Saturday, February 4, 2023

Read the Fine Print: Where FERPA and HIPAA leave your medical records at risk


Share post:

If you are a student and seek counseling or health services through your university, your medical records may not be protected by typical medical-privacy laws.

Students enrolled in post-secondary educational institutions should make sure they understand the basics of the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act, as the education and medical laws can overlap in a confusing manner, making it unclear what is really private and what is not.

Discovering the Legal Loophole

In January of this year, a student sued the University of Oregon for mishandling her sexual-assault case where, through the campus’ judicial process, three male students were found responsible for gang raping her.

In response to the litigation, the Oregon administration accessed the student’s therapy records from the university counseling center and turned them over to its general counsel’s office to use as part of their defense against her lawsuit. The university’s actions came to light in a recent op-ed piece by Katie Rose Guest Pryal in the Chronicle of Higher Education. Pryal is a former law professor at the University of North Carolina, Chapel Hill.

As the piece points out, the university was going to use the student’s own post-rape therapy records against her.

Typically, medical privacy can be breached in a lawsuit setting only when a patient sues a health-care provider for malpractice. This makes sense because in those instances the medical records become evidence that would determine whether the provider had actually breached medical standards of care. This scenario could then go to trial and the doctor in question could use a medical license defense attorney to fight their case but ultimately, a final decision as to whether there was malpractice will be made.

However, in this case, the student had not actually asserted any claim of malpractice against the University of Oregon. A senior staff therapist in the counseling unit wrote a public letter detailing the administration’s actions and appeared appalled that work she believed was protected by medical privacy laws was being violated in such a way.

So why was the university able to access a student’s medical records if they were protected by the HIPAA Privacy Rule?

Ironically enough, Oregon was entitled under the Family Educational Rights and Privacy Act to access and use her records against her in the lawsuit. The university was allowed to access the therapy records of a rape victim in order to defend itself in a lawsuit that did not have anything to do with therapy malpractice.

Even though Oregon dropped its counterclaim against the student last week, the litigation brought some unsettling legal loopholes to light, loopholes that need to be closed.

Where FERPA and HIPAA Intersect

Most students know the Family Educational Rights and Privacy Act as it pertains to their academic records at a post-secondary institution, if they are familiar with it at all. FERPA considers any student 18 years of age or older who attends a post-secondary institution, whether it be a college or university, to be an “eligible student.”

Essentially what FERPA does is take all rights given to parents or legal guardians and transfers them to the eligible student. The student then has the right to access his or her records, to have control over personally identifiable information from the records and file a complaint with the department, should it ever be necessary.

What people may not know is that FERPA applies to student records at the campus health clinics, too. In terms of privacy, college medical records do not count as “real” medical records. The FERPA FAQ page states that these records “will either be education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule.”

The Health Insurance Portability and Accountability Act was enacted by Congress in 1996 to improve the healthcare system’s efficiency by establishing “national standards and requirements for electronic healthcare transactions” and to protect the security of “individually identifiable health information.” Collectively, these are known as HIPAA’s Administrative Simplification provisions.

The HIPAA Privacy Rule requires covered entities to implement various safeguards to protect patient privacy and set limits and conditions on uses and disclosures that “may be made of such information without patient authorization.” Covered entities include health plans, health care clearinghouses and health care providers who transfer health information in an electronic form, according to the U.S. Department of Health and Human Services.

University health and counseling clinics would normally be considered covered entities according to HIPAA and therefore the HIPAA Privacy Act would protect student medical records. The problem is, while FERPA does differentiate between “treatment records” and “education records,” the same disclosure rules apply to both: “A school may disclose an eligible student’s treatment records for purposes other than the student’s treatment provided that the records are disclosed under one of FERPA’s exemptions to written consent.”

One such exemption is when a student sues the institution.

How to Protect Yourself

Whether or not anyone realized it at the time, the University of Oregon’s actions were, in fact, legal, because of the FERPA exemption. An education-law loophole allowed the administration to access medical records.

Institutions across the nation have been feeling increasing pressure to improve both their prevention and response to sexual assault. Some universities created counseling clinics for victims of assault or improved upon existing ones. Programs were fashioned or rebranded and students are encouraged to seek guidance and help through the university. But what if going through the school isn’t the safest option?

Arguably the best way for students to protect their privacy is to seek counseling outside of their post-secondary institution. They simply will not have adequate privacy protection through the school. The problem is, there’s no guarantee that students can find off-site centers that provide free services or even services at a relatively affordable cost. Additionally, most student health plans won’t pay for students who seek counselors who are not a part of the institution’s counseling center.

For these students, this means choosing between therapy they need but cannot afford at a place where they feel safe, or free on-site therapy provided by an institution they are not certain they can trust. True, the University of Oregon could be an isolated incident, and I hope this is the case, but that doesn’t change the discrepancies and holes in these policies.

What good are education laws that require frequently-asked-question sheets to clear the confusion that surrounds them?

Of what use are these privacy laws if they cannot fully protect us?


For more opinion editorial pieces, follow us at, on Facebook at MTSU Sidelines and on Twitter at @MTSUSidelines

To contact Editor-in-Chief Meagan White, email or follow her on Twitter at @meaganwhite328

Related articles

“Knock at the Cabin”: A Movie Review and Analysis

“Your family must choose to willingly sacrifice one of your three in order to prevent the apocalypse…If you...

“That ‘90s Show” is All That and A Bag of Chips

"That '90s Show" is pulling in young audiences with the new charisma, old nostalgic faces and the same...

The Gaming World and The World of Warcraft

When someone asks me, "What video games do you like to play?" my mind starts to race. I see a...

Depolarizing America: Take a walk in someone’s ideological shoes

I’m a member of Gen Z. The generation of TikTok, Snapchat, Instagram, technology and all the other things...