Federal privacy laws that govern the release of information about the Virginia Tech killer have proven problematic for reporters.
From the Summer 2007 issue of The News Media & The Law, page 23.
By Sean Hill
Since Seung-Hui Cho’s deadly rampage at Virginia Polytechnic Institute and State University, reporters covering the shootings have had trouble obtaining information about the shooter due to a tangle of federal privacy laws.
Although Cho committed suicide after killing 32 people on April 16, records related to his mental health and his time at Virginia Tech remain veiled behind assertions that they are protected by the Health Insurance Portability and Accountability Act (HIPAA) and the Family Education Rights and Privacy Act (FERPA).
On their own, the two laws present major obstacles to reporters accessing information from schools and hospitals, with HIPAA covering health information and FERPA protecting education records.
Journalists’ problems are compounded in Cho’s case, where the two laws present twin barriers as relevant records are spread across Virginia Tech, a state court and a private hospital.
Larry Hincker, associate vice president for university relations at Virginia Tech, said requests have been made for Cho’s academic and medical records from his enrollment at the school. But Hincker said the school is restricted by HIPAA and FERPA.
“Each of those [laws] restricts the custodian of information from releasing information to people it doesn’t belong to,” Hincker said.
‘I don’t have a story’
Bill Myers, a reporter for the Washington Examiner, felt the impact of FERPA when he tried to learn about Cho’s earlier interactions with students and school officials.
Myers filed three state Freedom of Information Act requests after the shootings. His requests included: e-mail between Virginia Tech Police Chief Wendell Flinchum and university officials, Cho’s e-mail, and e-mail belonging to Cho’s victims.
All three were denied. Cho’s e-mail messages and the victims’ e-mail messages were denied due to FERPA, while the school said Flinchum’s e-mail could not be released because it was part of a “pending” investigation. The Virginia open records law allows documents related to ongoing criminal investigations to not be released.
“It goes without saying that [the denials] blocked the story,” Myers said. “Without those e-mails, I don’t have a story.”
Records protected by FERPA are generally referred to as “education records,” but include any information that is “maintained by an educational agency or institution” and are “directly related to a student.”
Importantly in Cho’s case, though, FERPA does not apply after death, according to federal education officials, making it unclear how the law could be used to block access to records that shed light on his time at the school.
“Generally, rights expire with the individual,” said LeRoy Rooker, director of the Family Policy Compliance Office at the U.S. Department of Education. “So at the postsecondary level, that’s going to be the student, always, because FERPA rights belong to the parents until the student turns age 18 or attends a post-secondary at any age.”
However, Hincker said opinions vary as to whether FERPA rights stop at death, saying that “the state attorney general, which is of course our lawyer, is not of that opinion.”
“FERPA does not address that,” said Ron Forehand, chief of the education section at the Virginia attorney general’s office. “The law, it’s just silent as to that. And it’s up to various interpretations.”
Hincker said that at death, FERPA rights pass to the individual’s estate.
Does HIPAA apply?
Access to Cho’s mental health records could be governed by HIPAA, depending on where the records were generated.
HIPAA’s privacy rule protects from disclosure personally identifiable health information that is housed by health insurance companies, health care providers who transmit certain information electronically, and health care clearinghouses (essentially data-processing companies).
The private mental health facility Cho was committed to by a judge in December 2005 would likely be prevented from releasing information about Cho under HIPAA. HIPAA rights, according to the Department of Health and Human Services Web site, pass to the individual’s personal representative upon death, giving the representative the ability to grant their release.
However, the more interesting question is what law covers Cho’s medical records generated at an on-campus clinic at Virginia Tech, with the answer lying in the unique interplay between HIPAA, FERPA and state law.
There is some question about whether HIPAA would apply to any medical records of students treated at on-campus clinics.
HIPAA includes at least one key exception in which its protections are not applied to health-related records: when FERPA already provides protection.
If student treatment records are “shared in any way at the institution to anyone other than a treatment provider,” Rooker said, those records become education records under FERPA.
However, even if on-campus clinic records are not shared with a third party and therefore converted to education records, HIPAA may still not apply.
On-campus student health care records are either covered by FERPA (because they have been shared with a third party) or exempt from FERPA under a specific statutory exemption of FERPA (because they have not been shared). Either way, the preamble to HIPAA seems to say they are not subject to the HIPAA regulations.
The HIPAA preamble, printed in the Federal Register, states that the Department of Health and Human Services considered applying the rules to student health records until they were disclosed for reasons other than treatment, at which point they would become education records under FERPA. But the department decided against this.
“We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy of FERPA that these records be exempt from regulation to the extent the records were used only to treat the student,” the preamble reads.
Specifically, the preamble says HIPAA excludes records from students who are at least 18 years old or attending a post-secondary school, that are maintained by a “physician, psychiatrist, psychologist, or recognized professional,” that are made, maintained or used “only in connection with the provision of treatment to the student,” and that are not available to anyone but a doctor or other appropriate professional.
That could mean that student health records at an on-campus medical clinic are never subject to HIPAA. (HIPAA could still cover the records of nonstudents treated at an on-campus clinic.)
“What it says in the regulations, and it’s very clear on this, is that the records that are subject to FERPA are not subject to HIPAA’s privacy rule,” Rooker said. “So, it’s FERPA that governs what happens with medical and treatment records at a post-secondary institution.”
However, this issue does not appear to have been tested in the courts. Some attorneys say HIPAA can apply to student medical records, depending on how the campus health facility is set up.
Jane Hickey, chief of the health services section of the Virginia attorney general’s office, said HIPAA would apply if a health care entity maintains its records separately from academic records, recognizes itself as a separate entity, and electronically bills for services.
“Each university would make that [decision] on its own based on how it wants to set up any health care services it’s providing,” Hickey said, “and whether it wants to maintain all of that as part of its educational system, or if it wants to separate out the health care entity as a separate standalone organization.”
Peter Swire, a law professor at Ohio State University and former White House coordinator of HIPAA, said: “I think the assumption was that FERPA provided a workable framework and we didn’t want to have HIPAA on top of it. But you’re pointing to a possible gap in how these fit together.”
Virginia Tech maintains that HIPAA protects student records at the on-campus health clinic.
When informed that HIPAA may not cover on-campus student health records, Hincker said: “Well, that’s new to me. But all of the news coverage that I’ve read is that HIPAA governs health care providers regardless of whether the health care provider is associated with an institution of education or whether that’s a free-standing health care provider.”
Ultimately, Cho’s records may not fall under FERPA or HIPAA, and at that point release would be governed by state law. In Virginia, health records are confidential but may be released upon authorization of the individual.
At death, the records may be disclosed to the individual’s personal representative or, if there is no representative, to certain relatives.
A panel’s secrecy
The Virginia Tech Review Panel, which was created by Virginia Gov. Tim Kaine to investigate and issue a report on the shootings, has found its way through the laws, at least partially.
The panel received mental health records from the university after Cho’s family granted permission for their release to the panel. The panel also received by court order a transcript and tape recording from a December 2005 court-administered civil commitment hearing.
According to statute, records from commitment hearings may be sealed at the individual’s request, only to be opened by court order “for good cause shown.”
In a June 19 executive order, Kaine also said that where necessary, he or his appointee would issue subpoenas to help the panel obtain needed information.
The media is unable to gain access to information from the panel because in the June executive order Kaine said he will treat all records received by the panel as working papers, thus making them exempt from the state’s open records act.
The confusion over the rules governing the release of information in the Virginia Tech shootings is symptomatic of the general mess that results from the laws.
Megan Schnabel, a metro editor at The Roanoke (Va.) Times, said reporters attempting to gather information about accident or crime victims have problems in part because of how the law is interpreted.
“There seems to be a lot of confusion about both HIPAA and FERPA,” Schnabel said. “Different people seem to have different interpretations of how they should be applied, not just in this case.”