


Section III

Laws and principles guiding adoption, use of HIT / HIE

To be included in

The Maryland Governor’s Task Force to Study the Adoption of Electronic Health Records
Final Report

III. Laws and principles guiding adoption, use of HIT / HIE

The privacy laws and regulations adopted in the United States over the last few
decades have all been based on a commonly accepted set of fair information
practices. The earliest public documentation of this concept was the "Richardson Report"
on "Records, Computers and the Rights of Citizens," published in 1973, which
introduced the "Fair Information Practices Principles" (FIPPs).[1] These principles were first
codified into law in the Privacy Act of 1974,[2] specifically § 552a, which applied
only to federal agencies. The four FIPPs are:
    1. Notice: Data collectors must disclose their data collection. The existence and
       purpose of record-keeping systems must be known to the individuals whose data
       is contained therein.
    2. Choice: Data subjects should have rights to opt out of uses and disclosures of their
       data. Information must be collected only with the knowledge and implicit or
       explicit permission of the subject, used only in ways relevant to the purpose for
       which the data was collected, and disclosed only with permission of the subject or
       in accordance with overriding legal authority (such as a public health law that
       requires reporting of a serious contagious disease).
    3. Access: Data subjects should be able to view their information and have it
       corrected if necessary. Individuals must have the right to see records of
       information about them and to assure the quality of that information (accuracy,
       completeness, and timeliness). In health care, records are rarely deleted or
       replaced, but this principle implies that there is at least a due process for
       individuals to amend poor quality information.
    4. Security: Data collectors must take reasonable steps to ensure that their data is
       accurate and protected against unauthorized use and disclosure. Reasonable
       safeguards must be in place for the confidentiality, integrity and availability of

Health Insurance Portability and Accountability Act (HIPAA)
In the 1990s the increasing use of health information technology (HIT) brought the issue
of protecting personal health information from disclosure or misuse to the forefront, and
this prompted legislative action. Grounded in the Fair Information Practices Principles,
Public Law 104-191, known as the Health Insurance Portability and Accountability Act of
1996 (HIPAA), outlined a series of health care regulations, such as improving the
portability of health insurance coverage, promoting the use of medical savings accounts
and fighting waste, fraud and abuse in health care systems.[3] The Administrative

[1] “Records, Computers and the Rights of Citizens, Report of the Secretary's Advisory Committee on Automated Personal Data Systems, July, 1973”.
[2] “Overview of the Privacy Act of 1974”. [http://www.usdoj.gov/oip/04_7_1.html]
[3] 104th Congress. (August 21, 1996). Public Law 104-191: Health Insurance Portability and Accountability Act of 1996. Retrieved from http://aspe.hhs.gov/admnsimp/pl104191.htm.

Simplification provisions of the Health Insurance Portability and Accountability Act of
1996[4] (Title II), subparts C and E, address the “Security standards for the protection of
electronic health information” and “Privacy of identifiable health information”
respectively. These subparts address in detail the security and privacy of electronic
health data and require compliance with a comprehensive set of requirements for the
security of information architectures. Subpart C, § 164.306, states the general rules for
security standards. These rules state that covered entities must do the following:
    1. Ensure the confidentiality, integrity and availability of all electronic protected
       health information the covered entity creates, receives, maintains or transmits.
    2. Protect against any reasonably anticipated threats or hazards to the security or
       integrity of such information.
    3. Protect against any reasonably anticipated uses or disclosures of such information
       that are not permitted or required under subpart E.
    4. Ensure compliance with this subpart by its workforce.

HIPAA, Title II specifically states that covered entities must implement administrative,
physical and technical safeguards for protecting electronic health information. The act
goes on to address requirements related to use and disclosure of electronic health
information, types of authorization required for release and when an individual has the
opportunity to approve or object to said release. The act also outlines the rights of an
individual, and the notification of those rights to the person, to request health
information, how entities must account for disclosures of health information and the
administrative policies and procedures required for implementation of the standards.

Section 1173(d) of HIPAA also recognizes the need to develop health information
system architectures that ensure the confidentiality and privacy of individual health
records.[5] HIPAA requirements put forth minimum protections for patient information
that policy makers build upon when bolstering protections of patient information.
The Markle Foundation outlined nine principles that should be built into any system.[6]
These principles are:
    1. Openness and transparency
    2. Purpose specification and minimization
    3. Collection limitation

[4] HIPAA Administrative Simplification, Regulation Text, 45 CFR Parts 160, 162, 164 (Unofficial Version as amended through February 16, 2006), pages 36-84. [http://www.hhs.gov/ocr/AdminSimpRegText.pdf]
[5] Federal Register. (2/20/2003). Part II: Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule. Retrieved from:
[6] Rhodes, H. (2006). Privacy and security challenges in HIEs: Unique Factors Add New Complexities to Familiar Issues. Journal of AHIMA, 77(7), July/August, pp. 70-71, 74; in Electronic Health Information Exchange Task Force to Study Electronic Health Records. (9/11/2006). Health Information Exchange. Retrieved from: http://mhcc.maryland.gov/electronichealth/presentations/hlthinfoexchange.pdf

    4. Use limitation
    5. Individual participation and control
    6. Data integrity and quality
    7. Security safeguards and controls
    8. Accountability and oversight
    9. Remedies
In addition to standards safeguarding personal health information, HIPAA also
specifies standards for health information exchange (HIE). These standards are known
as the Transaction and Code Set Regulations.[7] Adherence to these regulations, including
use of specific health care transactions, code sets, and identifiers, is necessary for any
provider engaging in administrative HIE with a covered entity under HIPAA. Covered
entities include payers, providers, and claims clearinghouses. Administrative transactions
include claims and encounter information, payment and remittance advice, and claims status
and inquiry. Examples of standard code sets for identifying specific diagnoses and
clinical procedures on claims and encounter forms include the Healthcare Common
Procedure Coding System (HCPCS), Current Procedural Terminology version 4 (CPT-4)
and the International Classification of Diseases version 9 (ICD-9). Adherence to these
standards enables administrative health information to be exchanged in a predictable

Although HIPAA legislation established extensive standards and guidelines for
exchanging personal health information, exceptions to the law have, at times, led to
confusion as to which regulations to follow. For example, Section 1178 of the HIPAA
law states that HIPAA supersedes state laws except when the Secretary determines that
the provision of State law:
    1. Is necessary:
         a. To prevent fraud and abuse
         b. To prevent fraud and abuse related to the provision of or payment for
            health care
         c. To ensure appropriate State regulation of insurance and health plans to the
            extent expressly authorized by statute or regulation
         d. For State reporting on health care delivery or costs
         e. For purposes of serving a compelling need related to public health, safety
            or welfare, where the Secretary determines that the intrusion into privacy is
            warranted when balanced against the need to be served

[7] Centers for Medicare and Medicaid Services. (2007). Transaction and Code Set Standards: Overview. Retrieved from: http://www.cms.hhs.gov/TransactionCodeSetsStands/

    2. Has as its principal purpose the regulation of controlled substances
    3. Addresses issues of privacy of individually identifiable health information
       [Section 264(c)(2)]
    4. Limits the authority of public health
    5. Limits state regulatory reporting by health plans for monitoring and certification
This broad set of exceptions has led to confusion regarding whether state or federal
regulations should be followed in particular instances of information sharing.[9] This
confusion, and the concern about breaching privacy and security laws, have prompted many
providers to resist sharing information even under allowable circumstances.

Medicare Prescription Drug Coverage Improvement and Modernization Act
In addition to HIPAA, other federal government actions are also affecting the exchange
of electronic health information. In 2003, the Medicare Prescription Drug Coverage
Improvement and Modernization Act (MMA) overhauled Medicaid and provided
enhanced prescription drug coverage to seniors.[10] Section 1013.A.3.c.i.II of the MMA
requires the Centers for Medicare and Medicaid Services to develop a uniform set of
e-prescribing standards to be used in ambulatory care settings.[11] These electronic data
standards would support a database of prescribing histories from which information can
be obtained and used in evaluations and other relevant activities. The intent is for
e-prescribing to act as a catalyst for significant improvements in patient safety, quality of
care and cost effectiveness.[12] In addition to meeting MMA requirements, e-prescribing
standards must be compatible with all other state and federal laws regulating prescribing.

Maryland Privacy Laws
Given the need to conduct State-level activities around health care and the sharing of
personal health information, Maryland and at least 37 other states have introduced
legislation addressing the promotion of HIT.[13] Additionally, governors in at least 10
states have issued executive orders calling for the promotion and adoption of HIT

[8] 104th Congress. (8/21/1996). Public Law 104-191 Health Insurance Portability and Accountability Act of 1996. [http://aspe.hhs.gov/admnsimp/pl104191.htm].
[9] Electronic Health Information Exchange to Study Electronic Health Records. (September 11, 2006). Issues Raised by Expansion of the use of Electronic Health Records in School Health Services.
[10] Department of Health and Human Services Medicare Prescription Drug, Improvement, and Modernization Act. [http://www.medicare.gov/medicarereform/108s1013.htm]
[11] National Committee on Vital Health Statistics. (9/2/2004). Letter to Tommy Thompson: E-prescribing Standards. [http://www.ncvhs.hhs.gov/040902lt2.htm].
[12] Department of Health and Human Services Medicare Prescription Drug, Improvement, and Modernization Act. [http://www.medicare.gov/medicarereform/108s1013.htm]: Section 1013.A.2.c.i
[13] eHealth Initiative. (8/16/2006). State policy makers taking action to drive improvements in health care quality and safety through information technology. [http://www.ehealthinitiative.org/news/

strategies. These State-level activities often involve the creation of commissions, task
forces, councils and advisory groups to study the issues and develop recommendations
for how to improve health care through the use of HIT.

In 1991, the Maryland Confidentiality of Medical Records Act (MCMRA) was passed
into law.[14] It addressed many of the same issues as HIPAA, but since it preceded HIPAA,
the specifics of its guidelines and restrictions are different from, and often discordant with, the
federal law. In an effort to identify the specific discrepancies, State agencies collaborated
to develop a document that compared the MCMRA with the HIPAA Privacy Statutes and
Regulations.[15] This comparative analysis highlighted the need to ensure that future legislation
is written in such a way that state and federal regulations are more concordant.
Examples where the MCMRA and HIPAA laws differ include:

   • Definition of identifying information and de-identification criteria:
     HIPAA refers to protected health information as being “individually identifiable
     health information maintained or transmitted in any form or medium.”
     MCMRA uses the term medical record, defining it as “any oral, written or other
     transmission in any form which is entered into the record of and relates to the
     health care of the patient and which identifies or can readily be associated with
     the patient.” Although the terms are similar, the way in which individual
     identification is addressed differs, with HIPAA being more clearly defined. For
     example, to de-identify personal health data to be used for research, the
     following identifiers for individuals, as well as their relatives, employers, and
     household members, are removed.[16] Exceptions can be made, however, based
     upon approval of an Institutional Review Board which adheres to federal
        o Names;
        o All geographical subdivisions smaller than a state, including street
          address, city, county, precinct, zip code, and their equivalent geocodes.
          The first three digits of the zip code can be retained for regions where the
          Census Bureau data indicates more than 20,000 people share the first three
          digits of the zip code;
        o All elements of dates (except year) for dates directly related to an
          individual, including birth date, dates of admission and discharge from a
          medical facility, and date of death; for persons age 90 and older, all
          elements of dates (including year) that would indicate such age must be
          removed, except that such ages and elements may be aggregated into a
          single category of “age 90 or older”;

[14] Maryland Department of Health and Mental Hygiene. (March, 2003). Maryland Confidentiality of Medical Records Act Compared with HIPAA Privacy Statute & Regulations.
[15] Maryland Health Care Commission. Maryland Confidentiality of Medical Records Act Compared with HIPAA Privacy Statute and Regulation. [http://www.dhmh.state.md.us/hipaa/pdf/MCMRAcomp.pdf].
[16] University of South Florida. (2007). Use and Disclosure of De-Identified Data For Research Purposes

        o Telephone numbers;
        o Fax numbers;
        o Electronic mail addresses;
        o Social security numbers;
        o Medical record numbers;
        o Health plan beneficiary numbers;
        o Account numbers;
        o Certificate or license numbers;
        o Vehicle identifiers and serial numbers, including license plate numbers;
        o Device identifiers and serial numbers;
        o Web Universal Resource Locators (URLs);
        o Internet Protocol (IP) address numbers;
        o Biometric identifiers, including fingerprints and voiceprints;
        o Full face photographic images and any comparable images; and
        o Any other unique identifying number, characteristic, or code, except as
          permitted below in 4.4 of this Standard Operating Procedure; and
   • Rules of confidentiality for uses of information in treatment, payment, and
     health care operations: Although the rules for HIPAA and MCMRA are similar,
     HIPAA rules require more explicit disclosure to patients regarding health care
     information disclosures and privacy protections found in federal and state law.[17]
     These HIPAA provisions place additional administrative burdens on providers.
   • Disclosures Requiring Authorization: Although HIPAA and MCMRA rules
     regarding disclosure are similar, HIPAA requires that a patient be consulted
     about preferences regarding “directory information” (i.e., Jane Doe is in stable
     condition) being available, while MCMRA permits such disclosure unless the
     patient declines in writing.[18]
   • Permissive Disclosures without Authorization: HIPAA and MCMRA both allow
     for the disclosure of health information by covered entities for certain purposes.
     Most HIPAA provisions are permissive, while disclosure under MCMRA or
     other state laws is often mandatory, such as for issues of abuse and neglect or
     other legally compelled activities.

Maryland Health Care Commission. Maryland Confidentiality of Medical Records Act Compared with HIPAA Privacy Statute and Regulation. [http://www.dhmh.state.md.us/hipaa/pdf/MCMRAcomp.pdf].

   • Patient Remedies: HIPAA violations can result in administrative fines, while
     persons violating MCMRA laws may be sued in state court for actual damages.
     No comparable private right of action exists under HIPAA. Additionally,
     MCMRA “grants broad immunity from suit to health care providers who
     disclose or fail to disclose a medical record if acting in good faith. HIPAA
     contains a somewhat less generous exculpatory clause that prohibits imposition
     of a civil penalty if the person, acting with reasonable diligence, did not know
     that the action violated federal law.”[19]
   • Un-emancipated Minor Disclosure Rights: In regard to disclosure rights for
     un-emancipated minors, HIPAA defers to state law, which in Maryland ties these
     rights to a minor’s capacity to consent to treatment. Maryland law allows a
     minor the right to “consent to treatment for drug abuse, alcoholism, venereal
     disease, pregnancy, contraception, injuries from rape or sexual offense, and
     initial medical screening of the minor into a detention center.”[20] Older minors (at
     least 16 years of age) may also consent to treatment for mental or emotional
     disorders. In regard to mental health and abortion services, physician judgment
     plays a key role in whether disclosure is made to the parents.
   • Overview of Administrative Procedures and Forms: HIPAA supersedes
     MCMRA regarding administrative requirements. These include designation of
     the entity, designation of a privacy official, and training of personnel. The entity
     also must have appropriate administrative, technical, and physical safeguards in
     place to protect personal health information security, and sanctions for violators.
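As an added illustration (not code from the report or from any cited source), the following Python sketch applies the Safe Harbor de-identification rules listed above (direct identifiers removed, zip codes cut to three digits only where the prefix region exceeds 20,000 people, dates reduced to year, ages of 90 and over aggregated) to a constructed patient record. The field names, the direct-identifier set and the three-digit zip prefix table are assumptions standing in for the Census-based list.

```python
"""Added example: a minimal HIPAA Safe Harbor de-identification pass.

Not code from the task force report or a cited source. Field names, the
direct-identifier set and the ZIP prefix table are assumptions for the demo.
"""
from __future__ import annotations

from datetime import date
from typing import Any

# Direct identifiers dropped outright (a subset of the categories listed above).
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id", "account",
    "license", "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
})

# Date fields directly related to the individual: everything but the year goes.
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date", "death_date"})

# Three-digit ZIP prefixes whose combined population exceeds 20,000.
# Constructed placeholder: a real pass would load the Census-derived list.
ZIP3_OVER_20K = frozenset({"212", "208"})

AGE_CAP = 90  # ages at or above this collapse into one category

# Constructed sample records; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-000123",
    "zip": "21201-1234", "birth_date": date(1915, 3, 2),
    "admit_date": date(2006, 9, 11), "discharge_date": date(2006, 9, 14),
    "diagnosis_icd9": "401.9",
}
SAMPLE_YOUNG = {"zip": "20120", "birth_date": date(1980, 12, 25), "admit_date": None}
SAMPLE_AS_OF = date(2006, 9, 11)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only where the prefix region has more than
    20,000 people; otherwise replace the whole code with '000'."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"unexpected ZIP format: {zip_code!r}")
    prefix = digits[:3]
    return prefix if prefix in ZIP3_OVER_20K else "000"


def years_between(earlier: date, later: date) -> int:
    """Whole years elapsed from `earlier` to `later` (birthday-aware)."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years


def safe_harbor(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a de-identified copy of `record`: direct identifiers removed,
    ZIP generalized, dates reduced to year, and persons aged 90 or older
    reported without a birth year."""
    birth = record.get("birth_date")
    over_cap = birth is not None and years_between(birth, as_of) >= AGE_CAP
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if value is None or (key == "birth_date" and over_cap):
                continue  # a birth year would reveal an age of 90+
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value  # clinical content (e.g. ICD-9 codes) is kept
    if birth is not None:
        out["age"] = "90 or older" if over_cap else str(years_between(birth, as_of))
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, SAMPLE_AS_OF))
    print(safe_harbor(SAMPLE_YOUNG, SAMPLE_AS_OF))
```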
The growth of HIT and the discrepancies between MCMRA and HIPAA have been
recognized as significant by the Maryland General Assembly. This has prompted the
legislature to address the need to balance the protection of personal health information
with the use of information sharing to benefit individual, State and public health needs.
In recent years there have been many bills in response to these issues. For example,
Senate Bill 499 (2005) required the State Advisory Council on Medical Privacy and
Confidentiality (Advisory Council) to develop guidelines regarding the rights and
responsibilities of Maryland physicians, other medical personnel, hospitals, and health
insurers for safeguarding patient privacy and confidentiality under HIPAA. This
Advisory Council consists of 29 members appointed by the governor, including
legislators, the Department of Health and Mental Hygiene, health care professionals,
representatives of the insurance industry, health regulatory agencies, patient advocacy
groups, computer security, legal advisors, consumers, and organized labor.[21,22] The
Advisory Council is charged to:

[21] Maryland Code: Health General: Title 4. Statistics and records: Subtitle 3A. State Advisory Council on Medical Privacy and Confidentiality: § 4-3A-02. Composition; term; removal. Retrieved from:
[22] State Advisory Council on Medical Privacy and Confidentiality. (2006). State Advisory Council on Medical Privacy and Confidentiality Home Page. Retrieved from: http://www.dhmh.state.md.us/sacmpc/

   • Advise the General Assembly of emerging issues in the confidentiality of
     medical records;
   • Conduct hearings;
   • Monitor developments in federal law and regulations regarding: confidentiality
     of medical records; health care information technology; telemedicine; and
     provider and patient communication;
   • Facilitate dissemination of information on, and compliance with, federal
     standards for privacy of individually identifiable health information;
   • Study the issue of patient or person in interest notification subsequent to: the
     transfer of records relating to the transfer of ownership of a health care practice;
     the death, retirement, or change in employment of a health care practitioner; or
     the sale, dissolution, or bankruptcy of a corporation which has ownership
     interests in or possession of medical records;
   • Study medical databases and the electronic transmission of data in relation to their
     impact on patient confidentiality;
   • Study emerging provider best practices for supporting patient confidentiality;
   • Make recommendations to the General Assembly regarding the confidentiality
     of medical records; and
   • Submit an annual report and its recommendations to the Governor.

Maryland’s General Assembly also enacted statutes that address the terms of disclosure
of health information for specific populations. Senate Bill 690 (2005) clarified the
compulsory process and procedures for authorized disclosures of specified health records
under specific circumstances.[23] The following year, House Bill 1040 (2006) was passed,
requiring “a custodian of a public record to deny inspection of the part of the record that
contains personal information about an individual with a disability or an individual
perceived to have a disability defined under Section 20 of Article 49B.”[24] Finally, House
Bill 749 (2006) requires health care providers to disclose a medical record without the
authorization of the person in interest to an employer or insurer, an uninsured
employers’ fund, or a subsequent injury fund for investigating the compensability or
nature and extent of an alleged work-related injury or occupational disease.[25]

Other legislative actions focused on informing individuals when certain actions were
being taken regarding their personal health information. More specifically, Senate Bill
887 (2005) required individuals, or their legal representative, to be notified by the State

[23] Maryland General Assembly. (2005). Senate Bill 690.
[24] Maryland General Assembly. (2006). House Bill 1040.
[25] Maryland General Assembly. (2006). House Bill 749.

Board of Physicians any time a subpoena was issued for specified medical records, and
informed them of their right to contest the information sharing through a motion to
suppress or a court hearing. Additionally, House Bill 1020 (2005) required health
care practices that were closing to provide patients with 30 days’ notice regarding how
they could retrieve their health care records.

Prescription Drugs
Monitoring and identifying the misuse of controlled prescription drugs is another area of
focus for the General Assembly and relates to HIE and patient safety. The state of
Maryland has passed a series of laws that address the contents of prescription orders,
monitoring of schedule II controlled substances, and specifications for transferring and
outsourcing prescriptions.[26,27] There are also regulations regarding the scope, definitions,
records, and validity requirements for prescriptions. The Prescription Drug Safety Act
(House Bill 433) of 2004 mandated a workgroup to study prescription legibility and
patient safety issues.[28] This workgroup proposed implementing incentives to promote the
use of e-prescribing and developing realistic timelines that are compatible with both the
Centers for Medicare and Medicaid Services (CMS) timeframe and overall technological
capabilities. This workgroup also recommended assurances that data would not be used
to evaluate e-prescribing practices, that provider and patient choice would be preserved, and
that tax incentives are important enablers of adoption.

In 2006, there was an attempt to establish a system to monitor prescription drug usage in
the state (Senate Bill 333 / House Bill 1287), which passed both houses but was vetoed by
the Governor. Reasons for the veto included concerns over the impact of the system on
adequate treatment of pain management, inadequacies in patient security and
confidentiality, and an overemphasis on law enforcement rather than treatment.[29,30,31] In
2006, House Bill 626, otherwise known as the Prescription Safety Act, was passed. This
bill adds “prescription format and content requirements, requires the health occupations
boards to monitor compliance with the requirements, authorizes drugs to be dispensed by
a pharmacist on an electronically transmitted prescription, and creates a credit against the
State income tax for individuals or corporations that transmit prescriptions electronically
to a pharmacy.”

Special Issues with School Records

[26] Maryland Health Care Commission. (2/5/07). Maryland Laws Pertaining to Prescriptions.
[27] Code of Federal Regulations. (4/1/2006). Title 21-Food and Drugs.
[28] Electronic Health Information Exchange to Study Electronic Health Records. (September 11, 2006). E-Prescribing and the role of Electronic Health Networks.
[29] eHealth Initiative. (2005). eHealth Initiative’s Analysis of Maryland Legislation. Retrieved from:
[30] Maryland General Assembly. (2006) [http://mlis.state.md.us/2006rs/billfile/sb0333.htm]
[31] Ehrlich, R. (2006). Veto Letter to the Speaker of the House. Retrieved from:

The previous discussions addressed legislation focused specifically on protection of
personal health information contained within a health record such as those found in a
hospital or doctor’s office. However, health information is also included in school
records. These records may fall under the jurisdiction of educational laws regarding
disclosure or can be under HIPAA protections.

There are three primary legislative actions that govern the privacy of student academic
records in addition to potential HIPAA protections. A cornerstone law that protects
students’ rights to privacy is the Family Educational Rights and Privacy Act of 1974
(FERPA, or the Buckley Amendment). FERPA requires parental consent to access
records, except for legitimate educational interest by school officials.[32] FERPA requires
schools to have written permission from the parent, legal guardian, or eligible student
prior to releasing any information from a student’s medical record. There are exceptions
to this requirement which allow disclosure without consent under the following
conditions (34 CFR § 99.31):
   • School officials with legitimate educational interest;
   • Other schools to which a student is transferring;
   • Specified officials for audit or evaluation purposes;
   • Appropriate parties in connection with financial aid to a student;
   • Organizations conducting certain studies for or on behalf of the school;
   • Accrediting organizations;
   • To comply with a judicial order or lawfully issued subpoena;
   • Appropriate officials in cases of health and safety emergencies; and
   • State and local authorities, within a juvenile justice system, pursuant to specific
     State law.[33]
Additionally, if schools provide ample notification and time for parents and students to
express objections, schools may disclose directory information, such as a student's name,
address, telephone number, date and place of birth, honors and awards, and dates of
attendance, without consent. Schools also must notify parents and eligible students
annually of their rights under FERPA, although the means by which notification occurs
(i.e., special letter, PTA bulletin, student handbook, or newspaper article) is left to the
discretion of each school.[34]

The second legislative action, the Protection of Pupil Rights Amendment (PPRA, or the
Hatch Amendment-20 U.S.C. § 1232h; 34 CFR Part 98) of 1998 (amended again in

[32] U.S. Department of Education. (2007). Family Educational Rights and Privacy Act.

2001), applies to schools receiving federal funding from the U.S. Department of
Education. PPRA requires schools to make instructional materials available to parents if
they are being used in conjunction with an education-funded survey, analysis, or evaluation
involving participation of their children. PPRA also requires prior parental consent if
information is sought from pupils regarding specified topics, including some sensitive
health information.[35] More specifically, schools must obtain written parental consent
when information is collected concerning:

   • Political affiliations;
   • Mental and psychological problems potentially embarrassing to the student and
     his/her family;
   • Sex behavior and attitudes;
   • Illegal, anti-social, self-incriminating and demeaning behavior;
   • Critical appraisals of other individuals with whom respondents have close
     family relationships;
   • Legally recognized privileged or analogous relationships, such as those of
     lawyers, physicians, and ministers; or
   • Income (other than that required by law to determine eligibility for participation
     in a program or for receiving financial assistance under such program).”[36]
Finally, the Individuals with Disabilities Education Act (IDEA), passed in 1975 and reauthorized as
the Individuals with Disabilities Education Improvement Act (IDEIA), expands FERPA
protections. The IDEIA outlines “procedures for parental notification, record retention,
storage, and destruction; training requirements; and the publication of names of staff
members with access to student information.”[37] For example, the IDEIA requires that the
educational entity make reasonable efforts to obtain parental consent, and that consent
must be obtained to conduct student evaluations to determine whether the child has a
physical, mental or emotional disability.[38]

In addition to the federal regulations, there are also state policies that dictate the process
and content for disclosing school records, including health information contained within
them. For example, the Maryland Student Records System Manual (MSRSM) 2006
specifies guidelines to comply with state regulations: Education Article 2-205, Annotated
Code of Maryland; 16 separate regulations under Title 13A, State Board of Education;
and two regulations under the Department of Health and Mental Hygiene’s Title 10
governing immunizations and lead screening.39 Examples of these guidelines include:

    - A standard form to be submitted to schools certifying that the child has undergone
      blood testing for lead poisoning.
    - Standard forms for certifying immunization compliance.
    - A description of which forms must be used to comply with the record of physical
      examination requirement.

   U.S. Department of Education. (2007). Protection of Pupil Rights Amendment.
   Federal Register. Department of Education, 34 CFR Parts 300 and 30, Assistance to States for the
Education of Children With Disabilities and Preschool Grants for Children With Disabilities; Final Rule.
As noted earlier, the inclusion of health information within school records can cloud
jurisdictional boundaries. There are two types of health information found in school
records. The first type of school-based health information found in a school record
includes traditional health services. This health information may include immunization
monitoring, first aid, and periodic health screenings that are documented in the record but
may have been provided at other locations, such as a doctor’s office. This information is
considered to be part of the school record and is governed by FERPA and other well-
established education laws and protections that guard the privacy rights of students.40

The second type of health information found in educational settings involves referrals and
the use of school-based health centers (SBHCs).41 The intent of the legislatively
mandated SBHCs is to provide prevention and early intervention to health problems that
interfere with a child’s ability to learn. SBHC services may include medical health,
mental health, and dental services on-site or through other providers by referral. SBHCs
also serve as a safety-net provider for under- and uninsured families.

Health information gathered in SBHCs is subject to different federal and state statutory,
regulatory, and policy directives regarding privacy and confidentiality than are general
student records.42 For example, services provided through non-traditional settings, such
as SBHCs, can lead to protections under HIPAA if data is transmitted electronically in
connection with a HIPAA standard transaction. If the data being transferred falls under
HIPAA’s standard transactions, including billing third-party payers such as a health plan
or Medicaid, this data transfer places the health information under the category of a
covered entity under HIPAA. Covered entities must comply with the requirements of the
Transaction Standard and Code Set Rule, such as using specified data elements and
transaction codes. Therefore, when school health programs transmit electronic health
information for billing, even if this service is provided by a third party, the SBHC must
comply with HIPAA.43 Beyond the Transaction Standard and Code Set Rule, however,
the HIPAA statute is silent on the subject of SBHCs. Given the increasing numbers of
children with physical and emotional conditions, clarification and awareness of how to
handle confidential health information is even more important.44 While information in
the SBHC record is covered under HIPAA or FERPA, the health information in the
traditional education record (e.g., first aid) is not. Where there is a lack of clarity on the
necessity to comply with HIPAA in SBHCs, the policy of the Maryland State Department
of Education (MSDE) is to treat all SBHC records and transactions as covered by HIPAA
rules for privacy, security, and disclosure when they fall outside of the boundaries of
FERPA. An SBHC that receives federal funding is required to comply with FERPA.45
The issues involving health information in school records need further discussion to
clarify and resolve the discrepancies between FERPA and HIPAA, parameters for
consent of minors, longevity of maintenance and transfer of personal health records to
providers, and transfer costs to electronic format.46

   Electronic Health Information Exchange to Study Electronic Health Records. (September 11, 2006).
Issues Raised by Expansion of the Use of Electronic Health Records in School Health Services.
   Electronic Health Information Exchange to Study Electronic Health Records. (September 11, 2006).
Issues Raised by Expansion of the Use of Electronic Health Records in School Health Services.
   The Commonwealth of Massachusetts. Memorandum: HIPAA and FERPA.
   National Task Force on Confidential Student Health Information. Guidelines for Protecting
Confidential Student Health Information. Kent, Ohio: American School Health Association, 2000, page 34;
cited in Electronic Health Information Exchange Task Force to Study Electronic Health Records, Issues
Raised by Expansion of the Use of Electronic Health Records in School Health Services, September 11, 2006.
   Electronic Health Information Exchange to Study Electronic Health Records. (September 11, 2006).
Issues Raised by Expansion of the Use of Electronic Health Records in School Health Services.
   Electronic Health Information Exchange to Study Electronic Health Records. (September 11, 2006).
Issues Raised by Expansion of the Use of Electronic Health Records in School Health Services.