Testimony of
Nadine C. Schwab, BSN, MPH, PNP
on

HIPAA IMPLEMENTATION
AND SCHOOLS

Panel II

Representing the American School Health Association

National Committee on Vital Health Statistics (NCVHS)
Subcommittee on Privacy and Confidentiality

February 19, 2004

Room 705A of the Humphrey Building
200 Independence Avenue, SE ,
Washington , DC

Good morning, Mr. Chairman and members of the Subcommittee.  My name is Nadine Schwab. I am representing the American School Health Association (ASHA), a national interdisciplinary school health organization, as an expert in school health issues (pre-K-12) related to privacy, confidentiality and student health records (that is, an expert in practice complexity and confusion, not HIPAA or FERPA per se).  Thank you for the opportunity to testify on the impact of the HIPAA Privacy Rule on schools, in particular its impact on school attendance, student safety and learning, and parent-school-physician communication.  In preparation for this Hearing, I solicited and received within the past two weeks current information from ASHA leaders, as well as state-level nurse consultants representing state departments of public health and education, and school nursing leaders across the nation. The issues I will address are those with significant negative impact on student learning and health, and on the resources of families and public schools.  We believe these negative outcomes are due primarily to misinterpretation of the regulations and inadequate guidance, not to the regulations themselves. 

Before addressing those concerns, it should be noted that HIPAA has had a positive impact on school-based practices related to records and confidentiality, albeit it small and mostly indirect (mostly through the questions, diverse opinions and conversations it has generated).  Many school health leaders welcomed the HIPAA privacy standards and, indeed, had hoped that they would apply to health records of children and youth in schools in order to ensure consistent minimum standards and practices across settings and to clarify conflicts among laws (as alluded to by Attorney Hutton).  FERPA was enacted before children with significant physical, developmental, behavioral and mental health conditions attended school and before schools became providers of a wide variety of health and mental health services in order to support student learning.  Even today, FERPA does not address student health records (including third party medical or psychiatric records) as a subset of education records, nor does it provide sufficient direction for appropriate protection, disclosure, and use of these health records within primary and secondary schools. 

Now I return to the impact of the HIPAA Privacy Rule on schools, students, and families.  First and foremost, students are still being denied attendance in school, and parents are losing time from the workplace, because physician offices and clinics refuse to share immunization and mandated physical assessment information with school nurses or other school officials.  Despite the fact that these health requirements (immunizations and periodic physical assessments and screenings) are driven by public health policy and constitute the only real barriers to school attendance for most children, state public health officials have generally not interpreted such information to fall under the public health exceptions to the authorization requirements of the Privacy Rule.  Furthermore, they have not included school nurses or school physicians as extensions of the state and local public health system, despite the fact that these school health officials have traditionally have been considered public health professionals, are generally the school officials responsible for school district compliance with public health mandates, and are expected to report to public health authorities communicable disease data (usually de-identified) and related problems in their school communities, as required by state law.  Where school nurses and physicians are not considered an extension of the public health system, and where states have not enacted a law to circumvent these problems or issued specific guidance to the contrary (still the majority of states), HIPAA authorization is required for physicians and clinics to share the mandated immunization and physical exam data with schools.  This negatively affects schools, students and families, as follows:

• Public schools are in a difficult position when they are both prohibited from denying children access to school and, at the same time, required to deny them access because they have not complied with these public health mandates.  Further, there is a significant drain on school district resources (financial, human, and educational) when students lose time and miss instruction in the classroom, and when school health personnel spend significant portions of their time in tracking public health mandates rather than providing student support services, especially when paperwork, not the student’s or public’s health, is at issue.  In many instances, it is the paperwork – the “right” form – and getting it to the school in a timely fashion that are the problems.  Many physician offices and clinics now refuse to fax the state-mandated immunization and physical assessment forms to schools, a past practice which allowed students same-day entry into school, and many will not accept parent-signed school authorization forms for the release of such information, even forms that meet the authorization requirements of HIPAA.  School personnel must then spend considerable time in communicating with parents and convincing them to retrieve the form from their physician and hand deliver it to school.
• Students, above all, are negatively impacted by these HIPAA-related communication problems when they are delayed in starting, or prohibited from continuing in, school.  It can be disastrous for our most vulnerable students, who can least afford time away from the classroom and learning.  These are often the same students whose families have the least resources available to learn about and comply with the requirements of these various laws and the paperwork that goes with them.  Students suffer the consequences.
• Families, too, are negatively impacted by the lack of clarity and misunderstandings related to permissible communications between schools and health care providers about health requirements for school attendance.  Many parents have been told that their oral (via telephone) or faxed authorization to allow the child’s health care provider to release their child’s immunization data to the school nurse is insufficient, and that they have to drive to the provider’s office, sign the provider’s form, and deliver the immunization record to the school themselves.  Some providers have refused to accept a faxed, authorization form for release of immunization data to school, even when the authorization was executed by the parent on the provider’s own form.  These reported incidents have happened all over the country, and are still happening.  For example, one state consultant reports: ”In remote parts of [the state] where physicians are scarce or non-existent, parents [have been required] to drive hundreds of miles to the doctor’s office to pick up (in person) their child’s immunization records.”  Others report different, but equal impediments to school-provider communications within suburban and inner city communities.  Some families do not have phones, drive cars, or understand English, and many single and working parents can ill afford absence from their jobs – especially to taxi HIPAA-compliant forms and immunization records around town – or country – because providers refuse to comply with their request to fax to their child’s school immunization or other health information mandated by law for school attendance.  Better they save absence days for times when their children are truly ill and need care at home.

 It is critical that we remove these artificial barriers to school attendance and necessary communications between schools and health care providers.  These barriers can be eliminated through guidance to state health departments and providers clarifying that:

1. School nurses and physicians should be recognized as public health professionals and extensions of their state’s public health system, regardless of whether they are employed by school districts, health departments or other health care agencies;
2. School nurses should be included among the health care providers who can access and contribute to state immunization registries (many school nurses actually immunize students in their districts);
3. Release to school nurses and physicians of records demonstrating compliance with state-mandated health requirements for school attendance (e.g., immunization, health assessment and screening data) is permitted under the public health policy exceptions to the Privacy Rule’s authorization requirements; and
4. Immunization data may be faxed from a HIPAA-covered entity to a school.

The second area in which HIPAA privacy regulations continue to have a serious negative impact on schools, students and families across the country relates to communications between health care providers (physicians, clinics) and school health professionals regarding the health care treatment of children in school with acute and chronic health and mental health conditions.  By school health professionals, I refer not just to school nurses and physicians, but also to physical and occupational therapists, speech-language pathologists, clinical psychologists, social workers and others.  There are large numbers of students today who need special health care services during the school day, from medication administration for asthma, anxiety, depression or anaphylaxis, to feedings by gastric tube, oxygen administration, IV therapy, respirator care, physical therapy, mental health counseling and specialized behavioral modification programs.  School health professionals, for example school nurses, cannot administer many of these treatments (e.g., medication, oxygen, specialized feeding) without a medical order from the health care prescriber.  In order to meet safety standards and licensure requirements in nursing practice – and to protect clients – nurses must be able to communicate about an order directly with the prescriber – to question the order, explain school setting issues that may affect the prescriber’s judgment about the order, report adverse and therapeutic effects, and so on.  It is under state licensure laws that these communications for treatment purposes were previously assumed permissible – and desirable.  Based on their interpretation of HIPAA, many physician offices and clinics now refuse to discuss with the school professional the medical order they are asking the same professional to administer.  Many school health leaders report that health care providers cannot disclose treatment information to school health professionals because schools are not covered by HIPAA.  This situation is extremely hazardous for schools, students and families, for the following reasons:

• Schools are negatively affected because their personnel are being asked to deliver services to students without adequate communication with the health care providers who are prescribing the treatment or care.  This interferes with the ability of school health professionals to meet minimum standards for the care and safety of their clients.  While schools can and do pursue authorization for such communications, sometimes there is a significant delay between the expected implementation date of an order and the date when an authorization form is executed and accepted by both the school and prescriber.  Sometimes, usually in contentious situations, parents refuse to sign for such communication, yet expect school health professionals to follow the medical orders of their child’s physician. 
• Students are placed in significant jeopardy when prescribers and health professionals in schools are not communicating and collaborating about health care treatments that are expected to be provided in school.  Delays in or lack of sufficient communication regarding health care treatment can result in delayed treatment, treatment errors and poor care, all of which are likely to negatively impact the student’s health status and learning in school.  Sometimes students may be kept out of school until authorization is completed for communications regarding treatment orders.
• Families are also impacted when their children are denied appropriate care because of inadequate communications between the child’s health care providers and school health providers and, once again, parents should not need to taxi HIPAA authorization forms from physician office to school before a treatment order can be implemented for their child.

To remedy this problem, guidance is desperately needed:

• to clarify whether health care providers who are covered entities can disclose protected health information for treatment purposes, using the minimum necessary standard, to school health professionals or other school officials in schools covered by FERPA, without authorization?;
• to clarify whether HIPAA covered entities can accept the written and signed request of a parent to disclose certain health records to their child’s school for educational planning purposes, if that request is on a school disclosure form, rather than the covered entity’s own form, even if it has all of the HIPAA-required elements of a valid authorization form; and
• to clarify whether HIPAA compliant entities can fax authorization forms and health information to schools and under what circumstances.

There are many other areas at the HIPAA-FERPA interface where health care providers, schools, and school health professionals need additional guidance.  For example, is it true that schools engaging in the electronic transmission of student health data for Medicaid billing purposes are required to meet requirements of the Security and Transaction Rules, but not the Privacy Rule?  While that is the response many of us heard at the OCR national conferences on the Privacy Rule last year (at least in terms of the Privacy and Transaction Rules), differing opinions on this issue remain rampant, and states are grappling with the answer, one by one.  If that statement is true, is the school district required to keep a duplicate set of records for Medicaid, HIPAA privacy or other reasons?  Other questions remain, but will hopefully be addressed in the testimony of other speakers.

Finally, I wish to offer one additional suggestion, which would require long term collaboration between the US Departments of Health and Human Services and Education .  In reality, school health records, including any third party medical or psychiatric records, should be afforded the protections due both education records and medical records.  Therefore, many of the implementation problems related to schools might best be resolved if FERPA could be updated to be more consistent with HIPAA and more directive in identifying minimum privacy standards for the use and protection of student health information, including oral communications, the minimum use standard, staff training and enforcement requirements, and related security.  Consistent standards across settings would enhance the privacy, confidentiality and security of student health records, improve school district practices, and promote trust, communication and collaboration between families, schools. and health care providers.

Thank you.