Wikipedia’s entry for the Family Educational Rights and Privacy Act of 1974 is short. FERPA, also called the Buckley Amendment for Senator James Buckley who sponsored the bill, grew by one paragraph in March of this year. Two new footnotes link to articles in The Chronicle of Higher Education: "Just How Private Are College Students' Campus Counseling Records?" and "Raped on Campus? Don't Trust Your College to Do the Right Thing"
These footnotes bring infamy to the University of Oregon in its handling of a student’s mental health records. They should not become footnotes in history and put another nail in the privacy coffin.
Katie Rose Guest Pryal (a former professor of law who specializes in higher education, mental health, and social-justice issues and authored the second article) wrote: "If you are a student and seek counseling at your college's counseling center, your medical records are most likely not protected by the typical medical-privacy laws, otherwise known as the Health Insurance Portability and Accountability Act. Instead, they fall under the aegis of FERPA, just as Oregon said. And compared with HIPAA, FERPA is about as protective as cheesecloth."
U of O administrators used a FERPA exemption to access a student’s post-rape records without her consent to defend the school against her Title IX lawsuit. The U of O’s aggressive strategies misfired after they filed a countersuit. John Clune, one of the attorneys representing the student said, “They need real changes not calculated PR efforts.”
Technically, FERPA may be on the side of the U of O. Under what conditions is prior consent not required to disclose information? If a parent or eligible student initiates legal action against an educational agency or institution, the educational agency or institution may disclose to the court, without a court order or subpoena, the student's education records that are relevant for the educational agency or institution to defend itself.
But arguing the U of O’s actions were technically lawful disregards other ethical and legal questions. The U of O controversy prompts deep discussions and national solutions to assure students’ health and therapy records and privilege laws are protected. Students must have a right to privacy for both education and health care.
Congresswoman Bonamici is troubled by a “loophole in federal privacy law.” She and Senator Wyden want the U.S. Secretary of Education Arne Duncan, to “clarify how FERPA applies to student medical records.”
That’s a problem. When Congress shifts responsibility to agencies for interpretations of laws that Congress wrote, we cannot determine the intent of our elected leaders. Heads of agencies are appointed and are all too happy to make rule changes that assure citizens become victims of domestic surveillance, commercial exploitation and massive data breaches.
The U.S. Department of Health & Human Services and the U.S. Department of Education wrote joint guidance on HIPAA and FERPA in 2008. This guidance is woefully out-of-date since FERPA rules and regulations were subsequently relaxed to collect and share more data.
FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. Most colleges operate student health centers. As such, records maintained there are “education records,” and FERPA applies. The rules get really messy when these school-based health centers bill insurance companies. That’s when HIPAA security (but not privacy) rules may (or may not) apply.
Congress enacted HIPAA to establish national standards and requirements for electronic health care transactions and to protect the privacy and security of individually identifiable health information. These transactions allow data (the currency of the 21st Century) to flow.
The HIPAA privacy rule simply does not apply to most students’ health records because the US Department of Health and Human Services has ruled that "individually identifiable health information that is part of an 'education record'... would not be considered protected health information."
Are student health records, aka “education records,” protected education information?
Confidential data is at the heart of the U. of O controversy. FERPA rule changes in 2008 and 2011promote wider disclosure of students’ education records with fewer safeguards. The Electronic Privacy Information Center says this is “a growing trend with student data: government agencies are taking personal information that students are required to provide, skirting federal regulations, and turning student data over to the private sector with few, if any, safeguards for privacy and security.”
Former U.S. Senator James Buckley wrote FERPA in 1974 to help parents access their children’s educational records. Buckley has called for Congress to amend FERPA because college athletic departments were using the statute to hide recruiting violations and sexual abuse committed by student athletes. In 2010, the Columbus Dispatch reported, schools like Oregon State University censored information about student athletes in the name of student privacy. These tactics protect a “$5 billion college-sports world that is funded by fans, donors, alumni, television networks and, at most schools, taxpayers.” Buckley said, "Institutions are putting their own meaning into the law."
FERPA has no private right of action. In other words, parents and students cannot sue an educational institution for violations. Legal scholar Daniel Solove says since FERPA’s only sanction is the withdrawal of all federal funds, it’s “like using a nuclear bomb to kill a cockroach.” Thus, the sanction has never been imposed in FERPA’s 40-year history.
Title IX, passed in 1972, prohibits discrimination based on sex in federally funded educational activities. In 2010, the Center for Public Integrity reported lax enforcement of campus sexual assault cases. Students complained to the U.S. Department of Education’s Office for Civil Rights that they did not receive “prompt and equitable“ resolutions in response to this federal law. The Office for Civil Rights generally dismissed these student complaints, siding with schools that cited a lack of eyewitnesses and the role of alcohol in decisions when no disciplinary charges were brought against an accused student.
However, the Supreme Court ruled in 1999 that schools can be held liable for students who have sexual assaulted other students. In 2007, the University of Colorado paid a $2.7 million settlement to two students who alleged they were raped by football players and recruits and accused university coaches and administrators of facilitating a culture of sexual violence by athletes.
Rather than wasting time with the Office for Civil Rights, some students are immediately resorting to private lawsuits. But winning damages in a private lawsuit is challenging, as the student must prove that the college had actual knowledge of sexual harassment or assault, and showed “deliberate indifference”—which is what the U of O student’s attorney claims in her lawsuit. Recall, this is a Title IX lawsuit, not a FERPA lawsuit.
The Clery Act (named for Jeanne Clery a 19-year old who was murdered in her Lehigh University dorm room in 1986) requires 7500 colleges and universities publish and distribute annual crime statistics to current and prospective students and employees. New rules put more emphasis on schools investigating not only sexual assault, but also dating violence, domestic violence, and stalking.
But what about confidentiality laws? All states recognize the psychotherapist-patient privilege, and that privilege is also recognized under federal common law. The Supreme Court ruled that: “Effective psychotherapy… depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears... (T)he mere possibility of disclosure may impede disclosure of the confidential relationship necessary for successful treatment.”Unfortunately, this ruling only applies to federal court proceedings.
Under Oregon law, a psychotherapist has to be “licensed, registered, certified or otherwise authorized under the laws of any state to engage in the diagnosis or treatment of a mental or emotional condition; or ”reasonably believed by the patient so to be, while so engaged.”
Oregon also recognizes the school employee-student privilege. After all, wouldn’t parents and students reasonably believe all discussions regarding mental and emotional conditions (whether in person or electronic) are privileged in schools?
A bipartisan coalition led by Oregon Attorney General Ellen Rosenblum wants to prohibit nonconsensual disclosure of mental health records of students "seeking services related to domestic violence, sexual assault or stalking" with House Bill 3476. At the hearing on this bill, Rosenblum asserted, “No victim should have to fight the bureaucracy on her path to recovery.”
Ok, fine. But carving out this segment of students misses the mark. What about victims of bullying and harassment? Title IX protects these students too. Indeed, the Oregon House Education Committee just held a hearing on House Bill 3425, which would require school districts and the Department of Education “to provide information related to confirmed acts of harassment, intimidation or bullying, or acts of cyberbullying.”
What kind of privacy protections exist for k-12 research and compliance audits (for bullying and other health initiatives); k-12 school-based health centers; big data collections and vendor relationships; new technologies, like telemedicine?
These complexities will be further explored.
~ Kris Alman serves as Assistant Secretary of Health for Data Privacy at the Green Shadow Cabinet