3 Ways Districts Can Better Handle Student Health Records
IT/Security By Annie Buttner, Contributing Consultant on 1/21/2020
In the shadowy corners of the internet, medical records are readily available for purchase. On the dark web and black market, patient records can sell for $1,000 apiece. These records are sold to buyers in many industries: data brokers like IQVIA (formerly known as IMS Health), pharmaceutical firms and even tech companies. Children’s health data is just as valuable, and no one can doubt that medical records, especially those for our children, should be rigorously protected.
And yet, relatively few school districts have a mature cybersecurity plan and the appropriate resources to keep sensitive information secure. As a result, schools may be an easy target for hackers seeking valuable data to sell on the dark web.
So how can you ensure that your district is a better steward of student health records?
1. Adopt consistent policies regarding the privacy of student data.
The first step is to work closely with your legal counsel to clarify your district’s responsibilities when it comes to student data and privacy. For example, are you required to abide by both FERPA and HIPAA? Depending on your organization’s unique situation, both may apply. It’s important to know exactly what is required of your organization under these laws and others. Your state may have its own student records laws and regulations, so be sure that you fully understand those as well.
Then, adopt consistent policies regarding the privacy of student data. Again, this is something you should work on with your legal counsel’s assistance and review. Once this is done, don’t forget to review your district’s relationships with all vendors to confirm that they conform to these policies.
This brings us to our next step, partnering with vendors who are committed to protecting student data.
2. Ensure that vendors are equally committed to protecting student data.
You could have the most rock-solid cybersecurity policies and practices within your district, but what about the vendors managing your data? It’s crucial that you only work with vendors who can demonstrate practices and policies to protect student data and reduce the risk of compromise. Selecting a school health records vendor is more than simply choosing good software; you are selecting a long-term relationship with a partner and its tools to efficiently deliver and enhance the critical healthcare services your students need. Your vendor needs to be transparent and trustworthy, understand your workflow, provide the level of service you’ll need throughout the relationship and, just as importantly, be around for a long time.
There are two things to consider when working with vendors. The first is making sure that vendor contracts and agreements do not allow the harvesting and sale of student medical records, even in a de-identified or aggregate form. Some electronic health records management system vendors sell patient data to third parties, so make sure your vendor is not one of them!
This is most prevalent with free software. With budgets shrinking, school districts are understandably looking for ways to comply with the vast array of state health data reporting requirements and obtain the efficiencies of electronic health records (EHR) without adding significant costs. However, the ethics, legal liability and privacy implications of free software must be approached as an extremely serious responsibility of school health care providers as well as the school district’s administrative and legal personnel.
Remember, if you are not paying for the product, you (or your students) could BE the product. Private vendors should not make money by selling student health data obtained from school health records. Make sure that any contracts your organization enters into specifically forbid the vendor from selling student data. If your district is still contemplating “free” EHR software, then at the very minimum make sure to require the vendor to provide a comprehensive list of all companies to whom the vendor has sold or is marketing the aggregated and de-identified data.
Second, make sure your vendor has taken steps to ensure the security of their software. Look for a system that is FERPA and HIPAA compliant. Even if your district is not a covered entity, greater attention to compliance and security is never a bad thing, especially when it comes to protecting student privacy. In addition, you want a vendor who has taken steps to protect its systems from cyber attacks. Ask your vendor if their product is SOC 2-compliant, and how they ensure their data centers are secure.
3. Work with parents and educators to promote informed consent about how student data is managed.
Regardless of how your district chooses to manage student health records, full transparency is a must. If using EHR software, your district has an ethical obligation to make sure that the parents of its students fully understand the privacy implications if the vendor sells their records to third parties. You need to be able to explain to parents in ordinary language the privacy implications of what data is collected and how it may be used.
As the President’s Council of Advisors on Science and Technology remarked, “Notice and consent is the practice of requiring individuals to give positive consent to the personal data collection practices of each individual app, program, or web service. Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent.” A long, drawn-out “Terms of Service” agreement with a checkbox isn’t enough to ensure that parents actually are informed about how their children’s data will be managed and truly understand the effects that the sale of student data might have on their children in the future.
So, have a strategy for supporting parent education and involvement in the EHR process. For example, you may wish to hold a limited number of town hall meetings or create other educational tools to reach parents who would otherwise not read the Terms of Use or the Privacy Policy.
With student information at risk, it’s more important than ever that parents, educators, school districts and national organizations work together to protect student privacy and ensure students’ futures are not impacted by data breaches or the sale of sensitive records.
Annie Buttner
Annie is a writer and part of the award-winning content team at Frontline Education. She's passionate about learning, exploring data and sharing knowledge. Her specialties include substitute management, the K-12 staffing shortage, and best practices in human capital management.