In the American Academy of Pediatrics statement “Role of the School Nurse in Providing School Health Services,” the authors acknowledge that misinformation about federal privacy laws can be problematic,1 creating misunderstandings among pediatricians and school nurses that impact student care. Confusion arises when clinicians, covered by the Health Insurance Portability and Accountability Act (HIPAA), work collaboratively with school nurses, covered by the Family Educational Rights and Privacy Act (FERPA), to conduct health programs. The majority of school nurses report working with their local health department2 but are unsure about what procedures to follow for documenting and communicating health information, and existing federal guidance does not speak adequately to the complications arising from cross-sector collaboration.3
In this article, we use an example of a school-based sexually transmitted infection (STI) screening program to highlight the 2 main federal privacy laws that impact school and health provider collaboration: FERPA and HIPAA. State privacy laws and institutional policies impose restrictions beyond federal law. These local laws and policies vary, as does their intersection with federal law. School and health department collaborators must negotiate this complex web when they plan joint projects.
Passed in 1974, FERPA is designed to protect students’ educational records.4 Any educational institution receiving funding from the US Department of Education must allow parents or an eligible student (>18 years of age or has begun postsecondary education) to access the student’s records. However, private or parochial elementary and secondary schools with no US Department of Education funding are exempt.4 In certain circumstances, schools may disclose information without consent to school-based officials determined to have a legitimate educational interest.4
Educational records include information related to a student’s mental or physical health that is maintained by a school or an agency acting on the school’s behalf.4,5 When a school employs an agency to deliver health services, its records are still considered to be part of the students’ educational records even when the agency provides those services off school grounds.3 However, if a clinic not employed by the school happens to provide services to students on school grounds, then FERPA would normally not apply.
In 1996, pursuant to HIPAA, the US Department of Health and Human Services issued regulations to establish standards, informally known as the privacy rule, for electronic health care transactions and for the use and protection of identifiable health information by covered entities.6 Under HIPAA, adults and emancipated minors have the right to access their own medical records.6 In most cases, a parent is an unemancipated minor’s personal representative and would have access to all protected health information (PHI) contained in that minor’s medical record.6 A covered entity may share PHI with other health care providers for purposes related to health care delivery without getting consent, but intention to use the information in this way must be disclosed.6
Intersection of Privacy Laws in an STI Program
HIPAA and FERPA do not overlap. The HIPAA privacy rule excludes educational records protected under FERPA,3 but matters become more complicated when a program is jointly sponsored or part of a collaborative effort. The following hypothetical vignettes explore the potential for confusion, conflict, and risks to privacy in an STI screening and treatment program that is run and funded by a health department but operates in a school.
Vignette 1: The school nurse refers a student to the STI program for testing and then makes a note about the referral in the student’s school medical record. Has the school nurse breached the student’s privacy?
From a legal perspective, the answer is likely no. However, all 50 states and the District of Columbia grant minors the right to consent to their own STI-related services.7 Only 18 states give physicians the discretion to pass on information to parents; the remainder have legislation protecting the confidentiality of adolescent sexual health services or are silent on the matter.7 Thus, adolescents who are told a program is confidential may have the reasonable expectation that information will not be shared with parents. On the other hand, some schools or districts have internal policies regarding what a nurse is expected to enter into student medical records, despite those records being accessible to parents on request.4 FERPA delineates the role of the school nurse as the key gatekeeper of student health information. Recognizing that relevant school or district policies may apply, federal law allows the school nurse to exert some discretion over what information is added to an educational record.4 Documenting referrals may follow institutional policy but students may view this as a violation of trust, negatively impacting student use of the STI-related services being provided.
Vignette 2: A student tests positive for chlamydia. The health department practitioner consults with the school nurse regarding known allergies or potential drug interactions associated with treatment. Can the health department practitioner and the school nurse discuss this?
A HIPAA-covered provider can disclose PHI to school nurses for treatment purposes.3 For example, if a school nurse were responsible for administering medication to a student, the covered provider may discuss the treatment, drug interactions, allergies, and other health care information germane to the care of that student.3 If the school nurse has no treatment-related role, then the health department practitioner cannot share any information that might indicate a student’s name or diagnostic status. If the school nurse chooses to enter treatment information into the student’s school medical record, this information becomes part of the educational record and potentially available to the student’s parents.3
If the school nurse wanted to disclose potential drug interaction information from the student’s record to the health department practitioner, FERPA states that the school should first obtain consent from the parent or eligible minor.4 Both could speak directly to the student, but provider-to-provider communication is restricted. The school nurse, bound by FERPA, would not be able to share information without consent unless there were an emergency.4 For example, if a student began to show signs of an adverse reaction after receiving treatment, the school nurse could then share information about the student’s allergies and medications.
Vignette 3: A student is discussed during a multi-disciplinary team meeting. The school nurse knows the student participated in the STI program and tested positive. Should the nurse disclose this information during the meeting to other school officials?
Schools typically have group meetings to discuss high-risk students’ academic progress, during which a school nurse might share known STI-related information to provide context for understanding a student’s high-risk and health-seeking behaviors. This is allowed under FERPA but could result in written documentation (eg, meeting notes or e-mails) that would become part of the student’s educational record.4
Importantly, students may not expect that participation in a confidential STI program would lead to this type of disclosure. An external agency accustomed to operating under HIPAA standards may also be unaware that bringing STI testing into a school setting could lead to sensitive information being shared with teachers and other school personnel or becoming vulnerable to parental access as part of an educational record.
Implications for School Sexual Health Programs
Practical guides for operationalizing the intersection of FERPA and HIPAA regarding adolescent health are needed. The following recommendations can guide this work.
Carefully Map Out Workflow To Anticipate and Address Potential Information-Sharing Conflicts
When school personnel partner with external health agencies, staff could be asked to generate scenarios when confidential communications would be necessary or could facilitate each individual’s role. At the outset, all parties must have a clear understanding of what is and is not an acceptable use of student information. These scenarios could then be used to establish detailed protocols to guide proper communications and information-sharing within the legal bounds of applicable federal and state laws.
Develop and Disseminate Clear Privacy Protocols To All Partners
Protocols for a collaborative program may be inconsistent with current workflow or institutional practices. Development and dissemination of clear protocols for all personnel is required to ensure that appropriate information is collected and recorded in ways that minimize risks to confidentiality. These protocols can be supported by a memorandum of understanding signed by school and agency leaders to encourage buy-in and provide clarification for staff.
Tell Students in Plain Language What Privacy Protections They Can Expect
The nuances of FERPA and HIPAA are not common knowledge among high school students. The assumptions adolescents make regarding the meaning of the word “confidential” when used by medical practitioners may not be in line with how their information may actually be used under the law. Transparent communication about the use of their information will help temper expectations of total privacy, will head off potential problems that otherwise could arise from their misperceptions, and will thereby contribute to trusting relationships that will facilitate care.
The examples used here are focused on STI programming, but the implications for interagency collaboration explored here extend to any health-related services provided to students, particularly those that minors may consent to on their own, such as drug screening or mental health services. Thoughtful consideration of protocols and clear communication will minimize the risks to adolescent privacy rights while contributing to stronger and more effective collaborative relationships among school and community partners.
Dr Elliott conceptualized, designed, and conducted the analysis, drafted the initial manuscript, and reviewed and revised the manuscript; Dr DeJong reviewed the analysis plan and reviewed and contributed to revisions of the manuscript; Dr Feinberg oversaw the analysis plan and contributed to the preparation of the manuscript; and all authors approved the final manuscript as submitted and agree to be accountable for all aspects of this work.
FUNDING: Supported by Health Resources and Services Administration grant T03MC07646.
POTENTIAL CONFLICT OF INTEREST: The authors have indicated they have no potential conflicts of interest to disclose.
FINANCIAL DISCLOSURE: The authors have indicated they have no financial relationships relevant to this article to disclose.