On HIPAA, HERPA and Sharing Health Data During a Pandemic
In working on this project, we at The COVID Monitor have reached out to a number of states and schools to ensure we’re reporting the most accurate data possible.
While we’ve received mostly positive feedback, some areas are using privacy laws to exempt themselves from reporting COVID-19 data in schools.
One Public Information Officer from the Idaho department of health sent us this message when we asked about what data the state is collecting about COVID-19 cases in schools and how the public can access it:
“The release of COVID school-related information by CDH would be in violation of HIPAA. … Additionally, Boise School District, one of the two largest in our district, has started reporting cases within its school district (link below). I’ve not yet heard whether any of the other school districts in our jurisdiction are planning a similar approach.”
So Idaho says it’s a violation to release the data, and then refers us to a school district that is releasing the data.
Florida made a similar claim after they initially released data on cases in schools by district, then later deleted it, saying they “accidentally” published the reports (three days in a row) and were reviewing how best to report cases in schools. Days later said they would not release any data at all, citing “privacy” concerns.
While Florida schools were mandated to open no later than August 31 via executive order (which was overturned in court but is under appeal by the state), most states are not fully reopening in-person schools until later in the year, so they may not have reporting sites ready yet. Even so, we’ve received the stock response of “HIPAA” or “FERPA” concerns from about a dozen of those states.
In this post, we’re going to go over why those laws don’t apply in reporting Coronavirus cases in schools.
First, let’s define some terms.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
PHI and PII: Personal Health Information (PHI) and Personally Identifiable Information (PII) refer to an individual’s health records that, if published, could lead to the identification of an individual tied to a specific disease, illness, or other health condition.
FERPA: The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records.
1. HIPAA can (and has been) waived during a public health emergency.
States like Florida waived HIPAA compliance in the early days of the Coronavirus pandemic, as is the Governor’s right, according to Florida Department of Health Chief of Staff Courtney Coppola.
Florida publishes data that could easily lead to the identification of individuals, including the age, gender, county of residence, any countries a person has travelled to, hospitalization and ER data, symptom onset date and case date of every single person who tests positive for COVID-19.
For example, how many 53-year-old men in Gadsden County (an extremely rural county) traveled to Japan the week of February 1? We would assume people talk to other people in their neighborhood at least occasionally, and a trip to Japan would have been noted by someone.
Or how many 71-year-old men in Santa Rosa (another fairly rural county) traveled to Egypt, Israel and Jordan in early March? This particular person was reported to have visited the ER, admitted as an in-patient to a hospital, and died. It was extremely easy for me to find his name.
I objected to the publication of this level of granularity on a case-line basis in March, but was shot down and told to publish it, anyways.
Florida publishes the same data for minors that it does for adults. Age, gender, case date, onset date, travel, contact, etc. To say a count of cases by school districts (which are the same as counties) would be a privacy violation is nonsense: they already publish individual data far more detailed than that. They just don’t want you to know how many cases have been definitively tied to schools.
You can find the number of 5-year-olds, 6-year-olds, 7-year-olds and so on who tested positive each day in each county -- but specifically connecting those cases to schools is where some states are erroneously drawing an imaginary line.
2. Schools are not one of the four covered entities within HIPAA.
Even if a state could argue that it would be a privacy violation, they couldn’t use HIPAA as the basis for that argument.
Only four entities are covered under HIPAA, according to the CDC:
Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multiemployer health plans.
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
Those who try to argue schools are covered under “business associates” fail to recognize this very important clause: “...using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.”
A person cannot be identified from listing the number of cases in a school district.
On another note, since FERPA has been brought up here and there, we’d like to go ahead and rule that out because it pertains to education records, the right of parents to access those records, and the privacy of students on an individual basis. Even on an individual basis, any of the agencies listed here can release as much information as they want, including individual student’s names.
3. Information about the number of cases per school cannot reasonably lead to the identification of individuals.
The information released by schools would have to be able to lead to the identification of the person whom the health information is about to be violation of HIPAA or FERPA. A count of cases by school or county can not reasonably lead to the identification of individuals, and is not classified as either PHI or PII.
Further, schools are (in most states) required to send letters home to parents who have a student enrolled in a classroom where someone was positive. This letter, which the parents can share with whomever they like, constitutes a far greater risk of identifying persons than a count across the entire school or district would ever present.
A count of cases by school, or even by grade, does not identify or provide information that could allow one to identify any single person in the school.
4. COVID-19 has been classified as a “mandatory reporting” disease.
Mandatory reporting means the school is obligated under the law to report certain diseases and conditions to the state health department, who then in turn must publish data regarding incidents to the public.
HIPAA allows confidential reporting to public health agencies for protection of public health.
Cases of infectious disease that can be spread in a school setting are considered a ‘health
emergency’ and may be reported to public health agencies under FERPA (which we mentioned earlier).
Here’s a brief list of data Florida already publishes about students and schools:
Vaccination rates by school for each type of vaccination
Number of homeless children in each school
Number/percent of children qualifying for free/reduced lunch
Tuberculosis cases in schools
HIV/AIDS and other sexually transmitted diseases
Methicillin-resistant Staphylococcus aureus (MRSA)
You can learn more about mandatory reporting and what it means for schools here.
Read the CDC’s list of considerations for reopening schools here.