How to Handle Mental Health Data In School Files
by
|
With increasing frequency, school districts are required to address complex issues that arise out of the mental health needs of students. In addressing these issues, school districts are faced with challenges related to gathering, receiving, maintaining, and disclosing mental health data on students. An accurate understanding of FERPA, HIPAA, and applicable state laws will help school districts avoid costly mistakes that could lead to litigation and liability.
|
Parents often object when a school district requests, receives, maintains, or discloses mental health data on a student. Mental health records tend to contain highly sensitive information. For example, when a mental health professional conducts a comprehensive mental health evaluation of a student, the resulting report will typically contain a developmental history, an educational history, a social history, a mental health history, a medical history, a family history, and the application of DSM-IV criteria. The family health history may contain information about the student’s parents, siblings, and other relatives. This information is not always flattering. Many parents understandably believe that a school district does not have a legitimate educational need to maintain this type of information. Coupled with this belief, many parents harbor fears about the potential misuse or inappropriate disclosure of mental health data on their children. This article will address some of the common misconceptions and legal issues that arise when a public school district gathers, receives, maintains, or disseminates data that are related to the mental health of a student or the student’s parent(s).
Imagine that the school nurse in a public school district has just received a mental health evaluation report about a special education student from a private psychologist. On the top of the evaluation report, the psychologist’s office has prominently stamped the following warning:
Imagine that the school nurse in a public school district has just received a mental health evaluation report about a special education student from a private psychologist. On the top of the evaluation report, the psychologist’s office has prominently stamped the following warning:
“THIS REPORT IS CONFIDENTIAL AND SUBJECT TO HIPPA. UNDER PENALTY OF LAW YOU MAY NOT FORWARD OR DISCLOSE THIS REPORT.”
When the building principal and the IEP team ask to see the report, the school nurse refuses and cites HIPAA and the code of ethics that applies to the nursing profession. Upon discovering that the school nurse has received the full report, including the family history, the parents become outraged and assert that the report must be destroyed. The parents also assert that the school district is violating HIPAA by ordering the nurse to disclose the report. When the superintendent directs the school nurse to provide the records to the school district’s attorney so the district can obtain legal advice on the matter, the school nurse refuses. The nurse and the parents then assert that the district is ordering the nurse to violate HIPAA and FERPA. In both instances, the nurse and the parents are incorrect.
Overview of FERPA
At the federal level, the Family Educational Rights and Privacy Act (FERPA) and its implementing regulations protect most “education records” by classifying them as “confidential” and limiting their disclosure.[1] FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. An educational agency or institution that is subject to FERPA may not have a policy or practice of disclosing the education records of students, or personally identifying information derived from such records, without the written consent of a parent or eligible student, meaning a student who is eighteen years of age or older.
With limited exceptions,[2] FERPA broadly defines the term “education records” to mean all records that are directly related to a student and are maintained by an educational agency or institution or by a party acting for an educational agency or institution. Applying this definition, all mental health data that a public school district maintains on a special education student, including records of any mental health services provided under an IEP, are “education records” for purposes of FERPA. Similarly, all mental health data that a school nurse receives or maintains on a public elementary or secondary school student fall within the definition of “education records.” This is true regardless of whether the school district employs the school nurse or contracts with an agency that provides nursing services to students, and regardless of whether the services occur on or off school property. When contracting with a nursing agency, however, school districts would be well advised to include a provision in the contract confirming that the agency and its employees are required to comply with FERPA and any applicable provisions of state law. The contract should also contain a provision confirming that no physician-patient or similar privilege will arise out of the nurse’s work with any student.
What protections apply to “desk drawer” records?
Under FERPA, “education records” do not include records that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to another person except a temporary substitute for the maker of the record. This is commonly known as the “desk drawer” records exception. A number of states have passed laws limiting the application of the desk drawer records exception. For example, in Wisconsin the desk drawer records exception applies only to records maintained for personal use by “a teacher or other person who is required by the state superintendent . . . to hold a certificate, license, or permit.”[3] Similarly, in Minnesota the desk draw records exception applies only to the records of “instructional personnel” and the exception ceases to apply if the records are not destroyed at the end of the school year.[4]
Some school staff members misconstrue the scope of the desk drawer records exception. For instance, some staff members are under the mistaken belief that desk drawer records are completely shielded from disclosure. Because of this belief, some school staff members are overly casual, and sometimes inappropriate, in the comments they make in their desk drawer records. As any trial attorney will attest, desk drawer records are not protected from disclosure during the discovery phase of litigation. Other staff members are under the mistaken belief that they can avoid becoming involved in a dispute by discarding crucial notes about a student’s mental health status. The opposite is true. Moreover, discarding mental health data can leave a school district vulnerable to a claim that it failed to take appropriate action. Even if the staff member destroyed the records before litigation was foreseeable, if a lawsuit ensues a judge or jury could easily infer that the records were destroyed because they did not reflect positively on the school district. If the staff member destroyed the records after litigation commenced (in which case litigation hold requirements would have been in effect), the judge would likely sanction the school district and instruct the jury to draw an adverse inference against the district.
Overview of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was designed to protect the privacy and security of individually identifiable health information that is maintained by a “covered entity.” Toward that end, the U.S. Department of Health and Human Services promulgated the “HIPAA Privacy Rule.” This regulation requires “covered entities” to safeguard the privacy of health records and to limit the disclosure of such information without patient consent. The law defines a “covered entity” to mean a health plan, a health care clearinghouse, and a “health care provider” that transmits health information in electronic form in connection with a covered transaction.[5] A “health care provider” is any person or organization that furnishes, bills, or is paid for health care in the normal course of business.[6]
Many physicians do not seem to recognize that the HIPAA Privacy Rule permits covered health care providers to disclose private health information about a student to a school nurse for treatment purposes without parental consent.[7] For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who administers medication to the student or provides other care to the student at school. Physicians who are aware of this rule may still construe the physician-patient privilege to preclude them from disclosing private health information about a student to a school nurse without parental consent.
Does HIPAA apply to mental health data maintained by a school district?
HIPAA generally does not apply to mental health data maintained by a public school district. Most school districts are not “covered entitles” under HIPAA because they do not furnish, bill, or receive payment for “health care” in the normal course of business and they do not electronically transmit health information in connection with a covered transaction, such as the submission of a health care claim to a health plan. Moreover, the HIPAA Privacy Rule does not apply to health information that is contained in an “education record.” Because FERPA broadly defines “education records” to mean all records that are directly related to a student and are maintained by an educational agency or institution, any health information that a school district maintains on a student will fall within the definition of an “education record.” As a result, even those school districts that are “covered entities” are not required to comply with the HIPAA Privacy Rule, although they may be obligated to comply with certain requirements that apply to covered transactions. Neither a parent nor a physician can change this result by writing on the top of a record that it is “subject to HIPAA” and “may not be disclosed or forwarded.”
In explaining that the HIPAA Privacy Rule does not apply, the U.S. Department of Education has provided the following example:
Overview of FERPA
At the federal level, the Family Educational Rights and Privacy Act (FERPA) and its implementing regulations protect most “education records” by classifying them as “confidential” and limiting their disclosure.[1] FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. An educational agency or institution that is subject to FERPA may not have a policy or practice of disclosing the education records of students, or personally identifying information derived from such records, without the written consent of a parent or eligible student, meaning a student who is eighteen years of age or older.
With limited exceptions,[2] FERPA broadly defines the term “education records” to mean all records that are directly related to a student and are maintained by an educational agency or institution or by a party acting for an educational agency or institution. Applying this definition, all mental health data that a public school district maintains on a special education student, including records of any mental health services provided under an IEP, are “education records” for purposes of FERPA. Similarly, all mental health data that a school nurse receives or maintains on a public elementary or secondary school student fall within the definition of “education records.” This is true regardless of whether the school district employs the school nurse or contracts with an agency that provides nursing services to students, and regardless of whether the services occur on or off school property. When contracting with a nursing agency, however, school districts would be well advised to include a provision in the contract confirming that the agency and its employees are required to comply with FERPA and any applicable provisions of state law. The contract should also contain a provision confirming that no physician-patient or similar privilege will arise out of the nurse’s work with any student.
What protections apply to “desk drawer” records?
Under FERPA, “education records” do not include records that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to another person except a temporary substitute for the maker of the record. This is commonly known as the “desk drawer” records exception. A number of states have passed laws limiting the application of the desk drawer records exception. For example, in Wisconsin the desk drawer records exception applies only to records maintained for personal use by “a teacher or other person who is required by the state superintendent . . . to hold a certificate, license, or permit.”[3] Similarly, in Minnesota the desk draw records exception applies only to the records of “instructional personnel” and the exception ceases to apply if the records are not destroyed at the end of the school year.[4]
Some school staff members misconstrue the scope of the desk drawer records exception. For instance, some staff members are under the mistaken belief that desk drawer records are completely shielded from disclosure. Because of this belief, some school staff members are overly casual, and sometimes inappropriate, in the comments they make in their desk drawer records. As any trial attorney will attest, desk drawer records are not protected from disclosure during the discovery phase of litigation. Other staff members are under the mistaken belief that they can avoid becoming involved in a dispute by discarding crucial notes about a student’s mental health status. The opposite is true. Moreover, discarding mental health data can leave a school district vulnerable to a claim that it failed to take appropriate action. Even if the staff member destroyed the records before litigation was foreseeable, if a lawsuit ensues a judge or jury could easily infer that the records were destroyed because they did not reflect positively on the school district. If the staff member destroyed the records after litigation commenced (in which case litigation hold requirements would have been in effect), the judge would likely sanction the school district and instruct the jury to draw an adverse inference against the district.
Overview of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was designed to protect the privacy and security of individually identifiable health information that is maintained by a “covered entity.” Toward that end, the U.S. Department of Health and Human Services promulgated the “HIPAA Privacy Rule.” This regulation requires “covered entities” to safeguard the privacy of health records and to limit the disclosure of such information without patient consent. The law defines a “covered entity” to mean a health plan, a health care clearinghouse, and a “health care provider” that transmits health information in electronic form in connection with a covered transaction.[5] A “health care provider” is any person or organization that furnishes, bills, or is paid for health care in the normal course of business.[6]
Many physicians do not seem to recognize that the HIPAA Privacy Rule permits covered health care providers to disclose private health information about a student to a school nurse for treatment purposes without parental consent.[7] For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who administers medication to the student or provides other care to the student at school. Physicians who are aware of this rule may still construe the physician-patient privilege to preclude them from disclosing private health information about a student to a school nurse without parental consent.
Does HIPAA apply to mental health data maintained by a school district?
HIPAA generally does not apply to mental health data maintained by a public school district. Most school districts are not “covered entitles” under HIPAA because they do not furnish, bill, or receive payment for “health care” in the normal course of business and they do not electronically transmit health information in connection with a covered transaction, such as the submission of a health care claim to a health plan. Moreover, the HIPAA Privacy Rule does not apply to health information that is contained in an “education record.” Because FERPA broadly defines “education records” to mean all records that are directly related to a student and are maintained by an educational agency or institution, any health information that a school district maintains on a student will fall within the definition of an “education record.” As a result, even those school districts that are “covered entities” are not required to comply with the HIPAA Privacy Rule, although they may be obligated to comply with certain requirements that apply to covered transactions. Neither a parent nor a physician can change this result by writing on the top of a record that it is “subject to HIPAA” and “may not be disclosed or forwarded.”
In explaining that the HIPAA Privacy Rule does not apply, the U.S. Department of Education has provided the following example:
[I]f a public high school employs a health care provider that bills Medicaid electronically for services to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 C.F.R. § 99.30) in order to disclose Medicaid billing information about a service provided to a student.[8]
Does FERPA place limitations on the collection of mental health data?
Federal law does not specifically regulate the collection of mental health data by schools. However, school officials must review state law to determine whether it contains any requirements that apply when collecting mental health data. For instance, in Minnesota school officials must give a “Tennessen” warning before asking an individual to supply private or confidential information.[9] A Tennessen warning must state: (a) the purpose and intended use of the requested data within the school district; (b) whether the individual may refuse or is legally required to supply the requested data; (c) any known consequence arising from supplying or refusing to supply private or confidential data; and (d) the identity of other persons or entities authorized by state or federal law to receive the data.[10] The Tennessen warning should be given in writing to avoid proof issues in the event of litigation.
What are the implications of having school district staff provide diagnostic and treatment services to students?
Some school districts employ staff members, such as social workers and psychologists, who provide mental health diagnostic and treatment services directly to general education and special education students. These school districts then bill Medicaid and private insurance companies for the mental health services. This practice can expose a school district to claims for damages that are not covered by insurance. Most school districts do not carry (and cannot obtain) medical malpractice insurance. Claims arising out of the provision of medically based mental health services will rarely be covered under a typical commercial liability insurance policy or a typical errors and omissions insurance policy. A typical insurance policy will cover claims arising out of or related to the provision of educational services, but not claims arising out of or related to medically based services that are not required as part of an IEP or Section 504 Plan. Additionally, when school staff members provide mental health services directly to students, the parents and providing staff members may assert that a medical provider-patient privilege applies to all records generated as a result of the services. Parents and staff members may become incredulous and even defiant when informed that such data fall within the definition of “education records” under FERPA.
When may school officials access mental health data that are maintained by the school district?
FERPA generally prohibits school districts from disclosing education records without the written consent of the student’s parent or the written consent of the student, if the student is eighteen years of age or older.[11] However, the law contains several exceptions.[12] One of the most important exceptions allows school officials to disclose education records, without parental consent, to other school officials in the district, including teachers, who have a legitimate educational interest in the information contained in the records.[13] This begs the following question: When does a teacher or other school official have a legitimate educational interest in mental health data contained in a student’s education record?
As a general rule, school officials have a legitimate educational interest in mental health data on an individual student when they need to know the information in order to perform their job duties. For example, when an IEP team is considering whether a student’s misconduct was a manifestation of the student’s disability, the team is required to consider all relevant information, including mental health data that could impact the team’s determination. Under these circumstances, the IEP team members would have a “legitimate educational interest” or “need to know” the information in order to perform their job duties. Federal law preempts state law. Consequently, state law (including a code of ethics governing the licensure of a nurse, social worker, or psychologist) cannot prevent school officials from accessing education records that contain mental health data if the school officials have a need to review the data in order to fulfill their obligations under federal law.
Because of the sensitivity of mental health data and the stigma that can inappropriately attach to some mental health data, school officials should take reasonable precautions to maintain mental health data in a way that prevents inadvertent or intentional disclosure to, or access by, unauthorized individuals, including teachers and support staff who do not have a legitimate educational interest in the data. At a minimum, the authors of this article recommend that mental health data on a student be separated from other education records and be placed in a sealed envelope in the student’s education file. The outside of the envelope should state that it contains sensitive mental health data and may be viewed only by instructional personnel who have a need to review the information in order to perform their job duties for the school district. The envelope should also state that any person who unseals the envelope must place a document in the student’s file stating the person’s name; the date and reason the person opened the envelope; and the legitimate educational interest that the person had in reviewing the mental health data.
When may school officials disclose mental health data to an attorney, contractor, consultant, volunteer, or independent educational evaluator?
FERPA also contains an exception that allows school officials to disclose mental health data to a contractor, consultant, or volunteer that: (1) performs services or functions the school district would otherwise have to perform itself; (2) is under the direct control of the school district with respect to the use and maintenance of the data; and (3) is required to comply with FERPA’s prohibitions on the re-disclosure of education records.[14] By way of example, this exception allows a school district to hire a mental health professional or behavioral consultant to review mental health data in a student’s education records, without parental consent, for the purpose of providing advice to the school district about the student’s behavior and educational needs. The same exception allows a school district to provide mental health data and other education records to outside legal counsel for the purpose of obtaining confidential legal advice.[15]
When contracting for the services of an outside contractor or consultant, school officials should include a provision in the contract requiring the contractor or consultant to comply with FERPA and prohibiting the contractor or consultant from re-disclosing personally identifiable information derived from an education record. The contract should also contain a provision stating the purpose for which the contractor or consultant may use the information and prohibiting any other use. In addition, the contract should require the outside contractor or consultant to defend and indemnify the school district if the contractor or consultant violates FERPA, and to obtain a policy of insurance that lists the school district as an additional insured.
If a parent requests an independent educational evaluation (IEE), the school district should obtain the parent’s written consent before disclosing any education records to the independent evaluator. In addition, if possible, the district should have the parent agree, in writing, that no physician-patient or similar privilege will arise out of the evaluation or any services that the independent evaluator subsequently provides to the student. Finally, the district should ask the parent to agree, in writing, that the school district is entitled to review all data, including mental health data, upon which the IEE is based.
Are there recordkeeping requirements when a school discloses mental health data?
School officials often overlook, or are unaware of, FERPA’s recordkeeping requirements. A school district must maintain a record of each request to access the education record of a student. A school must also maintain a record of each disclosure of personally identifiable information from the education record of a student. For each request or disclosure, the record must identify the parties who requested or received personally identifiable information from the education records and the legitimate educational interests the parties had in requesting or obtaining the information. This information must be maintained with the education records of the student as long as the records are maintained.[16]
May school officials disclose mental health data in an emergency situation?
Another important exception in the law provides that school officials do not need parental consent to disclose personally identifiable information from an education record to a third party in connection with an emergency, if the third party needs to know the information in order to protect the health or safety of the student or another individual.[17] For instance, a school district may, and in some circumstances must, disclose mental health data on a student if the data indicate that the student is having suicidal thoughts or is planning to harm another person. School psychologists, school counselors, school social workers, and outside consultants may have a legal obligation to disclose such information immediately if the threat of harm to self or others is imminent. The failure to disclose under these circumstances could result in civil liability, actions against the professional’s license, and devastating personal consequences, including the loss of life.
May school officials forward mental health data when a student transfers to another school district?
FERPA states that an educational agency or institution may disclose personally identifiable information from a student’s education records without parental consent if the disclosure is to officials of another school or school system where the student intends to enroll, or where the student is already enrolled, as long as the disclosure is for purposes related to the student’s enrollment or transfer. Thus, under FERPA, a school district may forward mental health data in a student’s education records to another school district in which the student has enrolled or is enrolling, as long as the mental health data are related to the student’s educational needs. Despite FERPA’s clear language, school officials must verify that state law also permits such a disclosure.
From one state to another the law varies on whether a school district may forward mental health data when a student transfers to a different school district. Some states, such as Minnesota, require the former school district to transmit all education records on the student, including records containing mental health data, to the new school district, charter school, or nonpublic school that the student is or will be attending.[18] Other states, such as Wisconsin, generally prohibit school districts from forwarding “patient health care records” (meaning records that were prepared by or under the supervision of a health care provider), unless the student’s parent has given the school district written consent to forward the records.[19] Wisconsin law arguably exempts certain mental health treatment records from the definition of patient health care records.[20] However, the consequences for misinterpreting the statute are significant. The unauthorized release of “patient health care records” can subject the releasing party to criminal penalties in Wisconsin, including a fine of $25,000 and imprisonment for up to nine months.[21] The unauthorized release of such records may also subject the releasing party to civil liability in Wisconsin, including liability for actual damages, exemplary damages, and attorney fees.[22] The importance of carefully reviewing state law in this area cannot be overstated.
Summary
With increasing frequency, school districts are required to address complex issues that arise out of the mental health needs of students. In addressing these issues, school districts are faced with challenges related to gathering, receiving, maintaining, and disclosing mental health data on students. An accurate understanding of FERPA, HIPAA, and applicable state laws will help school districts avoid costly mistakes that could lead to litigation and liability.
NOTE: The purpose of this article is to inform you of interesting and important legal developments. Although current when submitted for publication, the information in this article may be superseded by court decisions and legislative amendments. Attorneys cannot render legal advice without an awareness and analysis of the facts of a particular situation. If you have questions about the application of concepts discussed in this article, you should consult your legal counsel. ©2012 Ratwik, Roszak & Maloney, P.A.; ©2012 Dr. William Dikel, M.D.
About the author Mick Waldspurger
Mick Waldspurger ([email protected]) is a shareholder with the law firm of Ratwik, Roszak & Maloney, P.A. Mick practices extensively in the area of school law, including the areas of special education, labor and employment, negotiations, data privacy, board governance, and litigation. Mick represents school districts in Minnesota and Wisconsin and works proactively with clients to identify practical solutions.
Federal law does not specifically regulate the collection of mental health data by schools. However, school officials must review state law to determine whether it contains any requirements that apply when collecting mental health data. For instance, in Minnesota school officials must give a “Tennessen” warning before asking an individual to supply private or confidential information.[9] A Tennessen warning must state: (a) the purpose and intended use of the requested data within the school district; (b) whether the individual may refuse or is legally required to supply the requested data; (c) any known consequence arising from supplying or refusing to supply private or confidential data; and (d) the identity of other persons or entities authorized by state or federal law to receive the data.[10] The Tennessen warning should be given in writing to avoid proof issues in the event of litigation.
What are the implications of having school district staff provide diagnostic and treatment services to students?
Some school districts employ staff members, such as social workers and psychologists, who provide mental health diagnostic and treatment services directly to general education and special education students. These school districts then bill Medicaid and private insurance companies for the mental health services. This practice can expose a school district to claims for damages that are not covered by insurance. Most school districts do not carry (and cannot obtain) medical malpractice insurance. Claims arising out of the provision of medically based mental health services will rarely be covered under a typical commercial liability insurance policy or a typical errors and omissions insurance policy. A typical insurance policy will cover claims arising out of or related to the provision of educational services, but not claims arising out of or related to medically based services that are not required as part of an IEP or Section 504 Plan. Additionally, when school staff members provide mental health services directly to students, the parents and providing staff members may assert that a medical provider-patient privilege applies to all records generated as a result of the services. Parents and staff members may become incredulous and even defiant when informed that such data fall within the definition of “education records” under FERPA.
When may school officials access mental health data that are maintained by the school district?
FERPA generally prohibits school districts from disclosing education records without the written consent of the student’s parent or the written consent of the student, if the student is eighteen years of age or older.[11] However, the law contains several exceptions.[12] One of the most important exceptions allows school officials to disclose education records, without parental consent, to other school officials in the district, including teachers, who have a legitimate educational interest in the information contained in the records.[13] This begs the following question: When does a teacher or other school official have a legitimate educational interest in mental health data contained in a student’s education record?
As a general rule, school officials have a legitimate educational interest in mental health data on an individual student when they need to know the information in order to perform their job duties. For example, when an IEP team is considering whether a student’s misconduct was a manifestation of the student’s disability, the team is required to consider all relevant information, including mental health data that could impact the team’s determination. Under these circumstances, the IEP team members would have a “legitimate educational interest” or “need to know” the information in order to perform their job duties. Federal law preempts state law. Consequently, state law (including a code of ethics governing the licensure of a nurse, social worker, or psychologist) cannot prevent school officials from accessing education records that contain mental health data if the school officials have a need to review the data in order to fulfill their obligations under federal law.
Because of the sensitivity of mental health data and the stigma that can inappropriately attach to some mental health data, school officials should take reasonable precautions to maintain mental health data in a way that prevents inadvertent or intentional disclosure to, or access by, unauthorized individuals, including teachers and support staff who do not have a legitimate educational interest in the data. At a minimum, the authors of this article recommend that mental health data on a student be separated from other education records and be placed in a sealed envelope in the student’s education file. The outside of the envelope should state that it contains sensitive mental health data and may be viewed only by instructional personnel who have a need to review the information in order to perform their job duties for the school district. The envelope should also state that any person who unseals the envelope must place a document in the student’s file stating the person’s name; the date and reason the person opened the envelope; and the legitimate educational interest that the person had in reviewing the mental health data.
When may school officials disclose mental health data to an attorney, contractor, consultant, volunteer, or independent educational evaluator?
FERPA also contains an exception that allows school officials to disclose mental health data to a contractor, consultant, or volunteer that: (1) performs services or functions the school district would otherwise have to perform itself; (2) is under the direct control of the school district with respect to the use and maintenance of the data; and (3) is required to comply with FERPA’s prohibitions on the re-disclosure of education records.[14] By way of example, this exception allows a school district to hire a mental health professional or behavioral consultant to review mental health data in a student’s education records, without parental consent, for the purpose of providing advice to the school district about the student’s behavior and educational needs. The same exception allows a school district to provide mental health data and other education records to outside legal counsel for the purpose of obtaining confidential legal advice.[15]
When contracting for the services of an outside contractor or consultant, school officials should include a provision in the contract requiring the contractor or consultant to comply with FERPA and prohibiting the contractor or consultant from re-disclosing personally identifiable information derived from an education record. The contract should also contain a provision stating the purpose for which the contractor or consultant may use the information and prohibiting any other use. In addition, the contract should require the outside contractor or consultant to defend and indemnify the school district if the contractor or consultant violates FERPA, and to obtain a policy of insurance that lists the school district as an additional insured.
If a parent requests an independent educational evaluation (IEE), the school district should obtain the parent’s written consent before disclosing any education records to the independent evaluator. In addition, if possible, the district should have the parent agree, in writing, that no physician-patient or similar privilege will arise out of the evaluation or any services that the independent evaluator subsequently provides to the student. Finally, the district should ask the parent to agree, in writing, that the school district is entitled to review all data, including mental health data, upon which the IEE is based.
Are there recordkeeping requirements when a school discloses mental health data?
School officials often overlook, or are unaware of, FERPA’s recordkeeping requirements. A school district must maintain a record of each request to access the education record of a student. A school must also maintain a record of each disclosure of personally identifiable information from the education record of a student. For each request or disclosure, the record must identify the parties who requested or received personally identifiable information from the education records and the legitimate educational interests the parties had in requesting or obtaining the information. This information must be maintained with the education records of the student as long as the records are maintained.[16]
May school officials disclose mental health data in an emergency situation?
Another important exception in the law provides that school officials do not need parental consent to disclose personally identifiable information from an education record to a third party in connection with an emergency, if the third party needs to know the information in order to protect the health or safety of the student or another individual.[17] For instance, a school district may, and in some circumstances must, disclose mental health data on a student if the data indicate that the student is having suicidal thoughts or is planning to harm another person. School psychologists, school counselors, school social workers, and outside consultants may have a legal obligation to disclose such information immediately if the threat of harm to self or others is imminent. The failure to disclose under these circumstances could result in civil liability, actions against the professional’s license, and devastating personal consequences, including the loss of life.
May school officials forward mental health data when a student transfers to another school district?
FERPA states that an educational agency or institution may disclose personally identifiable information from a student’s education records without parental consent if the disclosure is to officials of another school or school system where the student intends to enroll, or where the student is already enrolled, as long as the disclosure is for purposes related to the student’s enrollment or transfer. Thus, under FERPA, a school district may forward mental health data in a student’s education records to another school district in which the student has enrolled or is enrolling, as long as the mental health data are related to the student’s educational needs. Despite FERPA’s clear language, school officials must verify that state law also permits such a disclosure.
From one state to another the law varies on whether a school district may forward mental health data when a student transfers to a different school district. Some states, such as Minnesota, require the former school district to transmit all education records on the student, including records containing mental health data, to the new school district, charter school, or nonpublic school that the student is or will be attending.[18] Other states, such as Wisconsin, generally prohibit school districts from forwarding “patient health care records” (meaning records that were prepared by or under the supervision of a health care provider), unless the student’s parent has given the school district written consent to forward the records.[19] Wisconsin law arguably exempts certain mental health treatment records from the definition of patient health care records.[20] However, the consequences for misinterpreting the statute are significant. The unauthorized release of “patient health care records” can subject the releasing party to criminal penalties in Wisconsin, including a fine of $25,000 and imprisonment for up to nine months.[21] The unauthorized release of such records may also subject the releasing party to civil liability in Wisconsin, including liability for actual damages, exemplary damages, and attorney fees.[22] The importance of carefully reviewing state law in this area cannot be overstated.
Summary
With increasing frequency, school districts are required to address complex issues that arise out of the mental health needs of students. In addressing these issues, school districts are faced with challenges related to gathering, receiving, maintaining, and disclosing mental health data on students. An accurate understanding of FERPA, HIPAA, and applicable state laws will help school districts avoid costly mistakes that could lead to litigation and liability.
NOTE: The purpose of this article is to inform you of interesting and important legal developments. Although current when submitted for publication, the information in this article may be superseded by court decisions and legislative amendments. Attorneys cannot render legal advice without an awareness and analysis of the facts of a particular situation. If you have questions about the application of concepts discussed in this article, you should consult your legal counsel. ©2012 Ratwik, Roszak & Maloney, P.A.; ©2012 Dr. William Dikel, M.D.
About the author Mick Waldspurger
Mick Waldspurger ([email protected]) is a shareholder with the law firm of Ratwik, Roszak & Maloney, P.A. Mick practices extensively in the area of school law, including the areas of special education, labor and employment, negotiations, data privacy, board governance, and litigation. Mick represents school districts in Minnesota and Wisconsin and works proactively with clients to identify practical solutions.
References
[1] See 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
[2] See 34 C.F.R. § 99.3 (excluding desk draw records, certain law enforcement records, certain employment records, certain treatment records for students who are 18 or older and attending an institution of postsecondary education, records created or received after an individual is no longer a student and are not directly related to the student’s attendance, and grades on peer graded papers before they are collected and recorded by a teacher). [3] Wis. Stat. § 118.25(1)(d)1. [4] Minn. Stat. § 13.32, subd. 1(a). [5] See 45 C.F.R. § 160.103. [6] Id. (defining “health care provider” and “transaction”). [7] U.S. Dept. of Health Hum. Services and U.S. Dept. of Ed., Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, at 4 (Nov. 2008). |
[8] Id.
[9] See Minn. Stat. 13.04, subd. 2. [10] Id. [11] See 34 C.F.R. § 99.30. [12] See 34 C.F.R. § 99.31. [13] See 34 C.F.R. § 99.31(a)(1)(i)(A). [14] See 34 C.F.R. § 99.31(a)(1)(i)(B). [15] Letter to Parent re Disclosure of Education Records to Outside Legal Counsel (U.S. Dept. of Ed. Sept. 7, 2004). [16] See 34 C.F.R. § 99.32(a)(1). [17] See 34 C.F.R. §§ 99.31(a)(1) & 99.36. [18] See Minn. Stat. § 122A.22, subd. 7. [19] See Wis. Stat. § 146.82. [20] See Wis. Stat. § 51.30. [21] See Wis. Stat. § 146.84(2). [22] See Wis. Stat. § 146.84(1). |