Minnesota School Steps in Without Parental Consent, Violating HIPAA, Student Lands in Hospital. The Consequences of Unregulated Data

Child in Hospital Minnesota Article

Minnesota School Steps in Without Parental Consent, Violating HIPAA, Student Lands in Hospital.

MACC is outraged with the illegalities of adopting the Common Core Standards in Minnesota and around the nation.   Parents and Citizens have taken great offense to a one-size-fits-all curriculum and over testing. We want to make it clear however that MACC is equally concerned with data flowing unregulated from state agency to agency and between schools and medical facilities. This is an instance where a parent’s right to make medical decisions for their own child has been crossed.  Thanks to JMLmom!

The Consequences of Unregulated Data

By JMLmom

When we send our children to school we all have this private notion that our children are safe. For the most part this may be true, however things are changing. FERPA (Family Education Rights Protection Act) used to protect our children and families personally identifiable information. The US Department of Education unilaterally changed that to where anyone with an educational interest can now access our children’s and our family’s information.

So what happens when we have to share our student’s medical records with the schools? The following words are from a parent who knows firsthand the devastation of what can happen when your child’s medical records are compromised due to their school’s maltreatment of the child’s information. Mind you this comes from a family with special needs children in a Minnesota School District, as many of us do.

“Many people aren’t concerned about it until they’re burned. Most people are still under the false impression that schools follow HIPAA (Health Information Portability and Accountability Act). They do not. The only part of a school that *may* follow HIPAA is the medical biller, if filed electronically. All other records fall under FERPA and have no enforcement for violations. Please be aware and cautious with shared data to your school districts. They may not be as careful with your child’s data as you are.

We also provide necessary medical records directly, and have permission for contact with the Primary Care Provider only – whom I trust implicitly, and knows our history of privacy issues and schools trying to change our children’s orders without parental consent for their convenience and not our child’s benefit. This allows contact with a medical provider in an emergency, a local ER, yet a block to too much information filtering through and changes that we do not want. He also notifies us when school is making strange requests and I can have a meeting to find out what the problem is and go from there

Our school used the medical releases to contact the specialists independently and try to change medical orders without parent consent. They then contacted our DME, which they obtained info off the feeding pump, and tried getting orders changed that route. It didn’t work but did violate HIPAA for both the clinic and DME contacted. This affected many families in this group at the time as new notices had to be made and sent as a result and permissions obtained.

They then decided to change orders with no consent and harmed our child. Our child ended up very ill and required surgical repair as a result. To recover, our child missed three months of school.

With our other child, they contacted our nursing agency and falsely billed nursing hours under their waiver. This was also a HIPAA violation for both entities and Medicaid Fraud. It cost her waiver $75,000.

I was accused of mismanaging funds before we found out where they were disappearing. The school’s punishment? They had to pay it back and write a letter describing what happened and how it wouldn’t happen again. The nursing agency’s punishment? None.

This had nothing to do with specifics and everything to do with not following the law. The school didn’t want to feed our child properly. They thought a feeding tube was an inconvenience. They thought my other child’s nursing expense was our problem. So they decided they weren’t going to deal with them. It was a school attitude problem.”

We are thankful for this parent sharing their story and that their children are ok today, as it very well could have turned out with a much different outcome. This was just one family’s experience with their children’s medical information being misused. Our children’s information, whether medical or personally identifiable (PII) should be of the utmost importance of our schools to protect. And should not be used to cause a child harm. We as parents must be vigilant about making sure that we are protecting our children’s information, once it crosses the line from HIPAA to FERPA, a new ball game and new set of rules takes hold. And it is not always for the benefit of the child or family.
http://www.hhs.gov/ocr/privacy/index.html

http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

 

 

Advertisements

One thought on “Minnesota School Steps in Without Parental Consent, Violating HIPAA, Student Lands in Hospital. The Consequences of Unregulated Data”

  1. I share your anger if, without your consent, your school made medical decisions which led to your child missing school from medical complications.

    I highly recommend you contact Patient Privacy Rights. Dr. Deb Peel needs to hear this story! (512) 732-0033

    It’s not the first time there has been Medicaid fraud in schools.
    http://archive.azcentral.com/business/articles/20120810mobile-dental-clinics-scrutiny.html

    No doubt things will get worse since school-based health care is rapidly growing and there is flimsy guidance on FERPA/HIPAA in schools.

    USED recently requested guidance on a “Dear Colleague” letter to higher education institutions to protect student medical record.
    http://ptac.ed.gov/sites/default/files/DCL%20Final%20Signed-508.pdf

    A physician, I advocated that the guidance include k-12 and early childhood, pointing out how there is no consistency or logic when it comes to HIPAA and FERPA privacy and security regulations in school-based health centers.

    The example in my state:
    OCHIN (headquartered in Portland, Oregon), is a health information network spanning 18 states and serving over 4,500 physicians. OCHIN also provides a hosted Epic Systems’ practice management system (PMS) and electronic health record (EHR).

    OCHIN guides educational institutions on HIPAA/FERPA. Take a look at the 2nd link if you really want to be confused!
    https://ochin.org/media/FERPA-versus-HIPAA-School-Based-Health-Center-Records-OCHIN-Position-Paper-131014.pdf
    https://ochin.org/media/FERPA-versus-HIPAA-School-Based-Health-Center-Records-Compliance-Decision-Tree-971467-4Final-4.5.12-rev.pdf

    OCHIN’s guidance is inconsistent with a memo from the Oregon DOJ.
    https://public.health.oregon.gov/HealthyPeopleFamilies/Youth/HealthSchool/SchoolBasedHealthCenters/Documents/Training1208_DOJmemo.pdf
    https://public.health.oregon.gov/HealthyPeopleFamilies/Youth/HealthSchool/SchoolBasedHealthCenters/Documents/Training1208_DOJfaqs.pdf

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s