I was a walk-in patient at the student health clinic. My reason for writing is I don’t want anyone to know why I was there. Can my parents read my medical file?
Laws regarding data privacy can be a minefield, so this question raises concerns about confidentiality with medical records, especially those held by school health services. Different laws govern specific types of health service providers so privacy rights will vary, along with many loopholes within the rules. We’ll try to unravel the mess and check on your level of confidentiality.
Sharing data between schools and public health services is one of the more reliable methods of obtaining the information necessary to conduct health activities, such as immunization tracking. However, confusion has been created by federal privacy protections governing student education and health records. The governance and privacy of health records largely comes down to two acts, the Family Educational Rights and Privacy Act (FERPA) and the Health Information Portability and Accountability Act (HIPAA).
First, let us look at FERPA, a 1974 law which usually applies to most college-health records. This act prevents the disclosure of personally identifiable information in a student’s education record without the consent of the student (if over 18) or a parent. If you’re treated by or disclose information to college health services, your parents have the legal right of access to your records.
All educational institutions are covered by FERPA, including private and public schools and colleges, and any organization that receives funding from the Department of Education. All health records are protected from disclosure under FERPA, including immunization records, college nurse reports, and any other records relating to student health or education. Public health agencies can access student-health data maintained by a school or university only if written consent by the student or parent has been granted.
There a few extenuating circumstances when data can be disclosed without consent, such as instances when there is a pandemic or other major health risk.
Parents also expect to be notified whenever their child receives serious medical treatment. According to research, around 60% of colleges currently oblige parents with health and disciplinary detail disclosure.
The second law, HIPAA, was enacted in 2000 to grant greater rights of privacy over school medical records. This act prohibits the disclosure of any health and personally identifiable information to any third parties unless you, the individual who is the subject of the data, grant permission. Any healthcare provider, including campus health departments, can be covered under HIPAA. Material covered includes protected health information, demographic data, education records and employment history.
Additionally, where you are treated also determines which act your data falls under. Health service provided by a university falls under FERPA, while in-patient treatment falls under HIPAA. While the question posed is not specific, potentially embarrassing visits to student health for birth control, STD testing, etc. may be revealed to your parents.
These ambiguous discrepancies over what health data can be disclosed and when make the privacy protection acts muddled.
Your medical authorization form usually grants parents access to your medical records while at college. It also provides some legal leverage for the campus who are balancing between your privacy rights and parental concern. Going back to your question, we must reconsider what we consider to be ‘completely private and secure’.
Privacy – like eating and breathing – is one of life’s basic requirements – Katherine Neville.
(Martin J. Young is a former correspondent of Asia Times).