New Guidance Published by HHS and DoE for HIPAA/FERPA Interaction for Ohio DD Boards

The HIPAA Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes,
when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or
lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a
person(s) reasonably able to prevent or lessen the threat. This may include, depending on the
circumstances, disclosure to law enforcement, family members, the target of the threat, or others
whom the covered entity has a good faith belief can mitigate the threat. The disclosure also must
be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i).
For example, consistent with other laws and ethical standards, a mental health provider whose
teenage patient has made a credible threat to inflict serious and imminent bodily harm on one or
more fellow students may alert law enforcement, a parent or other family member, school
administrators or campus police, or others the provider believes may be able to prevent or lessen
the chance of harm. In such cases, the covered entity is presumed to have acted in good faith where
its belief is based upon the covered entity’s actual knowledge (i.e., based on the covered entity’s
own interaction with the patient) or in reliance on a credible representation by a person with
apparent knowledge or authority (i.e., based on a credible report from a family member or other
person). See 45 CFR § 164.512(j)(4).

For threats or concerns that do not rise to the level of “serious and imminent,” other HIPAA
Privacy Rule provisions may apply to permit the disclosure of PHI. For example, covered entities
generally may disclose PHI about a minor child to the minor’s personal representative (e.g., a
parent or legal guardian), consistent with State or other laws. See 45 CFR § 164.502(b).

FERPA provides that PII from a student’s education records, including student health records,
may be disclosed by educational agencies and institutions to appropriate parties in connection
with a health or safety emergency, without the consent of the parent or eligible student, if
knowledge of the information is necessary to protect the health or safety of the student or other
individuals. 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36.

For example, if an eligible student storms out of a teacher’s office stating that, “I know where
my parents keep their guns, and someone is going to pay” and the teacher believes that the
student is on his way home to and may try to use the weapons, FERPA’s health or safety
exception would permit the teacher to contact the parents, police, or others in a position to help,
to warn them that the student is on the way home and threatened to use a weapon against others.

Educational agencies and institutions are responsible for making the determination as to whether
a health or safety emergency exists. See 34 CFR § 99.36(c). Pursuant to § 99.36(c) of the FERPA
regulations, in determining whether it may rely on FERPA’s health or safety emergency
exception:

an educational agency or institution may take into account the totality of the
circumstances pertaining to a threat to the health or safety of a student of other
individuals. If the educational agency or institution determines that there is an
articulable and significant threat to the health or safety of the student or other
individuals, it may disclose information from education records to any person
whose knowledge of the information is necessary to protect the health or safety of
the student or other individuals. If, based on the information available at the time
of the determination, there is a rational basis for the determination, the [U.S.
Department of Education] will not substitute its judgment for that of the
educational agency or institution in evaluating the circumstances and making its
determination.

(Emphasis added.) See also 73 Fed. Reg. 74,806, 74,837 (Dec. 9, 2008) (explaining that the U.S.
Department of Education amended FERPA’s health or safety emergency exception to add
subsection (c) in order to “provide[ ] greater flexibility and deference to school administrators so
they can bring appropriate resources to bear on a circumstance that threatens the health or safety
of individuals.”).

The U.S. Department of Education discussed the health or safety emergency exception to
FERPA’s general consent requirement in some detail in the preamble to the 2008 Federal
Register notice implementing changes to the FERPA regulations, 73 Fed. Reg. 74,806, 74,836­
74,839 (Dec. 9, 2008), and in guidance entitled “Addressing Emergencies on Campus,” issued in
June 2011. In the preamble, the U.S. Department of Education explained that:

the phrase “articulable and significant threat” means that if a school official can
explain why, based on all the information then available, the official reasonably
believes that a student poses a significant threat, such as a threat of substantial
bodily harm, to any person, including the student, the school official may disclose
education records to any person whose knowledge of information from those
records will assist in protecting a person from that threat.

73 Fed. Reg. at 74,838. The U.S. Department of Education also stated that:

to be “in connection with an emergency” means to be related to the threat of an
actual, impending, or imminent emergency, such as a terrorist attack, a natural
disaster, a campus shooting, or the outbreak of an epidemic. An emergency could
also be a situation in which a student gives sufficient, cumulative warning signs
that lead an educational agency or institution to believe the student may harm
himself or others at any moment. It does not mean the threat of a possible or
eventual emergency for which the likelihood of occurrence is unknown, such as
would be addressed in emergency preparedness activities.

Further, in the June 2011 guidance, the U.S. Department of Education explained the following:

In some situations, a school official may determine that it is necessary to disclose
[PII] from a student’s education records to appropriate parties in order to address
a health or safety emergency . . . This exception to FERPA’s general consent
requirement is limited to the period of the emergency and generally does not
allow for a blanket release of [PII] from a student’s education records. Typically,
law enforcement officials, public health officials, trained medical personnel, and
parents (including parents of an eligible student) are the types of appropriate
parties to whom information may be disclosed under this FERPA exception.
Disclosures for health or safety emergency reasons do not include disclosures to
address emergencies for which the likelihood of occurrence is unknown, such as
would be the case in emergency preparedness activities.

U.S. Department of Education, Addressing Emergencies on Campus, p. 3 (June 2011), available
at https://studentprivacy.ed.gov/resources/addressing-emergencies-campus.
Finally, where an educational agency or institution non-consensually discloses PII from a
student’s education records pursuant to FERPA’s health or safety emergency exception, within a
reasonable period of time after the disclosure, the educational agency or institution must record
in the student’s education records the articulable and significant threat to the health or safety of
the student or other individual(s) that formed the basis for the disclosure, and the parties to
whom the information was disclosed. 34 CFR § 99.32(a)(5).

The HIPAA Privacy Rule permits a health care provider to disclose information to the family
members of an adult patient who has decision-making capacity, and indicates that he or she does
not want the disclosure made, only to the extent that the provider perceives a serious and
imminent threat to the health or safety of the patient or others and the family members are in a
position to lessen the threat. See 45 CFR § 164.512(j). Otherwise, under HIPAA, the provider
must respect the wishes of the adult patient who objects to the disclosure.

HIPAA in no way prevents health care providers from listening to family members or other
caregivers who may have concerns about the health and well-being of the patient. A provider can
factor that information into the patient’s care, and should the patient later request access to the
health record, any such information disclosed under a promise of confidentiality (such as that
shared by a concerned family member with the provider), may be withheld from the patient if the
disclosure would be reasonably likely to reveal the source of the information. See 45 CFR §
164.524(a)(2)(v). This exception to the patient’s right to access their PHI allows loved ones to
disclose relevant health or safety information with providers without fear of disrupting their
relationship with the patient.

Consistent with common law principles, the U.S. Department of Education interprets the FERPA
rights of eligible students to lapse or expire upon the death of the eligible student. Therefore,
FERPA would not protect the education records of a deceased eligible student, and an
educational agency or institution may disclose such records at its discretion or consistent with
State law. However, at the elementary and secondary level, FERPA rights do not lapse or expire
upon the death of a non-eligible student because FERPA provides specifically that the rights it
affords rest with the parents of students until that student reaches 18 years of age or attends a
postsecondary institution. Once the parents are deceased, the records are no longer protected by
FERPA.

Yes- FERPA permits schools to disclose PII from education records to the parent of a student who is not an eligible student. See 34 CFR § 99.31(a)(12). Further, under FERPA, a school must generally provide a parent of a student who is not an eligible student with an opportunity to
inspect and review his or her child’s education records within 45 days of the receipt of a request.
20 U.S.C. § 1232g(a)(1)(A); 34 CFR § 99.10(b). While required to provide a parent of a student
who is not an eligible student with access to their child’s education records, a school is not
generally required by FERPA to provide copies of education records. See 20 U.S.C. §
1232g(a)(1)(A); 34 CFR § 99.10. One of the exceptions in which a school may be required to
provide a copy of the education records requested is in the context of a request for access to
education records from a parent or student who is not an eligible student where the
circumstances would effectively prevent the parent from exercising his or her right to inspect and
review education records; in this context, the school would be required to either provide the
parent with a copy of the education records requested or make other arrangements that would
allow for the parent to inspect and view the requested records. 34 CFR § 99.10 (d). An example
of circumstances effectively preventing a parent from inspecting or reviewing education records
is where the parent does not live within commuting distance of the school.

Yes. Protection and Advocacy (P&A) systems are designated by the governor of each State and
territory to protect and advocate for the rights of individuals with disabilities, including by
investigating incidents of abuse or neglect. Each P&A system administers multiple P&A
programs authorized by Congress through legislation such as the Developmental Disabilities
Assistance and Bill of Rights Act (DD Act) (for individuals with developmental disabilities), the Protection and Advocacy for Individuals with Mental Illness Act (PAIMI Act) (for individuals with mental illness), and section 509 of the Rehabilitation Act of 1973 (Rehabilitation Act) (for
certain individuals with disabilities who, for example, are not eligible for P&A services under the
DD Act or PAIMI Act). These statutes and their implementing regulations require that access to
records be provided to P&A systems under certain circumstances. See DD Act at 42 U.S.C. §
15043(a)(2)(I) and (J), 45 CFR § 1386.22; PAIMI Act at 42 U.S.C. § 10805(a)(4), 42 CFR §
51.41; and the Rehabilitation Act at 29 U.S.C. § 794e(f)(2), 34 CFR § 381.10(a)(2).

The Privacy Rule permits a covered entity to disclose PHI without an individual’s authorization
to a P&A system to the extent that such disclosure is required by law and the disclosure complies
with the requirements of that law. See 45 CFR § 164.512(a). Thus, a covered entity may disclose
PHI to the P&A system, as required by the DD Act, PAIMI Act, or section 509 of the
Rehabilitation Act, as well as any other Federal statute authorizing a P&A program, when the
P&A system requests access to such records in carrying out its protection and advocacy
functions under these Acts. Similarly, covered entities may disclose PHI to the P&A system
where another Federal, State, or other law mandates such disclosures, consistent with the
requirements in such law.

Where disclosures are required by law, the Privacy Rule’s minimum necessary standard does not
apply; instead, the law requiring the disclosure will establish the limits on what should be
disclosed. Moreover, with respect to disclosures required by law, a covered entity cannot use the
Privacy Rule as a reason not to comply with its other legal obligations. 

Yes, in certain circumstances. For instance, an educational agency or institution may disclose PII
from a student’s education records to a P&A system, where a parent of a student under 18 and
not in attendance at an institution of postsecondary education, or an eligible student, provides
prior written consent to disclose such PII to the P&A system. Additionally, as we previously
stated in an amici curiae brief jointly filed by the U.S. Departments of Education and Health and
Human Services before the U.S. Court of Appeals for the Second Circuit, there are also
circumstances in which an educational agency or institution may disclose such PII to the P&A
system without obtaining such prior written consent, such as in connection with an emergency
under FERPA’s health or safety exception (set forth in 20 U.S.C. § 1232g(b)(1)(I) and 34 CFR
§§ 99.31(a)(10) and 99.36), if the P&A system’s knowledge of the PII is necessary to protect the
health or safety of the student or other individuals.2 We noted that “the facts supporting a
P&A’s determination that a mentally ill student’s health or safety is in serious jeopardy, see 42
U.S.C. § 10805(a)(4)(C), for example, might also support a school’s determination that an
‘emergency’ existed in which disclosure of [PII from education records] was ‘necessary to
protect the health or safety of the student or other persons.’ 20 U.S.C. § 1232g(b)(1)(I).” Id. at
15-16. However, we also recognized that a P&A system’s request for name and contact
information might not always satisfy a FERPA exception to the general requirement of consent
and that, in those instances where the DD Act, the PAIMI Act, or section 509 of the Rehabilitation Act conflict with FERPA, “FERPA does not bar a P&A from obtaining access to the name of and contact information for a parent, guardian, or other legal representative of a minor student with a disability or mental illness where the P&A’s probable cause determination
satisfies the requirements for access to records under the PAIMI Act and the DD Act.” Id. at 15­
16. We concluded that where the statutes are in conflict, “the specific access provisions of the
PAIMI Act and the DD Act (and [section 509 of the Rehabilitation Act] by incorporation) are
properly understood as a limited override of FERPA’s generally applicable non-disclosure
requirements.” Id. at 15. We viewed a P&A system’s access to such PII from education records
as generally being consistent with Congress’ intent relating to student privacy in part because a
P&A system “is required to maintain the confidentiality of any student records it receives, see 42
U.S.C. § 10806(a) …,” such that we saw little risk of the public disclosure of the information
that FERPA is intended to prevent. Id. at 19-20. 

Most likely no. Although HIPAA allows limited disclosures to the National Instant Criminal
Background Check System (NICS) by a designated set of covered entities, this permission most
likely would not apply to covered entities that operate in the school context.

NICS is maintained by the Federal Bureau of Investigation (FBI) to conduct background checks
on persons who may be disqualified from possessing or receiving firearms based on State law or
Federal prohibited categories, including those who have been “involuntarily committed to a
mental institution” or “adjudicated as a mental defective” (e.g., found incompetent to stand trial).
See 27 CFR § 478.11.

HIPAA’s permission to disclose to NICS applies only to covered entities that are: (1) An entity
designated by a State to report, or which collects information for purposes of reporting, on behalf
of a State, to the NICS; or (2) A court, board, commission, or other lawful authority that makes a
commitment or adjudication that causes an individual to become subject to disqualification as
described above. For these covered entities, the Privacy Rule allows disclosure of only the
limited demographic and certain other information needed for purposes of reporting to NICS and
expressly prohibits the disclosure of diagnostic or clinical information for such purposes. See 45
CFR § 164.512(k)(7).

It is unlikely that a school health provider is a HIPAA covered entity designated by a State to
report to NICS or given the authority to order a student’s involuntary commitment, but if it is,
such a provider could make limited disclosures concerning a student to NICS.

More information can be found online at OCR’s NICS page.

FERPA permits records of a law enforcement unit of an educational agency or institution,
subject to the provisions of 34 CFR § 99.8, to be reported to NICS without obtaining the prior
written consent of parents or eligible students because such records are not covered as “education
records” under FERPA. Among the exclusions from the definition of “education records” – and thus from the privacy protections of FERPA – are records of a law enforcement unit of an educational agency or institution. 20 U.S.C. 1232g(a)(4)(B)(ii); 34 CFR § 99.3 (definition of “education records,” subsection (b)(2)). These records must be: (1) created by a law
enforcement unit; (2) created for a law enforcement purpose; and (3) maintained by the law
enforcement unit. 20 U.S.C. 1232g(a)(4)(B)(ii); 34 CFR § 99.8(b)(1). Law enforcement unit
records do not include the following: (1) records created by a law enforcement unit for a law
enforcement purpose that are maintained by a component of the educational agency or institution
other than the law enforcement unit; or (2) records created and maintained by a law enforcement
unit exclusively for a non-law enforcement purpose, such as a disciplinary action or proceeding
conducted by the educational agency or institution. 34 CFR § 99.8(b)(2). Under FERPA, “law
enforcement unit” means any individual, office, department, division, or other component of an
educational agency or institution, such as a unit of commissioned police officers or
noncommissioned security guards, that is officially authorized or designated by that agency or
institution to (1) enforce any local, State, or Federal law, or refer to appropriate authorities a
matter for enforcement of any local, State, or Federal law against any individual or organization
other than the agency or institution itself; or (2) maintain the physical security and safety of the
agency or institution. 34 CFR § 99.8(a)(1). Therefore, subject to State or local law, educational
agencies and institutions may disclose records of a law enforcement unit, as set forth in 34 CFR
§ 99.8, to anyone, including NICS, without consent from parents or eligible students.