Yesterday the news report following my commentary was published.
It doesn’t say what the sensitive information was, but it makes clear that the wrong law is often used to pursue wrongful disclosure of personal information. HIPAA (the Privacy Rule and the Security Rule) tends to be foremost in most people’s minds when privacy infractions occur because it is written about so often. However, as the article points out, it only applies to covered entities (CEs).
Unfortunately, the discussion given to the television station is misleading. The list provided is incomplete: some organizations not on the list are considered hybrid entities, meaning organizations whose primary business is not being a healthcare provider or healthcare insurer but that have portions of their business performing those types of activities. Some educational institutions certainly are hybrid entities; simplistically, those that provide health clinic services with the medical staff providing the care on their payroll.
Whenever you consider privacy issues and regulatory noncompliance related to the protection of personally identifiable information (PII) within educational institutions, it is good to keep FERPA foremost among your considerations.
However, it *IS* possible that inappropriate sharing of PII can be covered by more than one regulation; and certainly, depending upon the details and involved issues, a situation where student PII is inappropriately shared with others could come under both FERPA and HIPAA. It is important to discuss any situation with a lawyer well-versed in the data protection laws and regulations to determine which one to use when pursuing legal action.
"A Grove mother who’s suing the school district on behalf of her 15 year-old son says an administrator told her sensitive information about another student.
Specific medical information that she says, he had no right to reveal.
Sheila Dawson’s lawsuit alleges Grove school faculty and administrators violated the Health Insurance Portability and Accountability Act or HIPAA, when they told others medical facts and lies about her son and other students.
The News on 6 spoke with a HIPAA expert and learned that "the act" only protects healthcare providers, healthcare clearing houses and others who bill electronically for medical services. Elise Brennan says if the information comes from anywhere else, it’s not protected under HIPAA. "HIPAA doesn’t pertain to idle gossip. If an employer or the school has learned information from gossip, then that’s not protected health information, which is what’s covered under HIPAA."
The US Department of Education points to the Family Education Right to Privacy Act, which prohibits schools from disclosing a student’s records without parental consent.
If a school has medical information about a student, it becomes part of the education record and is protected under FERPA."