Emory Law Journal


Consider a law student who has a mental or reproductive health issue that the student wishes to keep private. If the student seeks care at an off-campus health clinic that is not affiliated with the student’s law school or university, the student typically has a number of federally enforceable privacy rights. For example, the federal HIPAA Privacy Rule will typically apply and prohibit the clinic from disclosing the student’s protected health information to professors, parents, and other third parties without the student’s prior written authorization. The law student also will have the right to receive a notice of privacy practices, the right to request further privacy restrictions, the right to obtain paper and electronic copies of medical records, the right to amend incorrect medical record entries, the right to receive an accounting of medical record disclosures, the right to ask privacy-related questions of an institutional privacy officer, and the right not to be intimidated, threatened, coerced, or discriminated against for exercising these rights. The HIPAA Security Rule also will typically apply, requiring the clinic to implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of the student’s electronic protected health information. Finally, if the off-campus clinic discovers a breach of the student’s unsecured protected health information, the HIPAA Breach Notification Rule will typically apply, requiring the clinic to report the breach to the student, the federal government and, in certain cases, prominent media outlets serving the jurisdiction.

If the law student seeks care at a health center affiliated with the student’s university, however, the story will be completely different. This is because the medical records that result from the student’s encounter with the student health center—called student treatment records—are excepted from the definition of protected health information under the HIPAA Privacy, Security, and Breach Notification Rules. Student treatment records also are excepted from the definition of education records under the Family Educational Rights and Privacy Act of 1974 (FERPA), the major federal statute that requires federally funded academic institutions to protect the privacy of such records. These exceptions exist because Congress, in late 1974, expressed its intent that student treatment records be protected only by state law. Unfortunately, state law provides minimal protections for student treatment records.

This Article responds to the need for greater privacy, security, and breach notification protections for student treatment records. After reviewing a number of privacy and security breaches involving colleges and universities and the patchwork of federal and state law that fails to adequately protect student treatment records, this Article shows that many student health centers provide students with confusing information (at best) and misleading or incorrect information (at worst) regarding their privacy, security, and breach notification protections. After providing several practical, political, and health policy justifications for amending federal law, this Article re-writes relevant statutory and regulatory provisions in FERPA and HIPAA. If the proposals set forth in this Article are implemented by the federal government, student treatment records will receive the maximum privacy, security, and breach notification protections available currently available under the law.