Private Schools and the Intersection of HIPAA and FERPA

My wife works as an Administrative Assistant at a local private school. As you might expect, they take very seriously their responsibility to help stop the spread of COVID-19 in the community. As part of their efforts, they require students who were in direct contact with persons diagnosed with COVID-19 to quarantine at home, away from the other students.

The school does a good job of communicating with parents. They send out regular email with statistics on the number of students or faculty diagnosed with COVID-19 and the numbers currently quarantining. Of course, they don’t disclose any names or other identifying information because of privacy concerns.

As a school, are they legally not allowed to disclose that kind of information, or are they refraining because of a more general concept of privacy?

That question is not so easy to answer because it depends on the interplay of two federal statutes — HIPAA and FERPA. Most people know that HIPAA covers the privacy of medical records. The Family Educational Rights and Privacy Act (FERPA), on the other hand, protects the privacy of student educational records. One or the other, or neither, apply to schools.

As a general rule, HIPAA does not apply to schools. HIPAA applies to health care providers who exchange electronic information, health plans, and health information clearinghouse. Even if the school has a nurse on-site, it is usually not considered a health care provider. There are certain exceptions, but they are not common. For instance, a school that provides health care to students in the normal course of business, such as through its health clinic, is also a “health care provider” under HIPAA. However, many schools that meet the definition of a HIPAA covered entity do not have to comply with the requirements of the HIPAA Rules because the school’s only health records are considered “education records” or “treatment records” under FERPA.

FERPA is a Federal law that protects the privacy of students’ “education records.” FERPA affords parents certain rights regarding their children’s education records maintained by educational agencies and institutions and their agents to which FERPA applies. These include the right to access their children’s education records, the right to seek to have these records amended, and the right to provide consent for the disclosure of personally identifiable information (PII) from these records, unless an exception to consent applies.

FERPA applies to educational agencies and institutions that receive Federal funds under any program administered by the U.S. Department of Education. An educational agency or institution subject to FERPA may not disclose the education records, or PII from education records, of a student without the prior written consent of a parent or the student, unless an exception applies.

Private and religious schools at the elementary and secondary levels generally do not receive funds from the U.S. Department of Education and are, therefore, not subject to FERPA. Neither will HIPAA apply unless one of the uncommon exceptions exists. Of course, private schools should still be mindful of the privacy of their students and just because HIPAA or FERPA does not apply does not mean the school should make those disclosures. However, private schools do have more flexibility in handling these situations than do most public institutions.

Source: Joint Guidance on the Application of FERPA and HIPAA to Student Health Records


CMS Encourages Faster COVID-19 Diagnostic Testing

CMS is changing its payment methodology to encourage higher throughput of COVID-19 diagnostic testing. Previously, CMS would reimburse $100 per test

Starting January 1, 2021, Medicare will pay lower the base rate to $75. However, if the laboratory can complete the test within two (2) calendar days from the date the specimens is collected, CMS will reimburse an additional $25 for a total of $100 per test.

To be entitled to this $25 incentive, the laboratory must: a) complete the test in two calendar days or less, and b) complete the majority of their COVID-19 diagnostic tests that use high throughput technology in two calendar days or less for all of their patients (not just their Medicare patients) in the previous month.

Source: Press release: CMS Changes Medicare Payment to Support Faster COVID-19 Diagnostic Testing


DOJ sues Cigna, alleging $1.4B in Medicare Advantage fraud

Cigna falsified the health conditions of its Medicare Advantage plan members to coax CMS into making larger payments to the insurer on behalf of beneficiaries, a U.S. Justice Department lawsuit alleges.

Medicare Advantage organizations get reimbursed by Medicare based on a formula that takes into account the patient population’s acuity levels. Risk adjustment scores adjust for health conditions so that more reimbursement levels are higher for more costly or chronically ill populations.

The risk adjustment scores have become a source of potential fraud. If the scores are not accurately calculated, MA organizations can receive more reimbursement than their populations warrant. The scores are calculated by CMS based on information provided by the MA organization about the patients health conditions. If the health information provided by the MA organization is inaccurate, so too will be the risk adjustment scores derived by CMS.

Cigna uses a medical assessment system called “360” to assess the health condition of its patients, but this system did not require the providers to state whether the patient’s condition was derived from a clinical assessment or the patient’s subjective description.

CMS alleges that Cigna received an estimated $1.4 billion from 2012 to 2017 and DOJ is seeking equal to three times that amount in damages, along with a civil penalty of $11,000 for each violation.

Source: DOJ sues Cigna, alleging $1.4B in Medicare Advantage fraud


CMS Issues Cease and Desist Orders to Uncertified Labs Performing COVID-19 Testing

Since August 12, 2020, CMS issued 171 cease and desist letters to entities across the U.S. that were testing for COVID-19 without the appropriate certifications under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

Every facility that conducts COVID-19 testing is considered a “laboratory” and must be certified under CLIA, which verifies that labs meet federal performance and quality standards to help ensure they provide reliable results.

According to CMS, 34% of the labs that were ordered to stop testing were operating without a CLIA certificate, while the remaining 66% were performing COVID-19 testing outside the scope of their existing CLIA certification. The letters provided non-certified labs with information on how to become CLIA certified and encouraged certified labs to obtain proper CLIA certification so they could resume COVID-19 testing.

Source: CMS Takes Action to Protect Integrity of COVID-19 Testing


Data Breaches Can Result in Federal and State Liability

Regulatory bodies continue to impose severe penalties on covered entities who fail to protect patient data from unauthorized disclosure.

Community Health Systems, Inc. recently settled claims with HHS Office of Civil rights resulting from a 2014 data breach that exposed personal information of approximately 6.1 million patients for $2.3 million.

But settlement with the federal government does not necessarily end the matter as such large-scale data breaches likely implicated state law.

On October 8, 2020, the New Jersey Attorney General announced a multi-state settlement involving 28 participating states for a total of $5 million.

These cases are in contrast to penalties imposed on providers who fail to give patients access to their own records, such as the recent $160,000 fine imposed on Dignity Health.

Sources: Community Health Systems, Inc. Settles for $5 M in Multi-State Settlement; Dignity Health Settles with OCR for $160,000 for Failing to Provide Access to Records


Two charged in prescription and kickback scheme

An 11-count indictment unsealed on Friday charges former Kindred Home Health employee Amber Price, 37, and Christopher Cruz, 46, owner of a medical marketing business, CP Cruz Management Group, LLC (Cruz), with one count of conspiracy to violate the federal anti-kickback law.

Under the alleged scheme, Price and Cruz would create fraudulent prescriptions using actual hospital patient data. They would either forge the physicians’ signatures on the prescription forms or use pre-signed or photocopied forms. Price and Cruz would then provide fraudulent prescriptions to pharmacies or labs for submission to Medicare and private payors for reimbursement. When the pharmacies and labs got reimbursed, they would pay a percentage of the reimbursement to Price and Cruz.

The submission of false prescriptions is a violation of the civil False Claims Act. No doubt, Price and Cruz were charged with conspiracy to violate the Anti-Kickback Statute in order to impose criminal liabilities on top of the civil penalties under the FCA.

Source: Two people charged in connection with health care fraud scheme, officials say


Medical Device Maker to Pay $18 Million to Settle Allegations of Improper Payments to Physicians

This is not a Texas company, but it is a good example of how some manufacturers try to cloak improper payments under the veil of legitimate compensation.

The device manufacturer paid millions of dollars in “advertising assistance, practice development, practice support, and purported unrestricted educational grants” directly to local healthcare providers to induce sales of their products. Moreover, these inducements were only paid to select providers to reward them for past sales. The press release highlights the fact that the manufacturer’s compliance officer warned them of the practice, but those warnings went unheeded.

This matter started as a qui tam (Whistleblower) action under the False Claims Act by the former chief compliance officer of the company.

Source: Medical Device Maker to Pay $18 Million to Settle Allegations of Improper Payments to Physicians


OCR Settles Eighth Investigation in HIPAA Right of Access Initiative

Since 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has been prioritizing enforcement actions against covered entities that do not allow patients timely access to their health records at a reasonable cost as required by HIPAA. This month, OCR settled an eighth investigation for $160,000 and corrective action against a hospital who failed to provide a mother full access to her son’s medical records for more than 22 months.

Source: OCR Settles Eighth Investigation in HIPAA Right of Access Initiative


VIDEO: TBCE Stem Cell Stakeholder meeting

Stem Cell Stakeholder meeting of the Texas Board of Chiropractic Examiners from Tuesday, October 13, 2020.


HHS Renews Public Health Emergency Declaration through January 20, 2021

On Friday, October 2, the U.S. Department of Health & Human Services (HHS) announced that the Public Health Emergency (PHE) declaration for COVID‑19 will be renewed for another 90 days, beginning on October 23 (the date the PHE was previously scheduled to expire) and extending through January 20, 2021.

Source: Renewal of Determination That A Public Health Emergency Exists