HIPAA, FERPA, and Title IX Played Big Role in Menu-Courey Case
COLUMBIA -Title IX. What exactly is it? What does it entail? Most people will say that Title IX has to do equality for women in sports. The official definition is "No person in the United States shall, on the basis of sex, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any education program or activity receiving Federal financial assistance," according to the U.S. Department of Education's website. So Title IX not only applies to sports, but to all educational programs. The reason that this law has been in the news lately is because there is a section of Title IX that the Supreme Court has confirmed that "if a school knows or reasonably should know about sexual harassment or sexual violence that creates a hostile environment, the school must take immediate action to eliminate the sexual harassment or sexual violence, prevent its recurrence, and address its effects."
The Sasha Menu-Courey case brought a lot of speculation as to what exactly Title IX covered and whether or not the University of Missouri dropped the ball on how it handled the entire situation. But Title IX is not the only law that comes into play in this case. HIPAA, the Health Insurance Portability and Accountability Act of 1996, and FERPA, the Family Educational Rights and Privacy Act, also played big roles in the outcome of what ended up happening.
HIPAA is a federal law that protects all "individually identifiable health information," or "protected health information (PHI)," according to the OCR Privacy Rule Summary on the U.S.'s health and human services website. The law defines PHI as "the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, and the past, present or future payment for the provision of health care to the individual."
Broadway Urgent Care physician Eric Bettis said "HIPAA is a privacy law. It relates to all the medical records and relationships the patient has with their physician or their providers."
HIPAA applies to health plans, health care providers, and health care clearinghouses. Health plans include "health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care, such as Medicaid, Medicare and the military and veterans health care programs." Health care providers include "doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies but ONLY if they transmit any information in an electronic form in connection with a transaction for which Health and Human Services (HHS) has adopted a standard." Health care clearinghouses include "entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa."
Bettis said information protected by HIPAA is protected by the law so that " information does not get out to people in the community or to people that could use that information either for profit or other nefarious purposes."
Bettis said HIPAA information can be released under extenuating circumstances.
"HIPAA information can be released to other treating physicians, information can be given out if the patient is at risk to themselves or indicates an impending risk to somebody else," Bettis said.
HIPAA officially says information may be released "to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information and to HHS when it is undertaking a compliance investigation or review or enforcement action."
Bettis said that health care providers are obligated by law to protect their patients confidentiality.
"Things are shared in a patient-physician relationship that aren't shared, even oftentimes with their family. People need to know that there's a safe place that they can go. The law protects that."
Medical professionals go to great lengths to abide by HIPAA not only to protect their patients but also to protect themselves. The Department of Justice enforces this law and the penalties are severe. HIPAA states "a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment."
"There is a significant financial penalty," Bettis said. "Your license can be censured, your practice can be censured."
"It's not just a penalty that goes against the practitioner but it could go against their employer, anybody that does business."
Applied to the Sasha Menu-Courey case, if she in face told medical professionals that she was sexually assaulted, some say HIPAA bound them not to release that information, unless they believed that Menu-Courey was a danger to herself or others.
The other law that comes into play is FERPA, the Family Educational Rights and Privacy Act. This Federal law "protects the privacy of student education records," according to the U.S. Department of Education's website.
Cheryl Stephens, director of registration and financial services and the Title IX coordinator at Columbia College, said "At age 18, or once they've graduated high school and they're at, basically an institution of higher learning, then those rights become the child's."
According to FERPA, "parents or eligible students have the right to inspect and review the student's education records maintained by the school." Schools must have written permission from the student to be able to release any information from a student's education record.
"If a student's parents call us and they want to ask about what's going on with their student's account or with their financial aid, then we actually have to say, I'm sorry, I can't talk to you, I don't have a third party release on file for you," Stephens said.
However, there are a few exceptions to FERPA.
Under FERPA, schools cannot disclose a student's educational records, without consent, except: "if a student is transferring, in connection with financial aid to a student, in compliance with a judicial order or a lawfully issued subpoena and in the cases of health and safety emergencies."
The type of information that FERPA is allowed to release in those instances is not the entire student's educational record.
"It's basically directory information," Stephens said. "Name, phone number, if that's even in the directory."
In Menu-Courey's case, experts argue a school could release information--such as her parent's contact information--because it would have been a health or safety violation.
Back to Title IX.
As stated before, Title IX's policy on sexual harassment is that "if a school knows or reasonably should know about sexual harassment or sexual violence that creates a hostile environment, the school must take immediate action to eliminate the sexual harassment or sexual violence, prevent its recurrence, and address its effects."
Stephens, the Title IX coordinator at Columbia College, said "most people still think of Title IX as far as athletics only and about equal rights for men and women. But it actually extends beyond the classroom."
Stephens said she and her colleagues have spent the past year trying to educate their fellow staff members and students about what Title IX really is.
"The spirit of the law basically says that sexual harassment or sexual assault is not OK, whether it's intentional or not," Stephens said. "If we become aware of a situation, then as a faculty or staff member, by law, we have to report it to the Title IX coordinator."
Connecting that to the Menu-Courey case, if HIPAA restricted medical professionals from telling others about her alleged sexual assault, then it started a chain reaction.
Because they could not release that information, no one at the university found out and the health or safety emergency exception to FERPA was not enacted.
And because no one at the university found out, no one started a Title IX investigation.
Now it's up to the University's investigation to see if the scenario played out this way.