The coronavirus, officially COVID-19, is the most significant public health emergency in decades. The virus, believed to have originated in Wuhan, has expanded with astonishing rapidity. Despite government efforts, it has arrived in the United States. At the time of writing, 14 Americans have died. Given the combination of rapid growth and potential fatality, institutions handling large numbers of people in enclosed spaces must be prepared to deal with a potential case. One instance? Schools.
Schools provide health services. Nursing staff, counseling, prescription management and vaccination services are offered on campuses. These services give schools access to sensitive personal health information (PHI). PHI is protected by law. That would include a coronavirus diagnosis. On the other hand, early notification of a potential coronavirus case on campus could be critical to the health of other members of the campus community. So what guidance should diligent counsel offer concerned administrators about health record privacy?
The issue is knotty. First, it involves balancing two rights: privacy and public health. Second, it involves the interaction of two complex laws. FERPA, the Family Educational Rights and Privacy Act, applies to most school health records. HIPAA, the Health Insurance Portability and Accountability Act, applies to some school health records.
FERPA was enacted in 1974. HIPAA’s privacy regulations were issued in 2000. Since the United States Department of Health and Human Services knew that existing records were already protected by FERPA, it consciously exempted them from HIPAA. As a general principle, therefore, HIPAA does not apply to FERPA school health records.
Educational institutions that receive funding from the Department of Education are subject to FERPA. HIPAA is more complex. A good rule of thumb, however, is that entities transmitting health information electronically are subject to HIPAA. Both FERPA and HIPAA generally protect health information from disclosure. The consent of the student or their guardian is required. So what is a school supposed to do? The good news is that both FERPA and HIPAA have exemptions for public health emergencies. The guidance on public health emergencies is complex. But the coronavirus would certainly qualify.
Under the exemption, FERPA permits institutions to disclose PHI from student health records. The disclosure does not require consent. That said, it does require that the information be necessary to protect the health of the student or other members of the campus community. See 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36. The institution determines whether the necessary health emergency exists. See 34 CFR § 99.36(c).
In making the determination, the institution may rely on the totality of the circumstances. It must be able to cite an “articulable and significant threat.” The Department of Education will accept the institutional decision as long as there is a rational basis for the determination. Id.
The HIPAA Privacy Rule permits a covered entity to disclose PHI in similar circumstances. The entity must have a good-faith belief that the disclosure is necessary to prevent a serious and imminent threat to patient or public health or safety. The disclosure must be to a person reasonably able to address the threat. The disclosure also must comply with any other applicable law. See 45 CFR § 164.512(j)(1)(i).
The covered entity is presumed to have acted in good faith where its belief is based on actual knowledge, in other words, knowledge derived from the entity’s own interaction with the patient. The covered entity is also entitled to rely on a credible representation by a person with apparent knowledge, such as a family member. See 45 CFR § 164.512(j)(4).
Read together, the two statutes, with their respective carve-outs, permit the disclosure of a coronavirus condition. Even so, they are not carte blanche to ignore privacy laws. The minimum effective disclosure principle still applies. In other words, the school may release only as much information as necessary to address the health threat. So, for example, a school may notify parents that someone on campus has tested positive. That would enable parents to take necessary precautions. The school is on much thinner ice in announcing a third grader has the virus. And it is rarely appropriate to declare that a third grader in Mrs. Jones’ class has the virus.
Such a declaration would not advance the cause of protecting public health. And at a time when Asian Americans are being scapegoated for the virus, it may well subject the school to liability. In the world of privacy law, as with many medications, sometimes less is more.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.