The 2019-20 academic year, abruptly disrupted by the COVID-19 pandemic, is over. But not all Extended School Year (ESY) services this summer will be in-person. And distance learning may well continue, in part or in full, when the 2020-21 school year starts. Your program will likely need to include school-based teletherapy for some time.
Accordingly, you’ll want to be sure you’re using FERPA- and HIPAA-compliant teletherapy platforms.
We always encourage you to consult professional legal counsel. But, at Pediatric Therapeutic Services (PTS) we felt it important to mention some issues to keep in mind. These are basics we make sure our clinicians understand. We hope they’ll help you choose platforms for school teletherapy that let you stick to best practices—and the law.
FERPA vs. HIPAA: Two Kinds of Information, One Common Goal
Education information and health information differ. The federal laws governing who can access them, however, share the goal of keeping them private and secure.
The Family Educational Rights and Privacy Act (FERPA) protects students’ personally identifiable information (PII)—name, birthdate, identification numbers, and so on—in education records.
Except under certain circumstances, FERPA prevents schools that receive federal funding from releasing education records without express written permission from parents or “eligible students” (those age 18 and older or attending postsecondary schools).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to keep a person’s protected health information (PHI) from being disclosed without the person’s knowledge or consent (again, exceptions exist). It also set national standards for the secure electronic transmission of PHI.
Generally, HIPAA doesn’t apply to schools. Schools often have students’ PHI on file in education records, but FERPA protects it. The HIPAA Privacy Rule specifically excludes FERPA-protected records from its coverage. HIPAA does apply to healthcare providers, including school-based therapists, school nurses, and psychologists, as Sandra Barboza and colleagues explained in The Internet Journal of Law, Healthcare and Ethics.
Because using teletherapy for schools necessarily increases electronic transmission of both PII and PHI, your program needs platforms that comply with FERPA and HIPAA.
Best Privacy and Security Practices for School-Based Teletherapy
Since both laws are technology neutral (not mandating specific technologies), no single uniform standard for FERPA- and HIPAA-compliant teletherapy platforms exists. But your program can still follow several best practices to ensure you’re obeying school teletherapy rules:
Use Only Securely Encrypted Platforms and Services
Encryption is a must. Proper encryption protects data from the instant it’s created, wherever it’s sent, and allows only authorized users to access it.
Be sure your platform doesn’t limit its definition of “data” to information users knowingly provide. Platforms should encrypt all user metadata and content.
Sign a Written Contract or Legal Agreement When Possible
If you can, sign a contract that specifies what data the platform collects, to whom it belongs, with whom it may be shared, how long it will be kept, and similar provisions.
When such contracts aren’t feasible—as with most click-wrap services (which require clicking the “accept” box for use)—take such steps as:
- Printing out the Terms of Service.
- Checking to see whether the provider may amend them without notice.
- Developing policies about who in your program may or may not accept them.
The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) offers detailed guidance about what to look for and what to avoid in Terms of Service.
Monitor Communications Containing Protected Data
HIPAA requires that systems used to electronically communicate PHI “must have mechanisms in place so communications can be monitored and remotely deleted if necessary.” Such mechanisms include anti-virus and anti-malware tools, automatic log-offs after a set period of idle time, and administrators’ ability to block an authorized user’s access.
Develop a Data Breach Protocol
Children’s PHI is “particularly vulnerable” to bad actors, according to PTAC. Schools have a legal and ethical responsibility to “design and implement a comprehensive data breach response plan” that includes notifying data owners as soon as possible.
Let PTS Help You Take Stock of and Strengthen Your Program
In March, the Department of Health and Human Services (HHS) announced it will not penalize health care providers for noncompliance “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” Providers may use such non-public-facing audio and/or video services as Zoom, Skype, Google Hangouts, and FaceTime to connect and communicate with patients during the pandemic without fear of penalties if these technologies don’t fully comply with HIPAA requirements.
Some platforms are highlighting their claims of compliance. Zoom, for instance, points to various features it says make it both a FERPA- and HIPAA-compliant platform.
Rather than take any platform at its word or rely on HHS’ temporary non-enforcement, why not investigate how you can use school-based teletherapy in ways that protect students’ information and maximize the good your program can do?
Contact PTS to claim a free Related Services Audit for help identifying immediate ways to strengthen your program.