November 29, 2004
Ms. Melanie P. Baise
Associate University Counsel
The University of New Mexico
Scholes Hall 152
Albuquerque, New Mexico 87131-0056
Dear Ms. Baise:
This responds to your letters of February 4 and July 9, 2003, in which you asked about a potential conflict between the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and State laws that impose mandatory reporting requirements on university health care providers and other school officials. This Office administers FERPA and is responsible for providing technical assistance to ensure that educational agencies and institutions comply with the statute and regulations codified at 34 CFR Part 99. An educational agency or institution that determines that it cannot comply with FERPA due to a conflict with State or local law is required to notify this Office within 45 days, providing the text and citation of the conflicting law. 34 CFR § 99.61.
The first letter concerns operation of the University of New Mexico's Student Health Center, which provides medical services to students. You explained that New Mexico Health Department regulations provide for mandatory reporting to the State Department of Health of "a range of diseases and injuries, including sexually transmitted diseases, HIV, AIDS, communicable diseases, infectious diseases, health conditions related to environmental exposures and certain injuries and cancer." 7 NMAC 4.3. Communicable diseases must be reported "immediately" to the State Office of Epidemiology. 7 NMAC 4.3.12(A). You noted that reports must include personal information about the student-patient, including name; date of birth/age; sex; race/ethnicity; address; and telephone number, and that all reports are confidential. 7 NMAC 4.3.12(C), 4.3.9(I), 4.3.10(F). Your concern is that if students refuse to provide written consent, or do not provide it in a timely manner, these mandatory reporting requirements may conflict with FERPA if the disclosures do not fall within the exception for disclosure of education records "in connection with a health or safety emergency."
Your second letter identified two additional State mandatory reporting requirements that may conflict with FERPA. The first is the Abuse and Neglect Act, NMSA 1978 Sec. 32A-4-1 et seq., (1999 Repl. Pamp.) codified in the New Mexico Children's Code. According to your letter, this law requires "every person" who "knows or has a reasonable suspicion that a child is an abused or a neglected child [to] report the matter immediately to "local law enforcement, the Department of Children, Youth and Family, or tribal law enforcement or social services agencies for any Indian child residing in Indian country. The second law is the Adult Protective Services Act, which provides that "any person having reasonable cause to believe that an incapacitated adult is being abused, neglected or exploited shall immediately report that information to the [Department of Children, Youth and Families]." NMSA 1978 Sec. 27-7-30(A)(1999 Repl. Pamp.) The report must include the name, age, and address of the incapacitated adult, any person responsible for the adult's care, and other relevant information. In both cases, failure to report abuse as required may be punished as a misdemeanor. Your concern is that university health care providers who submit reports about students under these statutes might violate FERPA.
Applicable FERPA Provisions
FERPA protects the privacy interests of parents and students in a student's "education records." Educational agencies and institutions subject to FERPA may not have a policy or practice of disclosing "education records, or personally identifiable information contained therein other than directory information ... without the written consent of their parents..." except as provided by statute. 20 U.S.C. § 1232g(b)(1); 34 CFR 99.30. All FERPA rights transfer from parents to students when the student reaches 18 years of age or attends a postsecondary institution. 20 U.S.C. § 1232g(d); 34 CFR § 99.3 ("Eligible student").
Under FERPA, "education records" are defined as
those records, files, documents, and other materials which -
(i) contain information directly related to a student; and
(ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.
20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3 ("Education records"). The term "student"
includes any person with respect to whom an educational agency or institution maintains education records or personally identifiable information, but does not include a person who has not been in attendance at such agency or institution.
20 U.S.C. § 1232g(a)(6); 34 CFR § 99.3 ("Student").
FERPA excludes four categories of information from the term "education records" including
(iv) records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student's choice.
20 U.S.C. § 1232g(a)(4)(B); 34 CFR § 99.3 ("Education records"). These are commonly known as "treatment records" of eligible students.
FERPA applies to an educational agency or institution that receives funds under programs administered by the U.S. Secretary of Education. 34 CFR § 99.1(a). If an agency or institution receives funds under one or more of these programs, FERPA applies to the recipient as a whole, including each of its components, such as a department within a university. 34 CFR § 99.1(d).
Records maintained on students at a campus health center are "education records" subject to FERPA because they are directly related to a student and maintained by the institution or by a party acting for the institution. The records of a campus-based student health center would not be subject to FERPA if the center is funded, administered and operated by or on behalf of a public or private health, social services, or other non-educational agency or individual. (We note that final regulations promulgated under the 1996 Health Insurance Portability & Accountability Act (HIPAA), codified at 45 CFR Parts 160 and 164, provide that health care information that is maintained as an "education record" under FERPA is not subject to the HIPAA Privacy Rule precisely because it is protected under FERPA. See 45 CFR § 164.501, Protected health information. A campus health care provider that is not subject to FERPA may be subject to the HIPAA Privacy Rule instead.) As explained further below, based on the information provided in your letters, we agree with your conclusion that student health records maintained by the University's Student Health Center are "education records" subject to FERPA.
Under the provisions cited above, records maintained by the University's Student Health Center on student-patients are excluded from the definition of "education records" under FERPA only if they are made, maintained, and used only in connection with the student's treatment and not disclosed to anyone other than individuals providing treatment to the student. If these records are disclosed in personally identifiable form to the State Department of Health or other agencies for reasons other than the student's "treatment," then the records are no longer excluded from the statutory definition of "education records" and may only be disclosed in accordance with FERPA requirements. That is, the student must provide a signed and dated written consent in accordance with section 99.30 of the FERPA regulations or the disclosure must fall within one of the exceptions to that requirement as set forth in section 99.31(a).
State Law Reporting Requirements
1. Reporting of Notifiable Conditions and Cancer.
Regulations issued by the New Mexico Department of Health for "Control of Disease and Conditions of Public Health Significance" impose mandatory reporting requirements for "notifiable conditions," which include both "communicable diseases" and "conditions of public health significance." 7 NMAC 4.3.7 J. "Communicable disease" means "an illness caused by infectious agents or their toxic products which may be transmitted to a susceptible host." "Condition of public health significance" means "a condition dangerous to public health or safety." 7 NMAC 4.3.7 D & E.
Certain communicable diseases require immediate reporting on an "emergency basis." These include vaccine preventable diseases, such as measles, mumps, haemophilus influenzae, invasive infections, rubella, tetanus, etc., and other diseases such as anthrax, botulism, cholera, E.coli infections, Hantavirus, rabies, smallpox, tuberculosis, yellow fever, as well as suspected food and waterborne illnesses and those suspected to be caused by release of biologic or chemical agents. 7 NMAC 4.3.12 A. "Routine" (i.e., non-emergency) reporting is required for various infectious diseases, including but not limited to Colorado tick fever, encephalitis, hepatitis, Legionnaires' disease, Lyme disease, malaria, Reye syndrome, toxic shock syndrome, etc.; sexually transmitted diseases, such as chlamydia, gonorrhea, syphilis, HIV, and AIDS; birth defects; and health conditions related to environmental exposures and certain injuries, such as asbestosis, firearm injuries, lead blood levels, pesticide-related illness, silicosis, spinal cord injuries, traumatic brain injuries, and other environmentally-induced health conditions. 7 NMAC 4.3.12 B.
State health regulations provide that health care professionals, laboratories, and "any other person ... having knowledge of any person having or suspected of having a notifiable condition, shall immediately report the instance to the Office [of Epidemiology of the Department of Health]." 7 NMAC 4.3.8. "Other person" includes but is not limited to an official in charge of any health facility, the principal or person in charge of any private or public school or child care center, teachers and school nurses. 7 NMAC 4.3.7 L. All reports must include the patient's name, date of birth/age, sex, race/ethnicity and telephone number, along with the problem reported. 7 NMAC 4.3.12 C. In addition, the Department of Health may have access to all medical records of persons with, or suspected of having notifiable diseases or conditions of public health significance. 7 NMAC 4.3.9 H. (The Department of Health may also require exclusion of infected and non-immune persons, including students, patients, employees, or other persons, and order closure and discontinuance of operations in specified circumstances, where any case of communicable disease occurs or is like to occur in public, private, or parochial school or health care facility. 7 NMAC 4.3.9 D.)
State health regulations also designate the New Mexico Tumor Registry as the agency responsible for operating a statewide cancer registry. 7 NMAC 4.3.10 A. Hospitals and other facilities providing screening, diagnostic or therapeutic services to patients must report cancer cases to the cancer registry. 7 NMAC 4.3.10 B. Health care professionals (such as a school nurse) diagnosing or providing treatment for cancer patients, except for cases directly referred to or previously admitted to a hospital or other facility, must also report cancer cases to the registry. 7 NMAC 4.3.10 C. The cancer registry is authorized to access all records of physicians and surgeons, hospitals, outpatient clinics, nursing homes, and all other facilities, individuals or agencies providing cancer related services. 7 NMAC 4.3.10 D.
All reports of notifiable conditions and cancer case data are confidential. Disclosure to any person of reported information that identifies or could lead to the identification of an individual is prohibited except for purposes of prevention, control, or research or, in the case of cancer reporting, for reporting to other state cancer registries and local and state health officers. 7 NMAC 4.3.9 I and 4.3.10 F.
2. Reporting of Abuse and Neglect
You also asked about two other State laws. The first is the Abuse and Neglect Act, part of the New Mexico Children's Code, which requires every person, including a nurse, schoolteacher, or school official, who "knows or has a reasonable suspicion that a child is an abused or a neglected child [to] report the matter immediately" to local law enforcement, the county department of children, youth and family, or tribal law enforcement or social services agencies (for Indian children residing in Indian country). NMSA 1978 § 32A-4-3 A. This section also provides that these agencies are entitled to have access to "any of the records pertaining to a child abuse or neglect case maintained by any of the persons [required to report abuse or neglect under this statute]" except as otherwise provided. NMSA 1978 § 32A-4-3 E. You pointed out that the law does not enumerate what items of information must be reported, but undoubtedly the institutional official making the report would be asked to provide the name of the student. Failure to report abuse as required is a misdemeanor under § 32A-4-3 F.
The second State law is the Adult Protective Services Act, which provides that "any person having a reasonable cause to believe that an incapacitated adult is being abused, neglected or exploited shall immediately report that information to the department [of children, youth and families]." NMSA 1978 § 27-7-30 A. The report must contain the name, age and address of the adult, the name and address of any other person responsible for the adult's care, the extent of the adult's condition, the basis of the reporter's knowledge, and other relevant information. NMSA 1978 § 27-7-30 B. Failure to report abuse as required is a misdemeanor under § 27-2-30 C.
In both cases, these reports may require the disclosure of personally identifiable, non-directory information from education records. You indicated that University health care providers may obtain information about students that would require them to submit a report under these State laws.
As noted above, health or medical "treatment records" of postsecondary students are excluded from the FERPA definition of education records provided they are disclosed only to individuals providing treatment. Our review of the mandatory State reporting requirements described above indicates that any "treatment records" maintained by the University would lose that status if they were disclosed pursuant to any of these State laws. In particular, the mandatory reporting of notifiable conditions and cancer cases addresses general concerns of public health and safety and not treatment for the individual who is the subject of the disclosure. Similarly, while the reporting requirements established under the State's abuse and neglect laws are intended to protect the subject individuals, the disclosure of information to law enforcement, social services, legal assistance, and other agencies cannot be considered "treatment" under this FERPA exception to the definition of "education records" in FERPA. Accordingly, we find that personally identifiable information from education records that is disclosed pursuant to any of these State laws may not be considered "treatment records" and is subject to all FERPA requirements.
FERPA provides that prior written consent is not required to disclose properly designated "directory information" from education records. 34 CFR §§ 99.31(a)(11) and 99.37. "Directory information" means information that would not generally be considered harmful or an invasion of privacy if disclosed, including the student's name, address, telephone number, date of birth, and so forth. See 34 CFR § 99.3 ("Directory information"). Communicable diseases and other notifiable conditions about an individual student may not be designated and disclosed as directory information under FERPA because this is the type of information that would generally be considered an invasion of privacy if disclosed. This is consistent with the confidentiality requirements imposed under State law for the mandatory reporting of this information, as noted above.
Another FERPA provision allows an educational agency or institution to disclose personally identifiable information from education records, without prior written consent,
in connection with an emergency [to] appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons.
20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) 99.36.
Congress added this exception to the written consent requirement when FERPA was first amended, on December 13, 1974. The legislative history demonstrates Congress' intent to limit application of the "health or safety" exception to exceptional circumstances --
Finally, under certain emergency situations it may become necessary for an educational agency or institution to release personal information to protect the health or safety of the student or other students. In the case of the outbreak of an epidemic, it is unrealistic to expect an educational official to seek consent from every parent before a health warning can be issued. On the other hand, a blanket exception for "health or safety" could lead to unnecessary dissemination of personal information. Therefore, in order to assure that there are adequate safeguards on this exception, the amendments provided that the Secretary shall promulgate regulations to implement this subsection. It is expected that he will strictly limit the applicability of this exception.
Joint Statement in Explanation of Buckley/Pell Amendment, 120 Cong. Rec. S21489, Dec. 13, 1974. (These amendments were made retroactive to November 19, 1974, the date on which FERPA became effective.)
Section 99.31(a)(10) of the regulations provides that the disclosure must be "in connection with a health or safety emergency" under the following additional conditions:
An educational agency or institution may disclose personally identifiable information from an education record to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.
34 CFR § 99.36(a)(emphases added.) In accordance with Congressional direction, the regulations provide further that these requirements will be strictly construed. 34 CFR § 99.36(c).
The Department has consistently interpreted this provision narrowly by limiting its application to a specific situation that presents imminent danger to students or other members of the community, or that requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. While the exception is not limited to emergencies caused by terrorist attacks, the Department's Guidance on "Recent Amendments to [FERPA] Relating to Anti-Terrorism Activities," issued by this Office on April 12, 2002, provides a useful and relevant summary of our interpretation (emphasis added):
[T]he health or safety exception would apply to nonconsensual disclosures to appropriate persons in the case of a smallpox, anthrax or other bioterrorism attack. This exception also would apply to nonconsensual disclosures to appropriate persons in the case of another terrorist attach such as the September 11 attack. However, any release must be narrowly tailored considering the immediacy, magnitude, and specificity of information concerning the emergency. As the legislative history indicates, this exception is temporally limited to the period of the emergency and generally will not allow for a blanket release of personally identifiable information from a student's education records.
Under the health and safety exception school officials may share relevant information with "appropriate parties," that is, those parties whose knowledge of the information is necessary to provide immediate protection of the health and safety of the student or other individuals. (Citations omitted.) Typically, law enforcement officials, public health officials, and trained medical personnel are the types of parties to whom information may be disclosed under this FERPA exception...
The educational agency or institution has the responsibility to make the initial determination of whether a disclosure is necessary to protect the health or safety of the student or other individuals....
By way of example, in accordance with these principles we concluded in a 1994 letter that a student's suicidal statements, coupled with unsafe conduct and threats against another student, constitute a "health or safety emergency" under FERPA. However, we also noted that this exception does not support a general or blanket exception in every case in which a student utters a threat. More recently, in 2002 we advised that a school district could disclose information from education records to the Pennsylvania Department of Health, without written consent, where six students had died of unknown causes within the previous five months. These facts indicated that the district faced a specific and grave emergency situation that required immediate intervention by the Department of Health to protect the health and safety of students and others in the school district.
With regard to reports required under state law, in 2000 we advised a state senator about a potential conflict between FERPA and a state law that requires a school to notify the appropriate law enforcement agency immediately if it receives a request for the records of a child who has been reported missing, and then notify the requesting school that the child has been reported missing and is the subject of an ongoing law enforcement investigation. Once again noting that the "health and safety emergency" exception generally does not allow a blanket release of personally identifiable, non-directory information from education records, we concluded that FERPA would allow school personnel to comply with this law
only if the school has made a case-by-case determination that there is a present and imminent threat or danger to the student or that information from education records is needed to avert or diffuse serious threats to the safety or health of a student...In the case of a missing child, we agree that law enforcement officials would constitute an appropriate party for the disclosure assuming that the school has first determined that a threat or imminent danger to the child exists.
May 8, 2000, letter to Pennsylvania State Senator Stewart J. Greenleaf (emphases added.)
In summary, the University may disclose personally identifiable, non-directory information from education records under the "health or safety emergency" exception only if it has determined, on a case-by-case basis, that a specific situation presents imminent danger or threat to students or other members of the community, or requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. Any release must be narrowly tailored considering the immediacy and magnitude of the emergency and must be made only to parties who can address the specific emergency in question. This exception is temporally limited to the period of the emergency and generally does not allow a blanket release of personally identifiable information from a student's education records to comply with general requirements under State law.
The New Mexico Department of Health has made a reasonable determination, by regulation, which specific, communicable diseases require immediate reporting on an "emergency" basis. 7 NMAC 4.3.12(A). This Office will not substitute its judgment for what constitutes a true threat or emergency unless the determination appears manifestly unreasonable or irrational. We find that the State reporting requirement for communicable diseases satisfies the FERPA requirement for a case-by-case determination that a specific situation, i.e., an identified communicable disease, presents an imminent danger or threat to students or other members of the community, that the release is narrowly tailored to meet the emergency, and that reports are made to appropriate authorities within the health department. Therefore, the University may disclose personally identifiable information from education records, without written consent, to meet these State health reporting requirements.
We cannot come to the same conclusion with respect to the "routine" or non-emergency reporting that is required by regulation for other notifiable conditions, including the infectious diseases, injuries, environmental exposures, sexually transmitted diseases, HIV/AIDS, cancer, and birth defects specified in 7NMAC 4.3.12 B, as well as reports to the New Mexico Tumor Registry required under 7 NMAC 4.3.10. Indeed, in these cases, the State Department of Health has determined that the specified disease or condition does not constitute an imminent danger or threat or that emergency reporting or other action is necessary to address the concern. Consequently, the University may not disclose information from a student's education records to meet these "routine" health reporting requirements unless it has made a specific, case-by-case determination that a health or safety emergency exists, as described above, or the student provides prior written consent for the disclosure in accordance with section 99.30 of the FERPA regulations.
In regard to the reporting required under New Mexico's Abuse and Neglect Act, in 1997 this Office reviewed State laws in Maine and Texas that require schools to report known or suspected cases of child abuse or neglect to designated officials. While we first determined that the "health and safety emergency" exception in FERPA would not permit a blanket release of personally identifiable information from a student's education records in every case where a teacher "knows or has reasonable cause to suspect that a child has been or is likely to be abused or neglected," we also concluded that these state laws actually presented a conflict between FERPA and another, later-enacted Federal law that superseded FERPA and allowed these disclosures without consent.
In particular, the Federal Child Abuse Prevention, Adoption and Family Services Act of 1988 amended the Child Abuse Prevention and Treatment Act (CAPTA) by providing that a State must enact laws that require reporting of known and suspected instances of child abuse and neglect in order to receive grants for abuse prevention and treatment programs. See 42 U.S.C. § 5106a(b)(1)(A) and 45 CFR 1340.14(c). (States must also ensure that the disclosure and redisclosure of information concerning child abuse and neglect is made only to persons or entities determined by the State to have a need for the information. 42 U.S.C. § 5106a(b)(4)(A).) It is clear that in some instances the mandatory reporting may require the release of personally identifiable information from education records protected under FERPA. Congress enacted the basic privacy protections of FERPA in 1974. Following well-established standards of statutory construction, we were unable to interpret these two laws (CAPTA and FERPA) so that they did not conflict and concluded that Congress intended to supersede FERPA in this instance and allow reports of child abuse to take place, including disclosure of personally identifiable information from education records, without parental consent.
Under this analysis, University personnel may comply with the specific reporting requirements in New Mexico's Abuse and Neglect Act and regulations to the extent that these State requirements comply with CAPTA (including regulations promulgated pursuant to CAPTA) and conflict with specific provisions in FERPA. We would be pleased to answer any more detailed questions you may have in this regard about reporting requirements under this State law.
New Mexico's Adult Protective Services Act requires "[a]ny person having reasonable cause to believe that an incapacitated adult is being abused, neglected or exploited" to "immediately report that information to the [department of children, youth and families]." Records created or maintained pursuant to investigations under this law are "confidential" and may not be disclosed directly or indirectly to the public. However, these records are open to inspection by numerous agencies and individuals other than the Department of Children, Youth and Families and the alleged victim, including court personnel; personnel of any State agency with a legitimate interest in the records; law enforcement officials; any State government social services agency in any other State; health care or mental health professionals involved with the alleged victim; parties and their counsel in all legal proceedings brought pursuant to the Adult Protective Service Act; persons who have been or will in the immediate future provide care or services to the adult (except the alleged abuser); persons appointed by the court to serve as guardian, visitor, or qualified health care professional; any other person or entity, by order of the court, having a legitimate interest in the case or the work of the court; and protection and advocacy representatives pursuant to the Federal Developmental Disabilities Assistance and Bill of Rights Act and Protection and Advocacy for Mentally Ill Individuals Act. Records of substantiated cases are also provided to the State Department of Health, the District Attorney's Office, the Medicaid Fraud Control Unit, and the Office of the Long-Term Care Ombudsman for "appropriate additional action." N.M. Stat. Ann. § 17-7-29.
We are not aware of any Federal law comparable to CAPTA that applies to the reporting required under the Adult Protective Services Act. In regard to disclosing information from education records without prior written consent, there may well be many instances in which a University official who has a legal responsibility to make a report about an incapacitated adult under State law, particularly one who appears "abused," could also conclude that a "health or safety emergency" exists under the FERPA exception as explained above. However, given the inclusion in the State reporting requirement of the standards of "neglect" and "exploitation," which may not present immediate risk to an incapacitated adult, or may not implicate the adult's "health or safety," we cannot conclude that the State has made a case-by-case determination that a "health or safety emergency" exists in these circumstances. In addition, the wide variety of parties who may obtain access to information disclosed initially to the Department of Children, Youth and Families may not meet the FERPA requirement that the information be redisclosed only in accordance with the requirements of 20 U.S.C. § 1232g(b)(4)(B) and 34 CFR § 99.33(a). Therefore, the University may not disclose personally identifiable information from education records to comply with the Adult Protective Services Act without the student's prior written consent unless it has made a specific, case-by-case determination that a "health or safety emergency" exists, as described above, or some other exception to the prior written consent requirement applies. Further, if such a determination is made, the University must also advise the Department of Children, Youth and Families that it may not redisclose any personally identifiable information from education records to any other party except in accordance with the requirements of 20 U.S.C. § 1232(b)(4)(B) and § 99.33 of the FERPA regulations. See also 34 CFR § 99.33(e), which provides a penalty for third-party redisclosure of education records in violation of FERPA requirements.
Finally, we note that under State law the Department of Health has authority to prescribe the duties of public health nurses and school nurses, and that all school health personnel (except physical education staff), "are under the direct supervision and control of the district health officer in their district. They shall make such reports relating to public health as the district health officer in their district requires." Public Health Act §§ 24-1-3 G and 24-1-4 D. These State laws do not remove records maintained by the University's Student Health Center from coverage under FERPA because it appears that health services are provided to students by, on behalf of, and under the control of the University, and not a separate health agency or health care provider. We would be pleased to evaluate any additional facts you wish to share on this point.
I trust that this is helpful in explaining the scope and limitations of FERPA as it pertains to your inquiry. Should you have any additional questions, please do not hesitate to contact this Office again.
LeRoy S. Rooker
Family Policy Compliance Office