FERPA, HIPAA & DPPA Federal Privacy Laws

619 views

Published on

Published in: Self Improvement
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
619
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
4
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

FERPA, HIPAA & DPPA Federal Privacy Laws

  1. 1. FERPA, HIPAA & DPPAHow federal privacy laws affect newsgathering The federal laws that control the information a state can disclose about its citizens are usually meant to protect individu- al privacy rights, but many open government experts say states are interpreting the laws too broadly and it is interfering with journalists’ newsgathering ability. The federal privacy protection laws — including the Family Educational Rights and Privacy Act (FERPA), which applies to student records; the Health Insurance Porta- bility and Accountability Act (HIPAA), which deals with health information and medical records; and the Driver’s Privacy Protection Act (DPPA), which deals with records kept by state departments of motor vehicles — can hinder reporters’ ability to obtain records under state freedom-of-information laws. Spring 2010
  2. 2. The Family Educational Rights and Privacy Act (FERPA) The Family Educational Rights and Privacy Act of 1974 is The new Department of Education regulations prevent the the federal law that protects the privacy of student education release of even anonymous information when those records are records and requires schools to obtain a student’s consent, or, requested by someone the institution “reasonably believes” for minor students, the consent of their guardian, prior to knows the identity of a student involved in the record. This disclosing academic records. new rule proves especially problematic for journalists because The law was aimed at protecting it hinders their ability to make a gen- students’ grades and disciplinary records eralized records request about a widely from public release, but according to the publicized campus incident when Society of Professional Journalists, it “has the names of involved students have been twisted beyond recognition, keeping already been made public. school lunch menus, graduation honors Because the law is vague and and athletic travel records secret.” unclear, reporters say, even simple In practice, the act is frequently abused open-records requests are handled to deny newsworthy open-records re- differently at different schools. A six- quests for information in which there is month investigation by the Columbus no legitimate privacy interest, said Frank Dispatch in 2009 into how college LoMonte, executive director of the Stu- athletic departments respond to public dent Press Law Center. “Because of the records requests found that branches over-the-top way that schools and col- of the same state college system had leges interpret FERPA, journalists have conflicting approaches to dealing with been denied access even to anonymous records requests. statistical information that’s necessary The results of the Columbus Dis- to perform their oversight function,” patch investigation “stunned” former he said. U.S. Senator James Buckley, who LoMonte cites other extreme exam- crafted the legislation in the 1970s ples, including practices at the University to keep report cards and transcripts of Wisconsin-Milwaukee and Emporia private. Buckley told the newspaper State University in Kansas. Wisconsin he never intended for the law to apply “took FERPA literalism to new heights” to athletic records. “The law needs when it withheld audiotapes and minutes to be revamped. Institutions are put- of open, public committee meetings dur- ting their own meaning into the law,” ing which students spoke and voted, say- Buckley said. ing that the students’ voices were private Meaningful reform would hinge information and Emporia claimed that on getting rid of the “perception, fu- campus parking tickets are were private eled by a poorly drafted statute, that under the act, LoMonte said. a school that slips up and mistakenly When Congress enacted FERPA dur- honors an open-records request will ing the 1970s, it was designed to protect lose all of its federal money and be student records from being released dur- shut down,” LoMonte said. “In the ing a time when a substantial amount of 36-year history of the statute, not one social-science research was taking place in institution has ever been penalized one elementary and high schools. “The addi- dime, and yet that perception persists.” tion of colleges to FERPA was very much LoMonte said the statutory defini- an afterthought and some people in fact tion of what is an “education record” think it was a mistake,” LoMonte said. could also be tightened so that it is Still, at the time, the act was under- clear that a student’s parking tickets, stood to apply only to educational records job application or any other document and not to every document that refers to a that is generated in a non-academic student. When courts have interpreted the law they have used capacity is not a FERPA record. “If the student is just doing this common-sense approach, but the Department of Educa- something that any member of the general public could do, tion has been “openly defiant,” even enacting a rule effective like getting a traffic ticket, then they’re not acting in their in January 2009 that appears to directly contradict the courts’ ‘student’ capacity and there shouldn’t be two sets of disclosure interpretation that documents are no longer FERPA documents rules just because one driver was lucky enough to register for once student identities are removed, LoMonte said. a racquetball class,” he said.2 FERPA, HIPAA & DPPA: How federal privacy laws affect newsgathering Spring 2010
  3. 3. Health Insurance Portability and Accountability Act (HIPAA) Congress passed the Health Insurance Portability and Ac- and leaking celebrity patient medical records or financial in- countability Act in 1996, which required the Department of formation to tabloids. Farrah Fawcett’s medical records, for Health and Human Services to enact federal health privacy instance, were leaked to the National Enquirer in 2007 when regulations known as the Standards for Privacy of Individually she received her cancer diagnosis. Identifiable Health Information. Many media organizations, For that reason, hospitals are cracking down on both including The Reporters Committee for Freedom of the Press, unintentional and intentional breaches, which makes sense the Newspaper Association of America, the National News- to most journalists. “No reporter would argue with that,” paper Association and the American Society of Newspaper Ornstein said. “It’s an issue of misusing HIPAA where no Editors, objected that the proposed rule overly patient privacy applies.” restricted access to information. Still, the law According to the Department of went into effect in 2003. Under the privacy rule, Health and Human Services, HIPAA those who violate the law unintentionally can allows the release of hospital direc- incur civil penalties of $100 per violation, up to tory information containing basic a $25,000 annual maximum fine. For intentional facts about current or recent patients violations and misuse of individually identifiable treated by a hospital, unless the pa- health information, criminal penalties can lead tient objects. This includes patients’ to a fine of up to $250,000 and imprisonment for names, locations within the hospital, up to 10 years. A safe harbor provision exists for general conditions, including whether inadvertent disclosures made by covered entities a patient has been treated and released that exercise reasonable diligence in attempting or has died, religious affiliations and to comply with the law. room telephone numbers. However, Even with safeguards to protect institutions despite these guidelines, many hospi- that make a good-faith disclosure decision, jour- tals claim information is protected by nalists say agencies withhold records that were HIPAA when it is not. never intended to be covered under HIPAA One recent example of widespread because they are unsure about the law — or HIPAA misapplication is the vast use it as an excuse. variation in how state and county “Reporters understand the need not to have health departments and government private health information released willy-nilly,” agencies provided information on the said Charles Ornstein, a Pulitzer Prize-winning H1N1 flu and its related deaths. The reporter for ProPublica in New York and presi- Association of Health Care Journalists dent of the Association of Health Care Journal- found that while HIPAA prevents the ists. “The biggest problem, from my estimation, release of names of patients, when an is that HIPAA is misapplied by hospitals and H1N1-related death occurred, some healthcare institutions.” hospitals were more forthcoming and Many hospitals, for example, refuse to released the age of the person who release information even with the consent of died and some underlying medical the patient. When Ornstein was a reporter for conditions, while others would go the Los Angeles Times, he was assigned to cover no further than to state a death had the 2005 derailment of a train in Glendale, occurred. California, and wanted to talk with survivors “Across the country, there can in local hospitals. He found that the hospitals be an attitude of ‘big brother knows had a “radical difference” in willingness to help best,’ and ‘we know what information journalists. Some hospitals relied on HIPAA the public should know and we’ll tell automatically, refusing even to let survivors know a reporter you what you need to know,’” said Ornstein. “Unfortunately wanted to speak with them, while others arranged interviews and this attitude is not arming the public with the information to invited Ornstein and his photographer to approach the patients. decide what the risk is and how to protect themselves.” “HIPAA doesn’t say you can’t ask the patient [for an inter- Still, health institutions typically release hospital inspec- view], but a hospital that doesn’t want to cooperate just uses tion reports, Ornstein said, even when the reports include HIPAA as a shield,” Ornstein said. “It goes beyond issues of information relating to a specific patient that can be easily patient privacy. Some hospitals just don’t want to be in the identified. For example, when Dennis Quaid’s newborn twins media and will go to unbelievable lengths to say we’re not al- were among three children who received an overdose of the lowed in, when in fact it’s not that easy.” blood-thinner Heparin, an investigation took place and the Exacerbating the problem are privacy breaches, including inspection report was released, even though the public could reports of nurses and doctors hacking into hospitals’ computers, surmise that “Patient A” and “Patient B” where Quaid’s chil- illegally accessing their friends and family members’ records, dren, Ornstein said.Spring 2010 The Reporters Committee for Freedom of the Press 3
  4. 4. The Driver’s Privacy Protection Act (DPPA) The Driver’s Privacy Protection Act was passed in 1994 exemption. SPJ, for example, did not pursue the newsgather- and amended in 1999 to require drivers’ consent before states ing exemption because “at the time, the leadership did not can release personal information contained in an individual’s feel comfortable having rights above and beyond those of the department of motor vehicles record, even when the informa- general public,” said SPJ Executive Director Joe Skeel. tion is requested en masse for a generalized marketing purpose. “I thought it was a terrible idea at the time,” said Diane The protected privacy information includes all of the in- Kennedy, president of the New York News Publishers Associa- formation attached to a person’s driver’s license record and tion. By turning down a newsgathering exemption, the media application, such as their name, address, telephone number, industry essentially gave up the public’s only hope for access- vehicle description, Social Security Number, driver identifica- ing important motor vehicle records through news reporting. tion number, photograph, height, weight, gender, age, driving- The belief that journalists should always be treated the related medical conditions and fingerprints. The law does same as members of the public has evolved since 1994, said not, however, protect a driver’s traffic violations, accidents or Skeel, who noted that SPJ recently pursued a federal shield current license status from release. Whether that information law, which gives reporters more rights than ordinary citizens to is available upon request depends on each individual state law resist subpoenas. “Now, if journalists don’t have special rights, and many state rules are more restrictive than it’s really going to hurt the public more in the the federal guidelines. long run,” he said. Senator Barbara Boxer of California created Though no newsgathering exemption ex- DPPA in the wake of the murder of a famous ists within the DPPA, reporters in some states actress whose stalker hired a private detective are able to rely on various narrow interpreta- to find her address through state motor vehicle tions of the law in order to gain access to the records. Ironically, the final version of the law records. In some states, journalists reporting carved out an exemption for licensed private on accident trends or similar issues can pursue investigators. disclosure under the driver safety exemption. The law has other exceptions, which some New York, for example, maintains a database open government advocates argue swallow accessible to those who frequently need to gain the rule. The protected personal information access to driving records — such as towing can still be accessed by any federal, state or operations, insurance companies, and credit local agency in order to carry out its govern- bureaus — as well as anyone participating in mental function, such as for law enforcement market research activities. purposes and for use in proceedings involving Until recently, New York journalists who automobiles — for instance, a recall of motor believed their reporting fell under the research vehicles or an insurance claim investigation. function could gain access to the database after The personal data can also be released if a re- signing an agreement promising to use the quester can show the information will be used online lookup system only for research pur- for automobile and driver safety purposes, the poses. Every record search cost $7, with each prevention of auto theft, or for market research newspaper running a few thousand searches activities. per year. But in April, the state’s motor vehicles “The biggest irony of this bill is that it department began contacting newspapers makes allowances for nearly every special inter- to revoke database privileges, saying it had est group imaginable — from insurance compa- conducted an audit and determined that nies to direct marketers — but it bars access to newsgathering was not a research function, the public, which pays to collect and maintain even when used for public safety purposes or the information and which is supposed to to illustrate driving trends. benefit from collecting this information,” then Kennedy said the Department of Motor Society of Professional Journalists Freedom of Vehicles “has not been forthcoming with Information Committee Chairwoman Lucy Dalglish testified plausible reasons why” the audit was conducted in the first before the House Judiciary Committee when it was considering place and why its commissioner has refused to meet with news the legislation in 1994. organizations to discuss the issue or clarify the problem. “The only protection the public has against government New York media organizations plan to write a formal letter incompetence is the ability to scrutinize these records. In a to the DMV requesting to have their database access reinstated. democratic society, the price of government accountability can At the very least, the media industry hopes the database can be sometimes be the loss of a small measure of privacy,” Dalglish retooled so that reporters who already have personal informa- testified on behalf of a coalition of journalism groups. tion can use the lookup to verify that they are writing about Despite all the exemptions to the law, there is no provi- the correct person. sion allowing journalists access to the data for newsgathering “The public is deprived of knowing there are these danger- purposes and some lay the blame for the lack of a news-related ous drivers out there,” Kennedy said. She illustrated the im- exemption squarely on the shoulders of the news media indus- portance of motor records in reporting by citing a car accident try, which fought the legislation but did not pursue a media in which a driver with a long history of reckless behavior hit a4 FERPA, HIPAA & DPPA: How federal privacy laws affect newsgathering Spring 2010
  5. 5. mother and little girl. The police officer on the scene failed to tions already in place, since the media industry already gave up run the driver’s license or issue a citation, but a reporter used their opportunity for a newsgathering exemption. “I think we the database to look up the driver’s information. As a result of kind of missed the boat on that,” said Kennedy. the reporter’s story, the driver’s license was revoked. At least one state, however, has succeeded in creating a “I believe the DPPA was passed as part of a knee legislative recognition of journalists’ right to obtain records jerk reaction to something that was not based in real- under the DPPA exemption for the promotion of highway and ity,” said Robert J. Freeman, the executive director of vehicle safety. In Minnesota, the head of the state Driver and the Committee on Open Government in New York. Vehicle Services testified to her belief that the DPPA safety Part of the problem, Freeman said, is that there are too many exemption clearly encompasses journalists. privacy laws, and they are not consistent. Voting records, for “Since the inception of DPPA, we have had an agreement example, are public and contain the same information expressly with the state Driver and Vehicle Services to get the data we made private by the DPPA. Freeman called the law an “aberra- used to get, but under a use agreement,” said Minneapolis at- tion” because there is a vast societal distinction between when torney Mark Anfinson, who represents the Minnesota News- it was enacted, and now, when people freely publish the very paper Association. “It’s been consistently a good arrangement.” information protected by the act on Facebook, online phone Still, Anfinson says just this past year, the department has been books and other message boards. asking news organizations to provide more information on the “There are numerous sources of that information, but intended use of drivers’ records. Anfinson said that will not be a Congress, in its overreaction, decided to limit that informa- problem for reporters, since “it is so easy for any news organi- tion which historically has been open,” Freeman said. “There zation to itemize the important public uses this data is put to.” are innumerable situations involving government officials in He points to a recent example in which a local ABC affili- which it is in the pubic interest to have access to the kind of ate used the data to document that a small community had 77 information shut off by the DPPA.” driver’s licenses issued under the same name and birth date Unlike FERPA, however, there is no easy legislative fix for and, as a result, the state investigated the scam and revoked DPPA. Congress likely will not act to remove privacy protec- all the licenses. Comparing the federal privacy laws Unlike with FERPA, reporters aren’t calling for a con- secret under DPPA. If DPPA was invoked, unlike FERPA, it’s gressional “fix” of HIPAA. Since the real issue appears to be usually because DPPA actually does apply.” misinterpretation and misapplication of the law, Ornstein said Both FERPA — with its roots in protecting schoolchildren health facilities need further education and retraining about from embarrassment based on 1970s social science research — what HIPAA does and does not do. and DPPA, which many argue is obsolete in the information-age But LoMonte said FERPA and HIPAA have some troubling of the Internet, protect against harms that some see as only a similarities. “In both cases there are widespread misperceptions theoretical risk. HIPAA, on the other hand, stems from the about what is and isn’t covered, and the cultural norm has widespread and current abuse of patient health information. become, when in doubt, to disclose nothing,” LoMonte said. “The issue of hacking into financial, insurance and health Even though HIPAA only applies to disclosures by health information by doctors and nurses who should know better is care providers and health insurers, “the idea has become stuck very real and that shouldn’t happen,” Ornstein said. When in- in the general public’s heads that anything referring to some- stitutions are faced with these legitimate concerns about privacy, one’s health is confidential,” said LoMonte, who has heard of they are often more likely to err on the side of nondisclosure, photographers being banned from taking a picture of an athlete’s which makes journalists’ newsgathering especially difficult. leg being taped up in the locker room because the school thinks “What all three statutes also have in common is that they that violates HIPAA. Still, LoMonte said the frequency of those have generated such a pervasive fear of the results of non- misinterpretations “really pales in comparison” to FERPA. compliance that impacted institutions would much rather While both FERPA and HIPAA are frequently misapplied, risk a suit under the relevant public records statute than to the DPPA leaves less room for misinterpretation. “The DPPA disclose information covered by either of the three statutes,” is so laser-focused on driver license and registration records, Harry Hammitt, vice president of the Virginia Coalition for there’s less room for subjective judgment calls,” LoMonte said. Open Government, wrote in a report on federal controls of “We rarely hear of someone being falsely told that a record is information disclosure. FERPA, HIPAA & DPPA: How federal privacy laws affect newsgathering © 2010 The Reporters Committee for Freedom of the Press. Written and researched by Miranda Fleschert. This guide was funded by a grant from the McCormick Foundation.Spring 2010 The Reporters Committee for Freedom of the Press 5
  6. 6. http://www.rcfp.org/readingroom Visit the Reporters Committee’s Reading Room . . . The Reporters Committee makes all of its publications available online, so that journalists who want to stand up for their First Amendment and freedom of information rights can have the resources they need, anytime. Visit the Reading Room at www.rcfp.org/readingroom.

×