February 25, 2004
Ms. Martha Holloway
State School Nurse Consultant
Department of Education
Gordon Persons Building
P.O. Box 302101
Montgomery, Alabama 36130-2101
Dear Ms. Holloway:
This is in response to the information you provided this Office on January 23, 2004. Specifically, you faxed us a memorandum dated April 22, 2003 from Donald E. Williamson, M.D., State Health Officer, Alabama Department of Public Health (DPH), that was addressed to superintendents and head masters. In the memorandum, Dr. Williamson noted that concerns had been raised regarding the "sharing information with the [DPH] regarding immunizations." Dr. Williamson went on to state that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to students' immunization records and that HIPAA permits schools to disclose these records to the DPH. He also stated:
The U.S. Department of Health and Human Services (HHS), who promulgated the HIPAA regulations, and the Centers for Disease Control [and Prevention] (CDC) recently emphasized the public health exception to HIPAA in guidance issued on April 11, 2003. The guidance states that covered entities may disclose protected health information to public health entities, without patient authorization, for the conduct of public health surveillance, investigations, or interventions, as well as for the purpose of preventing or controlling diseases. Additionally, the HHS Office of Civil Rights guidance issued on July 6, 2001 states that covered entities may rely on the judgement (sic) of a public health entity when requesting a disclosure as to the minimum amount of information that is needed by Public Health.
When I was in Montgomery and Birmingham in January conducting training sessions on the Family Educational Rights and Privacy Act (FERPA), I received several questions concerning the applicability of FERPA to immunization and other health records maintained by schools subject to FERPA. You asked that we comment on Dr. Williamson's assertion that student immunization records are covered by HIPAA and whether or not FERPA applies. As you know, this Office administers FERPA. See 20 U.S.C. § 1232g; 34 C.F.R Part 99 (2003).
FERPA is a federal law that protects privacy interests of parents in their children's "education records," and generally prevents an educational institution from having a policy or practice of disclosing the education records of students, or personally identifiable information contained in education records, without the written consent of the parent. The term "education records" is defined as all records, files, documents and other materials which contain information directly related to a student and are maintained by the educational agency or institution or by a person acting for such agency or institution. 20 U.S.C. § 1232g(a)(4)(A); 34 C.F.R § 99.3 "Education records."
Additionally, the records of a student that pertain to services provided to that student under the Individuals with Disabilities Education Act (IDEA) are "education records" under FERPA and are subject to the confidentiality provisions under IDEA (see 34 C.F.R §§ 300.560-300.576) and to all of the provisions of FERPA. When a student reaches the age of 18 or attends an institution of postsecondary education, the student is considered an "eligible student" under FERPA and all of the rights afforded by FERPA transfer from the parents to the student. 20 U.S.C. § 1232g(d); 34 C.F.R § 99.3 "Eligible student."
A K-12 student's health records, including immunization records, maintained by an educational agency or institution subject to FERPA, including records maintained by a school nurse, would generally be "education records" subject to FERPA because they are 1) directly related to a student; 2) maintained by an educational agency or institution, or a party acting for the agency or institution; and 3) not excluded from the definition as treatment or sole possession records, or on some other basis. 20 U.S.C. §1232g(a)(4)(a).
The HIPAA Privacy Rule at 45 C.F.R. Parts 160 and 164 provides additional guidance with respect to the treatment of student health records including immunization records. Specifically, the HIPAA Privacy Rule establishes guidelines to protect the privacy of Protected Health Information (PHI). PHI is defined as: "individually identifiable health information: (1) except as defined in paragraph 2 of this definition that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any form or medium. (2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer." See 45 C.F.R. §160.103.
Thus, education records, including individually identifiable health information contained in such records, that are subject to FERPA, are specifically exempt from the HIPAA Privacy Rule. The reason for this exemption is that Congress, through FERPA, previously addressed how education records should be protected.
Therefore, student immunization records that are maintained by an educational agency or institution subject to FERPA that directly relate to a student or students are considered to be education records under FERPA and are not subject to the HIPAA Privacy Rule. Accordingly, HIPAA neither authorizes nor permits the disclosure of these records.
Under FERPA, there are a number of several specific statutory exceptions to the general rule against nonconsensual disclosure that are set forth at 20 U.S.C. § 1232g(b)-(j) and 34 C.F.R § 99.31. However, there is no exception to FERPA's prior consent rule that would permit a school subject to FERPA to disclose health or other immunization records to a State health agency such as DPH under the circumstances described in Dr. Williamson's April 22, 2003 memorandum. A very limited exception to FERPA's prior consent rule allows educational agencies and institutions to disclose personally identifiable non-directory information to appropriate officials in connection with a health or safety emergency. Specifically, FERPA provides that education records may be disclosed without consent:
in connection with an emergency [to] appropriate persons if the knowledge of such
information is necessary to protect the health or safety of the student or other persons.
20 U.S.C. § 1232g(b)(1)(I). However, the regulations implementing this provision at 34 C.F.R §§ 99.31(a)(10) and 99.36 indicate that these conditions will be "strictly construed."
The exception to FERPA's prior written consent requirement was created with the first FERPA amendments that were signed into law on December 13, 1974. The legislative history demonstrates that Congress intended to limit application of the "health or safety" exception to exceptional circumstances, as follows:
Finally, under certain emergency situations it may become necessary for an educational agency or institution to release personal information to protect the health or safety of the student or other students. In the case of the outbreak of an epidemic, it is unrealistic to expect an educational official to seek consent from every parent before a health warning can be issued. On the other hand, a blanket exception for "health or safety" could lead to unnecessary dissemination of personal information. Therefore, in order to assure that there are adequate safeguards on this exception, the amendments provided that the Secretary shall promulgate regulations to implement this subsection. It is expected that he will strictly limit the applicability of this exception.
Joint Statement in Explanation of Buckley/Pell Amendment, 120 Cong. Rec. S21489, Dec. 13, 1974. (These amendments were made retroactive to November 19, 1974, the date on which FERPA became effective.)
This Office has consistently interpreted this provision narrowly by limiting its application to a specific situation that presents imminent danger to students or other members of the community, or that requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. While the exception is not limited to emergencies caused by terrorist attacks, the Department's Guidance on "Recent Amendments to [FERPA] Relating to Anti-Terrorism Activities," issued by this Office on April 12, 2002 provides a useful and relevant summary of our interpretation (emphasis added):
[T]he health or safety exception would apply to nonconsensual disclosures to appropriate persons in the case of a smallpox, anthrax or other bioterrorism attack. This exception also would apply to nonconsensual disclosures to appropriate persons in the case of another terrorist attach such as the September 11 attack. However, any release must be narrowly tailored considering the immediacy, magnitude, and specificity of information concerning the emergency. As the legislative history indicates, this exception is temporally limited to the period of the emergency and generally will not allow for a blanket release of personally identifiable information from a student's education records.
Under the health and safety exception, school officials may share relevant information with "appropriate parties," that is, those parties whose knowledge of the information is necessary to provide immediate protection of the health and safety of the student or other individuals. (Citations omitted.) Typically, law enforcement officials, public health officials, and trained medical personnel are the types of parties to whom information may be disclosed under this FERPA exception….
The educational agency or institution has the responsibility to make the initial determination of whether a disclosure is necessary to protect the health or safety of the student or other individuals. …
In summary, educational agencies and institutions subject to FERPA may disclose personally identifiable, non-directory information from education records under the "health or safety emergency" exception only if the agency or institution determines, on a case-by-case basis, that a specific situation presents imminent danger or threat to students or other members of the community, or requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. Any release must be narrowly tailored considering the immediacy and magnitude of the emergency and must be made only to parties who can address the specific emergency in question. This exception is temporally limited to the period of the emergency and generally does not allow a blanket release of personally identifiable information from a student's education records to comply with general requirements under State law. Certainly an outbreak of diseases such as measles, rubella, mumps, and polio not only pose threat of permanent disability or death for the individual, but have historically presented themselves as epidemic in nature. Thus, disclosure of personally identifiable information from students' education records to State health officials for such reasons would generally be permitted under FERPA's health or safety emergency provisions.
In disclosing the information to a State health agency, a school should advise the agency that personally identifiable information disclosed by the school may not be redisclosed or shared with any other party outside of the appropriate officials at that agency, unless such disclosure is done with the prior written consent of parents or eligible students or is done on behalf of the school for the same purpose it was disclosed to the agency. See 34 C.F.R § 99.33. Further, FERPA establishes a recordkeeping requirement for educational agencies and institutions in 34 C.F.R § 99.32. Briefly, this section states that an educational agency or institution (1) shall maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student and (2) shall maintain the record with the education records of the student as long as the records are maintained. The record of disclosure must also include: (1) the parties who have requested the information from the education records, and (2) the legitimate interests the parties had in requesting or obtaining the information.
Please note, however, that FERPA does not prohibit an educational agency or institution from disclosing "non-personally identifiable information" to State health officials. Rather, FERPA specifically prohibits the disclosure of personally identifiable information from education records without the prior written consent of parents and students under 34 C.F.R § 99.30. The FERPA regulations at 34 C.F.R. § 99.3 define personally identifiable information to include:
(a) the student's name;
(b) the name of the student's parent or other family member;
(c) the address of the student or student's family;
(d) a personal identifier, such as the student's social security number or student number;
(e) a list of personal characteristics that would make the student's identity easily traceable; or
(f) other information that would make the student's identity easily traceable.
In order to make sure that information is not personally identifiable, the disclosing educational agency or institution would need to remove the name, identification number, and any other identifier that would permit the identity of an individual student to be easily determined.
Finally, nothing in FERPA prohibits school officials from obtaining parental consent in order to disclose personally identifiable information on students to State health officials. The written consent required before an educational agency or institution may disclose personally identifiable, non-directory information from education records should:
(1) specify the records that may be disclosed;
(2) state the purpose of the disclosure; and
(3) identify the party or class of parties to whom the disclosure may be made.
34 C.F.R § 99.30(b); see 20 U.S.C. § 1232g(b)(2)(A).
If requested, the agency or institution must provide a parent or student with a copy of the records disclosed. 34 C.F.R § 99.30(c).
I hope that this letter adequately explains the requirements of FERPA as they relate to the disclosure of personally identifiable information to the DPH by educational agencies and institutions subject to FERPA. Should you have any further questions, please do not hesitate to contact this Office at the following address and telephone number:
Family Policy Compliance Office
Office of Innovation and Improvement
U.S. Department of Education
400 Maryland Avenue, S.W.
Washington, D.C. 20202-5901
LeRoy S. Rooker
Family Policy Compliance Office