U.S. Department of Education Issues Guidance on Handling of Student Medical Records

November 2016

“Dear Colleague Letter” states that student medical records should be afforded privacy protections similar to those afforded to nonstudent medical records under HIPAA.

On August 24, 2016, the U.S. Department of Education (the “Department”) issued a “Dear Colleague Letter” to institutions of higher education to address several issues related to the privacy of student medical records.  The guidance followed an incident at the University of Oregon in which university officials accessed the campus therapy records of a student who had threatened to sue the school over its handling of an alleged sexual assault.

Privacy of Student Medical Records – FERPA v. HIPAA

At the outset of the Dear Colleague Letter the Department notes that student medical records maintained by an educational institution are generally considered to be “education records” or “treatment records” that are covered by the Family Educational Rights and Privacy Act (“FERPA”).  As a result, they may not be protected by the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, the federal law governing the privacy of most* medical records.  Under FERPA, education records cannot be disclosed without a student’s consent, unless one of FERPA’s exceptions applies. 

The Dear Colleague Letter analyzes three key FERPA exceptions and explains how they apply to student medical records.

First, the Department discusses the “school official” exception.  Under this exception, an institution is permitted to disclose education records to school officials who have a “legitimate educational interest” in the records – in other words, when officials need to review the records to perform their job. However, this exception does not permit a school official to review all records for all students.

The Department confirmed that attorneys representing an institution in legal proceedings generally function as school officials under FERPA and may have a legitimate educational interest in certain student education records.  Nevertheless, the Department states that in cases where litigation occurs between a student and the institution, the school official exception should be construed to offer protections to student medical records that are similar to those provided to other medical records under HIPAA.  More specifically, without a court order or written consent, institutions that are involved in litigation with a student should not share the student’s medical records with the institution’s attorneys unless the litigation in question relates directly to the medical treatment itself or the payment for that treatment, and even then should disclose only those records that are relevant and necessary to the litigation.

Second, the letter provides guidance with regard to the FERPA exception that allows an institution to disclose education records to a court when the records are relevant for the institution to proceed with litigation against a student or to defend itself from litigation brought by the student.  Once again, the Department states that when medical records or counseling records are involved, this rule should be read in light of the special sensitivity of those records and the importance of students being able to obtain timely on-campus medical treatment.   Institutions should follow the standard articulated under HIPAA and use this litigation exception to disclose medical records to a court only if the lawsuit relates directly to the medical treatment or the payment for such treatment.  Otherwise, the medical records should only be disclosed in response to a subpoena or court order, or with the student’s consent.

The Department recognizes that an institution may be under a legal obligation to preserve these records – under what is called a “litigation hold” – when the records are likely to be relevant to a reasonably anticipated, threatened, or pending lawsuit, and its guidance does not override any legal obligation a school may otherwise have to preserve records under applicable state or federal law.

Finally, the Department provides further guidance on the FERPA exception that allows the disclosure of education records to address a health or safety emergency.  This further guidance does not limit earlier guidance provided by the Department that addresses this exception.  In this letter, the Department recognizes that school officials may disclose education records, including medical records, to any person whose knowledge of information from those records could assist in protecting the student or others from an “articulable and significant threat.”  This can include disclosure to law enforcement officials, public health officials, medical personnel, attorneys representing the institution, and the student’s friends or family, as long as the disclosure is limited to information that is necessary to protect the student or others from the threat. 

Impact of Dear Colleague Letter on MIT

Simply put, this new guidance will have little impact on MIT’s practices.  As the Department acknowledged, institutions like MIT are already conforming to its guidance.  In addition, many years ago, MIT Medical decided to adopt an approach to student medical records that affords greater privacy protections than FERPA.  Although FERPA sets forth minimum requirements for student medical records, MIT is permitted to offer broader protections than what is strictly required by FERPA.  MIT Medical applies the same privacy rules and protections to its student medical records that it applies to its nonstudent medical records, and it provides the same Notice of Privacy Practices to all of its patients, regardless of their status.

MIT’s Privacy of Student Records policy, which describes MIT’s compliance with FERPA, can be found at http://web.mit.edu/policies/11/11.3.html.  More information about MIT Medical’s privacy practices can be found at https://medical.mit.edu/privacy.  Any questions about the privacy of student education records can be directed to OGC attorney Jay Wilcoxson.


*Technically HIPAA does not cover non-electronic medical records, nor would it cover medical records maintained by non-covered entities.