Data Privacy
In order to safeguard student privacy, school nurses maintain confidentiality within the legal, regulatory, and ethical parameters of health and education, and inform others about student health record protection in accordance with the Family Educational Rights and Privacy Act (Family Educational Rights and Privacy Act, 1974), Health Insurance Portability and Accountability Act (Health Insurance Portability and Accountability Act, 1996), and other applicable federal and state laws and regulations.
FERPA
The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. School health records are educational records. FERPA applies to any public or private elementary, secondary, or post-secondary school. It also applies to any state or local education agency that receives funds under an applicable program of the US Department of Education.
The Act serves two primary purposes:
- It gives parents or eligible students more control over their educational records, and
- It prohibits educational institutions from disclosing “personally identifiable information in education records” without the written consent of an eligible student, or if the student is a minor, the student’s parents (20 U.S.C.S. § 1232g(b)).
FERPA gives parents the right to:
- Inspect / review the student educational records within 45 days (under the MN Data Practices Act/Chapter 13, immediately or within 10 days). School health services staff should understand the procedure in their local school.
- Request an amendment to perceived inaccurate or misleading records.
- Consent to disclosures of personally identifiable information in records.
- File a complaint with the US Department of Education regarding an alleged failure to comply with FERPA.
The US Department of Education: Protecting Student Privacy has these two documents with additional information: Guidance for School Officials on Student Health Records and Know Your Rights: FERPA Protection for Student Health Records.
Exempted from the definition of “education records” are those records which are kept in the sole possession of the maker of the records, are used only as a personal memory aid, and are not accessible or revealed to any other person except a temporary substitute for the maker of the records. School health services programs should address “personal notes” in their documentation policy or procedures.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA.
Healthcare providers, health plans, healthcare clearinghouses, and business associates are the types of individuals and organizations that are subject to the Privacy Rule. When a school participates in third-party billing, the activity of submitting for reimbursement is covered under HIPAA.
When schools are creating their data privacy policies and practices, a clear understanding of the interplay between HIPAA and FERPA is essential. Some key documents to consider are:
- CDC Health Information and Privacy: FERPA and HIPAA, which includes a chart that provides a comparison
- Joint Guidance on HIPAA and FERPA
Minor’s Consent
School nurses serving students should have a strong understanding of minor consent and confidentiality laws in Minnesota. School nurses should meet with school leaders and school legal counsel together to have a joint understanding of the application of minor’s consent with the delivery of school health services. Additionally, the documentation of sensitive information should be addressed because helping students who seek counsel and assistance must be an integral part of a comprehensive services system dealing with substance abuse, sexually transmitted disease, HIV infection, pregnancy, contraception, abortion, and mental and emotional disorders.
The most up-to-date information on minor consent and confidentiality can be found on MDH’s Consent and Confidentiality Laws in MN.
Tennessen Warning
Whenever private or confidential data are collected, there is a requirement that the subject of that data be given certain information or notification. This requirement, also known as the Tennessen Warning, specifies that the person who is the subject of the data must be told the following:
- Why the data is collected.
- How the data will be used within the collecting agency.
- Whether the individual can refuse or is legally required to provide the data.
- What the consequences are to the individual of supplying or refusing to supply the requested data.
- The identity of others authorized to receive the data.
This statute also requires that schools safeguard records and dispose of records properly.