Getting 'Hip' to Other Privacy Laws: Part One of a Two-Part Article

by Julie Roth, MHSA, JD, RHIA

Although HIPAA currently enjoys the privacy spotlight, it is only one of several federal laws aimed at privacy protection. We have federal protections for everything from our medical and financial information to what videos we rent. When you add the various state privacy laws and accrediting body standards to the mix, privacy becomes an ever-evolving sea of statutes, rules, regulations, standards, and case decisions.

This article highlights and simplifies three of the federal privacy laws: one that protects our information in the hands of federal agencies, another that protects our education records, and a law that protects our financial information.

Privacy Act of 1974

If you work in healthcare, you’ve been following the HIPAA privacy standards for almost a year. But did you know that federal agencies have followed similar standards for nearly 30 years? The Privacy Act of 1974 requires federal agencies holding personally identifiable records to safeguard that information and provide individuals with certain privacy rights.

Federal agencies collect records about individuals for a variety of reasons. For example, an agency may collect medical records to determine an individual’s eligibility for federal employment or participation in a federal benefit program. Agencies must describe what records are collected about individuals and how they are used, protected, and disclosed by publishing a notice in the Federal Register. Only information necessary to accomplish legitimate agency activities may be collected or used, and policies to safeguard the confidentiality of this information must be implemented.

Before disclosing records to a third party, an individual’s written consent must be obtained. However, agencies may use individuals’ records as necessary to carry out internal activities without consent. They may also make disclosures pursuant to certain law enforcement requests, court orders, health and safety issues, and to comply with specific laws and governmental needs.
Balancing out the consent exceptions, agencies must account for nonconsensual disclosures by documenting when, to whom, and why a particular disclosure was made. With limited exceptions, agencies must make this accounting available to an individual upon his or her request.

In general, individuals may access their records, but each agency defines its own terms and appropriate limitations. If an individual discovers an inaccuracy in a record, he or she may request that the record be amended. An agency may decline to amend a record, but it must provide a review process and allow the individual to file a statement of disagreement. Any subsequent disclosures of the record must reference the dispute and include the statement.

Family Educational Rights

Under the HIPAA privacy rule, we now enjoy the right to access and control our medical information. We’ve had similar rights regarding our education records since 1974. The Family Educational Rights and Privacy Act (FERPA) provides students who attend or have attended a federally funded educational institution with certain rights regarding their records (for the purposes of this article, “students” includes adult students or parents of a minor student).

Education records contain personally identifiable information about students, such as social security numbers and other sensitive information like grades and enrollment history. In primary and secondary institutions, school health records of students under 18 are education records. Treatment records of students 18 and older, and those maintained by post-secondary institutions, become education records when they are disclosed to anyone (including students) other than treatment providers. When disclosed to treatment providers, these records are excluded from FERPA requirements.

To protect education records, FERPA requires institutions to obtain a student’s written consent before disclosing student information to third parties. Several disclosures are excluded from this requirement, such as disclosures to appropriate staff, other schools to which a student seeks to enroll, and organizations connected with a student’s financial aid. Records may also be disclosed as necessary for certain educational oversight activities, limited health and safety emergencies, or as required by law.

Directory information such as a student’s name, address, and academic achievements may be disclosed without consent, but students must first be notified of this practice and be given an opportunity to opt out of the directory. Whenever an institution receives a request for student information or makes a disclosure without a student’s written consent, it must document specific information in the student’s record. Internal and directory requests and disclosures are exempt from this requirement.

In addition to providing consent rights, FERPA allows students to inspect their records. If factors such as distance make inspection impractical, students must be provided with copies or some other means of access. Letters of recommendation to which a student has voluntarily waived access and certain financial records are not available for inspection. Students may ask that inaccurate or misleading information in their records be amended and must be provided with a hearing if the institution denies the request. If the final decision is in favor of the institution, the student may place a statement of disagreement in the disputed record and have it included with any subsequent disclosures.

Gramm-Leach-Bliley Act

Have you ever wondered why you began receiving privacy notices from your financial institutions over the last few years? The Gramm-Leach-Bliley Act (GLBA) is responsible. This law requires financial institutions to protect your nonpublic information (NPI) by informing you about their privacy policies and allowing you to opt out of certain disclosures.

Although the GLBA mostly affects banks and other traditional financial institutions, a hospital may be covered if it conducts banking-related financial activities, such as routinely charging interest on patients’ long-term payment plans. You have a right to a privacy and opt-out notice from a financial institution even if you are not a regular customer and only occasionally use its services as a “consumer” by doing something like withdrawing cash from a foreign ATM. A customer is entitled to the privacy and opt-out notices at the outset of the relationship and each year thereafter. A consumer should receive the notices before his or her NPI is shared.

The privacy notice describes what NPI the financial institution collects and discloses and the parties with whom it may share that information. Generally, NPI such as payment history and account numbers is collected from forms, applications, and transactions. This information may be shared inside the corporate family or sometimes with nonaffiliated third parties, such as retailers and marketers. The notice must also describe any disclosures required by law, how NPI is safeguarded, and how former-customer NPI is handled.

The opt-out notice must provide an opportunity to prevent disclosures to nonaffiliated third parties through some reasonable means, such as calling a toll-free number or mailing in a form. The opt-out right has several significant exceptions. Consumers do not have the right to opt out of disclosures necessary to administer authorized transactions, comply with various reporting laws, or carry out numerous other legally permitted activities. It is important to keep abreast of these privacy laws to uphold the integrity of privacy both within and outside the healthcare arena.