Angela Burnette, Counsel at Alston & Bird, and Julia Dempewolf, an associate at Alston & Bird, have compiled practical guidance for schools and universities to consider regarding student privacy and the prevention of school violence. Their recent article, published by LexisNexis in Health Care Law Monthly, is entitled “Clarity Instead of Confusion: Available Solutions Under the HIPAA Privacy Rule and FERPA To Prevent Student Violence.”
Tragic school shootings, such as at Virginia Tech, Sandy Hook Elementary, and Arapahoe High in Colorado, have heightened public discussions regarding whether prior disclosure of a perpetrator’s mental health information or disturbing behavior could have prevented harm to others. These privacy and safety issues directly intersect when the perpetrator is a student, whether the student was under the care of a mental health provider or when a school otherwise becomes aware of a student’s threats/potential for violence. When the student is an adult (18 years or older), there appears to be particular confusion among providers and schools as to whether and when the adult student’s parents can be contacted. As outlined in the article, there should be no need for confusion.
Two federal laws which regulate disclosure of student health information already permit disclosure of information in emergency situations: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), enforced by the U.S. Department of Health & Human Services (HHS), and the Family Educational Rights and Privacy Act (FERPA), enforced by the U.S. Department of Education (ED). HIPAA’s Privacy Rule protects an individual’s identifying health information, while FERPA protects a student’s educational and treatment records. Both laws’ emergency exceptions were in place and available to schools and providers even before the Virginia Tech shooting, and a better understanding of those laws could improve safety going forward for both students and staff. To the extent a school or health care provider is unsure whether an emergency situation exists, practical solutions are offered to enhance safety and communication, and possibly prevent another tragedy.
Ms. Burnette’s and Ms. Dempewolf’s recent article addresses, among other things:
- Whether a school would be a Covered Entity under HIPAA;
- The distinction between records governed by HIPAA and records governed by FERPA;
- Use and disclosure of information, including if a student is a minor or over 18 years old;
- Emergency exceptions available under HIPAA and FERPA;
- Other possible solutions separate and apart from the emergency exceptions; and
- Proactive steps to take now before an emergency situation arises.