A horrific case of sexual assault at the University of Oregon has shone a spotlight on the egregious lack of privacy laws protecting college medical records.
On August 18, Kathleen Styles, the Chief Privacy Officer of the Department of Education (ED) published new guidance for schools about how they should be protecting student medical records under the Family Educational Rights and Privacy Act (FERPA). It’s a move that has far-reaching implications for college students, and is also a rare bit of good news in the fight against rape culture that permeates many campuses.
In order to understand the driving forces behind these legal changes, we need to go back to 2014, to the University of Oregon, and revisit one of the more public and more horrific cases of campus rape.
Early last year, on January 8, a campus sexual-assault survivor at the University of Oregon sued the school for mishandling her case. The assault happened in March 2014. The survivor, who is using the name Jane Doe to protect her privacy, reported a gang-rape by three male students to campus authorities and the police [Trigger warning: The report contains extremely violent depiction of sexual assault.]. At the end of the 2013-14 school year, the university found the three students “responsible for sexual misconduct” and banned them from campus for up to ten years.
(The police chose not to prosecute, citing low likelihood of conviction. The alleged gang rapists “didn’t deny what happened as much as they said the acts that the accuser described were consensual.” Now would be a good time to review that police report, and to check your gut.)
So what’s the problem? There were many. The University of Oregon waited until after the end of its basketball season to investigate the assault, even though the survivor reported in March. Why? Because the three assailants were on UO’s basketball team. To make matters worse, one of the players, Brandon Austin, was recruited from another school, Providence College, where he’d been suspended from the basketball team for sexual assault and banned from campus by the school’s disciplinary board (a ban that was overturned by the school’s vice-president so he could continue to attend practice with the basketball team).
In her complaint against UO filed in January, Jane Doe alleged the deliberate delay in investigation, the deliberate recruiting of a player with a known history of sexual assault, and, most importantly for our purposes here, a violation of her medical privacy.
We learned more about this privacy violation the following month, when employees of the UO student counseling center blew the whistle on one of the most disturbing aspects of the case. Jennifer Morlok, a senior staff therapist at UO’s student counseling center claimed in a public letter of concern that, prior to Doe filing her lawsuit, UO employees went through her campus counseling records without Doe’s consent.
UO defended the secretive records-grab, arguing that because Doe was claiming emotional distress in her lawsuit, it was entitled to take her counseling records under FERPA. UO argued that it could take the records even before a lawsuit was filed—upon just hearing that there may be a lawsuit filed. Furthermore, they claimed they had a right to do so outside the normal discovery process overseen by our legal system.
At first I couldn’t believe the university’s gall. UO had used a law—FERPA—that is meant to protect student privacy in order to breach the privacy of a rape survivor. When I learned that such actions were indeed permitted under FERPA, I wrote in a March column, “If you are a student and seek counseling at your college’s counseling center, your medical records are most likely not protected by the typical medical-privacy laws, otherwise known as the Health Insurance Portability and Accountability Act (HIPAA). Instead, they fall under the aegis of FERPA, just as Oregon said. And compared with HIPAA, FERPA is about as protective as cheesecloth.”
Let’s back up a step to understand how FERPA has typically worked when it comes to protecting—or not protecting—student medical records.
FERPA covers the records of students who visit health clinics maintained by schools. These campus medical records are not protected under the regular HIPAA privacy laws. In plain English, for privacy purposes, college medical records simply have not counted as real medical records.
Although FERPA provides a slightly different definition for “treatment records”—those that are created for medical treatment—than for “education records,” the difference has been meaningless in action. By definition, treatment records can only be disclosed with the student’s written consent. But FERPA has a long list of ways that treatment records lose their special status. If a student takes any of the actions on this long list, their treatment records are “converted” into regular old education records, and education records can be shared without written consent.
Here are some of the actions that a student can take that will convert her treatment records and allow them to be shared without written consent: When a student sues her institution. When a student simply wants to see her own treatment records. In the real world, asking to view your own medical records does not release a medical provider from his or her ethical duty to keep your medical records private. That’s because in the real world, your medical records are protected by HIPAA.
The fact that FERPA is all that has kept student medical records private can have far-reaching consequences, far beyond Jane Doe and UO—even far beyond the privacy of rape survivors. All students’ medical privacy has been at risk when student health providers can only give students substandard protections.
An LGBTQ student who seeks counseling about bullying but who isn’t out to her family or friends is at risk. A student with a psychiatric disability that carries deep public stigma is at risk. A student who is HIV positive and is suffering depression, a common comorbidity, is at risk. Any of these students might seek counseling or medical care on campus, and their medical records would not be protected by HIPAA. They would only be protected by FERPA. Which, as the UO debacle has shown us, is not much protection at all. And, to make matters worse, the student health providers, the people who are doing the salt-of-the-earth work providing care to the students in need, themselves often don’t know that their patients have substandard privacy protections.
In my March column, I recommended that students seek treatment at off-campus medical clinics to protect their privacy. This advice made some people at some schools very angry, but I stood by it. Some university employees argued that, although FERPA allowed the taking of medical records in the way that I described (and, when interviewed, ED supported my argument), it would be the wrong thing to do, so “students shouldn’t worry that counseling centers will share their records without their permission.” Students should just trust their schools to do the right thing.
My response: You, school representative for University ABC, might be a good person. But you don’t know what your school’s General Counsel’s office is going to do when staring down the barrel of a multi-million-dollar lawsuit. You, spokesperson for College XYZ, might be a good person, but you can’t make that kind of reassurance when the law explicitly allows school lawyers to grab whatever records they want. You can’t just tell students to trust you. That’s not fair to students who are in desperate need of help.
Here’s where the Department of Education’s potential FERPA overhaul becomes really good news.
After accounts of UO’s medical records grab went public, a lot of people got angry, including legislators in Washington, D.C. They acted. For example, Suzanne Bonamici (D-Ore.) took leadership on the issue of finding new ways to protect student medical records. Her work and that of others has recently culminated in the new guidance on FERPA meant to provide more protection for students.
To be honest, I’m feeling hopeful. (Fair warning, though: I’m a bit of an optimist.)
The August 18th Department of Education draft of the Dear Colleague letter and summary blog post are seemingly designed to prevent a UO incident from ever happening again. ED wants to reassure students that they can be safe in their student health centers. Indeed, ED acknowledged this purpose in the blog post:
Institutions of higher education have a strong interest in ensuring that students have uncompromised access to the support they need, without fear that the information they share will be disclosed inappropriately. Providing on-campus access to medical services, including mental health services, can help promote a safe and healthy campus. The practice of sharing a student’s sensitive medical records with others not involved in their treatment may discourage the use of medical services provided on campus.
This chilling effect is ED’s motivation to act—and it should be schools’ motivation as well. Schools should be willing to give up the ability to take students’ records outside the proper legal processes in order to give students peace of mind when they access campus services. Students’ health should trump schools’ ability to win at all costs, and schools should be able to see that. (I warned you I was an optimist.)
And what does ED think should be the model for student privacy? HIPAA:
We think [the HIPAA] standard makes sense, and that FERPA’s school official exception should be construed to offer protections that are similar to HIPAA’s. We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts, without a court order or written consent.
This statement suggests that even when a student sues a school, the school must go through the usual legal channels to get its hands on the student’s medical records. There is an exception for when a lawsuit is over the actual provision of medical care (e.g., malpractice or failure to pay a bill) but even then, a school “should only disclose those records that are relevant and necessary to the litigation.”
Granted, these guidelines are only in “draft” form, and ED is “seeking public input on our draft guidance, as we believe that this input will result in a better product.” (Schools have 45 days to comment from the August 18 publication date.) But if these new directives mean what I think they mean, then a gaping privacy hole for students—all students, not just rape survivors—is about to be at least partially filled.
Although the change isn’t perfect—I would like to see all medical records actually protected by HIPAA—legal change can be slow. But this change happened in six months. And six months is very, very fast. And we have a campus rape survivor to thank for the change. Jane Doe wrote, in a letter to the editor of the UO campus newspaper, “I know a lot of people are angry. I am angry, too. I am angry with the culture that appears to exist in our athletic department that prioritizes winning over safety of our students.”
Had these new FERPA guidelines been in place back in December 2014, UO likely would not have been able to access Jane Doe’s medical records without a court order, and certainly not prior to her filing a lawsuit. Since her lawsuit did not put her medical treatment at issue, according to these new guidelines, UO would have had to go through ordinary civil litigation channels to access her medical records. And they would only have had access to those relevant to her legal complaint—not access to whichever ones they felt like taking.
Annie E. Clark, the Executive Director of End Rape on Campus, is supportive of these changes, and credits Jane Doe’s lawsuit for helping protect the privacy of all students: “Jane Doe’s lawsuit helps all students—not just rape survivors—because it called attention to an existing loophole regarding medical privacy,” she said. “As stigmatized as mental health already is, we need to culturally and legally break down the barriers that make people feel unsafe or ashamed to ask for help. And assuring students that their medical privacy will not be breached is one necessary step in the right direction.”
Last month, on August 4, UO settled its case with Jane Doe for more than $800,000, a settlement that includes a UO education, an education free of the presence of her assailants since they are banned from campus. Furthermore, part of the settlement includes a promise that “the school will pursue a policy change requiring all transfer applicants to report any disciplinary history at prior schools.”
But UO’s proposed policy change doesn’t stop other schools from recruiting the three former UO basketball players who were found responsible for assaulting Doe. Since leaving UO, Brandon Austin transferred yet again, as have his two teammates. They will all play college basketball elsewhere, on scholarship.
The question of a school’s responsibility to pay attention to a transfer athlete’s history of sexual assault has come to the forefront recently given the high-profile case of Samuel Ukwuachu, a Baylor University football player convicted on August 20 of second-degree sexual assault. Ukwuachu had transferred from Boise State to Baylor after being kicked off of his former team for violence against a female student there. Reporting for Texas Monthly, Jessica Luther and Dan Solomon produced an indicting piece showing how complicit college coaches can be in bringing violent students to campus. Some conferences and schools are making moves to make sure that recruits with violent pasts can’t transfer to campus. But for Jane Doe, UO’s promise to do the same is too little, too late. And even to this optimist, it seems that three men who were found responsible for a heinous sexual assault have escaped meaningful punishment.
Photo by Flickr user Wolfram Burner
AN INDEPENDENT FREE PRESS HAS NEVER BEEN MORE IMPORTANT.
Your financial support helps DAME continue to cover the critical policies, politics social changes impacting woman and their allies.