School STI Services Raise Complications of HIPAA Confidentiality

Increasing rates of sexually transmitted infections (STIs) have health officials warning of a public health crisis in the United States.

There is evidence that some pediatricians are reserved in talking to at-risk teenagers about STIs and testing. Additionally, when adolescents are diagnosed with STIs in the emergency room, research has found that more than 40% do not fill their antibiotic prescriptions.

Statistics like these support the notion that high schools are a critical site for STI treatment and prevention.

Given teenagers visit this setting daily, interventions targeted to improve STI control might be easier to implement in high schools than almost anywhere else. But, there are risks to privacy hiding in the differences between laws which govern schools and health departments.

A new commentary in Pediatrics by experts from the Boston University School of Public Health highlights the gaps in student privacy which can be created during communications between health departments and schools. The commentary uses STI programs as an example of how these privacy gaps might be particularly impactful.

Complexity arises because clinicians are governed by the Health Insurance Portability and Accountability Act (HIPAA), but school nurses are covered by the Family Educational Rights and Privacy Act (FERPA).

“The majority of school nurses report working with their local health department, but are unsure about what procedures to follow for documenting and communicating health information, and existing federal guidance does not speak adequately to the complications arising from cross-sector collaboration,” authors of the commentary write.

FERPA applies to any educational institution eligible to receive funding from the US Department of Education. The institutions are required to allow parents or students older than 18 years access to the student’s health records.

When a school employs outside agencies to administer health services, those services are included in students’ educational records under FERPA, but when a clinic not employed by the school happens to provide a service on school grounds, FERPA tends not to apply.

Under HIPAA, parents may also obtain medical records pertaining to children under the age of 18 as their personal representatives. However, there are circumstances where the minor is the individual who consents to care. Therefore, in some cases, adolescents who are told a program is confidential may have the reasonable expectation that information will not be shared with parents.

As an example of a complication that might arise in collaboration between FERPA and HIPAA governed institutions the authors pose this question: what if a school nurse refers a student to a confidential STI program for testing and makes a note about this referral in the student’s school medical record?

Legally, the school nurse has not breached the student’s privacy.

However, all 50 states give minors the right to consent to their own STI services. Conversely, only 18 states give clinicians the discretion to pass on information to parents about these services, while the remainder of states have legislation in place protecting the confidentiality of adolescent sexual health services or do not address the matter.

The authors point out that while local law may shape the degree of flexibility, school nurses are considered the key gatekeeper of student health information under FERPA. Federal law therefore allows some discretion on what information is added to an educational record.

“Documenting referrals may follow institutional policy but students may view this as a violation of trust, negatively impacting student use of the STI related services being provided,” the commentary authors explain.

The commentary sheds light on the fact that there are many scenarios in which participation in HIPAA governed programs might be discussed in educational settings, such as team meetings discussing at-risk students’ academic progress. Nurses discussing an STI test in this setting may be providing useful context on a student’s risks as well as positive health care seeking behaviors.

However, a student may not expect that participation in a HIPAA governed STI service might be brought up in an educational setting and possibly be entered into educational records. Agencies which operate under HIPAA internally may themselves be unaware of how contact with a school setting may lead to information being shared with teachers or parents.

Trusting relationships with students are essential to adolescent health care, and not just in the STI setting. Complications like those explored in the commentary may also apply in sensitive cases such as mental health or drug related services.

The commentary authors suggest that school sexual health programs, and programs pertaining to other sensitive areas, carefully map out workflows in order to predict potential information-sharing conflicts. Whatever decisions are made about such information sharing, it should be clearly communicated in plain language to students what exactly is and isn’t confidential.