April 23rd, 2015

College Rape Case Shows A Key Limit To Medical Privacy Law

By: Ryusuke Tanaka

http://www.npr.org/blogs/health/2015/03/09/391876192/college-rape-case-shows-a-key-limit-to-medical-privacy-law

A student allegedly raped by other students received medical therapy at her university’s clinic. After the student sued the university, the university accessed the student’s medical records, without notice or consent, and sent them to its attorney in preparing its defense against the student. The university’s access raises privacy concerns and uncertainty about the scope of the laws.

What laws govern this issue? The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act provide relatively strong regulation protecting individuals’ health information held by health care providers. Yet HIPAA regulations apply only to “health plans, health care clearinghouses and health care providers” that transmit health information electronically in connection with certain health insurance related transactions[1]. If the university in this case processes and transmits, for example, health care claims submitted to a health plan, then it becomes possible to regard the university as a “health care provider” or as a “hybrid entity” that employs health care providers.

By contrast, the Family Educational Rights and Privacy Act (FERPA) prohibits educational institutions from disclosing “education records” without the authorization of the student (or parent). In general, “education records” are defined as records that contain information directly related to a student and are maintained by an educational institution[2]. FERPA permits schools to disclose education records to the court, without consent, for their defense if a parent or student initiates legal action[3]. The university in this case, when sued by the student, could plausibly rely on this provision to disclose her medical information to its attorney or the court.

According to the United States Department of Health and Human Services, where FERPA applies to education records, schools should comply with FERPA, and in that case they are not necessarily bound by HIPAA.[4]

The point that should be emphasized in this case is that the information accessed and disclosed was the therapy record of a rape victim. With high probability, it contains sensitive information that a reasonable person would not wish to be disclosed. In addition, a victim like the student in this case would have visited a school therapist not to complain about the incident but to sincerely receive medical care. Given that school counselors owe a duty of confidentiality and a fiduciary duty under their professional ethics code, it is possible to say that a reasonable student would expect information given to a school counselor to be protected as a medical record and not regarded as an education record.

This case seems to urge the court to clarify the exact scope of HIPAA and FERPA.

[1] 45 C.F.R. §160.102

[2] 20 U.S.C. §1232g(a)(4)(A)

[3] 34 C.F.R. §99.31(a)(9)(iii)(B)

[4] http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/513.html