University Student Data and COVID-19: What can be shared?

The long-awaited return of students to schools has arrived, with some students attending school remotely, while others are attending classes on-site at academic institutions. We’ve also seen the unintended spread of COVID-19 at these institutions and, as a result, many schools have opted to discontinue on-site classes, switching to remote learning. In some instances, the students who have tested positive for COVID-19 have been asked to either return home or quarantine in specified dorms to prevent the spread of the virus to other students, faculty, and staff.

In these instances, there are people or organizations that may need to be notified if students, teachers, or other university staff have tested positive for COVID-19. Contact tracing may also be implemented at the university to help limit the spread of the virus. This raises a complicated question: who can the university notify, what information can they share, and what guidelines should be followed when dealing with COVID-19 at academic institutions? The answer depends on the situation, as a university must assess whether the information is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Personally Identifiable Information under the Family Educational Rights and Privacy Act (FERPA), or both.

HIPAA requires covered entities to protect the patient’s PHI through appropriate safeguards, as well as sets limits and conditions on the uses and disclosures of PHI without patient authorization. One such permissible disclosure is to prevent serious and imminent threat, which the Office for Civil Rights (OCR) has deemed COVID-19 as a serious threat, and therefore some patient information can be shared with the appropriate parties. Similarly, FERPA protects the privacy of student education records and prohibits educational institutions from disclosing PII in education records without written consent from the student (or parental guardian if the student is under 18 unless the underage student is enrolled in a university). “Educational records” include any information directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution, a student’s health records fall under FERPA’s definition of “educational records”.1 FERPA does have a list of permitted disclosures, including cases of health and safety emergencies. So how do universities navigate these two policies when it comes to notifying others if a student, teacher, or other staff member has tested positive for COVID-19?

In normal situations, a student’s health record falls under FERPA, and HIPAA does not apply. So, for example, if a student visits the campus medical center operated by the university, that record falls under FERPA guidelines and the institution would need to have a permitted reason to disclose the information. In regards to hospitals affiliated with a university subject to FERPA, a student’s hospital record is not considered “education records” as these facilities provide services without regard to the person’s status at the university, so that record would fall under HIPAA guidelines. But, if that hospital runs a student clinic, then those records would fall under FERPA guidelines. The U.S. Department of Health and Human Services together with the U.S. Department of Education issues a Joint Guidance on the Application of FERPA and HIPAA to Student Health Records in December of 2019, further elaborating on how these guidelines apply to records maintained on students. Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019

In regards to the current COVID-19 pandemic, The U.S. Department of Education released a series of FAQs that cover questions related to FERPA and COVID-19 and includes a sample FERPA Consent Form: Deparment of Education Student Privacy Policy Office – FERPA & Coronavirus Disease 2019 FAQs – March 2020. The FAQ outlines that if a student has COVID-19, it is sufficient to only report a positive COVID-19 case has been found on campus to other students and/or the parents of other students rather than specifically identifying the student who is infected. For example, a university can email students and parents that there is a confirmed COVID-19 case on campus to help notify them of a potential risk of contraction. If a student’s PII needs to be disclosed, it must meet the health and safety disclosure exemption under FERPA, and can only be disclosed to appropriate parties, i.e. law enforcement, public health, trained medical personnel, and parents (PII cannot be disclosed to the media, as they are not considered an appropriate party under FERPA).

FERPA generally requires educational agencies and institutions to maintain a record of each request for access to and each disclosure of PII from the education records of each student. When making a disclosure under the health or safety emergency provision in FERPA, universities are specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure and the parties to whom the university disclosed the information.

After finalizing the required analysis and assuming the university and/or HIPAA “covered entity” can notify appropriate parties, it may be prudent to also conduct contact tracing to prevent further spread of COVID-19. Both healthcare providers and academic institutions can benefit from the use of contact tracing technology to expedite this process and ensure the protection of student information. If a school intends on implementing contact tracing systems for COVID-19, it is advisable to prepare consent forms for parents and eligible students to allow for the potential sharing of “directory information” (i.e. a student’s name, address, phone number) that is linked to non-directory information (information regarding a students COVID-19 illness).

Protecting student patient data is essential, and having an understanding of FERPA is key for universities to ensure the confidentiality, health, and safety of its students during the COVID-19 outbreak. Under these guidelines, the PII in student education records cannot be disclosed without written consent from the student, unless there is a reason for exemption. With the COVID-19 pandemic affecting the nation, the FERPA health and safety emergency exemption comes into play, allowing universities to release a student’s PII to appropriate parties (law enforcement, public health, trained medical personnel, and parents) if disclosure is needed. Having an understanding of the FERPA guidelines and exemptions will help universities protect the health and privacy of their students during this time.

1 Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019

Photo of Elizabeth B. Ruszczyk

Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP

Elizabeth B. Ruszczyk, Esq., most recently served the Vice President and Chief Compliance and Privacy Officer at UF Health. UF Health is a private, not-for-profit healthcare system affiliated with the University of Florida and its Health Science Center campuses in Gainesville and Jacksonville. From 2016 – 2019, Ms. Ruszczyk also simultaneously served as the Executive Associate Vice President, Chief Compliance and Privacy Officer for the University of Florida. Ms. Ruszczyk possesses nearly 20 years of extensive experience developing and implementing all aspects of privacy and compliance programs for health systems and academic research institutions. Prior to her tenure at UF Health, Ms. Ruszczyk worked as a commercial litigation associate with Smith, Gambrell & Russell, LLP., in the firm’s Jacksonville, Florida office. Currently, Ms. Ruszczyk provides specialty consulting services in the fields of healthcare privacy and compliance.