Posted on August 5, 2008 by Karl Romberger

A Pennsylvania court's view of HIPAA, FERPA, and student records

The Pennsylvania Superior Court considered, and rejected, the notion that two federal privacy statutes create privileges against disclosing student records during the course of litigation discovery. But a state law, however, might bar production of such records.

The case involved a former student’s discovery demands in a case against a private special school. Student alleged he suffered sexual abuse and sought records relating to other similar possible past claims against the school. The school opposed producing any such records citing various statutory confidentiality protections against disclosing records involving other students.

The court found that the Health Insurance Portability and Accountability Act of 1996, known as “HIPAA,” and the Federal Educational Rights and Privacy Act, known as “FERPA,”  set forth the parameters by which protected student records can be disclosed and that, generally, disclosure pursuant to court order is an exception to the non-disclosure rule. In this respect, the state court decision comports with the statutes.

More interesting is how the court viewed the argument about a privilege against litigation disclosure based on state law. The Pennsylvania Mental Health Procedures Act, known as the “MHPA,” is seen as creating a privilege, with the only exception being legal proceedings permitted under the MHPA. The court did not decide the ultimate issue but instead sent the case back to the trial court to consider with the school was a “facility” under the MHPA and whether the MHPA actually applied. 

The case is a good reminder that many times state laws can offer more protections (or obstacles depending on your position) than federal laws. 

Tags: , , , , , , , , , , , ,
Posted on March 24, 2008 by Karl Romberger

Proposed changes to FERPA regulations

On March 24, 2008 the U.S. Department of Education published proposed changes to the Family Educational Rights and Privacy Act (known as FERPA) regulations.  The changes are needed because of various statutory acts like the USA Patriot Act, two U.S. Supreme court cases, technology changes, and events like the Virginia Tech tragedy. The Department seeks comment and input on the proposal.

The proposed regulations offer definitional changes (clarifying that cyber-students “attend” a school; that social security numbers, student ID numbers, and unique electronic identifiers are not disclosable directory information, and more). Another proposal would permit a school receiving a record, such as a transcript to provide the record to the creating institution in order to verify the record as accurate and not falsified. “Personally identifiable information” is also changed to include information that, alone or in conjunction with other information, can lead to private student information (such as mother’s maiden name and information). 

Of particular interest in the higher education area, the proposal addresses concerns raised in the wake of the Virginia Tech tragedy and attempts to provide better guidance and assurance on disclosing information in health and safety situations. For students 18 and over, the proposal clarifies certain circumstances in which information can be disclosed to parents without consent, for example: when the student is a federal tax dependent of the parents; when necessary for health and safety; and when a student under age 21 violates substance abuse policies. 

The proposal also clarifies the means by which outside parties, such as contractors, may receive records without prior consent. Other matters address disclosure of “de-identified” information, verifying the identity of the person requesting records, among other items.

The Department will receive comments up to May 8, 2008. The link information explains how to submit comments.

Tags: , , , , , , ,