
5 Ways Districts Can Better Handle Student Health Records

In the shadowy corners of the internet, medical records are readily available for purchase. On the dark web and black market, patient records can sell for $1,000 apiece. These records are sold to buyers in many industries: data brokers like IQVIA (formerly known as IMS Health), pharmaceutical firms and even tech companies. Children’s health data is just as valuable, and no one can doubt that medical records, especially those for our children, should be rigorously protected.

And yet, relatively few school districts have a mature cybersecurity plan and the appropriate resources to keep sensitive information secure. As a result, schools may be an easy target for hackers seeking valuable data to sell on the dark web.

So how can you ensure that your district is a better steward of student health records?

1. Implement an electronic health record system.

Implementing an electronic health record (EHR) system is an essential best practice for school districts to keep student health records secure and organized. Electronic health records allow districts to maintain accurate, up-to-date student health information, while also ensuring privacy and compliance with state and federal regulations. An EHR system makes it easier for school nurses and other health professionals to access student health records from any device with internet access, so they can provide quality care and treatment to students when they need it most. In addition, an EHR system can also help to reduce errors in documentation and promote continuity of care for students. By using an EHR system, school districts can improve the quality of care provided to their students and ensure the safety and privacy of their health information.

2. Ensure that school health providers are trained on privacy regulations and how to handle student health information.

Ensuring that school health providers are trained on privacy regulations and how to handle student health information is a crucial best practice in keeping student health data safe. Health information is sensitive and private, and it is vital to ensure that school staff members understand how to collect, store, and handle this information appropriately. Providing training for school health providers on privacy regulations and best practices for handling student health data can help prevent data breaches and ensure that student health information is kept confidential. It can also help to build trust between families and school health providers, creating a positive and supportive learning environment. By prioritizing the training of school health providers on privacy regulations and best practices for handling student health data, school districts can ensure that student health data remains safe and secure while also promoting quality care and trust in their school community.

3. Adopt consistent policies regarding the privacy of student data.

The first step is to work closely with your legal counsel to clarify your district’s responsibilities when it comes to student data and privacy. It’s important to know exactly what is required of your organization under laws such as FERPA. Your state may have its own student records laws and regulations, so be sure that you fully understand those as well.
Then, adopt consistent policies regarding the privacy of student data. Again, this is something you should work on with your legal counsel’s assistance and review. Once this is done, don’t forget to review your district’s relationships with all vendors in light of conformity with these policies.

This brings us to our next step, partnering with vendors who are committed to protecting student data.

4. Ensure that vendors are equally committed to protecting student data.

You could have the most rock-solid cybersecurity policies and practices within your district, but what about the vendors managing your data? It’s crucial that you only work with vendors who can demonstrate practices and policies to protect student data and reduce the risk of compromise. Selecting a school health records vendor is more than simply choosing good software; you are selecting a long-term relationship with a partner and its tools to efficiently deliver and enhance the critical healthcare services your students need. Your vendor needs to be transparent and trustworthy, understand your workflow, provide the level of service you’ll need throughout the relationship and, just as importantly, be around for a long time.

There are two things to consider when working with vendors. The first is making sure that vendor contracts and agreements do not allow the harvesting and sale of student medical records, even in a de-identified or aggregate form. Some electronic health records management system vendors sell patient data to third parties, so make sure your vendor is not one of them!

This is most prevalent with free software. With budgets shrinking, school districts are understandably looking for ways to comply with the vast array of state health data reporting requirements and obtain the efficiencies of electronic health records (EHR) without adding significant costs. However, the ethics, legal liability and privacy implications of free software must be approached as an extremely serious responsibility of school health care providers as well as the school district’s administrative and legal personnel.

Remember, if you are not paying for the product, you (or your students) could BE the product. Private vendors should not make money by selling student health data obtained from school health records. Make sure that any contracts your organization enters into specifically forbid the vendor from selling student data. If your district is still contemplating “free” EHR software, then at the very minimum make sure to require the vendor to provide a comprehensive list of all companies to whom the vendor has sold or is marketing the aggregated and de-identified data.

Second, make sure your vendor has taken steps to ensure the security of their software. Look for a system that is FERPA compliant. Even if your district is not a covered entity, greater attention to compliance and security is never a bad thing, especially when it comes to protecting student privacy. In addition, you want a vendor who has taken steps to protect its systems from cyber attacks. Ask your vendor if their product is SOC 2-compliant, and how they ensure their data centers are secure.

5. Work with parents and educators to promote informed consent about how student data is managed.

Regardless of how your district chooses to manage student health records, full transparency is a must. If using EHR software, your district has an ethical obligation to make sure that the parents of its students fully understand the privacy implications if the vendor sells their records to third parties. You need to be able to explain to parents in ordinary language the privacy implications of what data is collected and how it may be used.

As the President’s Council of Advisors on Science and Technology remarked, “Notice and consent is the practice of requiring individuals to give positive consent to the personal data collection practices of each individual app, program, or web service. Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent.” A long, drawn-out “Terms of Service” agreement with a checkbox isn’t enough to ensure that parents actually are informed about how their children’s data will be managed, and to truly understand the effects that the sale of student data might have on their children in the future.

So, have a strategy for supporting parent education and involvement in the EHR process. For example, you may wish to hold a limited number of town hall meetings or create other educational tools to reach parents who would otherwise not read the Terms of Use or the Privacy Policy.

With student information at risk, it’s more important than ever that parents, educators, school districts and national organizations work together to protect student privacy and ensure students’ futures are not impacted by data breaches or the sale of sensitive records.

