Where to draw the line on privacy for college students

Recently, the ever-present question of patient privacy came up at the University of Oregon, where a student’s therapy records were accessed by the school without her consent following a rape case. The action was perfectly legal under the federal Family Educational Rights and Privacy Act (FERPA), but many on campus, including staff counselors, felt the school acted unethically because its motivation was to defend itself in a lawsuit not to help the student.

Jennifer Pike, an associate at Reed Smith LLP, says there can be confusion among students, parents and even providers about when HIPAA applies and when FERPA applies. Generally, HIPAA will protect client records in a traditional healthcare setting outside of a school campus, while FERPA regulates access to various records kept by educational institutions and their employees.

“There are two types of records: educational and treatment records,” Pike says. “Therapy notes are consider treatment records, and they are used only by counselors for healthcare purposes.”

However, she says, the Department of Education has made clear the fact that student treatment records can be used as education records under special circumstances, such as in the case of a lawsuit against the institution where those records might become relevant. In the University of Oregon case, the student was suing the school for its handling of the rape incident and claimed emotional distress, so the administrators had a reason to access the records. And they are permitted to do so under FERPA.

The law makes the distinction so the university does not need to obtain a subpoena to access its own facilities’ records, created by its own employees, when defending itself against a legal claim.

“The main issue in the University of Oregon case was its legal right, but the key is to understand what FERPA permits versus what is required,” Pike says. “FERPA permits access to student records, however, it does not require them to access the records. That was a choice they made.”

Alternatively, the school could have obtained the student’s consent before pulling up her information from the campus counseling center.

Effects on students

Student advocacy groups are concerned that as a result of the University of Oregon incident, rape might go unreported across campuses nationwide because students believe their counseling records will be read by school administrators without consent.

“I am almost sure that this will indeed affect many women, or persons, from future disclosures of being violated in any manner, and that is an extremely sad situation for our society to be in, not to mention dangerous since this allows the perpetrators to continue on their path of control issues and sick tendencies that destroy lives,” Marilyn Selfridge, a student at Kaplan University, who is studying Human Services and working toward a doctorate program in Clinical Psychology, tells Behavioral Healthcare.

Selfridge says she’s studied the case and believes when students seek care at a university counseling center, they are vulnerable and emotional and might not understand that seeking help in that setting can be detrimental to their privacy. 

“Most of the public understands that disclosing in a ‘therapeutic’ relationship, or that of a counseling setting, is confidential, and they take it at that,” says Selfridge. “When their personal issues are opened up to the public, that scares away other potential disclosures and appears to protect the perpetrator.”

Where to draw the line

The University of Oregon case is a classic example of how client expectations of privacy differ from prevailing policy.  At the other end of the spectrum, there are also examples of situations in which privacy protection laws are viewed as too tight.

Many patient advocates are pushing for more openness in sharing pertinent treatment information, specifically in situations where parents want access to help an adult child engage in treatment. Families have long been frustrated by HIPAA when it prevents their involvement with care plans for a loved one who has a behavioral health diagnosis and struggles to receive care.

In the next few weeks, Rep. Tim Murphy (R-Pa.) is expected to reintroduce the Helping Families in Mental Health Crisis Act, which includes a proposal (Section 301) to loosen up certain patient information that currently is protected under HIPAA and FERPA. The bill writes in exceptions to the two laws so parents can get information about diagnosis, prescriptions and pending appointments.

Section 301 would apply only when an individual’s mental health condition prevents him or her from making an informed decision about the need for treatment. Under this section, the clinician would determine when the sharing of health information is in the best interest of the patient. The Murphy proposal would similarly apply to situations in which a student’s information would be shared by school administrators with parents when it’s in the student’s best interest.

Even so, HIPAA currently allows an exception that permits providers to discuss a patient’s situation when the patient is a danger to himself or others. However, experts believe some providers fear legal action or costly HIPAA violations, so they don’t disclose information even for exceptions.

Where to draw the line on protecting private information is an issue that has as many nuances as it does misinformation. Pike says educational institutions issue annual notices to students, informing them of their rights to access education records under FERPA. That mechanism might be the ideal channel in the future to communicate more explicitly how FERPA applies to treatment records, she says.