A recent conversation with a colleague in California prompted me to write this. He said that as part of its back-to-school plan, his children’s elementary school district “highly encouraged” that all students be tested for COVID-19 before returning to class. The district provided families with an in-home saliva test and asked parents to collect their child’s saliva, place the vial in a plastic bag along with some forms containing identifying information, and drop them off at the district offices before the start of school. He was surprised to see that the drop-off box was an open-lidded container on a table outside the entrance to the school district offices. The forms completed by other parents (listing children’s names, insurance information, addresses, etc.) were visible, folded in half inside clear plastic bags along with the samples, but no staff member was stationed at the table to prevent people from peering into the container, removing or reading through the forms. I said that HIPAA most likely does not apply to this health information, but FERPA might (even though the health information on the forms had apparently not yet been recorded into the students’ school records). Nevertheless, the conversation reminded me that efforts to keep students healthy and safe must account for privacy.
When Ebola was in the public health spotlight, I about a New Jersey elementary school that posted an announcement about two new students arriving from Rwanda. The post said that the students would be kept at home for 21 days to allay concerns about infecting other students. The students were not identified by name, and the school admitted that the kids were symptom-free and not from a part of Africa affected by the Ebola outbreak, but the report raised concerns with how schools protect student privacy as well as the health of other students and staff.
Here in my home state of New Jersey, many elementary and secondary schools are open and doing their best to prevent COVID-19 from spreading in the classroom and the community. The New Jersey Department of Health issued recommendations to local health departments in early September that involve screening of students and staff and collection and reporting of COVID-19 symptoms and test results. As schools around the country grapple with whether and how to get students back into the classroom, it is easy to overlook data privacy requirements, especially when the privacy law that applies to most individually identifiable health information (HIPAA) and the privacy law that applies to most student records (FERPA) differ.
I noted one key difference in the Ebola posting: HIPAA allows disclosure of protected health information for public health activities, such as to a public health authority that is authorized by law to collect the information to prevent or control disease, but FERPA creates a slightly higher bar to disclosure of identifiable health information contained in a student’s record. Under FERPA, parents must provide written consent for disclosures of this information, unless an exception applies. The FERPA “health or safety emergency” exception allows disclosure without parental consent to a public health agency, for example, if the school determines that the public health agency needs the information to protect the health or safety of the students or other individuals. The school must determine that there is “an articulable and significant threat to the health or safety of students or other individuals” and, within a reasonable period of time after the disclosure, document in the student’s record the threat that formed the basis for the disclosure. In other words, while reporting the number of students testing positive for COVID-19 might satisfy the FERPA “health or safety emergency” exception, reporting the students’ names or other information might not.
The U.S. Department of Education published FAQs in March 2020 on FERPA and COVID-19, describing the “health or safety emergency” exception that allows reporting to public health departments, as well as when health information can be disclosed to other parties such as parents of other students. Interestingly, FAQ 7 states that schools can disclose information about a COVID-19 positive teacher or staff member to parents and students, as FERPA only protects information contained in student records, but points out that state privacy laws may apply. However, it’s worth noting that if the school has a self-funded health plan and receives the information in that capacity, HIPAA would prevent such a disclosure without the individual’s authorization.