The Family Policy Compliance Office is excited to announce the launch  of the new Student Privacy Website! This new website replaces both the Privacy Technical Assistance Center’s and the Family Policy Compliance Office’s sites.  The Student Privacy Website can be found at: Be sure to update your bookmarks accordingly!

Kris Alman 10/01/2015

Dear Ms. Styles, 
The USED PTAC “Dear Colleague” letter[1] is intended to guide higher education institutions in protecting student medical record: 
(W)ithout a court order or written consent, institutions that are involved in litigation with a student should not share student medical records with the institution's attorneys or courts unless the litigation in question relates directly to the medical treatment itself or the payment for that treatment, and even then disclose only those records that are relevant and necessary to the litigation.

Oregon Senator Wyden and Congresswoman Bonamici prompted USED for this guidance in asking whether a “loophole” in the FERPA allowed University of Oregon attorneys to gain access to a student’s private health-treatment records.[2]

This clarification of FERPA is well written.  It goes beyond legislation[3] passed this spring in Oregon (where I live) to protect student privacy. Oregon’s new law carved out confidentiality protections only for students who are victims of domestic violence, sexual assault or stalking to comply with Title IX and Clery Act data mandates.

However, the “Dear Colleague” letter only addresses the handling of student medical records in institutions of higher education. Furthermore, the issue only addresses FERPA exemptions in litigation.

In the era of big data, state agencies, school district administrators and teachers need much better guidance. FERPA and HIPAA violations don’t allow for a private right of action. But as GW Law School Professor and privacy expert Daniel Solove[4] notes, this does not stop lawsuits for negligence, privacy torts, and breach of confidentiality torts.

As a physician, I bring to the table both my confusion about these laws (despite the vast research I have done) and my perspective as a diagnostician.  Diagnoses evolve because psychosocial and physical complaints are hard to untangle. To develop trust, continuity of care is essential but generally lacking (despite Obamacare) for the highest risk patients whose dire socioeconomic conditions create barriers to care while compromising physical and mental health at the same time.

Discriminating between serious psychopathology and adjustment disorders requires a team of caring, committed individuals, which includes family members. Privacy and confidentiality laws can be perceived as barriers. This is nothing new.

Moving from analog to digital records, new problems are created. 
Digital recordkeeping is notoriously porous. I know. I am a victim of tax ID theft and among those affected by the OPM data breach—I might add, for work as a VA doctor in Albuquerque over 25 years ago. Needless to say, I was unaware that the OPM had records stored on me. But I was also shocked to know they had been retained so long.

Fair Information practices and privacy by design have not been built into America’s data systems. 
The last joint guidance on HIPAA and FERPA was in 2008.[5]  Since 2008, ARRA funding stimulated electronic records in both education and health care.  With that, came rule changes in FERPA that expanded non-consensual sharing of education records, which permits state agencies to share student data in longitudinal data systems from birth through career without consent.  Commercial sectors, promulgating “personalized” education, are doing the same as "school officials" or "authorized representatives." 
With search of metadata, individual profiles emerge that may be inaccurate. Again, I know. Three years ago, I used FERPA to request data in my son’s state longitudinal data system. In his k-9 trajectory, he was mislabeled a dropout four times for intra- and inter-district transfers and a year of private education.

Imagine how wrong data could be used for labeling a school “failing.” Imagine how wrong data could create profiles and used to track specific students with predictive analytics. Imagine how wrong data (such as behavioral data) might be reason for a college to reject a student.

I appreciate USED’s recognition of the complex nature of this issue and request for views on the following:
1. Whether this guidance would create any unintended consequences. For example, would this guidance in any way restrict the work of threat assessment teams, as we believe these teams are often the best method for schools and colleges to assess whether a given student constitutes a threat to him/herself or others? 
The simple answer is no. 
With good intentions, Senator Wyden and Congresswoman Bonamici have introduced the “Campus Litigation Privacy Act.“[6] My critique of that bill is the notwithstanding clause, which Congresswoman Bonamici has paraphrased as meaning[7]
The attorney provides satisfactory assurances that he or she has exercised due diligence in providing a student with notice and the opportunity to object to the disclosure of records and agrees to limit the use, disclosure, and retention of the information to the specific legal proceeding. 
There should be evidence of "articulable and significant threat to self or the health or safety of other individuals" if "good faith attempts" by “impartial” individuals to provide written notice to the student have failed to do so. Further, a representative of the school (a counselor or a member of the threat assessment team who has evaluated the student) should be present at the court or administrative tribunal.

Indeed, law enforcement should not wait for students’ mental health records to react to imminent threat. After all, a student may seek care off-campus or may never have previously sought mental health treatment.

All states recognize the psychotherapist-patient privilege. [8] Health care providers depend on confidentiality to create a trusting relationship. This is particularly true for mental health providers. 
The 1976 Tarasoff decision of California’s Supreme Court of California established that psychotherapists have a duty to protect potential victim(s) of the threat posed by the psychotherapist's patient.[9] This decision came about after a U.C. Berkeley student stalked and murdered a young woman attending a nearby community college in 1969. This case triggered passage of “duty to warn” or “duty to protect” laws in almost every state.[10]

These laws are not without controversy. Given a high prevalence of homicidal and sexually aggressive fantasies,[11] it’s challenging for therapists to evaluate the dangerousness of an individual—which argues for permissive, rather than mandatory duty to warn/protect laws.

How likely would mental health records be helpful for law enforcement when appealing to a judge for student health records?

Cho Seung Hui’s records[12] from Virginia Tech’s Cook Counseling Center and Carilion New River Valley Medical Center were not illuminating when they were disclosed to the public. He was described as an anxious, depressed young Korean man without homicidal or suicidal ideation.

In winter of 2008, the American Association of State Colleges and Universities[13] reviewed the Virginia Tech shootings and other related court cases to develop best practices for college and university leaders. The Virginia Tech Review Panel recommended that college counseling centers report all students receiving court-ordered mental health treatment (on- or off-campus) to the threat assessment team for follow-up.

Guns play a central role in violence in the U.S.—including elementary schools like Sandy Hook. In states that require background checks for private handgun controls, there is a 48% reduction in firearm suicide rates.[14] The number of gun-related deaths from in the U.S. from 1989-2014 (836,290) exceeds the number of combat deaths from all the wars in U.S. history (656,397).[15]

Everytown For Gun Safety[16] recently published a comprehensive analysis of every mass shooting[17] between January 2009 and July 2015: 
•      Of 133 examined incidents, in only one was there evidence the shooter was prohibited by federal law from possessing guns due to severe mental illness. In 15 other incidents (11 percent), there was there was evidence that concerns about the mental health of the shooter had been brought to the attention of a medical practitioner, school official, or legal authority prior to the shooting.
•      Five (4%) took place in schools, including primary, secondary, and college campuses.
•      38% of the shooters were prohibited purchasers of guns.

Aurora Colorado shooter James Holmes presents more ethical questions. A University of Colorado school psychiatrist had treated the young man and consulted with a campus police officer.[18] Holmes was not referred for a 72-hour psychiatric hold and The CU Behavioral Evaluation and Threat Assessment team never evaluated Holmes before he abruptly quit school.[19] Subsequent to that tragedy, Colorado passed landmark gun control legislation.[20]

Mental health professionals, teachers and clergy anguish over decisions to breach confidentiality when there is a potential threat to public safety.[21] An individual and a threat assessment team cannot predict violence. Nor can an involuntary commitment to a psychiatric hospital prevent violence.

On the other hand, a school could be accused of psychiatric abandonment[22] if they have not arranged follow-up for a high-risk student who voluntarily or involuntarily leaves the school. HIPAA and FERPA do not prevent disclosures to the family or guardian of students with serious mental health conditions. In my opinion, the UC staff abrogated those responsibilities. 
2.     Recognizing that getting a court order or consent will create additional burden on institutions, is there a way to mitigate that burden without lessening the protections given to students?

The court order is a necessary burden for schools to comply with confidentiality laws. 
3.     If this guidance is extended outside the postsecondary context to include K-12 and early childhood, what other factors need to be considered? For example, how would this guidance fit within the context of elementary and secondary school counselors, or disputes regarding special education services?

It is absolutely essential that guidance should include K-12 and early childhood. The HIPAA/FERPA joint guidance is woefully out-of-date. Federal law should address the following:

•      Student medical records in k-12 school based health centers

With school-based health centers becoming more prevalent,[23] there will be an explosion of student medical records for minors in K-12 and early childhood. It is extremely confusing how all these records will be handled—especially since payment through Medicaid[24], the State Children’s Health Insurance Program (CHIP) and private insurance companies will be involved.

School-based health centers (SBHC)[25] were created to address persistent disparities in health care access, quality, and outcomes. State, local, and private funds are the principal sources of financing for SBHCs though some federal program funds have been used by SBHCs to provide health care services to school-aged children. 
During the 2014-15 school year, there were 65 certified SBHCs[26] in operation in Oregon.[27] 60 sites use some form of electronic health records. 51 of those 60 sites use OCHIN Epic.

Headquartered in Portland, Oregon, OCHIN is a health information network[28] spanning 18 states and serving over 4,500 physicians. OCHIN has created a complex graphic[29] as part of their 2012 position paper, Student Treatment Records under HIPAA vs. FERPA.”[30]
(T)he SBHC is only considered a covered entity under HIPAA if it conducts any covered transactions electronically in connection with the health care it provides, such as billing insurance electronically. If the SBHC is a covered entity, then it must comply with the HIPAA Transactions regulations with respect to those covered transactions. These SBHCs generally will not be required to comply with the HIPAA Privacy regulations because the records they maintain are “education records” or “treatment records” under FERPA, which are excluded from the HIPAA Privacy regulations. In that case, FERPA privacy requirements apply to their records.

When OCHIN states that SBHCs are excluded from HIPAA Privacy regulations, this is no trivial matter. OCHIN provides a hosted Epic Systems’ practice management system (PMS) and electronic health record (EHR).[31]  OCHIN works with the Oregon Clinical & Translational Research Institute[32]researching care to underserved patients with an over-representation of racial and ethnic minorities, Medicaid patients and uninsured patients.

Contrast OCHIN’s position paper to this 2012 Oregon Department of Justice memorandum[33] that answered questions[34] regarding SBHCs including the following: 
Can nurses and school based health center (SBHC) staff work in the same space if hired by different entities?
A: Given the constraints both FERPA and HIPAA place on information sharing between school nurses and SBHC staff, having SBHC staff and school nurses work in the same space is not advisable because it would likely be impossible to retained the confidentiality required by these laws.

Should a school district be encouraged to designate a SBHC as a school official, allowing information sharing between the school nurse and the SBHCs staff?
A: Whether a school district can enter into an agreement with a SBHC that would allow information sharing between the two, without written consent, is a matter that must be discussed with legal counsel and it may or may not be legal under FERPA.

What if risk management in the district wants to talk to a school nurse about a student incident?
A: If risk management has a legitimate educational interest in the information and is a “school official” as that is defined under FERPA, a school nurse may discuss the incident with risk management.

Clear as mud.

The Association of State and Territorial Health Officials has compared the FERPA and HIPAA rules for accessing student health data.[35] Implementing of the different rules has practical implications.

For example, USED’s Privacy Technical Assistance Center[36] offers guidance on de-identification. Agencies are further expected to apply disclosure avoidance measures[37]. The HIPAA Privacy Rule[38] allows two methods for de-identification but does not restrict the use or disclosure of de-identified health information.

Dr. Latanya Sweeney was dubbed the “goddess of re-identification”[39] after she correctly re-identified children with type of cancer, ZIP code, and date of diagnosis. ” In Southern Illinoisian v. Department of Public Health, the courts ordered knowledge of her method sealed and barred her from publication.[40] Health-policy publications refused to publish re-identification experiments related to health data from fear that reaction might make data sharing more difficult. This led to a void of published results intended to reassure the public that distorted the risks of re-identification. 
Whether de-identification guidance is more or less stringent with FERPA is irrelevant if only governmental agencies follow guidelines. As Sweeney points out, the top buyers of statewide databases are not researchers but private companies, especially those constructing data profiles on individuals. The bottom line is that HIPAA/FERPA confusion prevails in early education through k-12.
•      Security and privacy rules governing student health records
A United States Supreme Court’s decision narrowed interpretation of the definition of “education record.”[41] The Dear Colleague letter explains that medical records (including counseling records) are "treatment records" until they are disclosed, when they become education records under FERPA. 
Do k-12 nurses also maintain “treatment records” until the records are disclosed? And until then, are these treatment records regulated by HIPAA? Or are they in legal limbo, only protected by confidentiality laws?  Surely school nurses are using electronic records for storing student health records. If they record that data in the school’s student information system, could these sensitive records be easily breached without restrictions on permission to access these records or strong passwords? 
Confidentiality is put to the test in Portland Public Schools. This Oregon school district has a suicide protocol that includes a "suicide screening form."[42] The protocol is initiated[43] “when a student makes any active suicide attempt or gesture, and/or talks about or shares thoughts of suicide, including those thoughts expressed in writing, art, or other forms.” The suicide screening form is “an incident report form that tracks a potential risk and the response of the school district staff to that risk.” Counselors are told that failure to include this education record in a student's cumulative file “is a violation of FERPA and school board policy.” 
Will placing the Suicide Screening Form in the student’s cumulative folder violate the American School Counselors Association guidelines? School counselors are subject to the same FERPA and School Board policy requirements as other school district employees.  Professional guidelines do not have the effect of the law. 
This interpretation of FERPA and confidentiality[44] is wrong in Oregon. But their intentions are valid. Should school districts or education service districts create threat assessment teams?

What about encryption of transmitted student medical records? Covered entities are required to transmit health records in accordance to the HIPAA Security Rule. 
Through telemedicine, the delivery of medical care is rapidly expanding to the Internet. Advocates for “school-based telehealth”[45] agree that “Keeping Children Healthy So They Can Do Their Best in School.” The trade secret telemedicine industry [46] is they are not covered by HIPPA Security rules. When companies claim that their product is “HIPAA secure,” [47] can they do so without meeting any standards? 
Confusion about FERPA and HIPAA lends to policies that are riddled with error and threaten confidentiality.  Telemedicine should be required to comply with HIPAA security rules. Schools should be required to follow the HIPAA Security Rule when handling any student medical records. Clarifications should be codified into law.

•      Cloud computing
The insatiable appetite for data strains education budgets. Cloud-based storage of data is cheaper, but it means the data is off-site in multiple sites (i.e. redundant), maintained by third parties and subject to price manipulation by rentiers whose financial bottom line is profit. The concept of data ownership loses meaning. 
The student information system (SIS) is a platform that can be cloud-based. The Beaverton School District (where my children, like Congresswoman Bonamici’s kids, attended) uses Synergy by Edupoint. Synergy offers cloud-based services, but the BSD (so far) just uses the software and stores the data on their own servers. What about school districts that don't have the resources to maintain education records on their own servers? Does that put these records at greater risk?

Power School is a popular SIS that has been acquired and sold multiple times since it was established in 1997. First Apple, then Pearson and in June 2015, Vista Equity Partners,[48] a private equity firm focused on investing in software and technology-enabled businesses, acquired Power School.

To secure data, these systems must require stringent encryption, authentication and authorization protocols. [49] Do they? Can a hacker find an electronic backdoor? 
The NY Times headline Data Breach at Anthem May Forecast a Trend[50] was prescient. 80 million records[51] were affected. The following month, the Premera data breach affected 11 million[52] and sensitive customer data that included bank account and clinical data going back to 2002 was compromised. The two data breaches were attacked using the same methods,[53] targeting employees to collect the logins and passwords and eventually access the insurer's real systems. Even if the Anthem data was encrypted,[54] the data could still have been compromised. If the credentials and keys are compromised, encryption does little to protect the data.

•      Special Education protections

FERPA also protects records about services extended to disabled or special needs students under the provisions of the Individuals with Disabilities Education Act. Children with emotional and behavioral disorders are an under-identified and underserved disability group. In longitudinal studies, these youth, compared to their non-disabled peers, experience higher rates of delinquency, juvenile incarcerations, school dropout, teen pregnancy, suicide, and substance abuse. [55]

Common education data standard elements[56] track students in state longitudinal data systems. These include 
•      IDEA Discipline Method for Firearms Incidents;              
•      IDEA Educational Environment for Early Childhood
•      Incident Related to Disability Manifestation
•      Disciplinary Action IEP Placement Meeting Indicator
•      Discipline Method of Children with Disabilities

While aggregated data can be used to investigate whether discipline methods endanger students, [57] could SPED and discipline records create profiles of students that administrators can track surreptitiously[58] through Google Apps for Education? Google Vault, which “fits on top of all Google Apps,” allows school administrators to “archive all the data flowing through--Drive files, docs, email” and “do searches across all of them for specific text strings.[59]

Could this kind of surveillance by administrators leverage a school nurse or teacher to breach a student’s confidentiality?

Pearson no longer sells k-12 student information systems, but it has a monopoly on tests done for clinical assessment:[60] Clinical Psychology, Speech and Language, Early Childhood, PreK-16 and Special Needs, Occupation and Physical Therapy and Special Ed. Pearson has done that through acquisitions that include BioBehavioral Diagnostics[61] for ADHD testing and PsychCorp,[62] also known as Harcourt Assessment. These clinical assessments are used in clinical settings as well.

Pearson’s acquisition of Harcourt in 2007 prompted the US DOJ to file an anti-trust lawsuit.[63] To avoid “the time, expense, and uncertainty of a full trial on the merits of the Complaint” the case was dropped, with satisfaction “that the divestiture of assets described in the proposed Final Judgment will preserve competition for the provision of clinical tests in the relevant markets identified by the United States.” 

Adam Smith would be impressed by the invisible hand of capitalism in the era of big data.

British-owned Pearson Education sells Boss, an app that monitors students’ behavior in schools.[64] Pearson claims this product, which records and tracks frequency of targeted positive and negative behaviors, is backed by extensive research “so that you can determine appropriate remediations to help students succeed.” The app tabulates data and emails it to you for “future use to help support a disability diagnoses.”

Pearson recently introduced Q-Global, a web-based system that consolidates the content and functionality of three legacy software systems (Q-Local™, PsychCorp Center, and ASSIST™) into one platform.[65] Now on-screen assessments don’t require interaction between the clinician and student. “The tool also offers a complete set of options for scoring, interpreting, and reporting assessment results.”

School psychologists can manually score the assessments or use Pearson software to do that. The latter option currently allows unlimited reporting. While these programs “will continue to operate normally for the foreseeable future”… “legacy software programs (PsychCorpCenter and ASSIST™) will cease to be offered for purchase in their desktop-based format.” And “Pearson will no longer provide system updates to these legacy programs to ensure their continued functioning for desktop-based use.”

In all likelihood, districts will be forced to outsource the scoring and storing of these tests to Q-Global. Q-Global will charge a fee-per-use.

The Q-Global license agreement[66] gives Pearson the authority to “extract de- identified data stored on Q-global.” “Pearson will only use this de-identified data for lawful purposes, including but not limited to, quality assurance, research, and/or test development.” “If You are a Covered Entity under HIPAA, You and Pearson  agree that the Business  Associate Addendum will govern HIPAA- related matters (click on the following link to view and accept the  Business Associate Addendum[67]).  If You are a school or not a Covered Entity, this paragraph does not apply.”

Johann Ari Larusson, Ph.D. leads Pearson’s Center for Digital Data, Analytics and Adaptive Learning.[68] His interest is to “leverage innovative and perhaps unconventional ways of analyzing and exploring large sets of data, of any kind, traditional or unstructured.” Tasmin Dhaliwal is a research associate who previously worked as an instructional coach for Teach For America. She received a BA in Political Economy from UC Berkeley and will receive her EdM from Harvard in spring 2016. Follow her on twitter: @tasmin_dhaliwal

My sister-in-law is a developmental pediatrician in San Diego. My son is nearly 21 years old. When he was in pre-school, he was identified through an IFSP with developmental delays. Back then, she warned me and warned parents for whom she consulted to not share private medical records with the IEP team. I didn't heed her advice. But I would now. And I would advise all parents to not share medical records with schools.

The more I see data-mining products in health and education, the more I want to pull out of anything that is “personalized.” The Department of Justice doesn’t have deep enough pockets to fight monopolies like Pearson with anti-trust lawsuits. The financial and societal costs of digitally delivered services will de-professionalize and de-humanize occupations through commodification. Trust does come with a TRUSTe certificate, especially when that venture-backed for-profit company was recently hand-slapped by the FTC for deceiving customers through its privacy seal program.[69]

In summary, the Courts, Congress and USED abrogate responsibility to Americans when promulgating a data-driven society. FERPA, HIPAA, COPPA and other privacy laws need to be overhauled with adherence to fair information practices.

In the meantime, the wreckage of FERPA and HIPAA’s collision must be cleared. 
A solution might be to create a robust “hybrid” system of records that creates consistency in HIPAA/FERPA privacy and security rules for students’ medical records (including school clinical evaluations) from pre-school through post-secondary education. School-based health centers should become hybrid entities.[70] These entities are required to create adequate "firewalls" between their health care component(s) and other components. Transfer of PHI held by the health care component to other components of the hybrid entity would be a disclosure subject to the HIPAA privacy and security rules and is allowed only under the same circumstances as would make it permissible for a covered entity, with HIPAA protections.

When financial sectors exact data and money in ways that exacerbate inequality, opportunities wither and holes in health and human services safety nets grow. I appreciate the opportunity to make these comments to USED. There are no simple solutions.
Kris Alman MD


[9] Options to “warn the intended victim or others likely to apprise the victim of the danger, to notify the police or to take whatever other steps are reasonably necessary under the circumstances”
[17] defined by FBI as “any incident where at least four people were murdered with a gun.”
[24] The Oregon Health Authority projects a $500 million budget hole for the 2017-19 biennium, caused, in part, by a planned scale back of federal funding starting in 2017.
[26] As of Sept. 2015, there are 75 certified SBHCs in Oregon.
[32] Major funding from the National Institutes of Health and significant institutional commitment from OHSU
[41] Owasso Indep. School District v. Falvo, 534 U.S. 426, 434 (2002)
[44] A certificated school counselor regularly employed and designated in such capacity by a public school shall not, without the consent of the student, be examined as to any communication made by the student to the counselor in the official capacity of the counselor in any civil action or proceeding or a criminal action or proceeding in which such student is a party concerning the past use, abuse or sale of drugs, controlled substances or alcoholic liquor. Any violation of the privilege provided by this subsection may result in the suspension of certification of the professional school counselor as provided in ORS 342.175 (Grounds for discipline), 342.177 (Hearing and decision on charges) and 342.180 (Appeal). However, in the event that the students condition presents a clear and imminent danger to the student or to others, the counselor shall report this fact to an appropriate responsible authority or take such other emergency measures as the situation demands. [1981 c.892 §33c]