the
National Environmental Tracking Program; and the National Center for Chronic
Disease and Health Promotion, Division of Adolescent and School Health and
Division of Nutrition and Physical Activity; and the Office on Smoking and
Health, just to name a few.

In addition, CDC funds a host of external partners, including state and
local health departments, hospitals and academic institutions to identify and
track these and other childhood health conditions.

Several provisions of the Privacy Rule permit covered entities to provide
protected health information to public-health authorities, such as the CDC,
without the consent or authorization of the individual.

These provisions were included in the Privacy Rule because the Department of
Health and Human Services, or HHS, understands the need to balance individual
privacy interest with the public’s need to acquire health data for public
health and other purposes.

For some nationwide health-surveillance projects, public-health authorities
strongly believe that accurate data on the incidence of health conditions could
not be obtained if consent or authorization were required. This is especially
true of the types of conditions that CDC tracks in children. Often, a parent is
reluctant to have a child labeled with a condition or with a developmental
disability. For this reason, and some other socioeconomic factors, obtaining
accurate data for these types of conditions would be unattainable if parental
consent were required.

There has been some confusion in state and local education institutions
about whether FERPA or HIPAA protects health information in the case where a
school runs a health clinic. For example, when a school has a health clinic
that is a covered entity under the administrative simplification regulations
under HIPAA, because it provides health care and conducts electronic
transactions, as defined in the Transactions Rule, and these health records are
determined by the school to be protected by FERPA, then the records would not
also be protected by the Privacy Rule.

While covered entities under the Privacy Rule may disclose protected health
information to public-health authorities for public-health activities, FERPA
does not generally allow a school or a school system to share health
information contained in education records protected by FERPA with a
public-health authority without parental consent. Conversely, a public-health
authority is permitted under the Privacy Rule, subject to state and federal
laws, to share the data it collects with healthcare providers, public-health
authorities and the school system, if needed.

Some of the childhood conditions that CDC and its partners track are
uniquely identified in school-age children. In many cases, children with these
conditions are often only identified in the school. For example, autism and
attention-deficit-hyperactivity disorder either do not appear or are not
recognized until the child is of school age. These conditions manifest in the
child as behaviors, and the school psychologist or other specialist usually
tests the child, not to make a diagnosis, but rather to determine what kinds of
interventions would assist the child in being more effective in accomplishing
schoolwork.

The results and conclusions of these tests become part of the child’s school
records and are thus protected by FERPA, and, furthermore, these results are
seldom found ascertained in the clinical setting.

Under an exception in the FERPA regulations that permits disclosure of
education records to authorized representatives of the Department of Education,
or Ed, CDC has a memorandum of understanding, or MOU, with the Department of
Ed. This MOU allows the CDC to access educational records in five metropolitan
Atlanta counties for our study known as the Metropolitan Atlanta Developmental
Disabilities Surveillance Project. The MOU expires next year.

The data from CDC surveillance of autism in Metropolitan Atlanta in 1996
show that for 40 percent of the children identified with autism, information
was found on these children only at the school sources. Only three percent of
the children were found uniquely at clinical sources. So while 57 percent of
the children with autism were known to school and clinical sources, school
sources certainly provided a great deal of unique information on the features
of the children’s disabilities.

There is no national policy that allows for the sharing of health data and
information between public-health authorities and educational institutions. It
is vitally important to the health of the nation’s children that public-health
authorities and educational institutions work together to identify the
incidence of childhood conditions and find effective interventions and
preventions.

Congress recently passed the Birth Defects and Developmental Disabilities
Prevention Act of 2003, Public Law 108-154, which provides an opportunity for
HHS and the Department of Education to work together to resolve this
data-sharing dilemma as it relates to autism and other developmental disability
surveillance.

The law requires HHS and Ed to study these issues and submit a report to
Congress within 18 months. The report must describe, one, the challenges to
obtaining education records in the absence of parental or patient consent for
public-health purposes, such as surveillance data for autism and other
developmental disabilities; two, how these challenges can be overcome,
including efforts to educate parents, improve school confidence in the privacy
of public-health surveillance programs and raise the rates of parental or
patient consent.

The report will also include specific qualitative and quantitative
justifications for any recommendations for changes in the existing statutory
authority, including the Family Educational Rights and Privacy Act of 1974.

The CDC looks forward to working together with Education to protect the
health-information privacy of individuals while maintaining a strong
public-health system and clarifying the provisions of the Privacy Rule as they
relate to public health and education.

MR. ROTHSTEIN: Thank you very much for that testimony.

We’ll now proceed with our second witness, Jane McGrath.

DR. MCGRATH: Good morning, Chairman Rothstein and members of the
subcommittee. I am very pleased to be here today.

My name is Dr. Jane McGrath. I am pleased to be here today to represent the
57,000 pediatricians of the American Academy of Pediatrics on an issue of
importance to children, parents, health professionals, educators and
administrators.

I have been a pediatrician for over 15 years and am currently the School
Health Officer for the New Mexico Department of Health and also an Associate
Professor of Pediatrics at the University of New Mexico Health Sciences Center.

Real-world problems are created by the lack of clarity regarding whether
privacy requirements of HIPAA apply to health information in schools, and I
would like to just talk about a couple of examples.

First, immunization information. States mandate that schools require certain
immunizations in order for children to attend. These immunization requirements
are, in effect, the way we, as a society, ensure that children receive their
immunizations. School nurses enforce immunization requirements and spend a
considerable amount of time and energy making sure that students at all grade
levels are appropriately immunized.

Under HIPAA, the school nurse is no longer able to call the local health
department or pediatric provider in order to update immunization information on
a student without explicit written permission from the parent. Getting written
authorization from parents may seem like a trivial step, but, in many
communities, it can represent a significant barrier to a school nurse who is
already overwhelmed with work and may be responsible for the immunization
records of over 1,500 students.

Because immunizations are considered a public-health exemption under HIPAA,
the regulations allow the sharing of information between HIPAA-covered entities
without explicit authorization. It does seem unreasonable to require school
nurses to get written parental authorization that is not required of other
health professionals when we rely so heavily on school nurses to enforce the
immunization requirements.

The exchange of information related to the treatment of a student with
special-care needs is another area of concern. As schools are not generally
considered to be covered entities under HIPAA, the exchange of information with
the child’s provider for purposes of treatment is thought to require parental
authorization. Since the implementation of IDEA, students with special
healthcare needs have started going to school in unprecedented numbers. As a
result, many school nurses provide daily care for children with complex medical
conditions. Children attend school who need ventilatory support, ostomy care,
tube feedings, peritoneal dialysis and a host of other medical procedures and
equipment.

It is vital that the school nurse be able to quickly contact a student’s
physician if something should go wrong during the day. The current regulatory
confusion has resulted in children not getting the health care they need while
at school in an acceptable time frame. It is difficult enough for a school
nurse to get a busy medical provider on the phone to answer questions
concerning a patient’s care. When the conversation about healthcare is delayed
because of concerns about whether the parent has granted permission to share
necessary health information, the child is the person who suffers because of
the delay.

Another area of particular concern is in the arena of mental health,
students discharged from psychiatric hospitalization and residential treatment.
Getting records after a student has been discharged from a mental-health
facility has been a long-standing problem for schools. Under the current
regulatory environment, the school must depend entirely on the parent to
provide a discharge summary. Parents frequently don’t remember to give the
school a copy of the discharge summary, and this can cause disruption in the
continuity of care, especially with respect to medication. When the school
nurse is included in discharge planning and receives a discharge summary, the
student is much more likely to have consistent followup and medication.

Schools bill Medicaid for services provided to students written into their
individual educational plan or IEP. Schools provide services that are billed to
Medicaid. The government needs to make it clear what a school’s
responsibilities are under HIPAA. It may be reasonable to explore allowing
schools to qualify as HIPAA-covered entities. Schools are part of the
healthcare safety net and should be encouraged to collaborate with managed-care
organizations, community providers and others.

The current regulatory environment results in barriers between schools and
other HIPAA-covered entities. As a consequence, there is less collaboration
and, consequently, worse healthcare for students. Because schools are the place
where children are during the day, schools need to be included to a greater
degree in the community network of healthcare.

Another point is that schools do not adequately protect private health
information of students. Under FERPA, schools are not required to protect
private health information separately from the student’s academic record. As a
result, it is not uncommon for a school to include health information in a
student’s cumulative academic file. Although FERPA regulates access to the
cumulative file, it is done with an eye towards who should appropriately have
access to the academic record, and a student’s health information may be
released to an individual who only really desires their academic information.
This compromises a student’s health privacy, but does not violate the FERPA
regulation.

There is a lack of clarity about the intersection of HIPAA and FERPA. It is
clear, from my experience and the messages I have received from many providers
and school nurses, that confusion is widespread about what is and what is not
allowable under the current HIPAA and FERPA regulations. Many states have
developed ad-hoc solutions to the current situation that results in further
lack of clarity and consistency. It is fair to say that a solution that might
be acceptable in Massachusetts is not feasible in New Mexico, and I have
brought and would like to submit to the record a number of emails from
colleagues and school nurses in my part of the world talking about the problems
and issues that they have encountered.

The American Academy of Pediatrics proposes the following recommendations
for your consideration.

First, that personally-identifiable health information of students in
schools should be protected in the same manner as such information elsewhere.
Many schools are involved in providing healthcare on a day-to-day basis.
However, their management of health records is a significant problem.
Confidential student-health information can be found in various locations
throughout the school. For example, academic files, the coaches’ files, the
school nurse’s files. This information may be kept or assessed by a range of
individuals with little or no training related to confidentiality requirements.
A consistent, fair and reasonable system must be designed to protect a
student’s health information in the healthcare and educational settings.

Second, school-health providers and community health providers should be
able to communicate directly concerning treatment issues, including
immunization records. There is a lack of clarity concerning the intersection of
FERPA and HIPAA that results in barriers to effective communication for the
treatment of students in the school setting. The current environment is one of
confusion that results in school health providers who are often the people
immediately responsible for a child’s welfare during the day being able to
communicate with the community health providers.

And, lastly, more stringent health privacy standards need to be put into
place within the school setting in order to provide adequate privacy to the
student’s health information.

Schools are not uniformly careful with students’ personally-identifiable
health information. Simply liberalizing the HIPAA Privacy Rule to allow school
nurses to be included for purposes of receiving and sharing health-treatment
information is not an adequate resolution to ensuring that health information
remains private.

I appreciate the opportunity to share these observations with the
subcommittee, and I would be happy to respond to any questions.

MR. ROTHSTEIN: Thank you very much.

I’m sure the subcommittee has a number of questions raised already by the
first two witnesses, and we’ll take them up at the end of the discussion.

We would like now to proceed to Ellen Campbell.

MS. CAMPBELL: Thank you.

My name is Ellen Campbell. I am the Deputy Director of the Family Policy
Compliance Office at the Department of Education.

The mission of the Family Policy Compliance Office – FPCO – is to meet the
needs of the department’s primary customers, students and their families, by
effectively implementing two important federal privacy laws that seek to ensure
student and parent rights in education, FERPA, the Family Education Rights and
Privacy Act, and the Protection of Pupil Rights Amendment, PPRA.

The FPCO responds to complaints from parents and students as well as to
inquiries and requests from school officials for technical assistance.

In addition, the FPCO responds to a large number of telephone calls, emails
from parents, students, school officials and other government officials
requesting information on FERPA and PPRA.

The purpose of my testimony today is to discuss FERPA and its intersection
with HIPAA.

FERPA has a long-term continuing impact on educational agencies and
institutions that are the recipients of U.S. Department of Education funds.
Therefore, FERPA impacts all public school districts, virtually all public
institutions or public post-secondary institutions, public and private – excuse
me – and all state educational agencies.

FERPA is a federal law that protects privacy interests of parents and their
children’s education records. FERPA generally prevents an educational agency or
institution from having a policy or practice of disclosing the education
records of students or personally-identifiable information contained in
education records without the written consent of the parent.

The term, education record, is broadly defined as all records, files,
documents and other materials which contain information directly related to a
student and are maintained by the school or the person acting for the school.

Additionally, the records of a student that pertain to services provided to
that student under the Individuals With Disabilities Education Act, IDEA, are
education records under FERPA and are subject to the confidentiality provisions
under IDEA and all of the provisions of FERPA.

When a student reaches the age of 18 or attends college at any age, the
student is considered an eligible student under FERPA and all the rights
afforded by FERPA transferred from the parent to the student.

K through 12 students’ health records, including immunization records,
maintained by an educational agency or institution subject to FERPA, including
records maintained by a school nurse, would generally be education records
subject to FERPA because they are, one, directly related to a student, and,
two, maintained by an educational agency or institutional party acting for the
agency or institution, and, three, are not excluded from the definition of
education records as treatment of sole-possession records or on some other
basis.

In August 1996, Congress enacted HIPAA to ensure continued health-insurance
coverage for persons who change jobs and to establish transaction security,
privacy and other standards to address concern about the electronic exchange of
health information.

Final regulations for the privacy requirement detailed in how covered
entities must handle individually-identifiable patient information were
published in the Federal Register on December 28, 2000, with final
modifications to the Privacy Rule August 2002.

Organizations subject to the HIPAA Privacy Rule, known as covered entities,
include health plans, healthcare clearinghouses and healthcare providers that
transmit health information in electronic format. Healthcare providers include
institutional providers or health and medical services such as hospitals and
other non-institutional providers. As such, schools and school districts that
provide health and medical services to students may qualify as covered entities
under the HIPAA Privacy Rule.

However, the preamble to the December 2000 final rule explained that health
information maintained as an education record, defined by FERPA, is excluded
from HIPAA privacy requirement; that is, it is not the HIPAA Privacy Rule, but
FERPA, and the confidentiality provisions and IDEA, where applicable, that
protect the privacy of information in education records, including,
specifically, health-related information, and I won’t read what the preamble to
the 2000 final rule stated, but it is in the testimony, but I will read this
sentence, it says, while we strongly believe that every individual should have
the same level of privacy protection for his or her individually-identifiable
health information, Congress did provide us with the authority to disturb the
scheme – for records maintained by educational institutions under FERPA. We do
not believe Congress intended to remand or preempt FERPA when it enacted HIPAA.

The FERPA carve-out from the HIPAA Privacy Rule includes treatment records
of eligible students, those that are 18 or in college at any age, which are
excluded from the statutory definition of education records in FERPA; that is,
treatment records of eligible students are not protected under FERPA as
education records and are not subject to the HIPAA Privacy Rule. However, if
the records are used for any other purpose than for treatment of the student as
laid out in the law and the regulation, they become education records under
FERPA.

It should also be noted that even if records maintained by schools that
provide health services to students are subject to FERPA and thus excluded from
the HIPAA Privacy Rule, the school may, nonetheless, be covered under other
HIPAA standards, such as the Transaction Rule.

As noted, the reason for the exemption in the HIPAA Privacy Rule for records
covered by FERPA is that Congress, through FERPA, previously addressed how
education records should be protected, and I would like to give you a little
more background on FERPA before we end.

Under FERPA, there are a number of specific statutory exceptions to the
general rule against non-consensual disclosure. There are no general exceptions
to FERPA’s Prior-Consent Rule that permit a school subject to FERPA to disclose
records to a state health agency or to researchers. FERPA does contain a very
limited exception to the Prior-Consent Rule that allows educational agencies
and institutions to disclose information to appropriate officials in connection
with a health or safety emergency.

Specifically, FERPA says that these records may be disclosed without consent
in connection with an emergency to appropriate officials if the knowledge of
this information is necessary to protect the health or safety of the students
or other persons.

However, the regulations and the congressional language indicate that these
conditions will be strictly construed. I won’t quote the joint statement, but
it is in the testimony that you can see in 1974 Congress intended that that
exception be strictly construed.

The FPCO has consistently interpreted this provision narrowly by limiting
its application to a specific situation that presents imminent danger to
students or other members of the community or that requires an immediate need
for information in order to avert or defuse serious threats to the safety or
health of a student or other individual.

While the exception is not limited to emergencies caused by terrorist
attack, our recent guidance on this issue provides useful and relevant summary
of our interpretation, which I will not quote.

In summary, educational agencies and institutions subject to FERPA may
disclose personally-identifiable non-directory information from education
records under the HELPA(?) safety emergency exception only if the agency
institution determines on a case-by-case basis that a specific situation
presents imminent danger or threat to students or other members of the school
community or requires an immediate need for information in order to avert or
defuse serious threat. Any release must be narrowly tailored considering the
immediacy and magnitude of the emergency and must be made only to parties who
can address the specific emergency in question.

Certainly an outbreak of diseases, such as measles, rubella, mumps and polio
not only pose threat of permanent disability or death but have historically
presented themselves as epidemic in nature. Thus, disclosure of personal
identifiable information from records to state health officials for such
reasons would generally be permitted under FERPA’s health or safety emergency
provision, and then there are recordation requirements that the law requires
that schools record who they dispose it to and under what exception.

Please note, however, that FERPA does not permit an educational agency or
institution from disclosing non-personally identifiable information to state
health officials or to any other outside entity. Rather, FERPA prohibits the
disclosure of personally-identifiable information from education records
without the consent of parents or students, and personally-identifiable
information is described in the regulations, and I list the items there that
make a record personally identifiable.

In order to make sure that information is not personally identifiable, the
disclosing school would need to remove the name, ID number, any other
identifier that would permit the identity of an individual student to be easily
determined.

And, finally, nothing in FERPA prohibits school officials from obtaining
parental consent in order to disclose information to anyone, to outside
entities. The written consent has to specify the records that may be disclosed,
state the purpose of the disclosure and identify the party or class of parties
to whom the disclosure may be made. Certainly, this could include a broad
consent at the beginning of the year for any disclosures to physicians that
might need to be made.

I hope that this testimony adequately explains the requirements of FERPA as
they relate to the disclosure of personally-identifiable information contained
in student-education records as well as to the intersection between FERPA and
HIPAA, and we are always available for any questions on followup.

MR. ROTHSTEIN: Thank you very much. I’m sure we will have some questions for
you shortly.

And the final witness on this first panel is Laura Manley Knoblauch.

MS. KNOBLAUCH: Good morning.

My name is Laura Manley Knoblauch, and I am here as a designated
spokesperson for the American College Health Association with regard to the
Privacy Rule under HIPAA. I am a member of the American College Health
Association’s HIPAA Task Force.

The American College Health Association represents 2,624 individuals and 955
institutions and is the principal leadership organization in the field of
college health. College and universities’ health services provide health
services to 15.3 million students.

I work for Illinois State University where I am the Assistant Director of
the Student Health Service and the University Privacy Officer.

My goal today is to relay to you concerns college and university health
services are experiencing in their efforts to comply with the privacy rules of
HIPAA, as well as complying with the Family Education Rights and Privacy Act,
otherwise known as FERPA, and, in some cases, state law for student medical
records.

Before I begin stating our dilemma, I must state that not all student health
services are faced with HIPAA compliance, because not all institutions perform
any of the electronic transactions triggering the application of HIPAA.

Many of our student health services are smaller and do not bill for services
or file insurance manually or electronically. However, for those student health
centers who do perform electronic transactions, we have been seeking legal
interpretation on how to comply with HIPAA. Because most of our institutions
receive federal funding, they are also covered by FERPA. The intersection of
these two pieces of legislation has been the subject of much discussion and
interpretation. Great disparities have resulted in how college and university
health centers across the country have dealt with the issues created by the
HIPAA regulations.

Implementation efforts fall along the spectrum of implementing only HIPAA,
following only FERPA or some convoluted combination of these two regulations.
Many student health services have received legal opinions regarding compliance
with FERPA and HIPAA and they have informed us that student health services
must ensure compliance for student records under FERPA or state law, and
non-student records are governed by HIPAA. In addition, the January 2003 FERPA
Teleconference sponsored by the Department of Education reinforced these legal
opinions.

Many student health services are now in the unenviable position of having
three different standards with which to comply. Student records maintained and
accessed solely by the provider are governed by state law. Student records
released for any reason, including pursuant to a patient authorization, are
governed by FERPA. Non-student records, such as those of university employees
are governed by HIPAA.

Since we often release medical records upon patient authorization, we have
to determine, prior to the release, the patient’s status, be it student or
non-student, and if the record has ever been released. This has created a
cumbersome, complicated system for medical-record privacy and one that I don’t
believe Health and Human Services intended.

Student health services frequently refer patients to physician specialists
within our communities. These medical providers naturally assume that we are
covered entities under HIPAA. When a specialist requests medical records for
treatment purposes, we must have the student patient sign an authorization for
this release. This is often confusing for the patient and our clinical staff,
as well as a possible barrier to efficient communication to the clinical staff
to whom we refer.

Under FERPA regulations, student health services could, theoretically,
release a student medical record to a professor without obtaining the patient’s
consent. However, FERPA will not allow release of a student medical record to
another healthcare provider for treatment purposes without a patient
authorization.

In my opinion, to consider clinic records maintained by the student health
service education records under FERPA, instead of medical records, is absurd
and illogical.

As a result of the widespread confusion in college health, there is
disparity in the way university health centers have chosen to grapple with the
several sets of medical privacy laws that we are charged to comply with. For
example, some university health services have implemented a HIPAA-only approach
for the non-student records, meaning that for their non-students, they comply
with HIPAA and for their students, they comply with FERPA. This has certainly
simplified the process of complying, but it appears that a student medical
record is being held at a lesser privacy standard than non-student medical
records. If HIPAA is the national privacy standard in healthcare, which we
believe it should be, why are student medical records exempt under HIPAA?

Some university health services have considered complying exclusively with
HIPAA regulations and ignoring FERPA. However, in some cases, FERPA regulations
are more stringent. An example is that HIPAA allows for release of information
for treatment, payment and health-care operations. However, this would be a
violation under FERPA. This is one of the benefits available under HIPAA that
would violate FERPA. Legal experts have told university health services that
since FERPA is, in some cases, more stringent, we cannot simply choose to
comply with HIPAA as it is not the higher standard in all cases.

We looked at the possible non-compliance penalties of HIPAA versus FERPA. We
were told that compliance with HIPAA, instead of FERPA, even though FERPA
doesn’t levy fines, could result in federal funds being withheld from the
university if it was found to be in non-compliance, a frightening thought to
say the least for most institutions.

Still, other university health services have addressed this complicated
problem by opting to discontinue providing care to non-students, such as
spouses, summer camps, visiting scholars, athletic interns, J-1 Visa Scholars
and the like. This option allows them to follow only FERPA or state law. This
is certainly not an optimal solution as it decreases healthcare access and
services to the campus community, not to mention the lost revenue.

Representatives of several university health services have attempted to
contact the Department of Education and/or HHS with questions regarding the
HIPAA-FERPA intersection. We have received no official response.

In order to discuss our challenges with compliance and to formulate a
solution, we put forth the following recommendation:

It is a request of the American College Health Association for this
committee to identify a workgroup made up of representatives from the
Department of Education, the Department of Health and Human Services and the
American College Health Association to specifically address the implementation
issues of HIPAA in our college and university health centers.

We believe the resolution of our issues will only be achieved through
changes in both FERPA and HIPAA regulations and that it will require
involvement from all constituents to effectively make these changes. The
changes to the regulations might include:

One, to change the FERPA’s regulation’s definition of exemption to education
records. The exemption to education records, Section 20, US Code 1232-G,
Section A-4-B IV, for medical records held at institutions of higher education,
needs to be broadened in scope beyond the provider-patient relationship. The
exception needs to include the records, even if they are released outside the
provider-patient relationship.

This change in definition would exempt any medical record created by a
university health service from FERPA leaving an institution to comply with
state law if they do not perform any of the listed electronic transactions or
to solely comply with HIPAA if they do submit listed electronic transactions.

Secondly, to change the HIPAA regulation’s definition of protected health
information or PHI to include medical records held by institutions of higher
education. The definition of PHI and HIPAA at Section 164 501, needs to be
changed to eliminate the FERPA exception of medical records held by
institutions of higher education. These two changes would allow medical records
held at institutions of higher education to be included in PHI under HIPAA and
would remove their coverage under FERPA. This would eliminate the dysfunctional
intersection of these two regulations and, we believe, would meet the intent of
both of these regulations, which is to protect the privacy of medical records
held by institutions of higher education. The end result being that any
university health services falling under HIPAA regulations by virtue of them
performing any of the listed electronic transactions would automatically treat
all of their medical records under one privacy standard, that being HIPAA.

We thank you for your time and consideration of our request, and I would be
happy to answer any questions you may have.

MR. ROTHSTEIN: Thank you very much.

I have an infinite number of questions – (laughter) – but I’m sure my
panelists and subcommittee colleagues do as well. So we will open the floor for
discussion and questions by subcommittee members, begin with John Houston.

MR. HOUSTON: I feel bad, because I always start. Well, but what the heck.

MR. ROTHSTEIN: You don’t feel that bad. (Laughter).

MR. HOUSTON: Well, that’s true.

I guess I have two separate questions for Dr. McGrath, the first being is in
the event that you had a special-needs child, somebody who had some type of
care that was required on a daily basis within a school setting or had to have
medications administered, things of that sort, what would preclude the school
from requiring an authorization in appropriate paperwork prior to accepting
that child into the school, so that the nurse would have available to the
nurse, you know, access to the medical information?

DR. MC GRATH: It is my understanding – and I think we have other experts
here in the room who will, hopefully, be able to help us clarify these things
probably more effectively than I can – but I think, under most circumstances,
if you have a child with known medical needs that are being taken care of by
the school, certainly, in that circumstance, early in the school year, it might
be not too onerous for the school to get written authorization to share
information with the physician, but, for example, as is frequently the case
now, unfortunately, many of us don’t have a single physician that we deal with,
but perhaps an entire group or a large group. So, in that case, the nurse might
call to try to get some help, and because there is such a large amount of
uncertainty about HIPAA and FERPA and what can be shared and what can’t be
shared, if there wasn’t immediate documentation for what might be another
physician or another part of a physician group, they may or may not feel
comfortable sharing the information. So even though a written authorization had
been obtained by the school, that information might not be available to a
covering physician on the line. So, again, there are different levels, I think,
in the community of concern.

The other issue is for a new child that is being brought into the school,
authorization may not have been acquired from the parents at the time of
registration. You know, it’s a new procedure for schools to get that
authorization, so that you may have a child who is new in the school, doesn’t
have authorization and the nurse is unable to follow up, and then, again, you
may have a child who has had a known problem that hasn’t really manifested
itself or has a new problem, and the school doesn’t have authorization. It’s
not always easy for the school to get authorization from parents if it hasn’t
been obtained at the time of registration, and I think one of the big problems
for school nurses is that the focus of the school is not on healthcare, but
it’s on the academic issues of the child. So, generally, a child who is getting
enrolled, either at the beginning of the year or in the middle of the year
doesn’t necessarily come into contact with the school nurse at the time of
enrollment. So enrollment is done by the school counselor or somebody else –

MR. HOUSTON: But to the extent that there is some medications that need to
be administered or some type of treatment that needs to be administered on a
daily basis or on a periodic basis, I would suspect, in that particular case,
arrangements would have to be made with the nurse anyways, and in those types
of scenarios, I would suspect that there are things that can be put in place
procedurally to allow that nurse the flexibility to communicate with the
physicians and ensure that the care is delivered appropriately. I mean, that
would – just thinking out loud.

DR. MC GRATH: I think it is not an issue that procedures can’t be put in
place. It is that they are often overlooked by schools because they don’t see
healthcare as their primary responsibility. They see their primary
responsibility as enrolling the kid in the school, getting them signed up for
their classes, and, then, it’s frequently the case in my experience that a
child is enrolled in school without the school nurse ever even knowing.

So, now, obviously, a child with multiple health problems, that child is
more likely to be referred to the school nurse, but, again, I would just submit
to you that you need to recognize that schools don’t consider – their first
consideration is not the health status of the child. Their first consideration
is all of the issues that have to do with that child’s academic records,
success and placement within the school.

MR. HOUSTON: Just a followup question. What happened pre-HIPAA? I mean, what
was – I guess – it would be interesting to understand what was the climate
before HIPAA. Obviously, FERPA existed.

DR. MC GRATH: Under FERPA, I think – prior to HIPAA, there was – well, I
think it is unfair to say that unfettered access between the physician and the
school nurse – I think it is always difficult for a school nurse to get a
physician on the phone to talk about issues because they tend to be very busy,
but I think school nurses have much more ready access to physicians.
Physicians, generally, are much more wary and careful and unsure about what
they can communicate without explicit authorization given HIPAA. Now, part of
this may, in fact, be less an issue of what the law actually allows, so much as
people’s own concern about that or perceptions.

MR. ROTHSTEIN: Okay. Thank you.

Dr. Harding.

DR. HARDING: I have a number of questions, but just one clarifying, and then
I’ll let someone else start.

Does FERPA not apply to private schools?

MS. CAMPBELL: FERPA only applies to schools that receive funds from the U.S.
Department of Education as a spending-clause provision under the Constitution.
Private schools, for the most part, do not receive federal funds.

Now, children are placed in private schools by the local school district.
The local school district, in that case, is responsible under FERPA and IDEA
for that child’s privacy of their records.

So a private school, if they qualified as a covered entity under HIPAA, they
would be subject to HIPAA, because they are not generally subject to FERPA.

DR. HARDING: I wasn’t aware of that. Thank you.

MR. ROTHSTEIN: I have several questions about FERPA. This is new ground for
many of us, and I just want to get some clarification on some of the statements
that some of your co-panelists made.

Is it, in fact, the case that FERPA does not require separate records for
medical and academic records in schools?

MS. HARDING: Yes, FERPA does not require that a school create any records or
maintain them in any specific fashion, other than to protect the privacy of the
records under FERPA.

We are very aware of a tension between local control and federal control,
and the law only requires if you have records, then you have to comply with
FERPA. It doesn’t say you have to have – there’s no such thing as cumulative
record under FERPA. It is any record that is directly related to the child is
maintained by the school.

Now, that doesn’t mean – and we have said this – that a school could not
create a higher standard and allow only health officials to see the information
in the school nurse’s office. That has always been the case, but that is up to
the school.

MR. ROTHSTEIN: So it could, in fact, be the case – and may be – for medical
information, health records to be commingled with academic records, and the
protection, I hear you saying, is the limited or supposed limited access to all
the records.

MS. CAMPBELL: That’s correct. I mean, a school only has to provide access to
the parent.

MR. ROTHSTEIN: Right.

MS. CAMPBELL: No one has the right to see the records. However, the law
permits disclosures to other school officials who have a legitimate educational
interest. So just any teacher down the hall doesn’t have a right to see the
record. They have to have a legitimate educational interest in that child’s
education –

MR. ROTHSTEIN: Under HIPAA, one of the requirements is that covered entities
have to engage in a training program to train employees and students who might
have access to that information; that is, trainees and so forth. Is there any
comparable training requirement under FERPA – in other words, a requirement
that teachers be trained and school nurses be trained and other people be
trained about the FERPA requirements?

MS. CAMPBELL: There is nothing in the law or the regulations that require
training. I believe there’s something in IDEA that requires that those IDEA
officials be trained, but my office has a very aggressive training program
itself where we train school officials in FERPA all over the country, and if we
have a situation where we have found that a school violated FERPA in a
complaint, one of the stipulations is they have to provide guidance to school
officials on compliance with FERPA.

MR. ROTHSTEIN: And the last question – and then I’ll let some of my other
colleagues ask – is does FERPA draw any distinctions in the treatment or the
care or the standards between K-12 and higher education? In other words, we
heard testimony that sometimes student medical records are released to
professors or could be released to professors without the consent of the
students who are now presumably 18 and old enough to give their own consent.
Are there different standards or is there just a single standard?

MS. CAMPBELL: Well, I wouldn’t call it different standards. There is a
carve-out. One of the exceptions to an education record is if it is a medical
treatment record on a student who is 18 or in post-secondary school, and then
there are parameters for that. I mean, a college, for instance, could decide we
are going to treat these records as medical records, not as education records,
but that means they can only be disclosed within the institution for those
people providing treatment to the student’s position.

Once a disclosure is made that is not within those parameters, it becomes an
education record under FERPA. So, oftentimes, you see a treatment record being
disclosed to the disability office on campus. Well, that’s fine, but once it is,
it is no longer in that carve-out section. It’s now an education record under
FERPA.

MR. ROTHSTEIN: So am I correct in saying that the primary reason for the
Department of Education being reluctant to, let’s say, have that regulation
under FERPA, setting requirements that there be a distinction between
educational records and health records is a sort of federalism issue that you
don’t want to –

MS. CAMPBELL: Well, no. It’s a statutory issue. I mean, we don’t write
regulations just based on something that we want to change. Congress has to
change the law –

MR. ROTHSTEIN: So you don’t think that you have the statutory authority to
do it.

MS. CAMPBELL: No, we do not.

MR. ROTHSTEIN: So – I see. I was under the impression that it was your
earlier testimony that concern about differences in state policies was driving
that, and now you think it’s a lack of statutory authority.

MS. CAMPBELL: The lack of statutory authority to just decide we are going to
change and say, okay, these are subject to HIPAA and these are not.

MR. ROTHSTEIN: No, I don’t mean subject to HIPAA. I’m talking exclusively in
the FERPA realm. If you wanted to say, we want to treat medical records
separately from educational records and we think that all schools subject to
FERPA should do that for whatever reason, do you think FERPA gives you that –

MS. CAMPBELL: Not at the K through 12 level. I think we have that at the
post-secondary level. I don’t believe we have the authority to say that at the
lower level.

MR. ROTHSTEIN: Okay. Richard.

DR. HARDING: One of the issues that the committee has been asked to look at
is the issue of unintended consequences of HIPAA, and HIPAA was brought forward
with a good heart and with good intentions and I think that it has served many
good purposes.

You were saying, though, in the college health services that it has
complicated your life a little bit, and you have made some recommendations.
Could you expand a little bit on the complications? Is it just that you aren’t
sure what HIPAA really states and there is a debate going on among your
association and colleagues about the extent of HIPAA’s sincerity or severity or
is it – you know, I guess I’m trying to think about the intent, the way it is
written. What would help? And you mentioned getting together and talking, but
what would help.

MS. KNOBLAUCH: Right. I think what would be helpful, for those of us that
see both students and non-students, it’s a real challenge, because we have to
treat our student records under FERPA. If they have only been maintained in
that provider-patient relationship, they have an exemption under FERPA and they
are covered under state law.

Our non-students, such as university faculty and staff, those records are
held under HIPAA. We have all tried different ways of complying with that, and
at my institution, we have tried to keep the higher standard of both laws just
for consistency.

My healthcare providers, when they go to release information for treatment
purposes, for a student, they have to get an authorization; for a non-student,
they don’t. Specialists within the community are questioning, why do you need a
release for this? I’m providing treatment. Aren’t you a healthcare provider?
Aren’t you a covered entity?

So it has been a real challenge for us. Which types of disclosures do we
document when we keep our accounting and disclosures? We have to document all
disclosures for our HIPAA records. For our FERPA records, we are documenting
all disclosures, including those of treatment. It is just a real challenge
trying to know whether this record is a HIPAA record or a FERPA record, and
sometimes I have a faculty member who is also a student. How do I treat that
record? Where does it fall? Does it fall under HIPAA or under FERPA? Those are
the challenges that we are struggling with. Quite honestly, if all the records
were HIPAA, it would make my life simpler.

DR. HARDING: Have those things been superseded by more stringent state laws
in any cases?

MS. KNOBLAUCH: In a few cases there are some state laws that are more
stringent, such as my state’s HIV records are more stringent, but the lion’s
share of the challenges tend to come between the HIPAA and FERPA and student
and non-student records.

MR. ROTHSTEIN: Can I just ask a clarification?

You said a few minutes ago you want to be covered under HIPAA.

MS. KNOBLAUCH: I think it would make –

MR. ROTHSTEIN: Okay. I just – hadn’t heard that in a while. (Laughter).

MS. KNOBLAUCH: When you have been trying to deal with three regulations, I
think having one would simplify the process. Again, not all university health
centers submit electronic transactions, and so they would not be covered under
HIPAA, but those of us who do, it would simplify the process to have one
standard as opposed to three.

MR. HOUSTON: Just to follow up on that, reading your recommendations,
obviously asking for HIPAA to eliminate – the second recommendation was to
eliminate the FERPA exception, but, obviously, if we eliminate the FERPA
exception, then you still have this area where I’m sure people are going to
have some discomfort, where if you are not doing electronic transactions and
there is no FERPA exception within HIPAA, what applies?

MS. KNOBLAUCH: State law would apply, would it not?

MR. HOUSTON: Arguably, then, I guess, the drafters of FERPA would say, well,
the intent of FERPA was to provide some type of federal framework with regards
to the protection of student information, and that would be an unintended – I
think – consequence of doing that, and I guess what would be nice to see, and
sort of like a homework assignment, I guess, in one sense is to say, based upon
the different scenarios of whether there is electronic transactions being
performed or not, how would you deal with providing a framework for protecting
patient health – protected health information or health information in each
case? You know, obviously, you’ve got students. You have faculty and family
members, and, in each case, you almost have to do an analysis of where
electronic transactions are performed, where they are not being performed and,
in each case, how do you guarantee that there is going to be appropriate
protections put in place. I think your second recommendation sort of says,
well, we don’t do electronic transactions. You have a varying standard, which
was really not intended.

MS. KNOBLAUCH: Well, I would agree with that, but the way HIPAA is written,
if you don’t submit electronic transactions, you are not a covered entity. So I
wanted to point out that there are some university health services that don’t
submit electronic transactions, but, yes, HIPAA would be much easier for all of
us.

MR. HOUSTON: Would it be helpful to sort of have an analysis of – you know,
based upon the different scenarios, how would we ensure that appropriate
protections are put in place, whether it be FERPA, whether it be HIPAA, whether
it be something else, but, clearly, I guess my point is is that the federal
government has felt compelled in each case to put regulations in place to
ensure that either health information or student information is, in all cases,
protected, so – or as much as possible. So I guess that is an issue that I see.

DR. HARDING: Ms. Dozier, are you aware of any specific – any occasions or
any trends in the reporting of public-health information that shows that HIPAA
has caused or affected that at this point or is it theoretical at this point?

MS. DOZIER: No, it is not theoretical. There has been a great deal of
confusion about public-health reporting. I think that it has definitely gotten
better of late, but we are still encountering situations where states who were
previously reporting certain conditions to the CDC, and did not have state
reporting laws felt like they were no longer able to report to the CDC once the
HIPAA compliance was required.

We are still battling that hurdle on an actual program-by-program basis
within the CDC, and our letters and communications in education programs with
different states within our tracking systems have been helpful, but we have
several situations that we are still having ongoing discussions with states or
local health departments.

DR. HARDING: The interpretation is that they are not allowed.

MS. DOZIER: That they cannot – that they – yes. In an absence of a specific
reporting law that they cannot provide us with that information.

DR. HARDING: And then have you asked for clarification on that?

MS. DOZIER: From the state health department?

DR. HARDING: Well, to HHS or the Office Civil Rights or any other –

MS. DOZIER: Yes, I think that we are very clear on what the situation is.
The problem is educating the state and local health departments.

DR. HARDING: So the law is clear. It’s the educational component that –

MS. DOZIER: We feel like it’s very clear. There’s confusion on the other
end, as we can see.

MR. ROTHSTEIN: At our hearing in November on the issue of public health, we
did hear quite a bit of testimony about the problem, not only of permissive
disclosures, which you are alluding to, but also even required disclosures and
a reluctance on the part of some reporters to make the disclosures because they
thought, erroneously, that it violated HIPAA, and that is one of the things
that this subcommittee is considering.

The other thing that we are considering and heard specific testimony about
was the immunization issue, and the problem that it places on schools and
school nurses having to get authorization, et cetera, and so this subcommittee
is aware of that.

Dr. McGrath, I wonder if you could take us through the mental-health issue
that you raised earlier. I’m clear on the first two issues that you called to
our attention, the immunization one, certainly, and the treatment one. Just as
an aside, as to the treatment issue, I think I would like to explore with my
colleagues the issue of whether it would qualify as – if a nurse, for example,
routinely or even periodically gives injections of some sort to a child or oral
medications or anything, whether that would qualify under the treatment
provisions of HIPAA, and where there is treatment, even if it is performed by a
non-covered entity, disclosure of protected health information for treatment
purposes does not require an authorization, but, in that context, it is
something that I am not clear on, and it’s maybe something we need to take a
look at, but could you go through the mental-health issue that you raised? I
want to be certain that we understand your concern.

DR. MC GRATH: Okay. Well, let me start by saying I am not a lawyer.

MR. ROTHSTEIN: A lot of people preface their remarks for us with that
statement.

(Laughter).

DR. MC GRATH: But one of the areas of concern for schools – and I’m sure you
are aware – is that the growing number of students who have mental-health
treatment outside of school, either in residential treatment or psychiatric
hospitalization, their return to school generally really requires some
integration in terms of behavioral supports that might have been recommended,
especially medication, and, in my experience, frankly, one of the biggest ways
in which students’ treatment tends to sort of fall through the cracks is that
children who have been in psychiatric hospitalization, many of them also come –
in many cases, they are in foster care or the care from their parent – their
parents may have varying degrees of organization in terms of helping their
child transition back into school.

So one of the ways in which things get dropped through the cracks is it –
prior to HIPAA, prior to the implementation of HIPAA, it was possible for a
school nurse to receive a discharge summary of a child who had been in a
psychiatric hospital or residential treatment that would outline what the
treatment recommendations are for that child, and the nurse would know what
medications they are supposed to be on, what behavioral supports are supposed
to be put into place and could help manage that transition.

Now, it is my understanding, that the discharge summary can only really be
given to the parent. I understand the – you know – that point of view. However,
it is not always possible for then the school nurse to get the discharge
summary from the parent and to ensure that the child has a smooth reentry into
school. That make sense?

MR. ROTHSTEIN: Richard, do you want to comment on that?

DR. HARDING: Well, I would think that it would be much more – even more
complicated, because you have parents who want to wish it away and say that he
was suicidal a week ago, he had four days in the hospital, and let’s just kind
of get him back into school and let nobody know, and, therefore, it’ll be like
it never happened, or some parents who want to gather around all the troops and
get as much help as possible, and then that is a parental decision that can
leave a nurse dangling with someone who had attempted suicide four days ago,
who now is back in the school without knowledge from anybody in the school.

MR. ROTHSTEIN: On the other hand, might it not also be the case that you
have a child who does have some sort of behavioral or mental-health problem,
maybe not of the dimension that you are talking about, and the parents are
legitimately concerned about stigmatization, about the fact that mental health
and health information in general may not be separated from other information,
and that may become a self-fulfilling prophecy in terms of the teachers who
would have access to this information, and for very legitimate reasons might
decide, you know, I think we are doing an effective job of caring for that
child at home, and – you know, in the private healthcare setting – and there’s
no point in notifying the schools. No good could come of it.

Dr. Cohn, did you want to comment?

DR. COHN: Yes. I just had a question about that, because I think you are
bringing up an issue that I am sort of – back of my mind as I’m listening to
this, and maybe this is really a question for Ellen, just because I’m – you
asked an earlier question about sort of the commingling of records under FERPA,
and just to make sure I understand how this might play out, the educational and
the medical records are potentially commingled under FERPA. A student may have
some sort of a medical problem or otherwise comes back to school, that
information is communicated or put in that record, and then the student, later
on, applies to go to another school, applies to college, applies to wherever.
Now, does that – that becomes part of the permanent medical record – permanent
record for the student, correct? Since he is available for sort of that –
evaluation at that next stage. Am I missing something here?

MS. CAMPBELL: It could be that way. Under FERPA, there is no such thing as a
permanent record. School can not have records, have records, throw them away
once they have them, and there’s no requirement that they be commingled or that
they be separated, and, again, they could have their own local policy that we
are going to separate these records.

Now, one of the exceptions to the general-consent rule under FERPA is school
may transfer information to a new school that the student is seeking or
intending to enroll, whether it be college or another high school. That is a
permissive disclosure. The original school may or may not disclose everything.
Sometimes they don’t disclose anything because the parents owe them money. It
is up to the local school.

We have a new requirement under No Child Left Behind that says the states
now have to have in place a procedure for transferring disciplinary records.
That is the only requirement, because a lot of times you have a problem,
children going from one school to another. The new school doesn’t know about
the problem. So that requirement is there, but that doesn’t – there is no
requirement that they disclose medical records or other education records.

DR. COHN: Okay. Can I just ask Jane – I mean, should we be concerned? I
mean, obviously – I’m a physician like you. I mean, is this a – we obviously
want people to have the information they need, but is there an issue here?

DR. MC GRATH: And I think that is why we have both recommendations from the
American Academy, that we include the school nurse, so that we can have
appropriate sharing of information and so, for example, things like medication
are properly continued across time, but, at the same time, we need to have more
stringent requirements for schools in regards to health information, and I
think we need to address, as well, the issue of what happens when a child does
transfer and what happens to that medical record and how is it transmitted.

You know, there’s a concern about, for example, your child’s sports physical
form, which, you know, all of us who are parents have had filled out. Where
does that go? And, you know, what dusty locker in the gym does your child’s
medical record end up in?

So I think there are a lot of concerns, but I think if the goal is to
improve communication – I mean, school is where children are during the day.
They spend more active awake time in school than they do anywhere else, and
it’s critical that the school be able to respond appropriately to your child’s
health needs. At the same time, the school needs to be responsible in the same
way that a health-care provider agency is responsible about how that
information is kept and shared.

MR. HOUSTON: I guess I’m still struggling. Where do the changes need to be
made? It almost appears like there’s a bigger issue with regards to FERPA and
the way that FERPA deals with medical information and making sure that it’s
appropriately managed through FERPA, and that there is some type of linkage
between FERPA and HIPAA that sort of makes sure that some of these unintended
consequences with regards to communication of information don’t occur, but it
really sounds to me like we’re still – sounds like we are still dealing with
predominantly a FERPA issue, from my simple understanding of this, and I
apologize if I’m missing things, and I guess then, at the same time, I’m sort
of questioning – because our purview is really the Privacy Rule under HIPAA is
what really needs to be changed under the Privacy Rule. Assuming that FERPA
were to deal with these issues more appropriately, how does the Privacy Rule
need to change? And I guess – I’m stuck with exactly what do we do to the
Privacy Rule to make it work, knowing that FERPA maybe needs to be improved.

MR. ROTHSTEIN: Well, I have a sort of a related question. While we are
struggling for the – I mean, there is clearly an overlap in practice in many
areas, certainly, in the college area, and we need to get a handle on the
constraints that we have, the jurisdictional constraints of the statutes so we
know what is fair game for changing by regulation and by whom and what needs a
statutory amendment and the like.

Ms. Campbell, is there a federal advisory committee on FERPA?

MS. CAMPBELL: No, sir.

MR. ROTHSTEIN: There is not.

MS. CAMPBELL: No.

MR. ROTHSTEIN: Have there been any reports issued that might help us dealing
with medical records under FERPA? I mean, has this issue been studied by the
agency, by Congress, by IOM, by GAO, OTA, somebody?

MS. CAMPBELL: To the best of knowledge, no.

MR. ROTHSTEIN: Really? Okay.

So, basically, you’re telling us we are on our own. (Laughter).

MS. CAMPBELL: Well –

MR. ROTHSTEIN: Yes, okay. We’ve been there before. (Laughter).

DR. COHN: I was going to say, obviously, we’ll be hearing from others after
our break, but I guess in all of this stuff I’m wondering whether the issue of
asking OCR to get more involved in working with the Department of Education to
sort of figure out how all this plays together –

SPEAKER: Or even the CDC also, I mean –

DR. COHN: Well, I don’t know. I’m not sure the – I mean, yes, the CDC has
issues, but I hear they are more educational issues almost than anything else,
but you’re right. Maybe the CDC is a player in this, though, certainly, OCR is
part of the U.S. Department of Health and Human Services. So, hopefully, they
represent CDC interests, but it sounds to me like there is a need to sort of
figure out how all of this comes together. Obviously, the questions I was
asking were about –

MS. CAMPBELL: Well, I would like to point out that we worked with the
Department of HHS over a year ago in developing – respective websites on the
intersection, and it’s still in clearance in HHS. So we are pursuing our own
guidance, and we’ll be putting that up on our website shortly.

MR. ROTHSTEIN: Okay. Thank you. Well, that is helpful.

Gail Horlick.

MS. HORLICK: Yes.

MR. ROTHSTEIN: Are you with us? Do you have any questions?

MS. HORLICK: No, I don’t. Thank you.

MR. ROTHSTEIN: Okay. Any questions here? John.

MR. FANNING: I don’t have a question, but I would like to provide the
committee with some information about privacy-policy thinking in light of Ms.
Dozier’s explanation of the study of autism.

All privacy-policy inquiries over the years have supported the use of
personal information for research and statistical purposes with identifiers
without individual consent.

Now, they have typically required, as a condition of that, that there be
careful analysis of the need for the information in advance and that there be
an absolute prohibition on the receiver of the record against use of the record
for anything but a research or a statistical purpose. Okay?

The Privacy Protection Study Commission in 1977 explicitly recommended that
FERPA be amended to permit disclosure for research and statistical purposes.
Okay?

That said, the public is not as understanding of this use of information as
are the policy people who inhabit these committees, studies and commissions,
and surveys do show that a very high proportion of people do want to be
consulted before their records are used for research.

MR. ROTHSTEIN: Thank you for clarifying that.

Kathleen, do you have any questions?

Well, thank you very much to our panelists, and we will stand in recess for
15 minutes, and take a break and we’ll have Panel No. 2 begin at 10:15.

(Brief recess).

Agenda Item: Schools – Panel 2

MR. ROTHSTEIN: I want to welcome you back to our second panel on the issue
of schools and HIPAA, and we have three witnesses today, and I would like to
take them in the order in which they are listed on the agenda, if that is okay
with you, and we’ll begin with Mr. Thomas Hutton.

MR. HUTTON: Good morning Chairman Rothstein and subcommittee members. My
name is Tom Hutton. I’m a staff attorney with the National School Boards
Association. I’m here on behalf of NSBA and also its Council of School Attorneys.

NSBA is a non-profit federation of 49 state associations of school boards,
along with the boards of education of the District of Columbia and Hawaii and
some other U.S. entities, and COSA is an NSBA membership program that serves
over 3,000 attorneys who represent public-school districts, state boards of
education, associations and community colleges.

Dr. McGrath mentioned that she was not a lawyer, and I am here to sort of
express the opposite – I am not a health authority. I am just a plain, old
lawyer, and so my testimony will be a little different, perhaps, from the
others that you’ll hear this morning.

The fact that NSBA and the Council of School Attorneys are not specifically
healthcare focus groups is perhaps a useful context for the subcommittee to
bear in mind as it weighs how it can sort of further the intent of HIPAA with
respect to K-12 education from the perspective of people who aren’t focused
mostly or solely on healthcare issues.

I want to start out by saying that DHHS is to be commended for recognizing
that HIPAA’s privacy regulations should not disturb or overlap the existing
complex privacy regime governing public school education records under FERPA
and, significantly, the many state privacy laws that are out there as well.

Schools do take their privacy obligations seriously, at least if the volume
of inquiries we received about school obligations under HIPAA are any
indication. We continue to receive a great many inquiries about HIPAA, and, as
you know, there is a good deal of confusion. I’ll pick up on comments from
earlier this morning that there is a great deal of confusion persisting as to
school privacies under HIPAA and where that intersection with FERPA occurs. One
state department of education reportedly has counseled school districts in the
state to await further federal guidance before expending precious time and
resources on HIPAA compliance strategies because there is a significant degree
of uncertainty out there.

I also think it is important to just get back to my point about sort of the
non-focus entirely on health things. It bears keeping in mind, I think, when we
are talking about the challenges facing K-12 education and school attorneys
that the context in which they are operating right now is just fully dominated
by the challenges of complying with the No Child Left Behind Act and the
conditions which the act was enacted to address, and that is important when we
are considering ways in which we can foster further privacy protections and
that kind of thing to bear in mind that the full system from top to bottom –
and you’ll hear this from the state departments of education, and the U.S.
Department of Education is so focused on this myriad of challenges that they
are contending with that one more sort of federal regulatory approach is going
to be difficult for the system – I don’t mean to say that to sort of whine and
say, oh, don’t do anything and that kind of thing, but I think it’s important
to bear in mind as you consider recommendations.

In June of 2003, NSBA initiated a dialogue with the Office for Civil Rights,
which we understood was in the process of developing some frequently-asked
questions – I think it was alluded to earlier this morning – for schools, and
we have been engaged in that process now for several months. The FAQs have not
been forthcoming yet. They are eagerly anticipated by school attorneys and
other school officials.

Not surprisingly, NSBA’s object so far – and school attorneys have been – it
is kind of ironic that the advent of HIPAA has sort of caused a lot of K-12
people to look at FERPA like an old friend. Confronted with this new whole
regulatory regime, all of a sudden FERPA seems kind of familiar, and so there
has been sort of a sense, I think, that, well, we would like as broad a FERPA
exception to HIPAA as possible, because it is sort of what we know, and rather
than sort of impose this new system on us let’s go with what we know, and also
to the extent that there is a lack of clarity between how the laws intersect,
that is an understandable reaction also to sort of cling to let’s just go with
the familiar and not have to deal with multiple conflicting requirements.

I don’t have time, probably, to go through all the minutia in my written
testimony, but I did want to highlight a few areas that school attorneys think
could use some real clarification.

I have also appended an attachment like Dr. McGrath did to her testimony
which sort of lays out a whole lot of commentary and questions that we received
from the field during the process of sort of trying to collect feedback for
HHS.

Let me acknowledge that some of the questions we are flagging may have been
addressed by HHS or perhaps can be discerned with some diligent research and
analysis, but I think it is instructive to the level of confusion – to relay
faithfully the kinds of things that are being asked and put out there, and if
you are looking for somebody to sort of relay uncertainty, I’m your guy,
because the time that I spent going into HIPAA and FERPA, I feel like I can
represent very faithfully the degree of confusion that is out there in the
field.

One thing that we were impressed with very early on when we started
collecting feedback was the wide discrepancy of people’s understandings about
what HIPAA meant for K-12, and there are states that have basically told school
districts, well, you have FERPA. HIPAA doesn’t apply to you, and all the way to
the opposite extreme where we hear school districts retaining very costly sort
of consultants to help them revamp their entire system of everything based on
HIPAA, and then you have sort of the range in the middle where people are
recognizing that. In fact, HIPAA has implications for K-12. There is a FERPA
exception that is pretty significant for schools and trying to weigh that a
little bit more carefully.

One of the issues that is important, from our perspective, to get more
clarity on is covered-entity status. Just as an aside, we note that there has
not been a lot of attention to the role of schools as healthcare
clearinghouses, which is one of the three covered entities. It is usually K-12
schools are looked at as maybe falling into one of the other two, but, in some
instances, larger districts function as a healthcare clearinghouse for smaller
districts that don’t have the same capability of, for example, of seeking
Medicaid reimbursement. So that area, we recommend that if there is additional
guidance forthcoming from HHS it be addressed.

There is also – in our discussion with HHS, we have been told that they are
viewing a distinction sort of between the employees of the school district and
the school district itself as to covered-entity status. I can tell you that
based on the analyses that we have seen out in the world and school lawyers,
that concept is not readily sort of appreciated by the whole field. It is sort
of seen as the school district is the entity, whether it is a covered entity or
not, and not sort of a distinction between whether the healthcare clinic at the
school or the nurse is a covered entity as distinct from the district. So if
that is, indeed – that informs the analysis of a lot of other issues that we
have raised here, and if that is the case, then that clarity on that issue is
important.

The largest issue, of course, is the extent to which the education-records
exception for FERPA – what the implications of that fully are for a school’s
obligations under HIPAA.

We have had a lot of discussion on that among school law communities, and,
again, even if we have gotten away from the notion that HIPAA doesn’t apply to
schools at all, the extent that the FERPA exception addresses the world of
records that are relevant and sort of eliminates any PHI on behalf of the
school, you sort of end up at the same place, and there is a great deal of
confusion out there about whether, in fact, all of our records fit into the
FERPA education records, and, therefore, we don’t have any PHI and we don’t
have any implications under the HIPAA Privacy Rule.

There is also a long list of the exceptions to FERPA education records and
how HIPAA plays into those things, oral communication or information gleaned
from first-hand observation; the issue of sole-possession notes, which was
addressed earlier; law-enforcement records; records pertaining to student
employees. There’s an awful lot of sort of confusion about – I’ll throw out one
example. The sole-possession notes, there’s a lot of analysts that have said,
well, the same rationale HHS used to exclude the records of certain adult
students from HIPAA’s privacy rules sort of applies to these sole-possession
notes that schools have. So wouldn’t it be the same thing there? And you see
commentary back and forth on that.

Another issue that is out there that I haven’t seen much commentary on from
either HHS or the Department of Education is a Supreme Court ruling in 2002 in
Owasso v. Falvo, which basically suggested that the definition of education
records under FERPA is much narrower. There hasn’t been any followup to that to
sort of give us clarification, but the Supreme Court basically said that they
envisioned education records under FERPA being maintained by sort of a central
custodian of the schools, which is not necessarily the way that it plays out in
a lot of school districts, and, in the absence of further clarity about what
the Supreme Court meant by that. That sort of potentially throws a great deal
of uncertainty into a school’s understanding of the extent to which the
education-records exception under FERPA gets them out of different HIPAA
implications.

Medicaid billing is probably the longest list of questions in our appendix,
whether billing from Medicaid – I think Ms. Dozier mentioned this morning, that
it may have implications for the Transactions Rule, but does that also have
implications for the Privacy Rule? And there’s a great deal of uncertainty
about that issue out there and whether – Okay. We have to do the Transaction
Code Sets – that we understand – but do we also have to deal with all the HIPAA
privacy complaints, by virtue of the fact that we are billing for Medicaid
reimbursement?

There has been a good deal of discussion about whether all the ancillary
sort of administrative obligations about assigning a privacy officer and all
those kinds of things apply to a school that either does not have PHI –
protected health information – or that does not use or disclose PHI in a way
that would trigger HIPAA privacy obligations, and so there is a great deal of
confusion on that issue as well.

School nurses and school health clinics, I alluded earlier to the
distinction between whether those are the covered entities or the schools are
the covered entities, but there is also a constellation of issues around
whether the school nurse is an employee of the school district or perhaps a
county department of health who is in the school and does that have
implications for whether it is actually the school board or the county
department of health that is a covered entity with HIPAA obligations, and you
see a lot of discussion about that issue as well.

The immunization issues were already flagged this morning.

Drug and alcohol testing is another issue that is out there, and because
there is a lot of sort of attention to that politically right now, that could
be a looming one.

Other speakers here are more capable of addressing some of the complications
that have arisen with respect to dealing with third parties and whether school
nurses and school officials can get information from outside physicians and
that kind of thing, but that is – we get a great deal of feedback from people
saying that is an issue.

So our sort of message, by and large here, I am not prepared to weigh in to
discussions that you had in the first panel about, well, we’d be better off
just having HIPAA or we’d be just better off having FERPA. I can just invade –
the plea from the field, from local communities that we hear is just clarity
about where one ends, where one begins, not having three systems of privacy
regulations, but having one and sort of sorting that out for us.

As I said, the field has been waiting eagerly for the FAQs that were to be
coming out of HHS. We have a few recommendations aside from sort of the
substance of the issues that I flagged, and one of them – it was very positive
to hear Ms. Campbell say this morning that, in fact, the Department of
Education is sort of taking a look at the HIPAA things, because that was one of
our recommendations that we are not privy to the degree of collaboration that
has occurred between the departments, but, from the local perspective, you sort
of have a silence from the normal sources of your information, which is the
Department of Education at the national level, and then your state department
of education, and it doesn’t seem like there’s a coordination of information
about where HIPAA ends and where FERPA begins for schools from the normal
sources of information they have for the department. So to the extent that
there is collaboration and the information is being put down through the
Department of Education and the state departments of education, that can help
clear a lot of the uncertainty up more quickly, from our perspective.

I will be happy to answer any questions. I rather suspect I may have more
than the subcommittee, but the bottom line for NSBA and for the Council of
School Attorneys on this kind of issue is as you go forward with making
recommendations to the department that there is – really where we are in terms
of the local level of understanding of what is entailed here is perhaps several
steps back from what you heard from the panel earlier this morning, and that is
important to bear in mind as you deliberate on how best to help K-12 schools
fulfill their obligations under the act.

Thank you.

MR. ROTHSTEIN: Thank you very much, Mr. Hutton.

Our next witness will be Ms. Schwab.

MS. SCHWAB: Thank you.

Good morning, Mr. Chairman and members of the subcommittee. My name is
Nadine Schwab. I am representing the American School Health Association – which
is an interdisciplinary school-health organization – as an expert in
school-health issues related to privacy, confidentiality and student-health
records. As an aside, that means I am an expert in practice, complexity and
confusion, not on HIPAA or FERPA, per se.

Thank you for the opportunity to testify on the impact of the HIPAA Privacy
Rule on schools, in particular, its impact on school attendance, student safety
and learning and parent-school-physician communication.

In preparation for this hearing, I solicited and received within the past
two weeks current information from American School Health Association leaders,
as well as state-level nurse consultants from state departments of public
health and education and school nursing leaders across the country.

The issues I will address are those with significant negative impact on
student learning and health and on the resources of families in public schools.

We believe these negative outcomes are due primarily to misinterpretation of
the regulations and inadequate guidance, not to the regulations themselves.

Before addressing those concerns, it should be noted that HIPAA has had a
positive impact on school-based practices related to records and
confidentiality, albeit small and mostly indirect; that is, through the
questions, diverse opinions and conversations that it has generated.

Many school health leaders welcomed the HIPAA privacy standards, and,
indeed, had hoped that they would apply to health records of children and youth
in schools, in order to ensure consistent minimum standards and practices
across settings and to clarify conflicts among laws as alluded to by Attorney
Hutton.

FERPA was enacted before children with significant physical, developmental,
behavioral and mental-health conditions attended school and before schools
became providers of a wide variety of health and mental-health services in
order to support student learning.

Even today, records, including third-party medical or psychiatric records,
as a subset of – I’m sorry. FERPA does not address student health records,
including third-party medical or psychiatric records, as a subset of education
records, nor does it provide sufficient direction for appropriate protection,
disclosure and use of these health records within the primary and secondary
schools.

Now, I return to the impact of the HIPAA Privacy Rule on schools, students
and families. First, and foremost, students are still being denied attendance
in school and parents are losing time from the workplace because physician
offices and clinics refuse to share immunization and mandated
physical-assessment information with school nurses or other school officials.

Despite the fact that these health requirements – that is, immunizations and
periodic physical assessments and screenings, such as tuberculosis screenings –
are driven by public-health policy and constitute the only real barriers to
school attendance for most children. State public-health officials have
generally not interpreted such information to fall under the public-health
exceptions to the authorization requirements of the Privacy Rule. Furthermore,
they have not included school nurses or school physicians as extensions of the
state and local public-health system, despite the fact that these school-health
officials have traditionally been considered public-health professionals, are
generally the school officials responsible for school district compliance with
public-health mandates, and are expected to report to public-health authorities
communicable disease data and related problems – de-identified data – that
occur in the school communities as required by state law.

Where school nurses and physicians are not considered an extension of the
public-health system and where states have not enacted a law to circumvent
these problems or issued specific guidance to the contrary, which is still the
majority of states, HIPAA authorization is required for physicians and clinics
to share mandated immunization and physical-exam data with schools. This
negatively affects schools, students and families as follows:

Public schools are in a difficult position when they are both prohibited
from denying children access to school and, at the same time, are required to
deny them access if they have not complied with the public-health mandate.

Further, there is a significant drain on school-district resources when
students lose time and miss instruction in the classroom and when
school-health personnel spend significant portions of their time in tracking
public-health mandates, rather than providing student support services,
especially when paperwork, not the students or the public’s health, is at
issue.

In many instances, it is the paperwork – the right form and getting it to
the school in a timely fashion – that are the problems. Many physician offices
and clinics now refuse to fax the state-mandated immunization or physical-exam
forms to schools, a past practice which allowed students same-day entry into
school, and many will not accept parent-signed school authorization forms for
the release of that information, even if our forms meet the authorization
requirements of HIPAA. School personnel must then spend considerably more time
in communicating with parents and convincing them to retrieve the form from
their physician and hand-deliver it to school.

Students, above all, are negatively impacted by these HIPAA-related
communication problems when they are delayed in starting or prohibited from
continuing in school. It can be disastrous for our most vulnerable students who
can least afford time away from the classroom and learning. These are often the
same students whose families have the least resources available to learn about
and comply with the requirements of these various laws and the paperwork that
goes with them. Students suffer the consequences.

Families, too, are negatively impacted by the lack of clarity and
misunderstandings related to permissible communications between schools and
healthcare providers about these mandated health requirements for school
attendance.

Many parents have been told that their oral, over-the-telephone or faxed
authorization to allow the child’s healthcare provider to release their child’s
immunizations data to school nurses is insufficient and that they have to drive
to the provider’s office, sign the provider’s form and hand deliver the
immunization record back to the school themselves.

Some providers have refused to accept a faxed authorized form for release of
immunization data to school even when the authorization was executed by the
parent on the provider’s own form.

These reported incidents have happened all over the country and are still
happening. For example, one state consultant reports in remote parts of the
state where physicians are scarce or non-existent, parents have been required
to drive hundreds of miles to the doctor’s office to pick up, in person, their
child’s immunization records. Others report different, but equal impediments to
school-provider communications within suburban and inner-city communities. Some
families do not have phones, drive cars or understand English, and many single
and working parents can ill afford absence from their jobs, especially to taxi
HIPAA-compliant forms and immunization records around town or country because
providers refuse to comply with their request to fax to their child’s school
immunization or other health information mandated by law. Better they save
absent days for times when their children are truly ill and need to be cared
for at home.

It is critical that we remove these artificial barriers to school attendance
and necessary communications between schools and healthcare providers. These
barriers can be eliminated through guidance to state health departments and
providers clarifying that:

One, school nurses and physicians should be recognized as public-health
professionals and extensions of their state’s public-health system, regardless
of whether they are employed by school districts, health departments or other
healthcare agencies.

Two, that school nurses should be included among the healthcare providers
who can access and contribute to state immunization registries.

Three, that release to school nurses and physicians of records demonstrating
compliance with state-mandated health requirements for school attendance is
permitted under the public-health policy exception to the Privacy Rule’s
authorization requirements.

And, four, that immunization data may be faxed from a HIPAA-covered entity
to a school.

The second major area in which HIPAA-privacy regulations continue to have a
serious negative impact on schools, students and families across the country
relates to communications between healthcare providers – that is, physicians
and clinics – and school health professionals, but not only school nurses and
physicians, also other school health professionals – physical therapists,
occupational therapists, speech-language pathologists, clinical psychologists
and school psychologists – regarding the health-care treatment of children in
school who have acute and chronic-health and mental-health conditions.

There are large numbers of students today who need special healthcare
services during the school day for medication administration for asthma,
anxiety, depression or anaphylaxis to feedings by gastric tube, oxygen
administration, IV therapy, respirator care, physical therapy, mental-health
counseling and specialized behavioral-modification programs.

School health professionals – for example, school nurses – cannot administer
many of these treatments without a medical order from the healthcare
prescriber. In order to meet safety standards and licensure requirements in
nursing practice and to protect clients, nurses must be able to communicate
about an order directly with a prescriber to question the order, explain
school-setting issues that may affect the prescriber’s judgment about the
order, report adverse and therapeutic effects and so on. It is under the state
licensure laws that these communications for treatment purposes were previously
assumed permissible and desirable that have now been shut off by
interpretations of HIPAA.

Based on their interpretation of HIPAA, many physician offices and clinics
now refuse to discuss with the school professional the medical order they are
asking that same professional to administer. Many school health leaders report
that healthcare providers cannot disclose treatment information to school
health professionals because schools are not covered by HIPAA. This situation
is extremely hazardous to schools, students and families for the following
reasons:

Schools are negatively affected because their personnel are being asked to
deliver services to students without adequate communication with the healthcare
providers who are prescribing the treatment or care. This interferes with the
ability of those professionals to meet minimum standards for the care and
safety of their client.

While schools can and do pursue authorization for such communications,
sometimes there is a significant delay between the expected implementation date
of an order and the date when an authorization form is executed and accepted by
both the school and prescriber – executed by the parent and accepted by both
the school and prescriber.

Sometimes, usually in contentious situations, parents refuse to sign such
communication requests, yet expect school health professionals to follow the
medical orders of their child’s physician.

Students are placed in significant jeopardy when prescribers and health
professionals in schools are not communicating and collaborating about the
healthcare treatments that are expected to be provided in school.

Delays in or lack of communication regarding healthcare treatment can result
in delayed treatment, treatment errors and poor care, all of which are likely
to negatively impact the student’s health status and learning in school.

Sometimes, students may be kept out of school until authorization is
completed for communications regarding treatment orders.

Families are also impacted when their children are denied appropriate care
because of these inadequate communications.

And, once again, parents should not need to taxi HIPAA authorization forms
from physician office to school before a treatment order can be implemented for
their child.

To remedy this problem, guidance is desperately needed to clarify whether
healthcare providers who are covered entities can disclose protected health
information for treatment purposes using the minimum-necessary standard to
school health professionals or other school officials in schools covered by
FERPA.

To clarify whether HIPAA-covered entities can accept the written and signed
request of a parent to disclose certain health records to their child’s school
for educational planning purposes, if that request is on a school-disclosure
form, rather than the covered entity’s own form, even if it has – but if it has
all the HIPAA-required elements of a valid authorization form and to clarify
whether HIPAA-compliant entities can fax authorization forms and health
information to schools and under what circumstances.

There are many other areas at the HIPAA-FERPA interface where healthcare
providers, schools and school-health professionals need additional guidance.

For example, is it true that schools engaging in the electronic transmission
of student health data for Medicaid-billing purposes are required to meet the
requirements of the Security and Transaction Rules, but not the Privacy Rule?
While that is the response many of us heard at the OCR National Conferences on
the Privacy Rule last year – at least in regard to the Transaction Rule –
differing opinions on this issue remain rampant and states are grappling with
the answer one by one.

If that statement is true, is the school district required to keep a
duplicate set of records for Medicaid, HIPAA privacy or other reasons?

Finally, I wish to offer one additional suggestion which would require
long-term collaboration between the U.S. Departments of Health and Human
Services and Education.

In reality, school health records, including any third-party medical or
psychiatric records, should be afforded the protections due both education and
medical records. Therefore, many of the implementation problems related to
schools might best be resolved if FERPA could be updated to be more consistent
with HIPAA and more directive in identifying minimum privacy standards for the
use and protection of student health information, including oral
communications, the minimum-use standard, staff training and enforcement
requirement and related security.

Consistent standards across settings would enhance the privacy,
confidentiality and security of student-health records, improve district
practices and promote trust, communication and collaboration among families,
schools and healthcare providers.

Thank you.

MR. ROTHSTEIN: Thank you very much for that testimony, and I know we’ll have
questions for you as well.

And our final witness on this panel is Martha Dewey Bergren.

MS. BERGREN: Thank you.

Good morning, Chairman and members of the subcommittee.

I am Martha Dewey Bergren, Clinical Assistant Professor at the University of
Illinois, Chicago, College of Nursing. I’m nationally certified in both
informatics and school nursing and have followed the development of HIPAA
regulations and its impact on school nursing since its inception.

I am the Co-Chair of the HIPAA Advisory Committee to NASN, and I represent
the National Association of School Nurses today and over 10,000 grassroots
school-nurse members who have sent me many comments and emails which I will
share with you today.

As you know, education records are exempt from the HIPAA Privacy Rule and
school health records are educational records and protected by the Family
Education Rights and Privacy Act.

School nurses have several responsibilities to school children in their
families that have been affected by FERPA, by HIPAA. To protect citizens from
preventable communicable disease that causes morbidity and mortality, schools
have, over the century, successfully enforced public-health mandates by
requiring proof of immunizations for school entry.

School nurses act as case managers and provide treatment and health
monitoring that allows medically fragile and chronically and acutely ill
children to be educated in the least restrictive environment as mandated by
IDEA.

Children in schools have the same diagnoses, treatments, healthcare needs
that you all see in acute-care facilities. Treatments for children in schools
include suctioning tracheotomies, urinary catheterization, monitoring ventilator
settings, administering gastrostomy feedings and administering very complex
medications to a wide variety of children with chronic illnesses.

And one thing that I did want to point out also is that school nurses are
frequently responsible for the zero to six-year age group prior to
kindergarten, and that the records of those children also contain a lot of
family-health information – for instance, maternal labor and delivery, use of
alcohol, drugs, et cetera, during childbirth – as assessment information that
leads to why a child is not developing correctly and might need some additional
special education in the early childhood age range.

School nurses also collaborate with educators and primary-care providers to
identify the source of healthcare problems that interfere with learning and to
design individual effective education plans, healthcare plans and emergency
plans.

Nurses also function to enhance the ability of students to attend school and
achieve in the educational setting, and we collaborate with primary providers
to provide a safe and supportive school environment following injury,
hospitalization and illness. We communicate with educators and providers
regarding the child’s health status and whether or not they can fully
participate or participate with restrictions in music, athletics, physical
education and academics.

Prior to HIPAA, primary providers and health departments communicated and
collaborated on all of these matters regularly. It was nothing to pick up the
phone and call a physician and confirm an order, have them fax a clarification
of a dosage that we were not familiar with. Nurses could verify immunization
dates with physician offices and local health departments, get
health-maintenance parameters over the phone and consult with providers
regarding assessments for learning problems.

Since HIPAA regulations, school children have suffered as a result of
misconceptions regarding communication of personally-identifiable health
information with schools. Nurses from all over the country have reported the
refusal of HIPAA-covered entities to communicate with them directly, and this
stack of emails reports the following situations:

Physician offices, hospitals and health departments refusing to honor
HIPAA-complying authorizations initiated by schools, releasing PHI only to
parents and only in person.

Some HIPAA-covered entities will only release information with their
facilities release forms, requiring school nurses to maintain a file of 25 to
30 release forms specific to healthcare providers or agencies.

And, earlier, Mr. Houston asked why would it not be possible to get an
authorization at the beginning of the school year for the children who have
chronic illnesses, and many of these children have seven-eight different
specialists covering their care because of the different systems that their
diseases cover, and frequently parents seek other specialists during the school
year that wouldn’t have been covered in that initial release which is signed at
the beginning of the school year.

HIPAA-covered agencies are refusing to accept faxes or send fax information
to schools, citing HIPAA, and providers are refusing to confirm or discuss
treatment orders, immunization dates, physical-exam dates, activity
restrictions or health accommodations with school health providers.

And how has this then affected students and their families? It is estimated
that thousands of students have been excluded from school due to missing
immunization dates required for school entry or attendance. Students have been
re-immunized when the barriers to obtaining the information are too burdensome
for working parents, rural residents or families who have relocated significant
distances from providers who administered the immunizations. Students have had
to return to school following an illness or injury – have had to return delayed
due to the inability of the nurse to provide treatment without knowledge of the
student’s health-problem restrictions or physician’s orders, and students have
returned to school without needed medication or treatments for their chronic or
acute health conditions.

Parents have missed work to drive or take public transportation to
physically travel to providers, obtain the records and physician orders for
treatment and then re-transport them to school, and parents have also missed
work to travel to school to administer medications or administer treatments
because of the nurse’s inability to obtain physician orders to administer or
have been unable to clarify treatments or doses over the phone or by fax.

One nurse in Illinois estimated that 75 to 100 of 275 students were excluded
and missed school days this year due to missing immunization verification.

Health departments in some jurisdictions have conducted vision and hearing
screenings for schools for years, and, now, since HIPAA, they are refusing to
share the results of those screenings with school officials, so that school
health authorities can provide followup and even accommodate, say, a child with
a vision problem by moving them to the front of the room.

School nurses repeatedly report providers refusing to verify
indistinguishable dates on the documents that provider generated.

Many nurses report that many parents provide reports of physical exams that
are required for school attendance or for participation in athletics or
physical education, but that the date of the physical exam is missing.
Providers who conducted the exam refused to verify the date of the physical
exam, and this is all new since HIPAA.

Restrictions on physical activity, such as no physical education for two
weeks, are sent to schools without the reason for the restriction. One nurse
had a physician order for a child returning to school to participate in
physical education as tolerated. When the nurse called for clarification, she
was told due to HIPAA, the provider could not reveal the child’s health problem
nor what body system it affected – respiratory, cardiac, orthopedic.

There was a situation – and this is just as an example – of a child that
returned to school with a central line, unbeknownst to the school nurse, and
the child was found sitting in an abandoned auditorium because they didn’t feel
well. The school nurse found out about this after the fact, didn’t know that
the child had been admitted to school with a central line.

Some physicians not only require to have the parents come to the office to
pick up the orders, but require the parents to schedule an appointment to
counsel them and thus delay student treatment, attendance and assessments for
education.

One health department in Southern Illinois refused to share immunization
data with schools because immunization data is not for treatment purposes and
not exempt, but stated that the school must share any health information in the
ed record because it was for treatment purposes and did not need a parent
authorization.

And then one situation that I found particularly ridiculous was a school
nurse from Delaware reported that a highly-regarded tertiary medical center,
which cares for many Medicaid recipients and uninsured students, called a
school health office to request that a nurse read a PPD that had been
administered in the facility, but refused to tell the nurse the date and the
time the PPD had been administered, thereby making it impossible to read it at
the 72-hour mark whether the child had a positive or negative reaction.

While some facilities are overreacting to the HIPAA Privacy Rule, many
facilities are aware that they may share health information for treatment, but
are aware also that they are not required to share it without authorization.

Primary providers cite that they are permitted to have more restrictive
information privacy policies than the minimum required by HIPAA, and they admit
to school officials that their office’s stringent restrictions on sharing,
since HIPAA, have greatly decreased the time and greatly decreased the workload
previously spent collaborating with schools on schoolchild healthcare and
immunization compliance.

HIPAA-covered entities frequently cite their inability to share PHI with
schools specifically because schools are not HIPAA-covered entities, and one
facility specifically cited FERPA as not providing HIPAA-level privacy
protection. While HIPAA provides direction to school health providers on how to
protect patient privacy, FERPA does not provide guidance to schools on how to
protect family and student privacy. Schools are left to interpret who has a
legitimate educational interest to access a student’s educational records
without authorization, and including the health records. Some schools interpret
this narrowly and others interpret it quite broadly.

FERPA was written in 1974, prior to the inclusion of medically-fragile or
disabled children in schools and does not differentiate between the voluminous
and sensitive health information and family health histories that are collected
and stored to provide educational and health services.

FERPA also does not address the storage and security of this information in
the school electronic data bases or servers, nor does it mandate
confidentiality training for educators or school health employees.

School districts engage in HIPAA transactions when they electronically bill
for nursing care and other health services in schools. In fact, some states
mandate that schools seek reimbursement for health services.

Health and Human Services sources have stated that education records, even
when submitted as a HIPAA-covered transaction, are exempt from the HIPAA
Privacy Rules, but are subject to the Transaction Rules and Code Sets. However,
this information has not appeared in the form of technical guidance and many
schools have been advised by legal counsel that engaging in a HIPAA transaction
automatically qualifies a district as a HIPAA-covered entity, and, therefore,
subject to the Privacy, Security and Transaction Rules.

And HHS, on direct questioning, has been silent on whether or not the
security rules apply to HIPAA transactions conducted by schools.

There are several areas where guidance and direction is welcome: Written
technical guidance on the submission of electronic transmissions for
reimbursement; an exemption of the immunization records from HIPAA Privacy
Rules in the interest of national public health goals; an exemption of public
screening data collected for the detection of easily-preventable disabilities
that interfere with learning – for instance, vision and hearing; a stronger,
clearer directive to help providers that HIPAA not interfere with the provision
of care regardless of the setting; a stronger, clearer directive that what
constitutes reasonable safeguards when the provision of non-sensitive
information, such as physical exam dates, are requested for school entry or
participation in athletics and academics; a clear, definitive statement that
HIPAA-covered entities shall communicate with health providers, including those
who provide healthcare in schools to provide treatment to clients; a definitive
statement that HIPAA does not bar transmission of PHI via analog fax machines,
and a statement that analog fax transmissions do not qualify as HIPAA
transactions; and one thing that I think is antithetical to HIPAA, in terms of
administrative simplification, including some directive prohibiting the refusal
to honor HIPAA-compliant authorizations. Requiring a school to use an
agency-specific authorization form is not in the spirit of administrative
simplification.

The National Association of School Nurses thanks the subcommittee for
inviting us to testify on the impact of the HIPAA Privacy Rule on the ability
of school nurses to provide quality healthcare to children and to increase the
attendance and educational achievement of this nation’s children. Thank you.

MR. ROTHSTEIN: Thank you very much for that testimony, including all these
examples that you provided.

Strikes me that this panel was a little different from the first panel in
that the first panel raised very complicated issues of construction of the
regulations and the overlap or non-overlap of HIPAA and FERPA or the
limitations of HIPAA or whatever to – just from my very quick reading of your
testimony, I think the statute and the regs are clear and have clear answers to
90 percent of your questions. The issue is how are we going to get the word out
to people, so that they don’t hold up process by saying they can’t accept the
facts or what have you, and so, at least for me, those are the kinds of issues
I would like to explore with this panel.

But I will open the floor for questions. John, would you like to assume your
usual role?

MR. HOUSTON: Yes, thanks. Maybe I am going to make as much of a comment,
too.

I’m disappointed that it seems like there’s epic cues in the system in
guidance that is necessary, and that there is a lot of – a lot of what is
happening, clearly, when I listen to the testimony and read through the
testimony, it doesn’t make sense that it should be this way. It was never
intended to be this way, and it’s troubling to me, and I am also troubled by
the fact that it’s clear from Martha’s testimony that providers are using this
as a reason or an excuse to maybe avoid having to do work that, frankly, they
should be doing, because they are the patients.

I guess one question I do have is – and I think I know the answer, but I’ll
still ask it – is it appears to me, from earlier testimony and your testimony,
that the big hole is still the alignment of FERPA to HIPAA and ensuring that
there are no gaps and that FERPA works well and aligns then to it.

Just, again, any specific recommendations as to what you think needs to be
done within our purviews as well as your thoughts on additional modifications
to FERPA? I know some of it, you touched on in your testimony already, though.

MS. BERGREN: Well, both Nadine and I are actually on a national
confidentiality committee for student health records that has issued some
suggestions on, for instance, separating health records from educational
records, has made some other suggestions to – in terms of policy for protecting
health records in the school setting, creating a higher standard that meets
HIPAA-level protections for health records in schools, a lot of what Dr.
McGrath mentioned this morning.

Nadine, do you want to add to that?

MS. SCHWAB: You just made me think of something that I really need to say.
We can’t really separate health records in schools from educational records
because educators need this information in order to serve students well in
school. So we need to be clear that although a lot of the issues that we have
talked about are with the school health professionals – my boss, for example,
who is the special ed administrator in the school district, she needs that
information to know that we are providing appropriate individualized education
programs for students with special needs. So I just want that as a piece.

MR. ROTHSTEIN: Excuse me, but there might be a difference between separating
the two types of records and limiting access to them. So, in other words, it
might well be that a special ed coordinator would have a legitimate need to
have access to both kinds of records and you could still have them separated,
right?

MS. SCHWAB: And we absolutely agree, and this task force that we are on, the
document that we are working on is actually going to come out with some
guidelines to policy and administrative procedures that school districts could
follow using a lot of the HIPAA standards, you know, as policy.

The problem is that doesn’t necessarily drive those school districts that
perhaps need it the most. It will help those of us who know that we need to be
doing a better job in this area.

I do think that clarification to the field is extremely important, and I
also just want to reiterate that FERPA does not sufficiently address
protections in appropriate use of health records in schools, and that needs to
be taken care of.

MS. BERGREN: One inquiry that I had earlier this year was from a school
district in Southern Illinois that wanted proof that they actually had to have
a locked file cabinet for health records, and I had to research. I mean,
there’s just basic not understanding of – because FERPA doesn’t give any
direction, it just says protect families’ education rights. School districts
interpret that very loosely or tightly depending on what their orientation is,
and I do think that there is more direction needed on protecting health
information in schools.

MS. SCHWAB: Can I just add one thing? On the side of the educators, they –
unless they are special educators, they really have no preparation around
confidentiality, privacy. They don’t understand health records, laws
whatsoever. So they are really functioning from a place where they don’t have
any education about this.

MR. ROTHSTEIN: Do you think that it would be an appropriate subject for
in-service training for teachers? I mean, it used to be, in the old days, you
had your special ed teachers and you had your regular teachers, and, now, with
so many kids with special needs being mainstreamed that it suggests to me that
every teacher needs this kind of training.

MS. SCHWAB: Every teacher, and I think your school administrators need a
great deal more depth in this area than they are getting in their current
preparation.

MR. HOUSTON: But it sounds like a huge void relates to guidance to
providers, covered entities as to what they are permitted to do and the like,
and I think we need to find out what is the status of the FAQs and what is the
depth of the FAQs.

And the other thing I might – let me ask you a question in terms of the
authorizations, because I still think an authorization is still a
hugely-important thing here that – and if there is a way to make it work, I
guess I would think that is one thing we need to try to do, and I guess a
question is is there any interest in or do you think there is any capability to
develop a model authorization that could be supported by whatever association
that could be used to maybe prevent some of this dueling authorization-form
issue?

MS. SCHWAB: We actually have – some of us in some of the states have
developed model authorization forms that would be HIPAA compliant that schools
could use, and in some places and with some providers, that works, but others
are just saying, no, no, we can’t take that. It’s not our form. So, again, it
comes down to needing guidance that, yes, you can.

If there was a model form that everyone would use and just could put their
heading on, I mean, I think that that would help, although I don’t know if
everyone would adopt it.

MR. HOUSTON: I think that some of the stuff that HHS has done with respect
to sort of trying to get resources, FAQs and sample forms and that kind of
stuff to physicians, if there were school-specific things like that, as opposed
to talking about the physicians interacting with the schools, but the schools
don’t have that same level of sort of detailed, here’s an example of – and when
there is still this level of uncertainty about some of the macro-issues out
there, it’s hard to get down to the level of getting those things, because they
are still trying to figure out, well, do we even have to deal with this law?
Are we just FERPA and we don’t have to deal with them?

MR. ROTHSTEIN: Let me ask all of you this question. I know you all are
representative of national organizations and we appreciate your sharing with us
some of the horror stories, if you will, but I want to ask you if maybe you
could share some success stories if you are aware of any. So, in other words,
are you aware of localities or school districts or groups of your members who,
for example, work together with the local medical society or the local
association of pediatricians or whomever to talk about these issues, to get
some programs jointly developed and maybe that we could use as sort of models
or to point to the kinds of things that should be encouraged throughout the
country?

MS. SCHWAB: One of the things that has been done that I think was extremely
helpful was in Massachusetts. The State Department of Public Health actually
issued guidance about the immunization, that public-health-mandated
information, and some frequently-answered questions, which has been very
helpful in Massachusetts, so that Massachusetts providers in schools have that
information to go on. So I would look at that.

I think the Oregon Attorney General just came out with an opinion about the
question of whether or not the schools that were Medicaid billing were not
subject to the Privacy Rule, but were subject to the Transaction Rule, and I
can’t remember what it said about Security Rule, but that was, I thought, very
well done and would be a nice thing for HHS to kind of mirror in a
technical-assistance guidance.

MS. BERGREN: I was told that there are places where things are working well,
but the focus of the search for stories was what is not working, and I could go
back to those people who said that there are some situations that are working
well and just ask what the model was.

MR. ROTHSTEIN: We would very much appreciate that, because we would like to
support those kinds of efforts. I’m not sure what went on there, but we would
certainly like to see the successes replicated elsewhere.

DR. HARDING: Being very cognizant of Mr. Hutton’s comment about not one more
darn thing, please, and then thinking about the 1974 FERPA law that – you know,
it’s 30 years ago, and I remember 30 years ago, and there weren’t the same kids
in school 30 years ago. I mean, it wasn’t – the kids, like the central line,
that would have been an intensive care. It wouldn’t even have been allowed on
the regular unit of pediatrics 30 years ago. So it is a different world, and to
kind of lay things at the foot of a 30-year-old law makes me a little anxious,
I guess, and makes me feel not – I mean, several people said, please don’t mess
with FERPA, you know. That is something that is solid, and we know, we know the
game well with FERPA and HIPAA is complicating things, but it just seems like
it is going to be necessary to relook at FERPA, if FERPA is going to continue
to have its preeminence and so forth.

MR. HOUSTON: I think there may be very compelling reasons why more privacy
protection is needed and more clear sort of communication rules for
student-health information in a sort of post-IDEA world are there. I just throw
the cautionary note out, not to say we shouldn’t even consider that, but just
the context in which it has to be pursued is give it to us in clear form that
we understand, don’t impose another huge level of regulatory stuff, and in the
world of No Child Left Behind, another big federal regulatory thing without
sort of clarity and resources attached is just going to be explosive, and so if
it is thought through well and it actually makes schools’ lives easier, because
it clears up this level of confusion, and there is a lot of administrative
sweat being poured out trying to figure this stuff out.

So, you know, it can be done in a way, I think, that – and the very
compelling connection that is made between the sort of what in some people’s
minds who aren’t in healthcare and in privacy kinds of things are sort of these
esoteric kinds of privacy things, but when you make it to a connection to sort
of a local school-board member about it’s about student health and safety and
academic achievement and all those – then you are speaking their language and
the case is compelling, but it just needs to be made in a clear way, I think.

MR. ROTHSTEIN: Other questions from – Richard.

DR. HARDING: The other part, and it’s something that John Fanning was
talking about during the break and was brought up in your testimony, is that we
have to come to a way to not allow the law to interfere with good patient care.
We can’t allow that, and, you know, you die with your rights on or whatever the
term is.

You know, when push comes to shove, the best thing for the patient has to be
done, and to heck with the law, and that is – I don’t know how to codify that
exactly, because that is a very difficult – and many people would have
different interpretations of what is best for the patient, but somehow or other
that has to come forward. I don’t know how to do that.

MR. ROTHSTEIN: Any further questions?

Gail, are you still with us?

MS. HORLICK: Yes, I am.

MR. ROTHSTEIN: Any questions?

MS. HORLICK: No. No, I don’t have any questions. Thanks.

MR. ROTHSTEIN: Just soaking it all in.

MS. HORLICK: Well, yes, I did want to comment that the Massachusetts memo
that was referred to, the subcommittee actually has. I think I provided that to
you in November.

MR. ROTHSTEIN: Okay. We will dig that out of our files and take a look at
Massachusetts.

MS. HORLICK: I guess one other thing that was going through my mind, you
know, Mark, you mentioned earlier that the rule is quite clear in some places,
maybe about facts or whatever. What we at CDC found helpful was to put together
some Q&As that were either directly from the rule or directly from the FAQs
that were on the OCR website, and just the one or two page memo with something
that could be handed to the providers, and even though the information is out
there, that was helpful with our – the F CNA six(?) visits and maybe something
similar could be tried.

MR. ROTHSTEIN: Well, the kind of thing that I was thinking of was maybe if
the county medical society and the school board would put together a joint
publication that said – you know, dealing with school health issues, and it may
well be that the physicians would give greater credence to a document that was
sort of co-produced, endorsed by an organization of which they were a member,
than to come in and just hand them another piece of paper, either from the
schools or from the government or something like that.

MS. HORLICK: Right.

MR. ROTHSTEIN: I don’t know, and that’s why –

MS. HORLICK: Oh, yes, but either – you know, even just – yes, I can
certainly see that, but something saying that the specific authorization – the
HIPAA-compliant authorization doesn’t have to be on the provider’s own form. I
mean, that would go a long way, if it had the proper credence.

MS. SCHWAB: And I’m not sure that the local or even state provider groups
getting together with schools will do it, because there is not enough guidance
coming – there is still confusion coming down from state departments of
education, state departments of health, et cetera. So –

MS. HORLICK: Well, perhaps they could prepare a document that would be
reviewed by OCRs –

MS. SCHWAB: If we had something – right.

MS. HORLICK: – have the official blessing.

MS. SCHWAB: Then they could adapt something.

MS. HORLICK: Right.

MS. SCHWAB: That would work better.

MR. ROTHSTEIN: Yes, I mean, let’s assume that tomorrow the OCR FAQs
regarding HIPAA and FERPA and schools come out, then some locally-endorsed
statement incorporating that information, and maybe some sort of meeting –
joint meeting to deal with these issues. I mean, just hearing the list of this
just made me sad. There are enough sort of difficult, insoluble kinds of
problems that we have to deal with without problems that shouldn’t be problems,
and they are getting in the way of the education of kids or their health care.

MS. BERGREN: I think that some of the direction – I’m going to echo Nadine –
does need to come from OCR, and the reason that I say that is that fear is
driving a lot of the physicians’ and providers’ refusal to share, fear of the
penalties. It’s per incident of releasing information inappropriately, and in
these small physician practices, they have a very small staff and are in rural
America. They can’t handle that level of a fine and that penalty, and, believe
me, that was hammered in the little session they sent their office manager to
on HIPAA a year-and-a-half ago. You know, believe me, the fines carry a great
weight, and that’s why I think that having some technical guidance specific to
communication with schools from OCR would be very helpful to diminish that fear
of financial penalty and jail time.

MR. ROTHSTEIN: And, of course, one of the things that this subcommittee and
full committee recommended a while ago was that there be a special section on
the OCR website for schools as well as a special section on all other kinds of
issues where you just click on and get the official word on school issues or
you click on and get the official word on law enforcement or whatever the issue
might be, and we are still hoping that may come about in the future.

Any other questions?

Well, I want to thank all three of you for joining us and sharing that
information, and, again, if you have further information that would be helpful
to us – and, personally, what I would like to see is the great success that you
can point to that we can sort of endorse and support. So thank you very much.

Agenda Item: Subcommittee Discussion

MR. ROTHSTEIN: At this point in our agenda, we are going to turn to a
consideration of the three topics that we talked about over the last day and to
try to develop some plans for dealing with them –

MR. HOUSTON: – take a break?

MR. ROTHSTEIN: Sorry? No, we are not going to take a break. We are going to
go straight through, and then adjourn at lunchtime.

MR. HOUSTON: Gotcha.

MR. ROTHSTEIN: Okay. There’s good reason for it. I know everyone is anxious
to keep going.

So if I could ask you to think back to the two topics that we talked about
yesterday – of course, banking and law enforcement – and today’s topic, we need
to kind of figure out where we want to go next. I mean, do we need more
information? Do we need additional hearings? Who do we need to hear from and so
forth?

So the first one was banking.

MR. HOUSTON: My suggestion is on banking is it seemed to be that there was
one issue which related to 1179, I think it was –

MR. ROTHSTEIN: Right.

MR. HOUSTON: – and a clarification of its intent and its scope or at least
guidance in that regard, because that seemed to be the gap, and then, clearly,
then I think the only other questions were that relate to whether a bank would
become a business associate or a covered entity as a clearinghouse by the fact
that it was handling PHI vis-a-vis the 835 or parts of the 835 that it might
come in contact with are handled through its –

MR. ROTHSTEIN: All right. Let’s take those two things separately.

The first one is on 1179, and I don’t know where you are going to get that
clarification from. I think we heard from people who were there at the drafting
of 1179, and I think it would take either a court decision or some sort of
advisory opinion from the Attorney General or something. Who is going to say
what 1179 means?

MR. HOUSTON: It seems to be the hole – I mean, I don’t know. I mean, you got
this –

MS. FYFFE: Would you go back to the conference report? I mean –

MR. ROTHSTEIN: See, the issue in Section 1179 is how broad an exemption does
banking have? Does banking that’s – was the intent to limit the banking
exception to consumer transactions, so checks, credit-card transactions, et
cetera, or was it intended to be broader and encompass any banking activity
throughout the payment chain in terms of the reimbursement of providers and so
forth.

And we heard yesterday two conflicting views. To no one’s surprise, the
banking industry believed that the exemption was very broad and it exempted
everybody, and we had other witnesses who were intimately familiar with it,
including Bill Braithwaite, who said, no, the intent was just to exempt the
consumer aspect of this, and I think it is obviously very important, because if
the broader view prevailed, then it certainly ties the hands of OCR or, indeed,
the committee, in terms of what we might want to recommend.

MR. FANNING: Mr. Chairman, may I suggest that the substance of that issue is
really the business of the agencies that have substantive responsibility for
this, mainly this department and perhaps the financial regulatory agencies, but
it seems to me that there is not a great deal that the committee could do in
terms of the substance of that question. The committee may want to emphasize
the need for privacy protections for information, however achieved.

MR. HOUSTON: Why can’t the committee make the recommendation that there is
an issue with 1179 or a clarification is required of whomever and ask the
Secretary to take that forward? I don’t see any reason why we can’t do that.

MR. ROTHSTEIN: Oh, I have no problem with that. What I was saying is I don’t
think it is our responsibility to take a position that 1179 is narrow or 1179
is broad. I think that is beyond our responsibility.

I do think it is certainly appropriate for us to say that the scope of 1179
has a bearing on some other issues and that needs to be clarified in some way.

MS. FYFFE: We cannot interpret 1179.

MR. HOUSTON: But we – I think it is within our purview or right to at least
indicate the testimony from individuals who were involved in the drafting of it
indicated that the intent of it was to deal with check and credit-card
transactions. We did hear that. It was very clear that that was the original
scope or intent of that particular section. I guess I don’t know why we
shouldn’t have the right to at least acknowledge –

MR. ROTHSTEIN: We can say – I think we can say that we did hear from at
least two witnesses who had that position, but I think we can’t draw the
conclusion that that is necessarily the correct interpretation, because we
didn’t hear from a lot of other people.

MR. HOUSTON: I agree with your perspective. I guess I wanted to give it as
much – I don’t even want to say evidence – testimony, and frame it in a way
that allows somebody within HHS to take this forward, at least to start to try
to resolve it, because I think this has to be resolved.

MR. ROTHSTEIN: Well, I think the way we need to frame it – and it is not
necessarily inconsistent with what I hear you saying – is there is a problem
with banking that PHI is used in the banking process, in terms of payment of
these claims.

We can describe the testimony that we heard, that at least for some
transactions, PHI goes along with that, and that raises the question of whether
– where that goes through the chain it is within the scope of the Privacy Rule
Regulation, and that raises the broader issue of the exemption in 1179 that we
believe is essential to have clarified.

MR. HOUSTON: That’s fine.

MR. ROTHSTEIN: So I think we can put that in a letter, and I certainly would
support that, because it is part of the crux of the problem.

I do think there is another – I mean, another issue to consider is that Mr.
Stone, who represented the American Bankers Association, I think testified to
the fact that some bankers and some banking transactions they actually do, in
fact, play the role of a clearinghouse or a business associate, and it wasn’t
clear to him – and probably couldn’t be clear to him, given his position – in
how many of these situations the banks actually went through all their
requirements that the Privacy Rule places on clearinghouses and business
associates, and so that is an issue that I think is fair for us to raise, that
even in the normal – in quotes – covered-entity functions that bankers provide
not the – sort of the value-added that Kepa described. Where they most likely
would be found to be covered, we have questions about whether they are, in
fact, in compliance with the Privacy Rule requirements. So that is a second
point that I would add on –

MR. HOUSTON: I mean, maybe to restate that a little bit, I guess what I
heard was as much guidance regarding when is a bank a business associate, when
would a bank potentially be a clearinghouse, because I think that was sort of
the fundamental, underlying point that was being made, and then, obviously, if
a bank is a business associate, clearly, its obligations are to comply with the
business-associate terms that its covered entity imposes upon it. I don’t think
there was any testimony said they weren’t complying as business associates, per
se, as much as –

MR. HOUSTON: He didn’t know.

MR. HOUSTON: Right. Because I think there was a fundamental uncertainty as
to whether they were either, because of 1179, and if they – you know, I think
if you close the loophole of 1179, what you end up with is they are – as long
as their transactions contain PHI – such as through an – part of an 835 – at
that point in time, they are either a business associate or a clearinghouse,
and, in that particular case, have obligations that need to be met, based upon
what they are characterized as.

MR. ROTHSTEIN: There are two other points that I would suggest that we might
want to put in any letter that we come up with.

Number one is that we did not hear any testimony of any widespread or any
misuse of PHI by the banking industry, in terms of selling the information or
wrongfully disclosing information or using it in ways that are not deemed
appropriate. The information, of course, is encrypted to begin with, and so
that would make it more difficult.

The second thing that I would want to add is that we did hear testimony that
it is possible to achieve the payment needs of the payer, the bank and the
provider without including PHI, and I think that is an important point because
that may influence the structure of 835s in the future or rules that would go
through that. That was a question that I specifically asked Kepa and the other
members of the panel.

The way it currently works now is in the claimed-payment document, the 835,
there is an attachment that includes the PHI, and the PHI – for reasons that I
don’t understand, to be honest with you – need not actually be in that document
to provide all the information that the payer and the banker needs.

MR. HOUSTON: Wasn’t there some discussion about when you’re done with
lock-box functions that there’s potential that the entire 835 could go to the
lock box?

MS. FYFFE: There are circumstances under which that would happen.

MR. HOUSTON: Right. But I think what they sort of indicated was we don’t
necessarily need to provide that information, but a lot of banks were giving
value-added services, which –

MS. FYFFE: Right.

MR. HOUSTON: – in essence, would provide that certain PHI was actually
accompanying any type of financial transaction, but I guess – so there is a
nuance between is it absolutely necessary? No. Were banks desirous of providing
those additional services, and I think the answer sounds like to be, in a lot
of circumstances, yes.

MR. ROTHSTEIN: Well, and if they were, then –

MR. HOUSTON: And they were covered – right.

MR. ROTHSTEIN: – maybe certain restrictions ought to apply to them.

Personally – and this may just reflect my lack of sophistication in this
area – I would like to see our letter not go into all of the details of how the
banking functions actually work, but simply say that we did hear testimony that
PHI, for many banking functions, is not necessary and that further exploration
of how this could be achieved would be desirable.

MR. HOUSTON: Minimize the use.

MR. ROTHSTEIN: Yes, to minimize the use and the possibility that this could
be disclosed.

There is another point that we might want to consider – and not in the
letter – and that is we do not disclose – as far as I know – in NPP, to anyone,
that their PHI may be disclosed to bankers. I mean, we list all the things that
– in the notice of privacy practices where your PHI will go, with consent,
without consent, with authorization, et cetera. Maybe, in the interests of – it
may be in the interests of consumers to disclose this information if, in fact,
it were disclosed.

MR. HOUSTON: If it were disclosed to a bank – well, I’m making – assuming
that the 1179 loophole or whatever is clarified – would be pursuant to a
business-associate agreement or as a clearinghouse function, which would be all
part of that payment chain which would then be within the realm of payment.

MR. ROTHSTEIN: Yes, I understand that, but here I am, I’m your average
patient/consumer, and I read this notice and it says that my health information
may be disclosed in the process of paying my claim. Well, I’m assuming that –
yes, okay. Well, Blue Cross is not going to pay unless they find out what my
doc did for me. The idea that National Bank is somehow in that process may
never have occurred to me.

MS. FYFFE: The notice of privacy practices from either your health plan or
your provider would not say that a bank –

MR. HOUSTON: No, but there might be other – and I understand the point, but
there may be other cases where your PHI is disclosed to other third parties
during the payment process, whether that be firms that facilitate collections
or –

MS. FYFFE: That is supposed to be mentioned in the notice of privacy.

MR. HOUSTON: Is it? Is this part of payment?

MR. ROTHSTEIN: Well, it’s payment or operations or something.

MR. HOUSTON: But any business – I mean, I don’t think we would – I would be
– thinking of my own notice, I would be concerned about listing up every case
where we had a business associate touch a piece of PHI, because those business
decisions happen on a very regular basis to go between an in-house service
versus a –

MS. FYFFE: Sounds like the NPP needs to be updated.

MR. HOUSTON: Well, no, no, because –

MS. FYFFE: No?

MR. HOUSTON: An NPP, in my mind – we can’t afford to have another
privacy-practices update every month or every two weeks because we now, all of
a sudden, have a business associate performing a function –

MR. ROTHSTEIN: No, what I’m suggesting is that you don’t have to list the
name of the bank, but it may be, as a matter of truthful disclosure, that
financial institutions are involved in the payment chain besides just the
health-insurance company or some health plan or clearinghouse. I just think
it’s a matter of being truthful.

MR. HOUSTON: I just think NPPs are – they can’t be – I understand your
point. I’m just concerned about where do we start and where do we stop, and
there is clearly the concept of the business associate, which is – you know,
that they were acting as your agent, and, again, those types of relationships
change all the time, especially in a large organization that has – ours has
many hospitals and it’s quite large, and, in fact, they may vary between
hospitals, but, in every case, if we are not doing it in house, we are using a
business associate and we are expecting our business associate to do the
appropriate thing, based upon a contractual – you know.

MR. FANNING: Mr. Chairman, I can suggest a possible principal distinction
between the ordinary business associate and the bank. The business associates
are clearinghouses and other organizations that have no relationship to
individuals’ lives, except as handlers of their information on behalf of a
payer or a provider. Whereas, banks have a broader place in people’s lives and
one could make the argument – and I am not necessarily pressing this argument –
one could make the argument that it is more important that they know that that
institution has their information.

MR. ROTHSTEIN: That is much better than I could have said it and that – than
as I have tried to say it several times. So I thank you.

MR. HOUSTON: I think it needs some additional research.

MR. ROTHSTEIN: Research?

MR. HOUSTON: On my behalf, at least. I –

MR. ROTHSTEIN: Well, feel free. (Laughter).

Well, okay. So the question – all right. Let me try to sum up this. On the
issue of banking, do you think we need – Before we prepare a draft letter for
the full committee, do we need any more information from consumers, the banking
industry, healthcare providers or do you think we have the essence of what we
need?

DR. HARDING: I think we have the essence. We don’t have the answer.

MR. ROTHSTEIN: Well, that is beside the point. (Laughter).

DR. HARDING: So we are concerned with PHI. Embedded in banking payments and
so forth is PHI.

MR. ROTHSTEIN: Right.

DR. HARDING: Therefore, we are concerned about that.

MR. ROTHSTEIN: Right.

DR. HARDING: And then who does that go to? Do we ask the Secretary to do the
appropriate thing to attend to that?

MR. ROTHSTEIN: Correct. Correct.

MR. HOUSTON: I mean, we need to investigate to find out who has
responsibility or who has the oversight of 1179 and has the ability to write
guidance or clarification –

MR. ROTHSTEIN: Well, we’ll obviously raise the 1179 issue and set out the
two –

MR. HOUSTON: Need to find out who that is, though.

MR. ROTHSTEIN: – competing positions.

MR. HOUSTON: Give the Secretary the –

MR. ROTHSTEIN: Yes, I just wanted to sort of wrap that up, because our
conclusion may be different when we get to the second topic that I want to talk
about, and that is law enforcement.

And in law enforcement, we did not have as extensive a discussion as we
would have liked. The staff made heroic efforts to get law enforcement to the
table, but they were unavailable in many instances.

We did have three excellent witnesses who outlined a variety of problems,
and I think there are a couple that we would want to focus on.

I’ll just start with two, one that was mentioned by Bob Gellman, and that is
the administrative requests under 512-F, the fact that there are very few
restrictions placed or requirements for administrative requests. They can be
oral. They can be by any law-enforcement official. There’s no requirement of
showing of any sort of relevance, et cetera. So that is one issue we may want
to take up.

The other issue that I would just add to our list is the disclosures
required by law pursuant to 512-A, and this gives very wide discretion to state
and local officials to enact wide-ranging laws requiring the collection,
disclosure, release of all sorts of records.

So those are two problems. I’m not suggesting how we relieve any of them or
solve any of them, but there are others that we can add to the list.

MR. HOUSTON: The only other one that I think came up yesterday that –
brought up was related to the concept of doctor shopping and whether there are
guidelines that could be provided as to what a covered entity can and cannot do
with regards to addressing a problem where a physician office realizes that
doctor shopping is occurring and what type of information can be disclosed,
what type of actions can they take. I think there is a lot of just difficulty
in that area.

MR. ROTHSTEIN: Well, and the related issue that we spent a fair amount of
time on, and that is the prescription-monitoring program –

MR. HOUSTON: Right.

MR. ROTHSTEIN: – that DEA has supported and about 20 states have, and
because of 512-A, those state laws can – you know, there are disclosures
required by law, and, therefore, they can be made without any sort of
authorization, and, yet, as we discussed yesterday, there is concern that they
– either in their present form or in some future form – could really be over
broad.

Okay. Now, having said that, we don’t need to resolve this.

The question is what we should do next, because, as many of us talked
informally, we really did not have a sufficiently representative group before
us. We had – the only law-enforcement official we had was from DEA, and that was
a – sort of very narrow in scope.

Ideally, we would like to hear from the FBI. We would like to hear from
state police, local – you know, all sorts of people, and it’s not clear to me
that they have an interest in testifying either orally or in written form. So
I’m not sure what to do at this point, and I’m open to suggestions.

DR. GREENBERG: These are potential testifiers, organizations that were
contacted already, but were not either available or declined?

MR. ROTHSTEIN: That’s right.

So, I mean, we would like to hear from the FBI, from Justice, from the
chiefs of police, from the – you know – county law-enforcement officials,
whatever, just to see what problems they have, and I certainly don’t want to
speculate as to their reasons for not wanting to testify or being unavailable.

The fact of the matter is that I don’t know what we can say in the absence
of their testimony. I suppose we can just say that, that we have identified
these problems. We recognize that we do not have an adequate record because we
have not been able to obtain the testimony from key stakeholders, but we think
that these are issues that need to be explored at the department level or
inter-department level or something like that.

John, do you have wisdom to share?

MR. FANNING: No, except to make it more complicated by suggesting that these
questions also go to the issue of the relationship between this regulation and
state law, which is a broader issue and of great complexity.

MR. HOUSTON: State law and go local practice in each county.

MR. FANNING: One might make a national law that governs the availability of
information to law-enforcement authorities and even courts, but the
complexities involved in interfering with, certainly, local judicial process,
but even with, shall we say, police practice, are very great.

MR. ROTHSTEIN: Well, and even the state legislative prerogatives, in terms
of enacting laws that would come under 512-A. So I think in our letter we
should certainly point out that that is another complicating factor.

MR. FANNING: I think that a regulation of this kind, as large as it looms in
our minds, has to be seen as a kind of first step in hammering out national
policy on the use of information. The attention called to the subject by the
regulation, awareness of it by providers and so on, may have effects on future
choices by legislatures, for example.

MR. ROTHSTEIN: Would the other members of the committee feel comfortable
discussing the issues in the way that we have so far sketched them?

Okay. Well –

DR. HARDING: The only other thing that I would suggest is that we compliment
the good and maybe go quiet on the things that aren’t so good or say very
little about them, and that way bring them up with faint praise or something
like that. I don’t know how to exactly – these must be very sensitive issues,
and so we could say, we understand that there are times when emergencies exist
and that things have to be done, and in national interest and terror and so forth,
but – and then remain silent on some of the other things.

MR. ROTHSTEIN: I think that is a good point. I mean, just like in every
other area, I mean, we are balancing privacy against an important interest. If
nobody cared about research or public health or law enforcement, our hearings
would be very short, but these are very difficult questions, and so I
appreciate your raising that, and we will try to do that.

Okay. Let’s move on to today’s discussion, which involved – if you have
forgotten already – (laughter) – our two panels on schools, and –

DR. HARDING: Excellent. Excellent presentation.

MR. ROTHSTEIN: So do you have some suggestions on the kinds of issues we
want to talk about relative to today’s hearings?

MR. HOUSTON: I think we need to at least identify the fact that there is a
conflict or a tension between FERPA and HIPAA. Obviously, we are in the same
boat as 1179. Insofar as we don’t have responsibility or purview over FERPA, we
clearly have to identify that that is a source of issue.

After that, though, I guess it is dependent upon what happens with FERPA,
what changes we would want to try to make to HIPAA to make it more compatible.
That would be one point, I think is –

MS. HORLICK: Mark, this is Gail.

I just wanted to mention that I just thought it was interesting the way the
panel shaped up, because everybody was given the same instruction, and I was
taken by your comment about the HIPAA/FERPA intersection, more in the first
panel, and the educational aspects more in the second panel.

Also, for whatever reason, when Dr. Harding is speaking, it is a little – I
am just not able to hear. I don’t know if it’s where the microphone is
situated, but –

DR. HARDING: I apologize.

MR. ROTHSTEIN: He’s so tall that that microphone is –

MS. HORLICK: My thought is –

DR. HARDING: I will do much better next time.

MS. HORLICK: – or at least one of my thoughts is that there were certain
issues that were related to HIPAA that clarification, in terms of which law
applies that we could raise – the Medicaid billing issue, whether school – does
it matter if – who the school nurse is employed by? Certain sort of broad
issues that wouldn’t – that it seems to me – I was reading through Mr. Hutton’s
questions, his attachment, a little bit, and it seems like there are some just
overall themes that are not – that it is not clear which law addresses, and
then some of the items that were mentioned, I think, in terms of HIPAA needing
further education, we might be able to list those or come up with a general
suggestion, but I think that goes in a separate area in terms of further
education is needed. I think the rule is clear, and maybe picking up on your
suggestion about how that education could be done.

MR. ROTHSTEIN: Yes, I agree with you, Gail. I think that especially the
second panel made it clear that much work needs to be done, in terms of just
informing all the parties – the teachers, the school nurses, the
administrators, the physicians in the community, et cetera – because some of
the questions that were raised, I think OCR has been as clear as they can be. I
mean –

MS. HORLICK: Right. But I do think – it was stated and I do agree
wholeheartedly that whatever is developed needs to somehow get OCR’s blessing.
It either needs to be – you know, if it is not written by OCR, if somebody else
writes it and they approve it or if that is not possible, then if someone
writes a document where they specifically reference the OCR website or – when
we did the MMWR, it was HHS document, so it was too big for most people to
read, but if you cut and pasted pieces from it, you still had that – the
regulatory authority, and I think that, in the end, that that is really
important. The state medical board can say what they want, but if the OCR
doesn’t agree, then – you know.

So I think they have been clear, but one of the things that I am finding is
that there’s a lot of clear information out there, but people are just not
going to the website or they are not – it’s not that the information is not
available, but each individual provider or person isn’t seeking it out, and so
if someone pulls something together that comes from the official source and it
is in a one or two pager, it has been our experience that has been very
helpful. We are looking to do that again in another area.

MR. HOUSTON: But I thought there was some guidance from OCR or FAQs that had
not been released that had been in process for some time.

MR. ROTHSTEIN: There’s some – reportedly – FAQs in the works on schools,
FERPA’s intersection, but I think – here’s the – sort of the mental image that
I would like us to address. Okay? You’ve got this pediatrician in solo
practice. It’s just the doc and a nurse somewhere, and somewhere along the
line, over the last two years, the pediatrician has heard that if you release
records, they are going to come and take you away in handcuffs, and what is it
that we need to do or that somebody needs to do to reassure that pediatrician
that sharing information about his or her patient with the school nurse for
purposes of treatment or immunization records or what have you is not going to
violate the law and get him or her into terrible trouble?

This person is busy from 8 to 6 or maybe later. They are not going to log
into the OCR website to see what the latest FAQs are. I mean, how do we reach
that person? And the suggestion that I was sort of thinking about is maybe
through some medical association where they would normally get information or
there’s gotta be some way.

DR. GREENBERG: I was sort of feeling that the missing party, although – was
the provider – the community provider in this discussion. Although, we did hear
from the American Academy of Pediatrics, so – and I don’t know whether – didn’t
specifically ask her what kind of guidance AAP is trying to provide to its
members, but a lot of children are actually not treated by pediatricians, but a
family physician or –

MR. ROTHSTEIN: Right.

DR. GREENBERG: – internal medicine or what have you, not to mention the
children for whom this is most complicated, it seems, with the chronic
conditions – whether it be endocrinologists, psychiatrists, whatever – are not
part of the AAP, and I found myself often thinking, well, I’m being almost
amazed that the healthcare providers were putting these barriers up, but I
think you have put your finger on it, that the anxiety is such that when in
doubt, don’t share, and, in fact, the schools are not covered entities. This is
true.

MS. HORLICK: Right. And – this is Gail – I think that is a large part of it,
that they – although they may – you can separate out the immunizations that
might be required for school entry, but a lot of the other information they
might be sharing it for – you know, can they participate in athletics or for a
treatment purpose, but if they are not a covered entity, my understanding is
they are reluctant to share even the immunization data without authorization,
unless there is a state law, and I think it raises an important issue because
while we have looked at the public-health purpose besides – you know, behind
sharing that immunization data, and I think most parents would want providers
to be able to share that without their consent, so their children can get into
school, I think, as you pointed out earlier, many parents may not want
discharge summaries and some very sensitive information to be shared without
their authorization.

DR. GREENBERG: Well, particularly because it can get into this FERPA
situation where it gets mixed in with other records –

MS. HORLICK: Right.

DR. GREENBERG: – and, you know, becomes – you know, maybe – any teacher that
that child touches would have access to this, which would not, maybe, you know,
be appropriate or certainly desired.

So I am just wondering if we need – if the subcommittee needs to hear from –
I mean, your question. Is there enough information or does there need to be
some more dialogue with provider groups?

MR. HOUSTON: Can I make – also, one thing we did hear in testimony this
morning was that – one piece of testimony we did hear this morning indicated
that certain providers were using HIPAA as an excuse to – because it reduced
their burden, their effort. So there’s –

DR. GREENBERG: Well, I have noticed, personally, that providers who used to
be willing to fax things – prescriptions, what have you – won’t anymore, and I
think – not because of HIPAA. This is regardless. This was prior to HIPAA. This
is not HIPAA. This is – I think it’s a time thing. I mean, I saw this before
HIPAA came into – you know, things that previously had been faxed, et cetera,
won’t be anymore. You have to go and pick them up or whatever, and I think it
is part of the whole thing of burden and –

MR. HOUSTON: So we do have to be somewhat cautious, in my mind, about
ensuring that one isn’t a pretense for the other. I mean, maybe some of this is
overstated, and I’m sure there is definitely genuine concern out of the
providers about releasing information, but I think at least we do have some
indication that maybe some of this is done – it’s more convenient or it’s less
burdensome not to have to comply, and we’ll just use HIPAA as the excuse,
because I think we do see that in other areas, too.

MR. ROTHSTEIN: Kathleen –

MS. FYFFE: Yes, I remember back to our November hearings, we had invited a
number of provider organizations to the hearings. The only organization that
accepted our invitation was the American Academy of Family Physicians, I think
it was. The other provider groups had said that they needed more lead time in
order to survey their members more formally about any challenges or issues or
concerns about the HIPAA Privacy Rule. So I am wondering if we might want to
spend a couple of minutes talking about perhaps having further information or
another panel from the providers, but giving them sufficient lead time, as they
have requested, to survey their members.

MR. ROTHSTEIN: Well, maybe we don’t need hearings. Maybe we could write a
letter to the AAFP and other groups that we can identify and ask them to
respond in writing, and sort of narrowly tailor the question, based on the
kinds of things that we have been talking about today, to get some input.

You can say that we heard testimony that physicians have been reluctant to
release records under such-and-such circumstances, and, in many of these
instances, the regulations are quite clear that doing so is permissible under
the Privacy Rule, and we are wondering if there are any suggestions they have
as to how to reduce these impediments, et cetera, whatever, and then if we send
that to a selected handful of medical organizations, that will at least give –
a chance to respond. I’m not sure I want to delay things.

We have our next subcommittee hearing in two weeks as part of – not hearing,
subcommittee meeting as part of the overall full committee meeting.

MS. FYFFE: That’s March –

DR. GREENBERG: March 4th and 5th.

MR. ROTHSTEIN: March 4th and 5th.

DR. GREENBERG: Privacy is the morning of the 5th? Is that – I
don’t have it with me.

MR. ROTHSTEIN: Yes. Yes.

At that meeting, of course, we are going to present the draft of our letter
dealing with research and public health and other issues –

DR. GREENBERG: At the full committee meeting.

MR. ROTHSTEIN: At the full committee meeting.

DR. GREENBERG: And that was my question about – are you discussing that
letter at all today or –

MR. ROTHSTEIN: We were not going to.

DR. GREENBERG: Okay. You’re pretty much –

MR. ROTHSTEIN: Yes, we had a conference call –

DR. GREENBERG: Right.

MR. ROTHSTEIN: – signed off.

DR. GREENBERG: Okay. And has that letter – are you aware of that letter
going to the Executive Subcommittee? I’m wondering if we – you know, I don’t –

MS. FYFFE: I’m guilty. I have not sent it to the Executive Subcommittee.

DR. GREENBERG: Well, I think it is actually probably my office that should
have sent it, but it would have had to have gotten it to send it. Maybe – I’ll
take responsibility, too, because I was actually on that conference call.

We have a – you know, this new process that we agreed to about a year ago
that certainly reports – but I think letters, too, because often our letters
are a substitution for a report – that are going to be brought for a decision
to the full committee, go out to the Executive Subcommittee, first to get – you
know, kind of give a heads up and see if any other subcommittee chairs want to
weigh in with any suggestions.

So if that hasn’t gone out, I think we should send it out probably today.

MR. ROTHSTEIN: Right. We can send that out today.

DR. GREENBERG: And it’s a letter, so you can give them a –

MS. FYFFE: It’s a draft letter.

DR. GREENBERG: It’s a draft letter. I think our intent is to – I think we
have to send out the agenda books by a week from today, so people wouldn’t have
a lot of time, but do we have – Kathleen –

MS. FYFFE: Yes. Yes, I can send it to you.

DR. GREENBERG: Could you send Debbie Jackson and me –

MS. FYFFE: Sure.

DR. GREENBERG: – an electronic version of the latest copy, then, and we’ll
get that out. I just realized that something had kind of –

MS. FYFFE: Actually, I think you all have a copy of it, because –

DR. GREENBERG: Okay. You have the latest version, electronic version of
this?

MS. FYFFE: I’ll send it to you this afternoon.

DR. GREENBERG: Would you send it to me? Okay. Thank you.

MR. HOUSTON: There was a copy in our packet today, and I guess I had read
the letter that was sent out in preparation for this meeting, and I guess I had
had some additional tweaking that I had – was interested in, but shall we just
simply – should I wait on that until our next meeting – at the full committee
meeting?

MR. ROTHSTEIN: If you wouldn’t mind, if it’s okay with you.

MR. HOUSTON: That’s why I’m asking.

MR. ROTHSTEIN: Are they non-substantive tweaks?

MR. HOUSTON: I think so. They may be mildly substantive.

MR. ROTHSTEIN: (Laughter).

MR. HOUSTON: Mildly. That’s sort of like –

DR. GREENBERG: Well, if any of them are sufficiently –

MR. HOUSTON: Give me more time, I’ll –

DR. GREENBERG: – substantive that –

MR. ROTHSTEIN: That you’re not comfortable having this sent out to the
Executive Committee?

MR. HOUSTON: No, I just – there were just some minor tweaks on the research
side that I saw that I think are more clarifying, though –

MR. ROTHSTEIN: Okay. Well, this is a draft. It is going – I’m sure it is
going to be tweaked in a substantive and non-substantive sense when it gets to
the full committee, and we also need to debate the one bullet that was not
agreed to. So everyone is going to have ample opportunity.

So I just want to wrap up the school issue. We are going to send out letters
to – and Kathleen and I will talk about the appropriate medical groups, asking
if they would like to comment on that, and should we have a draft letter in two
weeks? Is that –

MS. FYFFE: The draft letter that would go out to the medical groups?

MR. ROTHSTEIN: No, the draft letter to the Secretary on the – is that too
soon?

MS. FYFFE: On the hearings yesterday and today?

MR. ROTHSTEIN: Yes. Um-hum.

MS. FYFFE: Too soon.

MR. ROTHSTEIN: Okay. So we will decide at our next subcommittee meeting in
two weeks what the deadline will be for preparing the draft of the letter based
on this hearing.

The other agenda item that we will consider – because we have two additional
members who are not here, and so I don’t want to discuss it without them –
Simon – and Harry has now joined –

DR. GREENBERG: Harry has joined the committee, yes.

MR. ROTHSTEIN: And that is the issue of other topics to consider for our
third round of hearings, and I have your recommendation that we consider the
issue of fund raising, and that is on the list, and I would just say in passing
that I would like to add to the list marketing, which is a very controversial
issue, and I would like to hear how it is working, the marketing provisions. I
have no sort of agenda, but we had such heated hearings before the marketing
rule, we would be remiss if we didn’t follow up on that.

And the other thing that I would add to the list is the issue of media
access to medical records that was raised by the letter that we received. I
think it is a very interesting issue.

MR. HOUSTON: The last two committee meetings I’ve been at, privacy and then
the security subcommittee before regarding the security testimony, it seems
like in a couple of cases we had two panels that collapsed into one panel, and,
again, maybe – my thought is that some of these things we might be able to do
with a four-person panel, one single panel, like fund raising. Again, what we
are dealing with – like yesterday, we ended up getting done pretty early, and,
boy, I’ll tell you, again, I know I seem to be fixated on fund raising, but I
really want to try to get some time, even if it’s a single panel in order to
get some testimony –

MR. ROTHSTEIN: Well, it’s on the list. It’ll be our next hearing.

MR. HOUSTON: I know. I’m just saying though – I’m just thinking whether we
can streamline some of this, if there is some less controversial, by doing
single panel.

MR. ROTHSTEIN: Well, that is certainly a possibility. If we can get a broad
enough cross section. Sometimes, if you have – depending on the topic. If you
only have four people, then five other important people are left out, and we
need to hear their perspectives, but fund raising, there is an organization
that has testified before us – the name escapes me – and so they are very well
connected with the fund-raising community, and then we can hear from one or two
organizations and maybe some consumer person and that, I think, would be
appropriate –

MR. HOUSTON: I think it’s AAMC.

MR. ROTHSTEIN: No, it’s not AAMC.

MS. FYFFE: Healthcare Philanthropic Association –

MR. FANNING: There is an association of –

MR. HOUSTON: No, AA – American Association of something Philanthropy –

MS. FYFFE: Healthcare Philanthropic –

MR. HOUSTON: Yes.

MR. ROTHSTEIN: Something or other.

MS. FYFFE: – Organizations, yes.

MR. ROTHSTEIN: I mean, we have heard from them in the past, and I’m sure
they would be happy to come back and tell us how things are going and whether
they think we need to do anything.

Are there other matters for us to discuss today?

DR. HARDING: Just as an aside, the issue of private schools and parochial
schools that aren’t under FERPA –

DR. GREENBERG: We can’t hear you, Dr. Harding.

DR. HARDING: Pardon me.

The issue brought up about private schools and parochial schools not being
covered under FERPA in –

DR. GREENBERG: Well, then they can be covered under HIPAA.

DR. HARDING: Well, is that what is happening? Are they considering
themselves covered entities? What is happening with that whole group? Because
everybody else is kind of hiding behind FERPA, and when FERPA isn’t present,
what do they do?

MR. ROTHSTEIN: That is an interesting question. We may want to add that to
our letter.

Well, in conclusion, I want to thank the people who are responsible for
putting the hearing together. I want to especially thank Amy Chapper and the
folks at CMS who were kind enough to allow her to do this work for us, John
Fanning and Kathleen Fyffe and the ASPE people who were kind enough to loan us
their services, and Gail Horlick from CDC as well, and I want to thank Marietta
Squire and Shirl Willheit(?) as always, and our crack broadcast team, and thank
you all, and the meeting is adjourned.

(12:15 p.m.)