Data Disclosure

I am worried about disclosure. How secure are our college medical records?

Written by Martin J. Young, former correspondent of Asia Times.

Data privacy legislation can be a minefield, especially when it comes to medical records. Student health services will have a copy of all of your medical records, but different laws govern different health service providers, so it all becomes a bit of a grey area.

Schools and colleges will need to share medical records in order to keep track of immunizations and personal medical histories. Federal privacy protections governing student education and health records has created confusion between two laws governing medical data.

The privacy of health record authority boils down to two acts; the Family Educational Rights and Privacy Act (FERPA) and the Health Information Portability and Accountability Act (HIPAA).

FERPA is a law from the mid-70s which applies to most college health records. The act prevents the disclosure of personally identifiable information in a student’s education record without the consent of students aged over 18 or a parent. If you disclose information to student health services or get treatment there, your parents have the right to that information. Being treated for an STD is different from having a bicycle accident, but the disclosure act still applies either way.

Private and public schools and universities and any organization that receives funding from the Department of Education are covered by FERPA. All health records, such as immunization records, college nurse reports, and any other records relating to student health or education are protected under this act. If written consent by the student or parent has been granted, public health agencies can access this information. Mitigating circumstances are rare, but would include incidents of a pandemic or major health risk.

The second act, HIPAA, was sanctioned in the year 2000 to grant greater rights of privacy over school medical records. It disallows the disclosure of any health and personally identifiable information to any third parties unless the individual who is the subject of the data consents. HIPAA can cover any healthcare providers, including college health departments. Information covered includes protected health information, education records, employment history and demographic data.

Some legal loopholes can allow data disclosure, and these can include treatment, payment, healthcare activities, quality assessment and evaluations, and the disclosure of limited data fragments for public interest research purposes. The coverage can change depending on where you are treated. Student health services provided by colleges come under FERPA but in-patient hospital treatment falls under HIPAA.

Technology companies also have a big role to play in data disclosure, since personal identity theft is on the rise. Medical facilities and personnel must take extra precautions with regards to data security to maintain confidentiality. Apps and websites dealing with personal information must conform to internet security protocols and provide adequate data encryption, says web design expert Darryl Stevens.

The laws are there, but they cannot be relied on fully. The college will have to create a balance between protecting your right to personal privacy and parental concern, and you will have to decide what you consider to be private and secure.