Скачать презентацию Protecting Student Privacy HIPAA and FERPA in Скачать презентацию Protecting Student Privacy HIPAA and FERPA in

9621bd8b4be1ba35e2ab3aad17dbdfdc.ppt

  • Количество слайдов: 42

 Protecting Student Privacy: HIPAA and FERPA in Schools 2014 Indiana Association of School Protecting Student Privacy: HIPAA and FERPA in Schools 2014 Indiana Association of School Nurses November 7, 2014

Martha Dewey Bergren, DNS, RN, NCSN FNASN, FASHA, FAAN bergren@uic. edu Director, Advanced Population Martha Dewey Bergren, DNS, RN, NCSN FNASN, FASHA, FAAN [email protected] edu Director, Advanced Population Health Nursing University of Illinois-Chicago Consultant, National Confidentiality Taskforce Testimony to NCVHS Privacy Subcommittee Johnson & Johnson School Health Leadership Institute Martha Dewey Bergren

Federal Laws & Privacy FERPA – Family Education Rights and Privacy Act HIPAA – Federal Laws & Privacy FERPA – Family Education Rights and Privacy Act HIPAA – Health Insurance Portability & Accountability Act Martha Dewey Bergren

Interface: Public Schools : FERPA Student’s health care providers & agencies: HIPAA Interface: Public Schools : FERPA Student’s health care providers & agencies: HIPAA

Family Educational Rights & Privacy Act § FERPA – passed in 1974 § Protects Family Educational Rights & Privacy Act § FERPA – passed in 1974 § Protects the privacy of students and families § Sets standards of confidentiality for all education records Does not address health records § www. ed. gov/policy/gen/guid/fpco/ferpa/index. html Martha Dewey Bergren

Family Educational Rights & Privacy Act Education Records: any records with personally identifiable information Family Educational Rights & Privacy Act Education Records: any records with personally identifiable information about a student maintained by the school, staff members, contracted employees Education Records: student health records, pupil services records, & third-party health records

FERPA Permitted Disclosures Permitted uses of student information without consent: § § Internal sharing FERPA Permitted Disclosures Permitted uses of student information without consent: § § Internal sharing for “legitimate educational interest” as defined by the school district External release if • Directory information • To school which student intends to enroll • Exceptions

LEGITIMATE EDUCATIONAL INTEREST Should mean: § Use is consistent with purposes for which data LEGITIMATE EDUCATIONAL INTEREST Should mean: § Use is consistent with purposes for which data are kept § Written criteria for access § Necessary to perform task/service or relevant determination about student § Used within context of school district business § Balanced interests – individual/community

HIPAA: Health Insurance Portability & Accountability Act § Improve portability & continuity of health HIPAA: Health Insurance Portability & Accountability Act § Improve portability & continuity of health insurance coverage § Reduce costs & simplify administrative burden § Standardize electronic transmission of administrative & financial transactions § Protect security & privacy

HIPAA Permitted Disclosures Permitted without authorization = TPO • Treatment • Payment • Healthcare HIPAA Permitted Disclosures Permitted without authorization = TPO • Treatment • Payment • Healthcare Operations • “Minimum disclosure” standard

HIPAA: Health Insurance Portability & Accountability Act School Health Records èEducation records: Exempt è HIPAA: Health Insurance Portability & Accountability Act School Health Records èEducation records: Exempt è They are covered by FERPA

FERPA HIPAA § Annual notice of rights to students § Right to inspect education FERPA HIPAA § Annual notice of rights to students § Right to inspect education records § Right to request amendment § Record access log § Transfer of ed records to new school § Notice of Information Practices § Right to access information § Right to request amendment § Disclosure logs Martha Dewey Bergren

FERPA HIPAA EXCEPTIONS —Directory —Emergencies —Research —Judicial order/subpoena —Audit by state/federal officials —Studies —Authorized FERPA HIPAA EXCEPTIONS —Directory —Emergencies —Research —Judicial order/subpoena —Audit by state/federal officials —Studies —Authorized representative — School officials with legitimate educational interest —Directory —Emergencies —Research —Judicial order/subpoena —Audit by state/federal officials — Quality Assurance — Body Identification — Public Health — TPO

FERPA HIPAA § Internal release: OK for “legitimate educational interest” § Internal release: OK FERPA HIPAA § Internal release: OK for “legitimate educational interest” § Internal release: OK for Treatment. Payment, Operation § Educational purposes § Health purposes § No policies/ procedure § Policies & procedures detailed Martha Dewey Bergren

FERPA pre-dates: § § § IDEA Electronic Student Records Security Email Internet 3 rd FERPA pre-dates: § § § IDEA Electronic Student Records Security Email Internet 3 rd Party Reimbursement Martha Dewey Bergren

FERPA: No TPO Exemption § Treatment – HIPAA providers share information with schools for FERPA: No TPO Exemption § Treatment – HIPAA providers share information with schools for Treatment without authorization – FERPA does not allow sharing information with prescribers of Treatment without authorization – Immunizations, physical exams, & education assessments = No treatment = no exemption*** Martha Dewey Bergren *** State exceptions

FERPA: No TPO Exemption § Payment Letter to Iowa Department of Education re: Disclosure FERPA: No TPO Exemption § Payment Letter to Iowa Department of Education re: Disclosure of Education Records to Medicaid Agency for Reimbursement Purposes (10/25/05) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/io wa 101205. html § If submitting for Medicaid reimbursement, MUST have parent consent Martha Dewey Bergren

FERPA: No Public Health Exemption Letter to University of New Mexico re: Applicability of FERPA: No Public Health Exemption Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements (11/29/04) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc. html Letter to Pennsylvania Department of Education re: Disclosure of Education Records to CDC Grantees (2/25/04) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/pacdc. html Letter to California Department of Education re: Disclosure of Education Records to CDC Grantees (2/18/04) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/ca 21804. ht ml Martha Dewey Bergren

FERPA: No Public Health Exemption Letter University of New Mexico: Applicability of FERPA to FERPA: No Public Health Exemption Letter University of New Mexico: Applicability of FERPA to Health & Other State Reporting Requirements (11/29/04) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/baiseunmslc. html § State law requires principals, teachers, school nurses report immediately: – Communicable diseases, vaccine preventable & STDs – Bio-terrorism & chemical agents: anthrax, smallpox – Food, waterborne & environmental – Tic, encephalitis, hepatitis, Legionnaires, etc – Spinal cord, TBI, tumor registry § Decision: Subject to all FERPA requirements Martha Dewey Bergren

FERPA: No Public Health Exemption Letter University of New Mexico: Applicability of FERPA to FERPA: No Public Health Exemption Letter University of New Mexico: Applicability of FERPA to Health & Other State Reporting Requirements (11/29/04) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/b aiseunmslc. html Emergency: – – Imminent danger Immediate need Narrow interpretation Case-by-Case determination Decision: NO routine reporting = written consent Martha Dewey Bergren

Spellings October 30, 2007 Balancing school privacy and safety - Letter to school officials Spellings October 30, 2007 Balancing school privacy and safety - Letter to school officials http: //www. ed. gov/policy/gen/guid/secletter/071030. html – Virginia Tech § Law Enforcement Empowers school officials to “act quickly when need arises” § Disclose w/o consent student health or safety § Release w/o consent to law enforcement, public health, trained medical personnel Martha Dewey Bergren

FERPA and H 1 N 1 DOEd Guidance October 2009 § May disclose information FERPA and H 1 N 1 DOEd Guidance October 2009 § May disclose information from education records r/t emergency, if necessary to protect the health / safety of student or others § School determines on a case-by-case basis § Emergency = significant threat § Disclosure must be documented http: //www 2. ed. gov/policy/gen/guid/fpco/pdf/ferpa-h 1 n 1. pdf Martha Dewey Bergren

FERPA Disaster Guidance 2010 In emergency / disaster, schools may disclose: § Directory information FERPA Disaster Guidance 2010 In emergency / disaster, schools may disclose: § Directory information § Personally identifiable information to protect health / safety of students / others § Limited to the period of the emergency § Immunization information May not disclose to prepare for emergencies http: //www 2. ed. gov/policy/gen/guid/fpco/pdf/ferpa-disaster-guidance. pdf Martha Dewey Bergren

Balancing school privacy and safety § Law enforcement units – Not covered by FERPA Balancing school privacy and safety § Law enforcement units – Not covered by FERPA – No release needed – Access to student education records § Security video not FERPA Martha Dewey Bergren

Balancing school privacy and safety § Observed or personal knowledge, not covered by FERPA Balancing school privacy and safety § Observed or personal knowledge, not covered by FERPA § Transfer all records without consent (IDEA 2004) Martha Dewey Bergren

FERPA Revisions- 2008 § § § § Authorized representative may audit records with written FERPA Revisions- 2008 § § § § Authorized representative may audit records with written agreement Physically protect records from unauthorized access Restrict access to necessary portion of the record Specifies that student health records are high risk Threat to the health and safety of a student or students may be taken into account Stronger penalties for breaches Electronic records Martha Dewey Bergren

FERPA: Child Abuse Reporting FERPA superseded by CAPTA Child Abuse Prevention, Adoption and Family FERPA: Child Abuse Reporting FERPA superseded by CAPTA Child Abuse Prevention, Adoption and Family Services Act of 1988 amended the Child Abuse Prevention and Treatment Act (CAPTA) Letter to University of New Mexico re: Applicability of FERPA to Health and Other State Reporting Requirements (11/29/04) http: //www. ed. gov/policy/gen/guid/fpco/ferpa/library/b aiseunmslc. html Martha Dewey Bergren

USDA State Medicaid & CHIP Program § May disclose eligibility for free and reduced USDA State Medicaid & CHIP Program § May disclose eligibility for free and reduced meals § Not required § Names, eligibility status, & eligibility information directly to Medicaid or SCHIP § Must notify parents. Parental opt out § Social security number § Other disclosure of eligibility information is punishable of $1000 , 1 year imprisonment http: //www. gpo. gov/fdsys/pkg/FR-2011 -12 -02/pdf/2011 -30683. pdf Martha Dewey Bergren

Health Data at school level Traditional practices § Lack rudimentary security – – – Health Data at school level Traditional practices § Lack rudimentary security – – – Locked file cabinets Locked doors Commingled files Access to FAX machine and mailboxes Intra-district transport § Paper records – Sequential multi-student records Martha Dewey Bergren

Health Data at school level § § No school nurse School decides if emergency Health Data at school level § § No school nurse School decides if emergency * No TPO exceptions Dispersed throughout school – caretakers may have no confidentiality background § No FERPA training Martha Dewey Bergren

Security and privacy: All records § § § Faxing Email E-Records Off campus / Security and privacy: All records § § § Faxing Email E-Records Off campus / personal computers and evices Intra-office transport Exceptions – – Directory information De-identified Martha Dewey Bergren

Only acceptable strategies § Obtain parental authorization for ANY sharing outside school § De-identify Only acceptable strategies § Obtain parental authorization for ANY sharing outside school § De-identify Martha Dewey Bergren

HIPAA De - identify information – Name – SS# – State, zip – DOB, HIPAA De - identify information – Name – SS# – State, zip – DOB, DOE…. . – Vehicle # – Record number – Serial number – Device number Martha Dewey Bergren – Fax and phone number – Email, IP address – Web address – Certificate and license number – VIN & registration

FERPA De - identify information – Name – ID# – Gender – DOB, place FERPA De - identify information – Name – ID# – Gender – DOB, place – Religion – Country of origin – Sports & clubs – Academic performance Martha Dewey Bergren – Employer – Discipline – “Anything else traceable”

HIPAA –FERPA unresolved issues § § Ignorance – unintentional and intentional Inadequate direction from HIPAA –FERPA unresolved issues § § Ignorance – unintentional and intentional Inadequate direction from DOE & HHS Inconsistent federal laws Conflicts between federal education & health laws § Conflicts between state and federal laws § Conflicts between laws and ethical codes § Health Information Exchanges Martha Dewey Bergren

 References Schwab, N. , Rubin, M. , Maire, J. A. , Gelfman, M. References Schwab, N. , Rubin, M. , Maire, J. A. , Gelfman, M. , Bergren, M. D. , Mazyck, D. & Hine, B. (2005). Protecting and disclosing student health information: Guidelines for developing school district policies and procedures. Kent, OH: American School Health Association.

HIPAA and Mental Health § New 2014 HIPAA Mental Health Guidelines http: //www. hhs. HIPAA and Mental Health § New 2014 HIPAA Mental Health Guidelines http: //www. hhs. gov/ocr/privacy/hipaa/und erstanding/special/mhguidance. html Martha Dewey Bergren

 References § National Forum on Education Statistics. (2010). Forum Guide to Data Ethics. References § National Forum on Education Statistics. (2010). Forum Guide to Data Ethics. Washington, DC: National Center for Education Statistics. http: //nces. ed. gov/pubs 2010/2010801. pdf

 References Bergren, M. D. (2009). Confident about Confidentiality? HIPAA/FERPA Made Easy http: //www. References Bergren, M. D. (2009). Confident about Confidentiality? HIPAA/FERPA Made Easy http: //www. jackstreet. com/jackstreet/WNAS N. bergern. cfm Bergren, M. D. (2011). Being Confident about Confidentiality: Part II HIPAA/FERPA Made Easy http: //www. jackstreet. com/jackstreet/WNAS N. Bergren 2. cfm

Office of Family Compliance Webinars http: //www 2. ed. gov/policy/gen/guid/fpco/hottopics/ind ex. html? exp=4 § Office of Family Compliance Webinars http: //www 2. ed. gov/policy/gen/guid/fpco/hottopics/ind ex. html? exp=4 § FERPA 101 § Data Sharing Under FERPA § Intersection of FERPA and IDEA Confidentiality Provisions § Elementary and Secondary School Officials § FERPA model school policies

Uninterrupted Scholar’s Act of 2013 § Permits disclosure of records of students in foster Uninterrupted Scholar’s Act of 2013 § Permits disclosure of records of students in foster care to state/county social service agencies or child welfare agencies. § Amended the requirement that educational agencies and institutions notify parents before complying with judicial orders and subpoenas in certain situations. Martha Dewey Bergren

 References Guidance for Reasonable Methods and Written Agreements http: //www 2. ed. gov/policy/gen/guid/fpco/pdf/reasonablemtd_agree References Guidance for Reasonable Methods and Written Agreements http: //www 2. ed. gov/policy/gen/guid/fpco/pdf/reasonablemtd_agree ment. pdf Final FERPA regulatory changes Published in Federal Register on December 2, 2011 Effective January 3, 2012 http: //www. gpo. gov/fdsys/pkg/FR-2011 -12 -02/pdf/2011 -30683. pdf