FERPA And HIPAA Privacy Awareness

FERPA and HIPAA Privacy Awareness

Presenter
A module of the ACHA Leadership Institute presented by:
MICHAEL HUEY, MD, Associate Professor of Family and Preventive Medicine, Emory University School of Medicine, 2017-18 ACHA President

Faculty Disclosure
No presenter has a financial interest, arrangement or affiliation with any organization or business entity (including self-employment or sole proprietorship) that could be perceived as a conflict of interest or source of bias in the context of this presentation.

www.acha.org

Course Description
In this course, you will review FERPA (The Family Educational Rights and Privacy Act) and HIPAA (The Health Insurance Portability and Accountability Act), the two pieces of federal legislation that pertain to the privacy and protection of healthcare records and protected health information on our college and university campuses.
You will look at the similarities and differences between FERPA and HIPAA, and the situations under which one or both may apply. You will learn the difference between FERPA educational and treatment records, and why that is important in your college health program. You will review “TPO” and the “Minimum Necessary Rule.”
The course will close with answers to common FERPA/HIPAA privacy questions.

Learning Objectives
Define FERPA and HIPAA and their applicability at College/University health and counseling services
Compare FERPA vs. HIPAA standards and how they compare and contrast
Compare FERPA education vs. treatment records
Explain the definition of protected information
Describe protected information use and disclosure
List common FERPA/HIPAA compliance questions

FERPA and HIPAA at Colleges/Universities

Colleges and Universities . . .
Have an ethical and legal obligation to protect the privacy of our students/patients/clients, including their healthcare records.

Important
As with all legal situations, it is very important to consult with your college/university general counsel/attorney regarding your individual campus approach to FERPA, HIPAA, and patient/student/client privacy.
Your General Counsel’s instructions should supersede any information provided in this webinar.
There may be statutes/regulations in your state that supersede FERPA and HIPAA guidelines. FERPA and HIPAA are privacy minimums, not maximums.

Training Employees
Colleges/universities should train all the members of their healthcare workforce on the policies and procedures regarding protecting the privacy of healthcare information (FERPA and HIPAA).
The training should be designed to fit the specific college/university to allow each employee to be able to carry out his/her/their day-to-day activities within healthcare services/settings.

FERPA vs. HIPAA

FERPA and HIPAA: Federal Privacy Legislation
FERPA: FAMILY EDUCATIONAL RIGHTS & PRIVACY ACT
HIPAA: HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

Patient/Client Privacy and Confidentiality Rules
Two Privacy Rules:
FERPA is a federal law that protects the privacy of students’ “education records,” including “treatment records.”
In most college health settings, FERPA applies to care provided to students at our student health and counseling services.
The HIPAA Privacy Rule creates national standards to protect individuals' personal health information (PHI) and gives patients/clients increased access to their healthcare records.
In most college health settings, HIPAA applies to care provided to non-students (e.g. faculty/staff or dependents seen at student health services). There may be settings (centers completely under the umbrella of a university health system/school of medicine, outsourced centers, others) where HIPAA applies to the care provided to all patients/clients.
Note: Consult your college’s/university’s general counsel if you believe this applies to your setting.

Why FERPA and not HIPAA for Students?
Per DOE/HHS Guidance and Jan. 2013 revisions to HIPAA regulations, it is clear that HIPAA does not apply to college/university education records or treatment records.
FERPA has actually covered college student health and counseling records for several years, but the regulations were not “operationalized.”
FERPA applies to colleges/universities that receive funds that are administered by the U.S. Department of Education (so most everybody).
Under FERPA, “Education” and “Treatment” Records are treated differently.

FERPA: Education Records
Under FERPA, the term “Education Records” is defined as those records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution, or by a party acting for the agency or institution.
FERPA requires written consent from parents or “Eligible Students” (students who are at least 18 years of age or attending a postsecondary institution) in order to release personally identifiable information (PII) from education records.
FERPA provides ways in which a school may, but is not required to, share information from an eligible student's education records with parents, without the student's consent.

FERPA: Education Records
Education Records:
Student has a right to review.
Limits on how records can be used without written consent from student.
Can be disclosed without written consent in connection with court proceeding/subpoena; and in connection with health and safety emergency.
However, education records can be disclosed without student consent to parents who claim student as a dependent on taxes (Treatment records cannot).

FERPA: Treatment Records
Treatment records are excluded from the FERPA definition of “Education Records.”
Treatment Records are:
Made by physician, psychiatrist, psychologist (or any recognized professional or paraprofessional),
Made, maintained and used ONLY in connection with treatment, and
Either not shared, or shared ONLY with other treatment providers.

FERPA: Treatment Records
Your student health and counseling records are “Treatment Records” under FERPA.
Treatment records under FERPA are handled in most ways like Protected Health Information (PHI) under HIPAA, but not in all ways.
Under FERPA, treatment records, by definition, are not available to anyone other than professionals providing treatment to the student, or to physicians, counselors or other appropriate professionals of the student's choice.

FERPA: Can a Treatment Record Change to an Education Record?
Under FERPA, when treatment records are used or disclosed for any reason besides treatment, then they become education records and are covered by FERPA rules on Education Records (e.g. you send a letter of accommodation to your Office of Undergraduate Education; once it is in their files, the letter is an Education Record, not a Treatment Record).
On the other hand, that is also true for HIPAA. Non-healthcare individuals and organizations are not governed by HIPAA privacy laws, so once healthcare information leaves the healthcare arena, it has always been fair game.

US Dept. of Education “Dear Colleague Letter” about FERPA (8/24/2016)
“To provide a clarifying example, if an institution provided counseling services to a student and the student subsequently sued the institution claiming that the services were inadequate, the school's attorneys should be able to access the student's treatment records without obtaining a court order or consent.”
“However, if instead the litigation between the institution and the student concerned the student's eligibility to graduate, the school should not access the student's treatment records without first obtaining a court order or consent.”
“And under no circumstances should an institution seek to access such records in an effort to intimidate or otherwise retaliate against a student for reporting or litigating claims of discrimination, including but not limited to sexual harassment and assault.”

Other Important Differences between HIPAA and FERPA
FERPA does not specifically allow disclosure for public health activities; therefore, a notice to student is required in most settings (e.g. disease surveillance, FDA reporting).
FERPA does not specifically allow disclosure for reporting abuse to a relevant authority; therefore, a notice to student is required in most settings (e.g. mandatory reporting to state officials of child abuse).
Therefore, many sites add specific information about these required disclosures in their paper or electronic FERPA privacy acknowledgement forms; generally it does not need to be done one student at a time. (Check with your general counsel if you are unsure).

Quick Summary
HIPAA does not apply to student medical/counseling records at the college or university the student attends; FERPA does.
Treatment Records under FERPA are handled in most ways like Protected Health Information under HIPAA, but not in all ways.
A student does not have a FERPA right to “inspect and review” unshared treatment records.
A student does have a FERPA right to “inspect and review” treatment records that have been shared outside of the healthcare arena.
Ask your College/University general counsel for guidance on your campus and in your state.

Protected Information

What is Protected Information?
Under FERPA (Personally Identifiable Information or PII) and HIPAA (Protected Health Information or PHI), protected information is any information that identifies the past, present or future physical or mental health of an individual, and includes all communication media: written, verbal and electronic.
These policies extend to all individually identifiable health information in the hands of covered entities (healthcare providers and administrative staff).

Identifiers of PII/PHI: There are many, including some odd ones!
Name
Address
Zip
Names of relatives
Name of employer
DOB
Telephone number
Fax number
E-mail address
Finger or voice prints
Photographic images
SSN
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Vehicle or other device serial number!
IP address
Any other unique identifier, character, code
Any other identifying information that could reasonably identify the patient.

Verbal Communications
Watch out for verbal communications containing PII/PHI in:
Elevators
Hallways
Cafeteria
Public Areas

State Law Supersedes if More Restrictive
Essentially, FERPA and HIPAA are the minimum privacy standards that your healthcare organization must meet.
If state law is more restrictive on a subject that FERPA/HIPAA cover, you must meet the privacy standards in your state.
This situation occurs most commonly with mental health and counseling records.
Check with your general counsel if you are unsure.

Protected Information Use and Disclosure

“TPO” and the Min. Necessary Rule
Uses and disclosures of PHI under HIPAA
Protected Health Information can only be used for “TPO”:
Treatment*
Payment
Health Care Operations
* Treatment is all healthcare provided, not just prescriptions, surgeries, etc.
Minimum Necessary Rule -- A disclosure of protected health information, even where authorized by the regulations, must be limited to the “minimum necessary” to accomplish the purpose for which it is made.
While these are HIPAA rules, they are good “guidelines” to keep in mind in FERPA settings.

Incidental Use and Disclosure
Under FERPA, there are no penalties for incidental or unintentional disclosure of Personally Identifiable Information (PII) and patients/clients do not need to be notified (but many student health and counseling centers do so; it is the right and ethical thing to do).
HIPAA acknowledges incidental disclosures may occur. Such disclosures are not a HIPAA violation.
Under both FERPA and HIPAA, we must take “reasonable” safeguards of PII/PHI.
Only disclose the minimum necessary information.

Inappropriate Access to PHI/PII
Healthcare employees, staff and physicians should only access PII/PHI in order to perform their job duties or perform functions on behalf of the patient/client and/or the organization.
Most healthcare systems monitor their electronic health records (EHRs) and paper medical records. Generally, it is against policy to access your own healthcare records; you must go through medical records and/or your provider.
Do not access records at the request of a friend or co-worker if you are not involved in the care.
At many universities, it is a terminable offense (i.e. you could get fired!)

Verify before Access
You should verify the identity and the authority to have access to PII/PHI of any individual requesting PII/PHI.
Patients/Clients
Personal Representatives
Law Enforcement
Research
Public Officials

HIPAA Security Rule Everybody
Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses.
The HIPAA Security Rule “establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.”
For details, go to y/guidance/index.html.

Your Overall Approach whether FERPA or HIPAA
You probably don’t need to markedly change what you are doing!
Continue to treat all patient/client information with respect for the patient’s/client’s privacy.
When in doubt, seek advice from your general counsel!

Common FERPA/HIPAA compliance questions

FERPA/HIPAA Common Questions
1. If a patient is at our student health clinic and they ask for copies of lab results, EKGs, radiology reports etc., can we give them to the patient?
Yes. Under both FERPA and HIPAA, patients are allowed to have access to their own health records upon request.

FERPA/HIPAA Common Questions
2. Can we leave text messages or messages on a patient’s/client’s voice mail or answering machine?
YES, BUT. . . Text messaging is not a secure, confidential way to communicate. Many schools get specific permission to text students, or have it be part of the standard consent form with an opt out. You also need to follow the Minimum Necessary Information rule and meet your obligation to verify patient/client identity and that you have the correct text/phone number/answering machine before releasing protected information.

FERPA/HIPAA Common Questions
3. Can we call the patient/client by name in the waiting area?
YES. Calling a patient/client from the waiting room is part of Healthcare Operations (TPO). We also have an obligation to verify identity before releasing protected information, so we must have the correct patient/client!

FERPA/HIPAA Common Questions
4. If I want to send flowers to a patient’s/client’s home, can I look up their address in our health record?
NO! You can only access a patient’s/client’s healthcare records for TPO: Treatment, Payment and Healthcare Operations. Flowers, though lovely, do not qualify (sorry!)

FERPA/HIPAA Common Questions
5. Is it OK to talk to a patient/client on a speaker phone?
YES. But you have an obligation to verify identity before releasing information and to do your best to ensure auditory privacy (if possible, on both ends of the call, but absolutely on your end).

FERPA/HIPAA Common Questions
6. Can we fax/email PII/PHI to someone?
YES, But. For a fax, you have an obligation to verify identity (and that you have the correct fax number) before releasing information.
Email is not a secure communication system (unless you are inside a secure university firewall; be sure this applies to your campus). Many student health centers instead use an EHR Patient Portal/Secure Messaging to communicate with students rather than email. It is far more secure.

FERPA/HIPAA Common Questions
7. Is it permissible to share patient/client information with a campus behavioral intervention team (and under what circumstances)?
Tricky Question! There may be circumstances under which you can share information (e.g. danger to self, danger to others, etc.), depending upon the make-up and role of the behavioral intervention team.
It is important to establish guidelines with your general counsel/university attorney.

Final FERPA/HIPAA comments and tips

Final comments: What can you do to ensure patient/client privacy at your college/university?
Make sure that you follow your privacy policies and procedures.
Do not access any patient/client information unless it is for TPO.
Make sure that patient/client information that is no longer needed is destroyed either through shredding or placing in a locked collection box. Get a paper shredder for your area.
Conduct a walk about in your area to identify where you may have privacy and security concerns.
Do your best to make sure your computer screen is not visible to anyone behind your work area.
When you get up from your desk or leave the exam room, make sure to securely store any patient/client information and to log off of your computer.

Final comments: What can you do to ensure patient/client privacy at your college/university?
Don’t provide anyone with your computer log-in/user ID or password.
Don't talk about patients/clients in public areas such as elevators, buses, cafeterias, or restaurants.
Take extra privacy precautions if your work area is accessible by the public.
If you are transporting patient/client information make sure the identifiable information isn't showing.
At the end of the day, make sure you have properly shut down your computer and lock all your cabinets/rooms that contain patient information.

Final Comments Opening Comments
Colleges and Universities . . .
Have an ethical and legal obligation to protect the privacy of our students/patients/clients, including their healthcare records.

For More Information
For more information about FERPA v. HIPAA in college health and wellness programs, go to the US Department Of Health and Human Services and the US Department of Education “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (2008) at: hipaa-guidance.pdf
For information about the HIPAA Security Rule (ePHI), go rity/guidance/index.html

Copyrighted Material
Please note that even with a proper reference, copyrighted material, including graphics and corporate logos, should not be used without owner’s permission.
Contact ACHA if you would like advisement on material you would like to use.

Thank you!
A module of the ACHA Leadership Institute presented by:
MICHAEL HUEY, MD, Associate Professor of Family and Preventive Medicine, Emory University School of Medicine, 2017-18 ACHA President
