When Students Become Patients, Privacy Suffers

University students have less privacy for their campus health records than they would have if they sought care off campus. Schools say they are trying to seek the right balance between privacy and safety.

During her senior year at Yale University, Andrea faced spiraling depression and anxiety. She sought treatment at the campus health center, where she received medication and therapy.

By the final week of classes, though, her struggles had grown more intense. Andrea was drinking heavily and contemplating suicide. She was hospitalized against her will for a week.

Andrea, who asked that only her first name be used to protect her privacy, was 21 years old, just a few weeks shy of graduation. But when she was sent to the hospital, the university’s mental-health center decided to notify her parents—even though records show her health providers knew she had a broken relationship with them. Andrea said her parents didn’t even know she was receiving treatment.

When they got the news, her parents flew to New Haven. Andrea said she felt pressure from Yale’s counseling center to leave campus immediately and fly home with them.

Had Andrea not been a student, the clinicians treating her would have sought her permission before sharing information on her condition or medical care. Under the Health Insurance Portability and Accountability Act of 1996, the landmark federal law known as HIPAA, patients can limit who has access to such information.

Andrea’s records at Yale were subject not to HIPAA; they fell under the Family Educational Rights and Privacy Act, known as FERPA, the federal law that provides privacy protections for student records.

Under FERPA, the fact that Andrea was no longer a minor did not matter. FERPA allowed the university to share information with her parents. Both laws allow providers to share information in an emergency, but even then, HIPAA tells them to seek permission from patients first.

Yale Health’s website informs parents that they cannot access their child’s health information without a signed written consent form. Andrea said she does not recall signing that document. When she recently asked to see any such form, she said, she was told by the counseling center’s chief that there was none. “Most of what happened while I was in the hospital happened without my knowing it,” she said. “I got an update every day or two about where my life was going.”

Andrea’s case is a vivid demonstration of how weaknesses in state and federal laws—and the often-conflicting motives of students, parents, and college officials—have left patient privacy vulnerable when students receive medical treatment on campus.

Universities walk a fine line when providing that treatment or mental-health services to students. If campus officials don’t know what’s going on or disclose too little, they risk being blamed if a student harms himself, herself, or others. If they pry too deeply, they may be accused of invading privacy, thereby discouraging students from seeking treatment.

Even after mental-health treatment ends, privacy issues persist. Disputes have erupted over whether colleges can consult patient records to defend themselves, such as when they are accused of not properly investigating a sexual assault.

“There’s no doubt in my mind that the schools are trying to strike the right balance,” said Paul Lannon, a Boston lawyer who advises colleges on legal issues. “They care for the students. They want the students to do well. They want the students to be healthy.”

If Yale’s health center hadn’t shared information about her condition with her parents, Andrea said, she would have moved in with a friend or a friend’s family while seeking continued treatment.

Instead, once she returned home, her parents did not allow her to see a psychiatrist or therapist. Her mother refused to accept that Andrea was experiencing psychiatric problems, she said. Andrea wrote about her experiences on a blog about dealing with mental illness at Yale.

Andrea graduated on time, but she was allowed to return to campus only if accompanied by her parents. She remains angry that details of her condition were shared. Yale may have complied with the letter of the law, she said, but university officials could have done a better job of respecting her wishes and including her in decisions.

Thomas Conroy, a Yale spokesman, said in an email that the university does not discuss individual students’ records, “whether or not the student gives permission or has no objection.” (Andrea said she was willing to sign documents allowing Yale to talk to a reporter about her case.)

Conroy pointed to a regulation from Yale’s undergraduate college stating that it will notify a student’s parents when there is a change in that student’s enrollment status, such as a withdrawal from school, voluntary or involuntary.

EXEMPTIONS AND LOOPHOLES

Deciding who has the right to know what’s going on with the health of college students presents tricky questions.

College is “absolutely a very challenging time,” said Dr. Victor Schwartz, medical director of the Jed Foundation, a New York-based non-profit that works to promote emotional health among college students. “The students are almost inevitably legal adults, but there are a lot of other parties that have skin in the game and really have concerns and to one degree or another legitimate involvement.”

These concerns are not easily reconciled, either by laws or by institutional policies. FERPA, passed in 1974, gives students and their parents access to their education records, which schools and colleges had sometimes denied them. FERPA also dictates when and how those institutions can obtain or share information that identifies individual students.

If students are under age 18 or are claimed as dependents for tax purposes, the law allows colleges to share educational information with their parents without their consent.

Within a campus, education records such as transcripts, schedules, and disciplinary records can be shared with anyone who has a “need to know,” such as a dean, registrar, or residential adviser. Treatment records generally can’t be shared, and they are handled more securely. But if those records are shared for any reason other than treatment—if they’re given to a lawyer or even to a student herself—they effectively become education records. At that point, the typical FERPA standards apply.

FERPA also includes a health-and-safety exception: If a student is seen to be in danger, or to be putting others in danger, information can be shared with “appropriate parties,” including the student’s parents, regardless of whether they claim the student as a dependent.

If a student seeks help off campus or at a university hospital, HIPAA, the more-restrictive law, typically applies. In those cases, university officials have no right to obtain the information. If a patient asks for his or her own records, it doesn’t strip them of protection. Indeed, some providers and insurance companies won’t share health information with the parents of minor teenagers without their permission. When a patient is over age 18, health providers that share information with a parent can be subject to fines.

The intersection of these rules leaves considerable room for subjectivity. Andrea, for example, was treated at Yale-New Haven Hospital, a private institution, and her stay was covered by HIPAA. But because Yale Health clinicians sent her to the hospital and visited her there, some information was subject to FERPA.

Colleges also have very different views about when and how to invoke FERPA’s health-and-safety exception.

These differences sparked fierce debate after Seung-Hui Cho, a student at Virginia Tech, shot and killed 32 people and wounded 17 others in 2007 before killing himself. Students and professors had raised concerns about Cho’s behavior before the shooting, and he had had contact with the university’s counseling center and police. But, a state review panel concluded: “the university did not intervene effectively. No one knew all the information and no one connected all the dots.”

A subsequent federal report cited privacy laws as a “substantial obstacle” to sharing information about students’ problems. “Throughout our meetings and in every breakout session, we heard differing interpretations and confusion about legal restrictions on the ability to share information about a person who may be a threat to self or to others,” a report from three federal agencies said.

Still, years later, university policies are “all over the map,” said Darcy Gruttadaro, director of the Child and Adolescent Action Center of the National Alliance on Mental Illness. “I’m not sure that there’s an easy answer here.”

CONFLICTS OF INTEREST?

Students sometimes discover their medical records have been retrieved without their permission when they find themselves in a legal dispute with their universities.

That happened in a pair of high-profile cases at the University of Oregon.

In one case, Laura Hanson, who said she was sexually assaulted by a fellow student at the University of Oregon in 2013, pursued a claim against her alma mater over what she saw as a drawn-out investigation of the incident, which ultimately substantiated her account. Hanson learned that university lawyers had obtained her confidential counseling records without her permission, not as part of their investigation into her sexual-assault allegations, but in response to her claim that the school hadn’t investigated urgently enough.

“I felt like they were trying to undermine me,” she said.

The university eventually settled Hanson’s claim for $30,000. Doug Park, the university’s deputy general counsel, declined to discuss particulars of the case. But under rules in place at the time, since changed, he said the university was permitted to review a student’s counseling records to defend itself against charges of wrongdoing including alleged violations of Title IX, the federal regulation that outlines how universities should respond to accusations of sexual assault.

A second University of Oregon student, identified in court records as “Jane Doe,” also accused university lawyers of improperly obtaining her counseling records after she faulted officials’ handling of an alleged rape by three Oregon basketball players. The University of Oregon settled Jane Doe’s case for $800,000, but its lawyers insisted they had collected the records only to comply with a request from her lawyers and didn’t review them.

After the Oregon controversy, the Department of Education proposed guidelines in August for the use of students’ counseling records. Its message: University lawyers should view those records only if the treatment itself is at issue in a legal case, if they have permission, or if a judge’s order gives them access.

“Institutions of higher education have a strong interest in ensuring that students have uncompromised access to the support they need, without fear that the information they share will be disclosed inappropriately,” Kathleen Styles, chief privacy officer of the Department of Education, wrote in a blog post.

Students share their personal details with campus health centers as would any other patient with a health provider. But while students are the clients at campus health centers for treatment purposes, colleges rely on the centers’ advice to decide whether the students should be allowed to stay on campus or be allowed to return.

“It seems like a conflict of interest,” said Karen Bower, a lawyer who represents students and their families feuding with universities. “It’s not clear who the client is.”

The University of Oregon announced on October 1 that it plans to tighten its rules. It will now seek a subpoena if lawyers want to review a student’s health records or, if that’s not possible, notify students of the university’s intention and give them an opportunity to object.

One of Jane Doe’s lawyers, John Clune, said they learned only from her therapists that the university’s lawyers had obtained their client’s records. Without more-consistent notification from universities, there’s no way to know how often students’ privacy is being violated. “We would never have known from the university,” he said, “had our client’s therapists never told her about what happened.”

“MY SOCKS WERE JUST KNOCKED OFF”

For all of the concerns about violating students’ privacy, there is also a risk to choosing discretion over disclosure. Some parents have argued that, if anything, colleges should release more information to them about their children.

Margaret Go’s son Brian committed suicide in 2009 while enrolled at the California Institute of Technology. Two deans and three psychologists at Caltech were aware that he was under significant stress or had had suicidal thoughts, according to pleadings in his parents’ lawsuit against Caltech. Yet Caltech never conveyed that information to his parents; in court records, the university said it was honoring Brian Go’s request not to do so. Margaret Go said she learned about Brian’s troubles only after his death.

“I was just a mom, and my socks were just knocked off because it seemed to me such a complete lack of common sense and human decency not to call us,” she said. “I entered in the Alice-in-Wonderland world of privacy rights and mental-health law.”

Margaret Go and her husband pursued a lawsuit against the university and the counseling staff. A medical malpractice claim involving the counseling staff was settled, but a Los Angeles County Superior Court judge dismissed a negligence claim against the university, saying it had no legal duty to protect Brian Go from harming himself because he was an adult. (He was 20.)*

“Brian did report that he had contemplated suicide but denied that he continued to have suicidal feelings,” university officials wrote in a statement. “Nonetheless he was immediately referred to and seen by the counseling center, and Caltech administrators followed the advice of the mental health professionals.”

Caltech adopted a series of changes based on the recommendations of a 2011 mental-health task force, including increased access to psychiatric care for students, expanded hours at the campus counseling center, and training for resident advisers on mental-health issues. Judy Asbury, a spokeswoman for the university, said in an email that the task force was not a specific response to Brian Go’s death, “but the tragic event was a factor. The Caltech community was deeply affected by Brian’s suicide; he was an engaged student, president of his ‘house’ (which is like a dorm community here) and well-liked.”

Brian Go’s parents have suggested a way forward: Create an environment of transparency and open communication much earlier. In November 2014, they started a MoveOn.org petition asking that every university include forms for students to fill out before they arrive on campus, laying out how much information can be shared with parents or emergency contacts. More than 1,300 people signed the petition.

The idea is to deal with potential problems during a moment of calm, rather than in a crisis, Margaret Go said. “It’s really practical. It’s really common sense. It doesn’t hurt anybody. In fact, I think it would help.”

This story originally appeared on ProPublica as “When Students Become Patients, Privacy Suffers” and is re-published here under a Creative Commons license.

*UPDATE — October 30, 2015: An earlier version of this story incorrectly said that a California appeals court agreed that the California Institute of Technology had no legal duty to protect Brian Go from harming himself. While a Los Angeles County Superior Court judge made such a ruling, the family dropped its appeal before the appeals court decided the case.

Related Posts