In the health care arena, personally identifiable health information is protected by the Privacy Rule of the federal Health Information Portability and Accountability Act (HIPAA) enacted in 2001.1 Student health records maintained by federally funded schools are specifically exempt from HIPAA; instead, personally identifiable student health information is protected by the 1974 Family Education Rights Privacy Act (FERPA), administered by the Family Policy Compliance Office (FPCO) of the US Department of Education.2 Both laws protect the confidentiality and privacy of an individual’s personally identifiable health information. They provide the individual with access to that information and entitle the individual to some control over its use and disclosure.
HIPAA and FERPA both provide for annual notice of information practices, allow clients to inspect their records, and allow clients to request revisions. Both laws allow directory information to be shared without a client’s authorization and allow sharing of health information without a written release in case of emergencies, judicial order, or subpoena.
There are some major differences in these laws and their impact on public health. HIPAA provides an exemption to allow personal health information to be shared with state and local public health authorities without client authorization. This exemption acknowledges the need for public health authorities to have access to personal health information for the identification of threats to public health and safety. By contrast, FERPA does not allow information sharing for public health purposes without prior written authorization from students older than 18 or parents or guardians of minor students. Written signed authorizations are required to allow educational settings to bill for health procedures; to communicate with prescribing providers; and to share mandated surveillance and public health data with local, state, and federal public health authorities.
Thus, FERPA can interfere with the collection of essential public health data. Several recent actions by FPCO have strengthened the barriers that FERPA presents to public health. In 2003, the US Department of Education determined that memoranda of understanding between the Pennsylvania Department of Education and local grantees of the Centers for Disease Control and Prevention (CDC) to allow access to student health records to conduct surveillance for developmental disabilities and autism were a violation of FERPA.3 In 2004, a series of US Department of Education letters to public health and school officials who requested clarification of the applicability of FERPA to state health reporting requirements stated that information required for public health surveillance and immunization compliance did not qualify for an exemption under FERPA and that written permission to release this information to state health authorities is required.4,5
As recently as April 2007, the Florida Delegation of the American Medical Association (AMA) issued a resolution to the AMA to lobby the US Congress to amend FERPA with explicit provisions to enable the sharing of student health information of public health significance with state and local health authorities to protect public health.6 Sharing of these same data by a HIPAA-covered entity without written authorization would be allowed because it was deemed essential for the protection of the public’s health. In 2006, the Association of State and Territorial Health Officials and the Council of State and Territorial Epidemiologists issued individual policy statements seeking a reassessment of FERPA interpretation by the US Department of Education, a congressional amendment that allows the release of identified student health data for public health purposes without parental consent or a public health–focused remedy to FERPA-imposed student health data access restrictions.7,8
Historically, schools have played an essential role in the protection of the public’s health, from enforcing immunization compliance to providing essential data in the epidemiological study of diseases and disabilities. The recent interpretations of FERPA by FPCO have raised barriers to data sharing between public schools and public health authorities that inhibit the ability of public health departments to carry out their essential responsibility to protect and enhance the health of children and the public at large. With the development of comprehensive educational tools, it is unlikely that compliance with the sharing of personal health information in the interest of public health surveillance and protection will be a barrier to participation in school activities.
Therefore the American Public Health Association—
- Strongly recommends that FERPA be amended so that federal and state governments work with education and public health leaders to develop guidelines that allow schools to share personally identifiable health information with public health authorities, without prior client authorization, for immunization compliance, infectious and chronic disease surveillance, and other data collection activities essential for carrying out the public health mission.
- Strongly recommends that the federal and state governments establish common standards across all settings for the protection and confidentiality of personal health information while allowing for the necessary sharing of information for treatment and payment and public health purposes.
- Recommends that FPCO develop and issue guidelines for the US Department of Education for research and publications.
- Realizes that, given the concern with data collected from schools, institutional review boards should pay special attention to any requests for personal identifiable data or deidentified data that would be used for research or publication.
References
- Standards for Privacy of Individually Identifiable Health Information. 45 CFR Part 160 and Subparts A and E of Part 164. Available at: www.hhs.gov/ocr/hipaa. Accessed December 11, 2007.
- 20 USC § 1232g; 34 CFR Part 99, commonly referred to as the “Buckley Amendment.” See About the Family Policy Compliance Office. Available at: www.ed.gov/policy/gen/guid/fpco/index.html. Accessed December 11, 2007.
- US Department of Education Letter to Pennsylvania Department of Education re: Disclosure of Education Records to CDC Grantees; February 25, 2004. FERPA Online Library. Available at: www.ed.gov/policy/gen/guid/fpco/ferpa/library/pacdc.html. Accessed December 11, 2007.
- US Department of Education Letter to Alabama Department of Education re: Disclosure of Immunization Records; February 25, 2004. FERPA Online Library. Available at: www.ed.gov/policy/gen/guid/fpco/ferpa/library/alhippaa.html. Accessed December 11, 2007.
- US Department of Education Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements; November 29, 2004. FERPA Online Library. Available at: www.ed.gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc.html. Accessed December 11, 2007.
- American Medical Association House of Delegates, Florida Delegation. Referendum to Reference Committee B re: Resolution 205 A-07 Family Educational Rights and Privacy Act; April 27, 2007.
- Association of State and Territorial Health Officials. 2006. Position Statement—Accessing School Health Information for Public Health Purposes. Available at: www.astho.org/pubs/FERPAPositionStmtFINAL030706.pdf. Accessed December 11, 2007.
- Council of State and Territorial Epidemiologist. 2006. Position Statement 06-CD-01. Public Health Access to Student Health Information. Available at: www.cste.org/PS/2006pdfs/PSFINAL2006/06-CD-01FINAL.pdf. Accessed December 11, 2007.
Back to Top