TESTIMONY

BEFORE THE

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

PRESENTED BY:
JANE W. McGRATH, MD, FAAP
FOR THE

AMERICAN ACADEMY OF PEDIATRICS
February 19, 2004
8:45 am

Good Morning, Chairman Rothstein and members of the Subcommittee. My name is Dr. Jane McGrath. I am pleased to be here today to represent the 57,000 pediatrician members of the American Academy of Pediatrics on an issue of importance to children, parents, health professionals, educators and administrators. I have been a pediatrician for over 15 years and am currently the School Health Officer for the New Mexico Department of Health. I am also an associate professor of pediatrics at the University of New Mexico Health Science Center.

The Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) are two important laws intended to provide individuals and families with privacy protections. However, the implementation of the HIPAA privacy rule has resulted in significant problems for school health personnel and the students and families they serve. The intersection of HIPAA and FERPA has created a situation where different interpretations of the rules abound and there is very little clarity at the community level.

Real world problems are created by the lack of clarity regarding whether privacy requirements of HIPAA apply to health information which schools acquire or possess. Further, school health personnel often find it difficult or impossible to access important health information that they may need to assist a student. Schools are not considered 'covered entities' under the HIPAA rules and therefore are not considered to be providing HIPAA covered services. However, many schools play an important role in providing health care to students (e.g., immunization records, sports physicals, health screenings, etc.) Several examples help illustrate the problems school health personnel face related to HIPAA and FERPA requirements:

1. Immunization information - States mandate that schools require certain immunizations in order for students to attend. These immunization requirements are, in effect, the way in which we as a society insure that children receive their immunizations. School nurses enforce immunization requirements and spend a considerable amount of time and energy making sure that students at all grade levels are appropriately immunized. Under HIPAA, the school nurse is no longer able to call the local health department or pediatric provider in order to update immunization information on a student without explicit written permission from the parent. Getting written authorization from parents may seem like a trivial step; but in many communities it can present a significant barrier to a school nurse who is already overwhelmed with work and may be responsible for the immunization records of over 1,500 students.

Because immunizations are considered a public health exception within HIPAA, the regulations allow the sharing of information between HIPAA covered entities without explicit authorization. It seems unreasonable to require school nurses to get written parental authorization that is not required of other health professionals when we rely so heavily on school nurses to enforce immunization requirements.

2. The exchange of information related to the treatment of a student with special health care needs. - As schools are not generally considered covered entities under HIPAA, the exchange of information with a child's provider for purposes of treatment is thought to require written parental authorization. Since the implementation of IDEA, students with special healthcare needs have started going to school in unprecedented numbers. As a result many school nurses provide daily care for children with complex medical conditions. Children attend school who need ventilatory support, ostomy care, tube feeding, peritoneal dialysis and a host of other medical procedures and equipment. It is vital that the school nurse be able to quickly contact a student's physician if something should go wrong during the school day. The current regulatory confusion has resulted in children not getting the healthcare they need while at school in an acceptable timeframe. It is difficult enough for a school nurse to get a busy medical provider on the phone to answer questions concerning a patient's care. When the conversation about healthcare is delayed because of concerns about whether the parent has granted permission to share necessary health information, the child is the person who suffers because of the delay.

3. Students discharged from psychiatric hospitalization, residential treatment -Getting records after a student has been discharged from a mental health facility has been a long-standing problem for schools. Under the current regulatory environment the school must depend entirely on the parent to provide a discharge summary. Parents frequently don't remember to give the school nurse a copy of the discharge summary. This can cause disruption in the continuity of care especially with respect to medication. When the school nurse is included in discharge planning and receives a discharge summary, the student is much more likely to have consistent follow-up and medication.

4. Schools bill Medicaid for services provided to students written into their Individual Educational Plan (IEP)- Schools provide services that are billed to Medicaid. The government needs to make it clear what a school's responsibilities are under HIPAA. It may be reasonable to explore allowing schools to qualify as HIPAA covered entities.

5. Schools are part of the healthcare safety net and should be encouraged to collaborate with managed care organizations, community providers and others. - The current regulatory environment results in barriers between schools and other HIPAA covered entities. As a consequence, there is less collaboration and consequently worse healthcare for students. Because schools are the place where children are during the day schools need to be included to a greater degree in the community network of healthcare.

6. Schools do not adequately protect private health information - Under FERPA, schools are not required to protect private health information separately from the student's academic record. As a result, it is not uncommon for a school to include health information in the student's cumulative file. Although FERPA regulates access to the cumulative file, it is done with an eye towards who should appropriately have access to the academic record. A student's health information may be released to an individual who only desires their academic record. This compromises a student's health privacy but does not violate the FERPA regulation.

7. Lack of clarity about the intersection of HIPAA and FERPA - it is clear from my experience and the messages I received from many providers and school nurses, that confusion is widespread about what is and is not allowable under the current HIPAA and FERPA regulations. Many states have developed ad hoc solutions to the current situation that results in a further lack of clarity and consistency. It is fair to say that a solution that might be acceptable in Massachusetts is not feasible in New Mexico.

The American Academy of Pediatrics proposes the following recommendations for your consideration:

The personally identifiable health information of students in schools should be protected in the same manner as such information elsewhere: Many schools are involved in providing healthcare on a day-to-day basis; however their management of health records is a significant problem. Confidential student health information can be found in various locations throughout the schools (e.g., academic files, teachers records, etc.). This information may be kept or accessed by a range of individuals with little or no training related to confidentiality requirements. A consistent, fair and reasonable system must be designed to protect a student's health information in health care and educational settings.

School health providers and community health providers should be able to communicate directly concerning treatment issues, including immunization records. There is a lack of clarity concerning the intersection of FERPA and HIPAA that results in barriers to effective communication for the treatment of students in the school setting. The current environment is one of confusion that results in school health providers, who are often the people immediately responsible for a child's welfare during the day, unable to communicate with community healthcare providers.

More stringent health privacy standards need to be put in place within the school setting in order to provide adequate privacy to a student's health information. Schools are not uniformly careful with a student's personally identifiable health information. Simply liberalizing the HIPAA privacy rule to allow school nurses to be included for purposes of receiving/sharing health treatment information is not an adequate resolution to ensuring that health information remains private.

I appreciate the opportunity to share these observations with the subcommittee. I would be happy to respond to any questions members of the subcommittee may have.